Best practices for connecting from web browser to Tigase XMPP Server
Currently we have 2 ways to connect to Tigase XMPP Server from web browsers:
- BOSH (Bidirectional-streams Over Synchronous HTTP)
- WebSocket (XMPP over WebSocket)
You will find more informations about these ways for connecting to Tigase XMPP Server with some useful tips below.
BOSH protocol specified in XEP-0124 is one of first protocols defined to allow to establish XMPP connection to XMPP servers from web browsers. Due to that this protocol is widely supported and used by many deployments. It is also easy to use in single server mode. It's enabled by default in Tigase XMPP Server and available at port 5280.
In clustered mode we can deploy it with load balancer deployed with guarantees that each BOSH connection from web browser will be forwarded to same Tigase XMPP Server instance. So in clustered mode if we have two XMPP server
t2 which are hosting domain
example.com we would need to have load balancer which will respond for HTTP request to domain
example.comand forward all requests from same IP address to same node of a cluster (i.e. all request from
192.168.122.32 should be forwarded always to node
Tip #1 - BOSH in cluster mode without load balancer There is also a way to use BOSH without load balancer. In this case XMPP client needs to have more logic and knowledge about all available cluster nodes (with names of nodes which will identify particular cluster nodes from internet). Using this knowledge XMPP client should select one random node from list of available nodes and always establish BOSH connections to this particular node. In case if BOSH connection fails due to network connection issues XMPP client should randomly pick other node from list of rest of available nodes.
We have servers
t2.example.com which are nodes of a cluster hosting domain
example.com. Web client retrieves list of cluster nodes from web server and then when it needs to connect to XMPP server it picks random host from list of retrieved cluster nodes (i.e.
t2.example.com) and tries to connect using BOSH protocol to host
t2.example.com but it should send
example.com as name of server to which it tries to connect (
example.com should be value of
to attribute of XMPP stream.**
WebSocket protocol is newly standarized protocol which is supported now by many of current versions of browsers. Currently there is a draft of protocol draft-ietf-xmpp-websocket-00 which describes usage of WebSocket to connect to XMPP server. Tigase XMPP Server implementation of WebSocket protocol to connect to XMPP server is very close to this draft of this specification. By default Tigase XMPP Server has XMPP-over-WebSocket protocol enabled without encryption on port 5290. To use this protocol you need to use library which supports XMPP-ober-WebSocket protocol.
Tip #1 - Encrypted WebSocket connection It is possible to enable encrypted WebSocket connection in Tigase XMPP Server. To do this you need to add following lines to
etc/init.properties config file:
ws2s/connections/ports\[i\]=5290,5291 ws2s/connections/5291/socket=ssl ws2s/connections/5291/type=accept
In this example we enabled WebSocket endpoint on port 5290 and encrypted WebSocket endpoint on port 5291. Connections on port 5291 are SSL connections which are encapsulating not encrypted WebSocket connections. As this is TLS/SSL connection (no STARTTLS) it uses default certificate installed in Tigase XMPP Server instance. This certificate is located in
Tip #2 - Encrypted WebSocket connection - dealing with multiple VHosts As mentioned in Tip #1 WebSocket endpoint is plain TLS/SSL port, so it always serves default certificate for Tigase XMPP Server instance. It is ok, if we are hosting single domain and if default certificate matches matches our domain. But If we host multiple domain we cannot use
wss://example1.com:5291/" connection URI, if our default certificate is for domain
example2.com. In this situation it is recomended use default certificate for domain under which server is accessible from internet. This domain should identify this server, so this domain would not point i.e. on two nodes of a cluster. After we deploy separate certificate for each of cluster nodes, we should follow same tip as Tip #1 for BOSH. Our web-based XMPP client should have knowledge about each node of a cluster and when it needs to connect it should randomly select one node from list of available cluster nodes and try to connect to is using connection URL that would contain name of server under which it can be identified from internet.
We have servers
t2.example1.com which are nodes of a cluster hosting domain
example2.com. Each of our nodes contains default SSL certificate which domain matches name of cluster node. Web client retrieves list of cluster nodes from web server and then when it needs to connect to XMPP server it picks random host from list of retrieved cluster nodes (i.e.
t2.example1.com) and tries to connect using WebSocket encrypted protocol to host
t2.example1.com using following connections URL
wss://t2.example1.com:5291/. During connection client should still send
example2.com as name of server to which it tries to connect (
example2.com should be value of
to attribute of XMPP stream. This will allow browser to validate certificate as it will be for the same domain to which browser connects, and it will allow XMPP client to connect to domain
example2.com, which is one of hosted vhosts.