Ejabberd HTTP File Upload (XEP-0363)
The XMPP HTTP File Upload module (XEP-0363) provides a way to share files
between XMPP clients. It works transparently, even in multi-user chats: the
sender uploads the file to an HTTP(S) server, which returns a URI, and that URI
is sent to each of the recipients, who can then download the file.
This XEP is interesting for several reasons:
- File sharing now works even in multi-user chats (MUC); in any case the file is uploaded only once, however many recipients there are.
- Peer-to-peer file transfer, whether in-band (XEP-0234: Jingle File Transfer)
or out-of-band (XEP-0065: SOCKS5 Bytestreams), is slow and unreliable, does not
work in MUC and does not work if the recipient is offline.
HTTP File Upload supports both client-server encryption (HTTPS) and end-to-end encryption when used in conjunction with OMEMO (as of today this is supported by Conversations on Android and by the Gajim desktop client).
When OMEMO is used the files are stored encrypted on the server, which makes it impossible for ejabberd to create a thumbnail when the file sent is a picture.
To enable the HTTP File Upload module with HTTPS in ejabberd, edit the ejabberd.yml
configuration file:
listen:
  -
    port: 5443
    ip: "0.0.0.0"
    module: ejabberd_http
    request_handlers:
      "upload": mod_http_upload
    tls: true
    protocol_options: 'TLS_OPTIONS'
    dhfile: 'DH_FILE'
    ciphers: 'TLS_CIPHERS'

modules:
  mod_http_upload:
    docroot: "/home/ejabberd/upload" # this must be a valid path; user ownership and SELinux labels must be set accordingly
    put_url: "https://@HOST@:5443/upload"
    access: local
    max_size: 25000000 # 25 MByte
    thumbnail: false
    file_mode: "0644"
    dir_mode: "0744"
  mod_http_upload_quota:
    max_days: 2

shaper:
  soft_upload_quota:
    - 250: all # MiB
  hard_upload_quota:
    - 10000: all # MiB

define_macro:
  'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
  'TLS_OPTIONS':
    - "no_sslv2, no_sslv3, no_tlsv1"
    - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
    - "no_compression"
  'DH_FILE': "/usr/local/etc/ejabberd/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096
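The settings above have to agree with each other: put_url must point at a listener that really has tls enabled and that maps the same path to mod_http_upload, the file and directory modes should not give write access to other users, and the soft quota must not exceed the hard one. The script below is an added example (it is not ejabberd code and not part of this guide's setup) that checks those relationships. It operates on the dict a YAML parser would produce from ejabberd.yml; to run without dependencies, the parsed form of the fragment above is written out by hand with the define_macro values expanded, and a deliberately weakened copy shows what the checks catch. The placeholder host used to parse put_url and the finding texts are this example's own.

```python
"""Consistency checks for the mod_http_upload settings above (added example,
not part of ejabberd). It works on the dict a YAML parser (PyYAML in practice)
produces from ejabberd.yml; to run with no dependencies, the parsed form of the
fragment above is written out by hand, with the define_macro values expanded."""
import copy
from urllib.parse import urlsplit

# Hand-written parsed form of the ejabberd.yml fragment above (constructed);
# keys the checks do not look at are left out.
CONFIG = {
    "listen": [{
        "port": 5443,
        "module": "ejabberd_http",
        "request_handlers": {"upload": "mod_http_upload"},
        "tls": True,
        # TLS_OPTIONS macro expanded; the long cipher-list item is omitted
        "protocol_options": ["no_sslv2, no_sslv3, no_tlsv1", "no_compression"],
    }],
    "modules": {
        "mod_http_upload": {
            "docroot": "/home/ejabberd/upload",
            "put_url": "https://@HOST@:5443/upload",
            "access": "local",
            "max_size": 25000000,
            "file_mode": "0644",
            "dir_mode": "0744",
        },
        "mod_http_upload_quota": {"max_days": 2},
    },
    "shaper": {
        "soft_upload_quota": [{250: "all"}],
        "hard_upload_quota": [{10000: "all"}],
    },
}

def _mode(value):
    """Parse a mode given as an octal string ("0644") or as an int."""
    return int(value, 8) if isinstance(value, str) else int(value)

def _quota_mib(rules):
    """First limit of a shaper rule list such as [{250: "all"}], or None."""
    for rule in rules or []:
        for limit in rule:
            return int(limit)
    return None

def check_upload_config(cfg):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    mod = cfg["modules"]["mod_http_upload"]
    # ejabberd substitutes the virtual host for @HOST@ at runtime; use a
    # placeholder host so urlsplit sees a well-formed URL.
    url = urlsplit(str(mod.get("put_url", "")).replace("@HOST@", "host.invalid"))
    if url.scheme != "https":
        findings.append("put_url does not use https: slots and file contents travel in clear text")
    port = url.port or (443 if url.scheme == "https" else 80)
    path = url.path.strip("/")
    # The listener that serves put_url must exist, use TLS and map the path.
    listener = next((l for l in cfg.get("listen", []) if l.get("module") == "ejabberd_http"
                     and int(l.get("port", 0)) == port), None)
    if listener is None:
        findings.append(f"no ejabberd_http listener on port {port} serves put_url")
    else:
        handlers = {k.strip("/"): v for k, v in listener.get("request_handlers", {}).items()}
        if handlers.get(path) != "mod_http_upload":
            findings.append(f"request_handlers on port {port} do not map /{path} to mod_http_upload")
        if url.scheme == "https" and not listener.get("tls"):
            findings.append(f"put_url is https but the listener on port {port} has tls: false")
        opts = " ".join(listener.get("protocol_options", []))
        for legacy in ("no_sslv2", "no_sslv3", "no_tlsv1"):
            if legacy not in opts:
                findings.append(f"listener on port {port} does not set {legacy}")
    if not isinstance(mod.get("max_size"), int) or mod["max_size"] <= 0:
        findings.append("max_size is not a positive byte count; set an explicit upload limit")
    for key, default in (("file_mode", "0644"), ("dir_mode", "0755")):
        if _mode(mod.get(key, default)) & 0o022:
            findings.append(f"{key} grants write access to group or others")
    if mod.get("access") == "all":
        findings.append("access: all lets any JID request upload slots; restrict it to local users")
    if "mod_http_upload_quota" in cfg["modules"]:
        shaper = cfg.get("shaper", {})
        soft = _quota_mib(shaper.get("soft_upload_quota"))
        hard = _quota_mib(shaper.get("hard_upload_quota"))
        if soft is not None and hard is not None and soft > hard:
            findings.append(f"soft_upload_quota ({soft} MiB) exceeds hard_upload_quota ({hard} MiB)")
    return findings

# A deliberately weakened copy (constructed) to show what the checks catch.
WEAK_CONFIG = copy.deepcopy(CONFIG)
WEAK_CONFIG["listen"][0]["tls"] = False
WEAK_CONFIG["modules"]["mod_http_upload"].update(
    put_url="http://@HOST@:5443/upload", file_mode="0666", access="all")
WEAK_CONFIG["shaper"]["hard_upload_quota"] = [{100: "all"}]
```

Against a real installation you would load the file with yaml.safe_load, substitute the define_macro values yourself (the parser returns the macro names as plain strings) and pass the result to check_upload_config. One caveat the script cannot check for you: @HOST@ expands to the virtual host of the user requesting the slot, so the certificate served on port 5443 has to be valid for every virtual host you serve.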
Add an iptables rule to allow incoming traffic to TCP port 5443:
$ iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 5443 -j ACCEPT
Reload the ejabberd service and manually force a reconnection in Conversations
to make sure the HTTP File Upload module is actually being used.