Proxy protocol in ejabberd
This article describes how to configure HAProxy and ejabberd together. If you are using a proxy in front of ejabberd, support for the proxy protocol is a new feature that lets the XMPP server know the real IP address of each connecting client instead of seeing only the IP used by the proxy server.
The proxy protocol was invented by HAProxy, but is now supported by many projects such as Apache, nginx, Varnish and AWS ELB. You can check the specification of that protocol here.
By using this feature, ejabberd will show the real IP addresses in logs and you will be able to use access control rules that rely on these IP addresses.
We assume you already have HAProxy and ejabberd installed. To enable the proxy protocol, start by editing the HAProxy configuration. We need to add send-proxy-v2 in the backend section:
frontend c2s
    mode tcp
    bind *:5222
    default_backend c2s_backend

backend c2s_backend
    mode tcp
    server l 222.222.222.222:5225 send-proxy-v2 # <- This is the place where we need to add that flag
Next, in the ejabberd configuration, we need to add the use_proxy_protocol: true option in the corresponding listen section:
listen:
  -
    port: 5225
    module: ejabberd_c2s
    use_proxy_protocol: true # <- Important part
    ...
It’s important to note the ejabberd listener that has this option enabled will reject all connections that don’t have proxy protocol data sent before the real traffic. Don’t enable this option unless you are using a proxy that is generating it!
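What arrives on the listener once send-proxy-v2 is on, and why a connection without it is refused, shown as an added example (not code from the original article or from ejabberd): a minimal PROXY protocol v2 header builder and parser for TCP over IPv4 and IPv6. The names build_v2 and parse_v2, the client address and the stream bytes are constructed for illustration.

```python
import ipaddress
import struct

# 12-byte signature that opens every PROXY protocol v2 header.
SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
# Family/protocol byte -> address length in bytes (TCP4 and TCP6 only).
ADDR_LEN = {0x11: 4, 0x21: 16}


def build_v2(src, sport, dst, dport):
    """Build the header a proxy prepends for one TCP connection (hypothetical helper)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fam = 0x11 if s.version == 4 else 0x21  # assumes src and dst share a family
    body = s.packed + d.packed + struct.pack("!HH", sport, dport)
    # 0x21 = version 2 in the high nibble, command PROXY in the low nibble.
    return SIGNATURE + struct.pack("!BBH", 0x21, fam, len(body)) + body


def parse_v2(data):
    """Return (client_ip, client_port, payload) or raise ValueError."""
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("no PROXY v2 header: connection must be rejected")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or len(data) < 16 + length:
        raise ValueError("bad version or truncated header")
    payload = data[16 + length:]  # the real traffic starts after the header
    if ver_cmd & 0x0F == 0:  # LOCAL: sent by the proxy itself, no client address
        return None, None, payload
    if ver_cmd & 0x0F != 1 or fam not in ADDR_LEN:
        raise ValueError("unsupported command or address family")
    alen = ADDR_LEN[fam]
    if length < 2 * alen + 4:
        raise ValueError("address block too short")
    src = ipaddress.ip_address(data[16:16 + alen])
    sport, = struct.unpack("!H", data[16 + 2 * alen:18 + 2 * alen])
    return str(src), sport, payload


# Constructed sample: client 203.0.113.7:49152 connects to the proxy, which
# forwards to the ejabberd listener from the article (222.222.222.222:5225).
STREAM = b"<?xml version='1.0'?><stream:stream to='example.org'>"
PROXIED = build_v2("203.0.113.7", 49152, "222.222.222.222", 5225) + STREAM

if __name__ == "__main__":
    print(parse_v2(PROXIED)[:2])
    try:
        parse_v2(STREAM)  # a client that connected directly, with no header
    except ValueError as exc:
        print("rejected:", exc)
```

Nothing in the header is authenticated: the receiver believes whatever address it carries, so port 5225 should be reachable only from the proxy.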