view mod_s2sout_override/README.md @ 5682:527c747711f3

mod_http_oauth2: Limit revocation to clients own tokens in strict mode RFC 7009 section 2.1 states: > The authorization server first validates the client credentials (in > case of a confidential client) and then verifies whether the token was > issued to the client making the revocation request. If this > validation fails, the request is refused and the client is informed of > the error by the authorization server as described below. The first part was already covered (in strict mode). This adds the later part using the hash of client_id recorded in 0860497152af It still seems weird to me that revoking a leaked token should not be allowed whoever might have discovered it, as that seems the responsible thing to do.
author Kim Alvefur <zash@zash.se>
date Sun, 29 Oct 2023 11:30:49 +0100
parents ae62d92506dc
children
line wrap: on
line source

---
summary: Override s2s connection targets
---

This module replaces [mod_s2soutinjection] and uses more modern and
reliable methods for overriding connection targets.

# Configuration

Enable the module as usual, then specify a map of XMPP remote hostnames
to URIs like `"tcp://host.example:port"`, to have Prosody connect there
instead of doing normal DNS SRV resolution.

Currently supported schemes are `tcp://` and `tls://`.  A future version
could support more methods including alternate SRV lookup targets or
even UNIX sockets.

URIs with IP addresses like `tcp://127.0.0.1:9999` will bypass A/AAAA
DNS lookups.

The special target `"*"` may be used to redirect all servers that don't have
an exact match.

One-level wildcards like `"*.example.net"` also work.

Standard DNS SRV resolution can be restored by specifying a truthy value.

```lua
-- Global section
modules_enabled = {
    -- other global modules
    "s2sout_override";
}

s2sout_override = {
    ["example.com"] = "tcp://other.host.example:5299";
    ["xmpp.example.net"] = "tcp://localhost:5999";
    ["secure.example"] = "tls://127.0.0.1:5270";
    ["*.allthese.example"] = = "tcp://198.51.100.123:9999";

    -- catch-all:
    ["*"] = "tls://127.0.0.1:5370";
    -- bypass the catch-all, use standard DNS SRV:
    ["jabber.example"] = true;
}
```

# Compatibility

Prosody version   status
---------------   ----------
0.12.4            Will work
0.12.3            Will not work
0.11              Will not work