antonfromberlin

Q: messages server proxy65 behind NAT?

Hi,

How do I get the proxy65 service usable from the internet? It's natted, here's my setup:

I have a messages server running on x.x.x.x (private IP).

I have a router that forwards traffic on ports 5222,...,7777 from the public IP y.y.y.y

My proxy65 configuration in /Library/Preferences/com.apple.Proxy65.plist can only accept the IP x.x.x.x as it cannot bind to the external IP.

The messages server advertises the proxy as <streamhost port='7777' host='x.x.x.x' jid='proxy65.domain.com'/>

and that is obviously not usable from outside.

Is there a way to advertise the external IP of the messages host so that wan clients can send files to lan clients?

Thanks,

Anton.

OS X Mavericks (10.9.2)

Posted on Mar 12, 2014 3:37 AM

  • by antonfromberlin, Solved answer
    Mar 12, 2014 3:59 AM in response to antonfromberlin

    Update:

    I commented out this:

        socket.inet_pton(socket.AF_INET, ip)

    in this:

    /Applications/Server.app/Contents/ServerRoot/usr/share/proxy65/proxy65.py

    and now my

    /Library/Preferences/com.apple.Proxy65.plist

    can use a hostname instead of IP like so:

    <dict>
            <key>jid</key>
            <string>proxy65.domain.com</string>
            <key>proxyips</key>
            <string>xmpp.domain.com:7777</string>

    so now all works from the outside and from the inside.

  • by Michael Diehr
    Feb 23, 2015 1:44 PM in response to antonfromberlin

    Works for me in 10.9.5 Server 3.2.2. I've posted an update and link to this solution in the newer OS X Server forum as well: OS X Server Messages Server Jabber Proxy65 File Transfer Solution

  • by Michael Diehr
    May 23, 2015 10:11 AM in response to Michael Diehr

    Update for 10.10.3 / Server App 4.1: the plist file may be located in a different location, e.g.

         /Library/Server/Messages/Config/com.apple.Proxy65.plist

    But otherwise the technique seems the same.

  • by aureliofrommontreux
    Aug 13, 2015 5:12 AM in response to antonfromberlin

    Thanks.

    Could you specify which strings you changed?

    Thank you.

  • by Michael Diehr
    Aug 14, 2015 10:39 AM in response to aureliofrommontreux

    I just tried this in 10.10.5 with Server.app 4.1.5.

    In this file:

    /Library/Server/Messages/Config/com.apple.Proxy65.plist

    Change this line (which is line #8)

    <string>XX.XX.XX.XX:7777</string>

    Where XX.XX.XX.XX is your IP address.

    To this:

    <string>example.com:7777</string>

    Replacing example.com with the actual DNS name of your server.

    In this file:

    /Applications/Server.app/Contents/ServerRoot/usr/share/proxy65/proxy65.py

    Change this line (which is line #285)

    socket.inet_pton(socket.AF_INET, ip)

    To this:

    # socket.inet_pton(socket.AF_INET, ip)

    Note: be careful when editing this file, as it's Python (.py) and whitespace such as spaces and tabs is important. Best to use a good programmer's text editor such as BBEdit.

    Then restart your Messages service and it should work better.

    To see if you have solved the issue, go to Server.app / Logs / Proxy Log and make sure you are no longer seeing the error which looks like this:

    twisted.internet.error.CannotListenError: Couldn't listen on XX.XX.XX.XX:7777: [Errno 49] Can't assign requested address.

    Note: after a Server.app upgrade this may fail, with lots of connect/disconnect errors.

    If so, do this:

    • In Server.app, shut down Messages
    • Delete the file /Library/Server/Messages/Config/com.apple.Proxy65.plist
    • Start Messages (this will recreate the file)
    • Stop Messages
    • Edit the file /Library/Server/Messages/Config/com.apple.Proxy65.plist as shown above. (The problem seems to be an invalid secret in the file)
    • Start Messages




  • by Michael Diehr
    Jan 31, 2016 12:25 PM in response to Michael Diehr

    As a further update, after upgrading to Server 5.0 it stopped working again. After more investigation I figured out the problem. For this technique to work you need proper DNS setup as well. What you need is for your public (WAN) DNS name to evaluate to the Private (LAN) IP address, but only for OS X server.

    To do this:

    1. Go to Server / MyServerName / Overview / Host Name / Edit Host name, follow the prompts to set up "Accessing your server" as "Internet"
    2. Follow all the prompts. At the end, when it asks you to set up DNS, say yes.

    Then, go to Server / Advanced / DNS:

    1. Lookups: make sure that Perform Lookups for Only Some Clients is set and that "This Server" is checked.
    2. Host Names: make sure you have an entry for your DNS name with your Private (LAN) IP address.

    You may need to reboot the server at this point.

    To test that it's working: in the Terminal enter

    dig myservername.com

    and verify that you get the LAN address (not the WAN address).

    My understanding of why this technique works:

    1. The Proxy65.py (Socks5 proxy) advertises to the world (e.g. other Messages clients) the name of the proxy running on port 7777: the public DNS name.
    2. The Proxy65.py internally then looks up this DNS name, and (if DNS is set properly as above) gets the private LAN IP address. This allows it to bind to your server's network stack on port 7777.
    3. Without the modifications to Proxy65.py and Proxy65.plist and DNS, the reason it doesn't work: Either you are giving it the public IP address (in which case Proxy65.py fails to bind, since it can't bind to the firewall WAN address) or you give it the private IP address (in which case it can bind) but then it advertises to clients the private LAN address, which won't work for anyone outside the firewall/router on the WAN side.

    There's probably a more elegant fix that could be made inside Proxy65.py, but I haven't figured it out.
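
Added example, not part of the thread and not Apple's proxy65.py: a preflight check for a `proxyips` value, following the explanation in the last reply that the value is advertised to clients as written and bound on the server to whatever it resolves to there. `check_proxyips`, its return fields and the addresses used with it are constructed for illustration; the resolver and the bind probe are injectable so the logic can be exercised without network access.

```python
import errno
import ipaddress
import socket

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_ipv4_literal(host):
    """The inet_pton test that the thread comments out of proxy65.py."""
    try:
        socket.inet_pton(socket.AF_INET, host)
        return True
    except (OSError, ValueError):
        return False


def can_bind(addr):
    """True if addr is assigned to this machine (port 0 picks any free port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((addr, 0))
            return True
        except OSError as e:
            if e.errno == errno.EADDRNOTAVAIL:  # "Can't assign requested address"
                return False
            raise


def check_proxyips(entry, resolve=socket.gethostbyname, bindable=can_bind):
    """Classify one 'host:port' proxyips value as seen from the server itself."""
    host, _, port = entry.rpartition(":")
    port = int(port)
    problems = []
    if is_ipv4_literal(host):
        bind_addr = host
        if any(ipaddress.ip_address(host) in net for net in RFC1918):
            problems.append("advertises a private address; WAN clients cannot reach it")
    else:
        bind_addr = resolve(host)  # on the server this must be the LAN address
    if not bindable(bind_addr):
        problems.append("cannot bind %s:%d on this host" % (bind_addr, port))
    return {"advertised": host, "bind": bind_addr, "port": port, "problems": problems}
```

Run on the server, `check_proxyips("example.com:7777")` with the defaults reports an empty `problems` list only when the split DNS from the last reply is in place.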