502 Bad Gateway

Shankar_Bavan · May 6, 2021, 9:30am

I got 502 Bad Gateway error after install JWT token authentication Prosody plugin

/http-bind?room=b0d10544d

502 Bad Gateway

SEVERE: [11] [xmpp_connection=client] XmppProviderImpl.doConnect#219: Failed to connect/login: The following addresses failed: 'localhost:5222' failed because: localhost/127.0.0.1 exception: java.net.ConnectException: Connection refused (Connection refused)

emrah · May 6, 2021, 10:03am

systemctl status prosody

Shankar_Bavan · May 6, 2021, 10:36am

I reinstalled jitsi. now 502 Bad Gateway error gone.

but, I’m facing following issues.
I could not switch on mic, camera
moderator role not assign
2 user not able to join same room

● prosody.service - Prosody XMPP Server

Loaded: loaded (/lib/systemd/system/prosody.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-05-06 10:20:44 UTC; 15min ago
Docs: Documentation – Prosody IM
Main PID: 11908 (lua5.2)
Tasks: 1 (limit: 4631)
CGroup: /system.slice/prosody.service
└─11908 lua5.2 /usr/bin/prosody -F

Shankar_Bavan · May 6, 2021, 11:26am

This issue only with token based authentication.
no any issue when I use internal_plain

emrah · May 6, 2021, 11:36am

Did you get any error messages while installing jitsi-meet-tokens
output?

luarocks list

Can you share your prosody config

Shankar_Bavan · May 6, 2021, 11:40am

I did not get any error while installing token

luarocks list

Installed rocks:

basexx
   0.4.1-1 (installed) - /usr/local/lib/luarocks/rocks

lbase64
   20120820-1 (installed) - /usr/local/lib/luarocks/rocks

lua-cjson
   2.1.0-1 (installed) - /usr/local/lib/luarocks/rocks

luacrypto
   0.3.2-2 (installed) - /usr/local/lib/luarocks/rocks

luajwtjitsi
   2.0-0 (installed) - /usr/local/lib/luarocks/rocks

luaossl
   20200709-0 (installed) - /usr/local/lib/luarocks/rocks

luasec
   1.0.1-1 (installed) - /usr/local/lib/luarocks/rocks

luasocket
   3.0rc1-2 (installed) - /usr/local/lib/luarocks/rocks

Shankar_Bavan · May 6, 2021, 11:47am

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "jitsi.domain.com";

external_service_secret = "EiFdp83kLK8pbZ9h";
external_services = {
     { type = "stun", host = "jitsi.domain.com", port = 3478 },
     { type = "turn", host = "jitsi.domain.com, port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
     { type = "turns", host = "jitsi.domain.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES12$
}

VirtualHost "jitsi.domain.com"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    app_id="9912dc76c9c2e0"
    app_secret="d44f31b9f77e449f74821"
    allow_empty_token = false;
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/aa.key";
        certificate = "/etc/prosody/certs/aa.crt";
    }
    speakerstats_component = "speakerstats.jitsi.domain.com"
    conference_duration_component = "conferenceduration.jitsi.domain.com"
    -- we need bosh
    modules_enabled = {
    "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "muc_lobby_rooms";
        "presence_identity";
        "token_moderation";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.jitsi.domain.com"
    main_muc = "conference.jitsi.domain.com"
    -- muc_lobby_whitelist = { "recorder.jitsi.domain.com" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.jitsi.domain.com" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
    }
    admins = { "focus@auth.jitsi.domain.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true
    
-- internal muc component
Component "internal.auth.jitsi.domain.com" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.jitsi.domain.com", "jvb@auth.jitsi.domain.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.jitsi.domain.com"
    ssl = {
        key = "/etc/prosody/certs/auth.jitsi.domain.com.key";
        certificate = "/etc/prosody/certs/auth.jitsi.domain.com.crt";
    }
    authentication = "internal_hashed"

-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.jitsi.domain.com" "client_proxy"
    target_address = "focus@auth.jitsi.domain.com"

Component "speakerstats.jitsi.domain.com" "speakerstats_component"
    muc_component = "conference.jitsi.domain.com"

Component "conferenceduration.jitsi.domain.com" "conference_duration_component"
    muc_component = "conference.jitsi.domain.com"

VirtualHost "guest.jitsi.domain.com"
    authentication = "token"
    app_id="9912dc273777e630f8b1ecc876c9c2e0"
    app_secret="d44f31d075b4a379b9f77e449f748212"
    c2s_require_encryption=false
    --allow_empty_token = false;
    modules_enabled = {
      "muc_size";
      "speakerstats";
      "conference_duration";
    }

Component "lobby.jitsi.domain.com" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true

Component "internal.auth.jitsi.domain.com" "muc"
    modules_enabled = {
      "ping";
    }
    storage = "none"
    muc_room_cache_size = 1000

emrah · May 6, 2021, 12:00pm

Do you have valid token while connecting to the meeting room?

Shankar_Bavan · May 6, 2021, 12:02pm

yes. I used laravel php framework.

I have same setup on different server. it is working well.
I’m doing another setup on aws. got stuck with this

I used this guide

github.com

jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

JWT token authentication Prosody plugin
==================

This plugin implements Prosody authentication provider that verifies client connection based on JWT token described in [RFC7519].
It allows to use any external form of authentication with lib-jitsi-meet. Once your user authenticates you need to
generate the JWT token as described in the RFC and pass it to your client app. Once it connects with valid token is considered authenticated by jitsi-meet system.

During configuration you will need to provide the *application ID* that identifies the client and a *secret* shared by both server and JWT token generator. Like described in the RFC, secret is used to compute HMAC hash value which allows to authenticate generated token. There are many existing libraries which can be used to implement token generator. More info can be found here: [http://jwt.io/#libraries-io]

JWT token authentication currently works only with BOSH connections.

[RFC7519]: https://tools.ietf.org/html/rfc7519
[http://jwt.io/#libraries-io]: http://jwt.io/#libraries-io

### Token structure

The following JWT claims are used in authentication token:
- 'iss' specifies *application ID* which identifies the client app connecting to the server. It should be negotiated with the service provider before generating the token.
- 'room' contains the name of the room for which the token has been allocated. This is *NOT* full MUC room address. Example assuming that we have full MUC 'conference1@muc.server.net' then 'conference1' should be used here.  Alternately, a '*' may be provided, allowing access to all rooms within the domain.
- 'exp' token expiration timestamp as defined in the RFC

This file has been truncated. show original

emrah · May 6, 2021, 12:13pm

Can you try with token from jitok

aud and iss should be 9912dc76c9c2e0 according to our config

emrah · May 6, 2021, 12:20pm

Is the token_moderation; line added manually or already there?

Shankar_Bavan · May 6, 2021, 12:21pm

I added manually. plugin file also added.
I removed that and tested. no luck

emrah · May 6, 2021, 12:24pm

Is this a paste error or is 'p' really missing?

Shankar_Bavan · May 6, 2021, 12:27pm

that is copy paste error

Shankar_Bavan · May 6, 2021, 3:49pm

I tried this. no luck.

Do you have any other guide to configure token authentication?

Thank you very much for your support @emrah

emrah · May 6, 2021, 4:35pm

I have no guide but I have an installer

Shankar_Bavan · May 7, 2021, 8:47am

I’m re-installing on fresh instance. I got this error when I install token

emrah · May 7, 2021, 9:40am

What is your distro/version?

Shankar_Bavan · May 7, 2021, 9:42am

Ubuntu 20.04 LTS

emrah · May 7, 2021, 10:20am

Is liblua5.2-dev installed?