[jitsi-users] Jitsy and Proxy: DNS resolving and ACL issue...


#1

I think this is a bug, but I've read that I should subscribe here, so...

I'm testing Jitsy in my environment, a classic corporate one where clients
can access the net only through a proxy (a classic HTTP proxy, Squid 3.1).
I mostly need XMPP, so I've configured proxy use, doing the
tests with my Gtalk/Hangout account.

But I've found a problem: Jitsi does DNS resolving before accessing the
proxy, and so tries to access the service by IP address, not by name.

This clearly poses a hard challenge for ACL setup, because it is not the
same to whitelist 'talk.google.com' or the dozen IPs the service
relies on. ;(
That can clearly change. ;(((

I've tried to look at the docs and google a bit, but I've found no
way to ''offload'' resolving to the proxy.
I know that doing internal resolving is more secure, but in a
corporate environment there's no difference at all: the DNS the
client can use and the DNS of the proxy are the same. :wink:

I hope I was clear. Thanks.


--
Dr. Marco Gaiarin GNUPG Key ID: 240A3D66
  Association ``La Nostra Famiglia'' http://www.sv.lnf.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

    Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
    http://www.lanostrafamiglia.it/25/index.php/component/k2/item/123
  (tax code 00307430132, category ONLUS or HEALTH RESEARCH)


#2

> I think this is a bug, but I've read that I should subscribe here, so...
>
> I'm testing Jitsy in my environment, a classic corporate one where clients
> can access the net only through a proxy (a classic HTTP proxy, Squid 3.1).
> I mostly need XMPP, so I've configured proxy use, doing the
> tests with my Gtalk/Hangout account.

I'm not aware that Squid can proxy non-HTTP protocols at all, and Jitsi (yes, that's an I at the end) doesn't support XMPP-over-HTTP (yet?).

> But I've found a problem: Jitsi does DNS resolving before accessing the
> proxy, and so tries to access the service by IP address, not by name.
>
> This clearly poses a hard challenge for ACL setup, because it is not the
> same to whitelist 'talk.google.com' or the dozen IPs the service
> relies on. ;(
> That can clearly change. ;(((

> I've tried to look at the docs and google a bit, but I've found no
> way to ''offload'' resolving to the proxy.
> I know that doing internal resolving is more secure, but in a
> corporate environment there's no difference at all: the DNS the
> client can use and the DNS of the proxy are the same. :wink:

This has nothing to do with security, and most likely the client and your Squid still use the same proxy. If you want to whitelist something on your firewall by name, you can still do that given that the whitelist supports SRV entries. I've never seen that, so your best bet would be to whitelist the hostnames from the SRVs, e.g. xmpp.l.google.com, alt4.xmpp.l.google.com, alt2.xmpp.l.google.com, alt1.xmpp.l.google.com and alt3.xmpp.l.google.com.

> I hope I was clear. Thanks.

Not really, but I hope it helps anyway.

Ingo


#3

Hello! Ingo Bauersachs
  On that day it was said...

[jitsi, proxi, proxy, jitsy... sorry for the typo ;)]

> I'm not aware that Squid can proxy non-HTTP protocols at all, and Jitsi (yes, that's an I at the end) doesn't support XMPP-over-HTTP (yet?).

I'm using it, so it does indeed work. AFAIK Squid (''a proxy'') can proxy every
''HTTP-like'' protocol, such as XMPP.

> This has nothing to do with security, and most likely the client and your Squid still use the same proxy. If you want to whitelist something on your firewall by name, you can still do that given that the whitelist supports SRV entries. I've never seen that, so your best bet would be to whitelist the hostnames from the SRVs, e.g. xmpp.l.google.com, alt4.xmpp.l.google.com, alt2.xmpp.l.google.com, alt1.xmpp.l.google.com and alt3.xmpp.l.google.com.

No, it is not the same. Managing ACL rules that way is hard:
consider for example that doing CONNECT to an IP address is normally
blocked in the ''web browsing'' world, because it is ''strange'' (how to
verify the certificate DN?).
Indeed, blocking CONNECT to IP addresses is the standard way to block
Skype usage.

> Not really, but I hope it helps anyway.

I'll try to explain better.

Normally a proxy client sends the proxy the ''unresolved request''
(e.g. «please give me http://jitsi.org/»), and it is the proxy that resolves
'jitsi.org', sends the request, filters/caches it, and then replies back
to the client.
It seems to me that Jitsi, instead, resolves 'jitsi.org' and so sends the
request «please give me http://46.105.44.115».

This is indeed the same, but it poses additional challenges in setting up
proxy ACLs, especially if using CONNECT (https).

Is it clear now?


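As an added example of the ACL point Marco makes above (code written for this page, not Squid's or Jitsi's own), the following Python emulates a Squid-style dstdomain check over constructed CONNECT request lines: a request that names the host can be matched against the allowed XMPP hostnames from the thread, while a request for a pre-resolved IP literal carries no name and is refused, which is the browsing-proxy behaviour Marco describes. The function and constant names are my own.

```python
import ipaddress
import re

SAMPLE_REQUESTS = [  # constructed sample lines, not from the thread
    "CONNECT talk.google.com:5222 HTTP/1.1",
    "CONNECT alt2.xmpp.l.google.com:5222 HTTP/1.1",
    "CONNECT 46.105.44.115:5222 HTTP/1.1",
    "CONNECT [2001:db8::1]:443 HTTP/1.1",
    "CONNECT chat.example.net:5222 HTTP/1.1",
]
# Squid dstdomain semantics: a leading dot matches the domain and its subdomains.
XMPP_ALLOW = ["talk.google.com", ".xmpp.l.google.com"]
CONNECT_RE = re.compile(r"^CONNECT\s+(\S+)\s+HTTP/1\.[01]$")

def split_authority(authority):
    """Split 'host:port' or '[v6-literal]:port' into (host, port)."""
    if authority.startswith("["):
        host, sep, port = authority[1:].partition("]:")
    else:
        host, sep, port = authority.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError("authority must be host:port")
    return host.lower(), int(port)

def domain_matches(host, pattern):
    """dstdomain-style match: '.x.y' covers x.y and *.x.y, 'x.y' only itself."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def evaluate_connect(request_line, allowed=XMPP_ALLOW):
    """Return ('allow' | 'deny', reason) for one CONNECT request line."""
    m = CONNECT_RE.match(request_line)
    if not m:
        return "deny", "not a well-formed CONNECT request"
    try:
        host, port = split_authority(m.group(1))
    except ValueError as exc:
        return "deny", str(exc)
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname: the proxy can match it against the ACL
    else:
        # The client resolved the name itself and handed the proxy a bare IP,
        # leaving no hostname to match against the dstdomain list.
        return "deny", f"IP literal {host}: no hostname to match"
    if any(domain_matches(host, p) for p in allowed):
        return "allow", f"{host}:{port} matches dstdomain list"
    return "deny", f"{host} not in dstdomain list"
```

Running `evaluate_connect` over `SAMPLE_REQUESTS` allows only the two named Google hosts and denies both IP literals and the unlisted name.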


#4

Hi,

I don't know about the specifics of what the XMPP support does and does
not handle.

I do know about the SOCKS proxy case, where a SOCKS5 proxy can do the
resolving for you. (In the case of a SOCKS4 proxy, the proxy would
assume that the software has already resolved the address and the proxy
would only establish a connection to the IP address in the client's
request.)

I think what you are referring to here is the same (or very similar).
So, instead of Jitsi (or for that matter Java itself, since Java does
that by default) resolving the host name to an address and passing the
address to the proxy, Jitsi would create an "unresolved address" and
pass this raw "http://www.jitsi.org/test.html" text string to the proxy,
and the proxy would then figure out where jitsi.org points to.

If you do this, then the ACL can simply be applied to the request. In
the case of IP addresses, the ACL cannot determine any more which exact
website you are trying to contact.

Is this correct?

Danny


On 04-03-15 11:31, Marco Gaiarin wrote:

> Hello! Ingo Bauersachs
>   On that day it was said...
>
> [jitsi, proxi, proxy, jitsy... sorry for the typo ;)]
>
>> I'm not aware that Squid can proxy non-HTTP protocols at all, and Jitsi (yes, that's an I at the end) doesn't support XMPP-over-HTTP (yet?).
>
> I'm using it, so it does indeed work. AFAIK Squid (''a proxy'') can proxy every
> ''HTTP-like'' protocol, such as XMPP.
>
>> This has nothing to do with security, and most likely the client and your Squid still use the same proxy. If you want to whitelist something on your firewall by name, you can still do that given that the whitelist supports SRV entries. I've never seen that, so your best bet would be to whitelist the hostnames from the SRVs, e.g. xmpp.l.google.com, alt4.xmpp.l.google.com, alt2.xmpp.l.google.com, alt1.xmpp.l.google.com and alt3.xmpp.l.google.com.
>
> No, it is not the same. Managing ACL rules that way is hard:
> consider for example that doing CONNECT to an IP address is normally
> blocked in the ''web browsing'' world, because it is ''strange'' (how to
> verify the certificate DN?).
> Indeed, blocking CONNECT to IP addresses is the standard way to block
> Skype usage.
>
>> Not really, but I hope it helps anyway.
>
> I'll try to explain better.
>
> Normally a proxy client sends the proxy the ''unresolved request''
> (e.g. «please give me http://jitsi.org/»), and it is the proxy that resolves
> 'jitsi.org', sends the request, filters/caches it, and then replies back
> to the client.
> It seems to me that Jitsi, instead, resolves 'jitsi.org' and so sends the
> request «please give me http://46.105.44.115».
>
> This is indeed the same, but it poses additional challenges in setting up
> proxy ACLs, especially if using CONNECT (https).
>
> Is it clear now?


#5

Hello! Danny van Heumen
  On that day it was said...

> So, instead of Jitsi (or for that matter Java itself, since Java does
> that by default) resolving the host name to an address and passing the
> address to the proxy, Jitsi would create an "unresolved address" and
> pass this raw "http://www.jitsi.org/test.html" text string to the proxy,
> and the proxy would then figure out where jitsi.org points to.
>
> If you do this, then the ACL can simply be applied to the request. In
> the case of IP addresses, the ACL cannot determine any more which exact
> website you are trying to contact.
>
> Is this correct?

Perfect. Thanks.




#6

> So, instead of Jitsi (or for that matter Java itself, since Java does
> that by default) resolving the host name to an address and passing the
> address to the proxy, Jitsi would create an "unresolved address" and
> pass this raw "http://www.jitsi.org/test.html" text string to the proxy,
> and the proxy would then figure out where jitsi.org points to.
>
> If you do this, then the ACL can simply be applied to the request. In
> the case of IP addresses, the ACL cannot determine any more which exact
> website you are trying to contact.
>
> Is this correct?

Perfect. Thanks.

Sorry. Does this mean that this is added as a bug? I've tried to look into
the Jitsi BTS, but found nothing related. At least to me.

Thanks.




#7

Hi,

Sorry for not responding to you earlier. I'm not that familiar with the
XMPP code, but I think that this might not be possible at this moment.
At least not in Jitsi.

I am (educated) guessing this is the case, because I couldn't find
anything related to proxy resolving when I was looking into the proxy
support to hook IRC into, so I'm not 100% sure. So other devs might
correct me, now that I have said this ... :slight_smile:

If you have configured a proxy (and you are sure that it is a proxy that
supports SOCKS5, but I'm guessing it does since it regulates ACLs via
this way) and it does not work for you, then I guess it isn't supported.

In any case, if you add this, do not add it as a bug, but as a feature
request/improvement/enhancement (whatever it is called). Only later, in
SOCKS5, was DNS resolving via the proxy added. And then still in many
programs you have to enable this separately. (For example, Firefox.) So
it's not a bug, just a currently missing feature.

Kind regards,
Danny


On 09-03-15 18:02, Marco Gaiarin wrote:

>> So, instead of Jitsi (or for that matter Java itself, since Java does
>> that by default) resolving the host name to an address and passing the
>> address to the proxy, Jitsi would create an "unresolved address" and
>> pass this raw "http://www.jitsi.org/test.html" text string to the proxy,
>> and the proxy would then figure out where jitsi.org points to.
>>
>> If you do this, then the ACL can simply be applied to the request. In
>> the case of IP addresses, the ACL cannot determine any more which exact
>> website you are trying to contact.
>>
>> Is this correct?
>
> Perfect. Thanks.
>
> Sorry. Does this mean that this is added as a bug? I've tried to look into
> the Jitsi BTS, but found nothing related. At least to me.
>
> Thanks.
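As an added illustration of the SOCKS4/SOCKS5 point Danny makes in this and his earlier message (example code written for this page, not Jitsi's or Java's proxy code): a SOCKS5 CONNECT request can carry either the unresolved hostname (ATYP 0x03) or an already-resolved address (ATYP 0x01/0x04), and only in the first form does the proxy receive a name it can resolve and apply a name-based ACL to. The hostnames and the 46.105.44.115 address used for testing are the ones quoted in the thread; the function names are my own.

```python
import ipaddress
import struct

SOCKS_VERSION, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
ATYP_NAMES = {ATYP_IPV4: "ipv4", ATYP_DOMAIN: "domain", ATYP_IPV6: "ipv6"}

def build_connect_request(host, port):
    """Encode a SOCKS5 CONNECT request (RFC 1928 section 4) for host:port.

    A name is sent as ATYP 0x03 so the proxy does the resolving; an IP literal
    goes out as ATYP 0x01/0x04, which is all a client that resolved locally
    can send (and the IPv4 form is the only one SOCKS4 has).
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("domain name length must fit in one byte")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return struct.pack("!BBB", SOCKS_VERSION, CMD_CONNECT, 0) + addr + struct.pack("!H", port)

def parse_connect_request(data):
    """Decode the request as the proxy sees it: (address kind, host, port)."""
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(rest) != 2:
        raise ValueError("truncated or trailing bytes in request")
    return ATYP_NAMES[atyp], host, struct.unpack("!H", rest)[0]

def proxy_sees_name(host, port):
    """True when the proxy, not the client, will resolve the destination."""
    return parse_connect_request(build_connect_request(host, port))[0] == "domain"
```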


#8

Hello! Danny van Heumen
  On that day it was said...

> In any case, if you add this, do not add it as a bug, but as a feature
> request/improvement/enhancement (whatever it is called).

I spoke about a ''bug'', but clearly I meant ''file something in the
BTS''. I've just added:

  https://trac.jitsi.org/ticket/1318

I hope it is clear. Thanks.

