What is jwchat? Jwchat is a full featured, web-based Jabber™ client.
It uses the HTTP-POLL method to connect to a jabber-server. It is written in Javascript, which is quite nice because you do not open a glaring security-hole by installing it.
I am not going to explain how you set up ejabberd or apache2; there are tons of tutorials for that out there.
- Go to the jwchat download-page and download it. Extract it to somewhere where the webserver can read it; I put it in /usr/share/jwchat. Alternatively you can just aptitude install jwchat.
- Edit the config.js you can find in jwchat/www. There are two things you want to edit:
  - The SITENAME. Just put in your servername.
  - The httpbases a bit further down. This is the relative path where jwchat will try to contact the jabber-server. Put in anything you want; the default makes sense, though.
- Now comes the part where the jwchat-documentation fails us: we have to configure the apache2 to proxy all requests which go to the httpbase over to the jabber-server. jwchat proposes the following configuration:
DocumentRoot /var/www/jwchat
Options +Indexes +Multiviews
AddDefaultCharset UTF-8
RewriteEngine on
RewriteRule http-poll/ http://127.0.0.1:5280/http-poll/ [P]
While this works, it adds a burden to the user: his firewall needs to allow outgoing connections to port 5280. It is way better to keep all connections on one port so that jwchat works in heavily locked-down environments like libraries, universities and schools. This can be achieved by mod_proxy.
- First you have to enable mod_proxy_http and mod_proxy. You can do that by calling a2enmod proxy proxy_http
- Once this is done, put this somewhere into one of your (virtual)host configurations:
ProxyRequests Off
ProxyPass /http-poll/ http://127.0.0.1:5280/http-poll/
ProxyPassReverse /http-poll/ http://127.0.0.1:5280/http-poll/
Allow from all
Alias /jwchat /usr/share/jwchat/www
Options +Indexes +Multiviews +FollowSymLinks
AddDefaultCharset UTF-8
Now the users can go to $example.com/jwchat and use their jabber-accounts without having to install a client.
It is important to note that the username and password are transmitted as plaintext; this is dangerous and stupid. Not only will you die, it will also hurt the whole time you’re dying.
Edit: I was wrong: Jwchat uses DIGEST-MD5. While it is better than nothing, SSL is way more secure, seeing as the IETF is in the process of deprecating DIGEST-MD5 because of the bruteforceability.
Never use jwchat over an unencrypted connection. Be smart and put that whole configuration into an SSL-enabled host. You don’t lose any functionality but gain important security.
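One way to follow this advice, as an added example (not from the original post or the jwchat documentation): the mod_proxy configuration from above placed inside an SSL-enabled virtual host, with port 80 doing nothing but redirecting. The server name, the certificate paths and the `<Directory>` container are assumptions.

```apache
# Added example. example.com and both certificate paths are placeholders.
# Needs the modules: a2enmod ssl proxy proxy_http

# Plain HTTP only redirects, so the jwchat page and the /http-poll/
# endpoint are never reachable without TLS.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # Reverse proxy only; ProxyRequests Off keeps Apache from acting
    # as an open forward proxy.
    ProxyRequests Off

    # The browser talks TLS to Apache on 443. Only the hop to the
    # jabber-server on the loopback interface is unencrypted.
    ProxyPass        /http-poll/ http://127.0.0.1:5280/http-poll/
    ProxyPassReverse /http-poll/ http://127.0.0.1:5280/http-poll/

    Alias /jwchat /usr/share/jwchat/www
    # Assumption: the access and option lines from the post are scoped
    # to the jwchat directory.
    <Directory /usr/share/jwchat/www>
        Options +Indexes +Multiviews +FollowSymLinks
        AddDefaultCharset UTF-8
        # Apache 2.2 syntax as used in the post; on Apache 2.4 the
        # equivalent is "Require all granted".
        Allow from all
    </Directory>
</VirtualHost>
```

Because httpbase in config.js is a relative path, jwchat polls over the same HTTPS origin the page was loaded from.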