Comment on Running ejabberd behind a reverse proxy
thelastknowngod@lemm.ee 1 year ago
This would be nice because I don’t need a static ip and I don’t have to leak my ip address.
How does the VPS know how to find your rpi?
Could you not just use something like duck dns on a cronjob and give out that url?
I would also need to figure out how to supply ejabberd with the correct certificates for the domain. Since it’s running on a different computer than the reverse proxy, would I have to somehow copy the certificate over every time it has to be renewed?
Since the VPS is doing your TLS termination, you would need an encrypted tunnel of some sort. Have you considered something like Istio? That provides mTLS out of the box really… I’ve never seen it for this kind of use case but I don’t see why it wouldn’t work.
adam@discuss.tchncs.de 1 year ago
The vps communicates with the rpi through a vpn.
I have not heard of duck dns nor lstio, but I’ll check it out when I get home.
thelastknowngod@lemm.ee 1 year ago
Istio is a service mesh. You basically run proxies on the vps and the rpi. The apps make calls to localhost and the proxy layer figures out the communication between each proxy.
Duck dns is just a dynamic dns service. It gives you a stable address even if you don’t have a static ip.
adam@discuss.tchncs.de 1 year ago
How would I use that in this situation? I don’t get it. I already have a vpn set up to communicate between the two devices, and have been successfully running multiple services in this configuration for about a month. It’s just XMPP that I’m having trouble with.
thelastknowngod@lemm.ee 1 year ago
It auto discovers machines/instances/VMs/containers in the mesh and figures out the secure routing on the fly. If you couldn’t ensure a consistent IP from the home address it wouldn’t matter… The service mesh would work it out.
It is probably overkill for this project though… Something to think about…