ejabberd http-bind prevents running parallel sessions with different resources

Question

I have a running ejabberd installation, with http-bind enabled, nginx proxy, and a mini jappix xmpp client for web browsers. I also have an external authentication program.

I can connect the same user on this server with different ressources if I use the classical 5222 port. But:

• If I have active sessions from classical xmpp clients (psi, empathy) for a given user I cannot connect this user with http-bind (401 authentication failure).
• I the first connection is made via http-bind no other connection can be done by other classical xmpp clients (and resources are of course different). I sometimes get the 401 already connected message
• I can only connect the same user in one browser, I cannot connect the same user several time on http-bind (resources are different on theses connections, but I also get a 401)
• I'm sure the external authentification program is never launched when I get theses auth failure
• max_user_sessions settings are ok (tested with infinity), and if I'm not connecting in http-bind I can run parallel sessions. But in case of I also tested the new resource_conflict setting values without any success (and it's not a re'source conflict in fact)

Installation: ejabberd-2.1.10 Debian (from ejabberd-2.1.10-linux-x86-installer.bin, but same problem tested in x86_64 version).

Extract of configuration:

    {5280, ejabberd_http, [
                     {request_handlers,
                      [
                       {["http_bind"], mod_http_bind}
                      ]},
                     %%captcha,
                     http_bind,
                     %%http_poll,
                     web_admin
                    ]}

On the logs, when this is happening I have:

=INFO REPORT==== 2012-01-27 10:18:55 ===
D(<0.335.0>:ejabberd_http_bind:684) : reqlist: [{hbr,154037,
                             "01775ec6fc089a2b0c84abb80a4b5b7b4bdd958d",
                             []},
                             {hbr,154036,
                             "01775ec6fc089a2b0c84abb80a4b5b7b4bdd958d",
                             [{xmlstreamelement,
                                   {xmlelement,
                                   "stream:features",[],
                                      [{xmlelement,
                                          "mechanisms",
                                          [{"xmlns",
                                            "urn:ietf:params:xml:ns:xmpp-sasl"}],
                                          [{xmlelement,
                                            "mechanism",[],
                                            [{xmlcdata,
                                              "PLAIN"}]}]}]}},
                                      {xmlstreamstart,
                                       "stream:stream",
                                       [{"version","1.0"},
                                        {"xml:lang","fr"},
                                        {"xmlns","jabber:client"},
                                        {"xmlns:stream",
                                         "http://etherx.jabber.org/streams"},
                                        {"id","3595609800"},
                                        {"from",
                                         "tchat.example.com"}]}]}]

=INFO REPORT==== 2012-01-27 10:18:55 ===
D(<0.335.0>:ejabberd_http_bind:732) : really sending now: [{xmlelement,
                                        "auth",
                                        [{"xmlns",
                                        "urn:ietf:params:xml:ns:xmpp-sasl"},
                                         {"mechanism",
                                          "PLAIN"}],
                                         [{xmlcdata<<"bGRhcHVzZX(...)3">>}]}]
=INFO REPORT==== 2012-01-27 10:18:55 ===
I(<0.336.0>:ejabberd_c2s:649) : ({socket_state,ejabberd_http_bind,{http_bind,<0.335.0>,{{127,0,0,1},50992}},ejabberd_http_bind}) Failed authentication for foo38@tchat.example.com

=INFO REPORT==== 2012-01-27 10:18:55 ===
D(<0.337.0>:ejabberd_http_bind:916) : OutPacket: [{xmlstreamelement,
                                       {xmlelement,"failure",
                                        [{"xmlns",
                                          "urn:ietf:params:xml:ns:xmpp-sasl"}],
                                        [{xmlelement,
                                          "not-authorized",[],
                                          []}]}}]

=INFO REPORT==== 2012-01-27 10:18:55 ===
D(<0.337.0>:ejabberd_http_bind:1054) :  --- outgoing data ---
<body xmlns='http://jabber.org/protocol/httpbind'><failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/></failure></body>

So is this a "feature" in http-bind ? making it the only valid Resource for a given user while activated? And how to run several http-binded sessions for the same user if so? Any hints?

Answer 1

No there must be something wrong with your configuration. I have been successfully using ejabberd's http-bind for a long time and of course you can have multiple connections with different resources and independently of other clients connecting. I also use nginx as a proxy. In you ejabberd.cfg you should have:

  {5280, ejabberd_http, [
   http_bind, 
   web_admin
  ]}

and

{modules,[
      {mod_http_bind,[]},
      ...
]}.

Also, in your logs I see {"from", "tchat.example.com"}, which seems to indicate a missconfiguration.