Ejabberd HTTP File Upload (XEP-0363) · uwot.eu

by fabio
Tags: CentOS 7, Conversations, ejabberd, iptables

The XMPP HTTP File Upload extension (XEP-0363) provides a way to share files between XMPP clients; it works transparently, even in multi-user chats.
The sender uploads the file to an HTTP(S) server, which returns a URI; that URI is then sent to each recipient, who can download the file from it.
This XEP is interesting for several reasons:
1. File sharing now works even in multi-user chats (MUC), and the file is uploaded only once regardless of how many recipients there are.
2. Peer-to-peer file transfer, be it in-band (XEP-0234: Jingle File Transfer) or out-of-band (XEP-0065: SOCKS5 Bytestreams), is slow, unreliable, does not work in MUC and does not work if the recipient is offline.
3. HTTP File Upload supports both client-to-server encryption (HTTPS) and end-to-end encryption when used together with OMEMO (as of today this is supported by Conversations on Android and by the Gajim desktop client).
3.1. When OMEMO is used the files are stored encrypted on the server, which makes it impossible for ejabberd to create a thumbnail when the file is a picture.
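The slot request and reply that a client exchanges with the upload service before the HTTP PUT, as an added example (not code from this post or from ejabberd). It builds the XEP-0363 request IQ against the max_size configured below, then parses a constructed server reply and refuses any slot whose URLs do not point at the HTTPS listener on port 5443; the upload host name and the sample reply are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "urn:xmpp:http:upload:0"
MAX_SIZE = 25_000_000               # max_size from the ejabberd.yml below (25 MByte)
UPLOAD_HOST = "upload.example.org"  # assumed value ejabberd substitutes for @HOST@
UPLOAD_PORT = 5443                  # the ejabberd_http listener port below
ALLOWED_HEADERS = {"Authorization", "Cookie", "Expires"}  # the only PUT headers XEP-0363 allows

def build_slot_request(iq_id, upload_jid, filename, size, content_type):
    """Build the slot-request IQ a client sends before the HTTP PUT."""
    if size > MAX_SIZE:
        raise ValueError(f"{size} bytes exceeds the server max_size of {MAX_SIZE}")
    iq = ET.Element("iq", {"type": "get", "id": iq_id, "to": upload_jid})
    ET.SubElement(iq, "request", {"xmlns": NS, "filename": filename,
                                  "size": str(size), "content-type": content_type})
    return ET.tostring(iq, encoding="unicode")

def parse_slot(iq_xml):
    """Parse the server's <slot/> reply; reject anything that would make the
    client upload to, or download from, something other than the HTTPS
    endpoint configured on the server."""
    iq = ET.fromstring(iq_xml)
    if iq.get("type") != "result":
        raise ValueError("slot request refused: " + ET.tostring(iq, encoding="unicode"))
    slot = iq.find(f"{{{NS}}}slot")
    put, get = slot.find(f"{{{NS}}}put"), slot.find(f"{{{NS}}}get")
    put_url, get_url = put.get("url"), get.get("url")
    for url in (put_url, get_url):
        u = urlparse(url)
        if u.scheme != "https" or u.hostname != UPLOAD_HOST or u.port != UPLOAD_PORT:
            raise ValueError("unexpected slot URL: " + url)
    # Clients must ignore any PUT header the XEP does not allow.
    headers = {h.get("name"): h.text for h in put.findall(f"{{{NS}}}header")
               if h.get("name") in ALLOWED_HEADERS}
    return put_url, get_url, headers

# Constructed server reply, shaped like the one mod_http_upload returns.
SAMPLE_SLOT = f"""<iq type='result' id='slot1' from='{UPLOAD_HOST}' to='juliet@example.org/phone'>
  <slot xmlns='{NS}'>
    <put url='https://{UPLOAD_HOST}:5443/upload/c2e1b9/photo.jpg'>
      <header name='Authorization'>Basic c29tZXRva2Vu</header>
      <header name='X-Not-Allowed'>ignored by the client</header>
    </put>
    <get url='https://{UPLOAD_HOST}:5443/upload/c2e1b9/photo.jpg'/>
  </slot>
</iq>"""

if __name__ == "__main__":
    print(build_slot_request("slot1", UPLOAD_HOST, "photo.jpg", 1_048_576, "image/jpeg"))
    print(parse_slot(SAMPLE_SLOT))
```

With OMEMO the client encrypts the file before the PUT, so the server only ever stores ciphertext; the exchange above is unchanged.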
To enable the HTTP File Upload module with HTTPS in ejabberd, edit the ejabberd.yml configuration file:

listen:
  -
    port: 5443
    ip: "0.0.0.0"
    module: ejabberd_http
    request_handlers:
      "upload": mod_http_upload
    tls: true
    protocol_options: 'TLS_OPTIONS'
    dhfile: 'DH_FILE'
    ciphers: 'TLS_CIPHERS'

modules:
  mod_http_upload:
    docroot: "/home/ejabberd/upload" # this must be a valid path, user ownership and SELinux flags must be set accordingly
    put_url: "https://@HOST@:5443/upload"
    access: local
    max_size: 25000000 #25 MByte
    thumbnail: false
    file_mode: "0644"
    dir_mode: "0744"
  mod_http_upload_quota:
    max_days: 2

shaper_rules: # quota rules for mod_http_upload_quota belong under shaper_rules, not shaper
  soft_upload_quota:
    - 250: all # MiB
  hard_upload_quota:
    - 10000: all # MiB

define_macro:
   'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
   'TLS_OPTIONS': # OpenSSL protocol flags only; the cipher list is set separately via ciphers
      - "no_sslv2"
      - "no_sslv3"
      - "no_tlsv1"
      - "no_compression"
   'DH_FILE': "/usr/local/etc/ejabberd/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096

Add an iptables rule to allow incoming traffic to port 5443 (insert it before the default REJECT rule, and persist it in /etc/sysconfig/iptables on CentOS 7 so it survives a reboot):

# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 5443 -j ACCEPT

Reload the ejabberd service and force Conversations to reconnect, so that the client rediscovers the server's features and actually uses the HTTP File Upload module.