After changing the .env file to enable auth, is it enough to execute “docker-compose up -d” to apply changes? Can someone look pls?

Hello, I changed my self-hosted server’s .env configuration to enable authentication. It looks like this:

# Enable authentication
ENABLE_AUTH=1
# Enable guest access
ENABLE_GUESTS=0
# Select authentication type: internal, jwt or ldap
AUTH_TYPE=jwt
# JWT authentication
# Application identifier
JWT_APP_ID= myıd
JWT_APP_SECRET=myscret

And then I executed the “docker-compose up -d” command to apply the changes. But everyone without a token was still able to get into the conferences (I believe that after enabling JWT token auth, Jitsi checks whether there’s a token in the URL. I tried to connect without a token, just with a room name, and I managed to create a room). So it did not work. The possible reasons I can think of are:

  1. I was not able to apply the changes to the server because “docker-compose up -d” was not enough. Maybe I should have run “docker-compose down” (or something similar) before executing the up command.
  2. I need extra server configuration.

Can someone help? Thanks

What image versions did you install?

I think first you should remove the config directory, because it does not get overwritten if you restart the container. Then you should run docker-compose restart web (or whatever the name of the service is). Alternatively, you could first bring the containers down and then up again: docker-compose down and then docker-compose up -d.

How will I remove the config directory?

Hi, I did not install anything extra for authentication if that’s what you are asking

By default there should be a directory called .jitsi-meet-cfg right next to your docker-compose file. Just remove that directory and restart all of the containers (you have to restart them all because this directory contains configs for other services as well and they have to be generated again).

I had a similar problem with jitsi.


It is not stated very directly in the documentation, but it is not enough to just write the variables in the .env file.
You also have to list these variables in the docker-compose file as environment variables:

version: '3'
services:
    web:
        environment:
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - AUTH_TYPE
            - JWT_APP_ID
            - JWT_APP_SECRET

If that doesn’t work, it can also help to delete the volumes from docker:

version: '3'
services:
    web:
        volumes:
            - ${CONFIG}/web
            - ${CONFIG}/transcripts

But don’t forget to back up your SSL certificates beforehand and to disable the generation of new certificates, because of the limits of Let’s Encrypt.

All of them are present under the prosody environment, and ENABLE_AUTH and ENABLE_GUESTS are present in the web environment. Is this not enough?

Ok, I found the folder. It is full of folders like jibri, jicofo, etc. I am afraid that if I remove the directory some other configurations will not be able to come back or will be broken. (I did not personally configure this server, thus I am afraid to remove anything.)

In your .env file there is a variable called CONFIG that points to the current config directory. Rename that variable to something else and restart all of the containers. Check if the system works correctly. If it doesn’t, just change the variable back to its original state and restart again. If that happens, it means someone changed the files directly without changing the .env configuration as well, in which case the process will be a bit more difficult.

I changed the CONFIG variable’s name and then did “docker-compose up -d”. I think everything went okay; “done” was written a couple of times. But when I tried to open the URL of the self-hosted Jitsi, it did not open. The site was inaccessible. So I renamed it back to its old name and tried again. Now the server URL opens just fine, but it still opens up conference rooms without tokens…

Can you please answer me? Is it enough that I made the changes I described above to enable the token URL option?

I added the rest but it still did not work…

Check the generated config files in CONFIG/

Okay, I can check them. But in what way? What should I check for? @saghul

Put the prosody config file somewhere for us to examine and check if it was properly generated.
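As an added example (not from this thread or from the docker-jitsi-meet project), a small Python checker for the generated conf.d file that confirms the three things the JWT setup must have rendered: authentication = "token" on the main VirtualHost, allow_empty_token = false, and the token_verification module on the MUC component. The embedded sample config is constructed in the shape of the file posted later in this thread; the domain names meet.jitsi and muc.meet.jitsi are taken from that file.

```python
import re
# Constructed sample in the shape of the generated conf.d file posted in this thread (not the poster's file).
SAMPLE_CFG = '''
VirtualHost "meet.jitsi"
    authentication = "token"
    allow_empty_token = false
    modules_enabled = {
        "bosh";
        "ping";
    }
VirtualHost "auth.meet.jitsi"
    authentication = "internal_hashed"
Component "muc.meet.jitsi" "muc"
    modules_enabled = {
        "muc_meeting_id";
        "token_verification";
    }
'''
SECTION_RE = re.compile(r'^\s*(VirtualHost|Component)\s+"([^"]+)"', re.M)

def parse_sections(cfg):
    """Split a Prosody config into {name: body}; text before the first section is '(global)'."""
    sections, pos, name = {}, 0, "(global)"
    for m in SECTION_RE.finditer(cfg):
        sections[name] = sections.get(name, "") + cfg[pos:m.start()]
        name, pos = m.group(2), m.end()
    sections[name] = sections.get(name, "") + cfg[pos:]
    return sections

def setting(body, key):
    """Value of a scalar `key = value` line inside one section, quotes stripped."""
    m = re.search(r'^\s*%s\s*=\s*"?([^"\n]+?)"?\s*$' % re.escape(key), body, re.M)
    return m.group(1) if m else None

def modules(body):
    """Module names listed in the section's modules_enabled block."""
    m = re.search(r'modules_enabled\s*=\s*{(.*?)}', body, re.S)
    return set(re.findall(r'"([^"]+)"', m.group(1))) if m else set()

def check_jwt_auth(cfg=SAMPLE_CFG, domain="meet.jitsi", muc_domain="muc.meet.jitsi"):
    """List what is missing for JWT auth; [] means ENABLE_AUTH=1 / AUTH_TYPE=jwt was rendered."""
    sections, problems = parse_sections(cfg), []
    auth = setting(sections.get(domain, ""), "authentication")
    if auth != "token":  # "anonymous" here is exactly the no-auth state described in the thread
        problems.append(f'{domain}: authentication is {auth!r}, expected "token"')
    if setting(sections.get(domain, ""), "allow_empty_token") != "false":
        problems.append(f"{domain}: allow_empty_token should be false")
    if "token_verification" not in modules(sections.get(muc_domain, "")):
        problems.append(f"{muc_domain}: token_verification missing from modules_enabled")
    return problems
```

Run it on the real file with check_jwt_auth(open(path).read()); comparing the rendered app_id against JWT_APP_ID in .env also tells you whether the file was regenerated from the current .env at all.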

This is my prosody.cfg.lua file (I hope this was what you asked for):

modules_enabled = {
    -- Generally required
    "roster"; -- Allow users to have a roster. Recommended ;)
    "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
    "tls"; -- Add support for secure TLS on c2s/s2s connections
    "dialback"; -- s2s dialback support
    "disco"; -- Service discovery
    -- Not essential, but recommended
    "private"; -- Private XML storage (for room bookmarks, etc.)
    "vcard"; -- Allow users to set vCards
    -- These are commented by default as they have a performance impact
    --"privacy"; -- Support privacy lists
    --"compression"; -- Stream compression (Debian: requires lua-zlib module to work)
    -- Nice to have
    "version"; -- Replies to server version requests
    "uptime"; -- Report how long server has been running
    "time"; -- Let others know the time here on this server
    "ping"; -- Replies to XMPP pings with pongs
    "pep"; -- Enables users to publish their mood, activity, playing music and more
    "register"; -- Allow users to register on this server using a client and change passwords
    -- Admin interfaces
    "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
    --"admin_telnet"; -- Opens telnet console interface on localhost port 5582
    -- HTTP modules
    --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
    --"http_files"; -- Serve static files from a directory over HTTP
    -- Other specific functionality
    "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
    --"groups"; -- Shared roster support
    --"announce"; -- Send announcement to all online users
    --"welcome"; -- Welcome users who register accounts
    --"watchregistrations"; -- Alert admins of registrations
    --"motd"; -- Send a message to users when they log in
    --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
    {{ if .Env.GLOBAL_MODULES }}
    "{{ join "\";\n\"" (splitList "," .Env.GLOBAL_MODULES) }}";
    {{ end }}
};
https_ports = { }
-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
    -- "offline"; -- Store offline messages
    -- "c2s"; -- Handle client connections
    "s2s"; -- Handle server-to-server connections
};
-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = false;
daemonize = false;
pidfile = "/config/data/prosody.pid";
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = false
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = false
-- Many servers don't support encryption or have invalid or self-signed
-- certificates. You can list domains here that will not be required to
-- authenticate using certificates. They will be authenticated using DNS.
--s2s_insecure_domains = { "gmail.com" }
-- Even if you leave s2s_secure_auth disabled, you can still require valid
-- certificates for some domains by specifying a list here.
--s2s_secure_domains = { "jabber.org" }
-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.
authentication = "internal_hashed"
-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.
--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
-- For the "sql" backend, you can uncomment one of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
--
-- Debian:
-- Logs info and higher to /var/log
-- Logs errors to syslog also
log = {
    { levels = {min = "{{ $LOG_LEVEL }}"}, to = "console"};
}
{{ if .Env.GLOBAL_CONFIG }}
{{ join "\n" (splitList "\n" .Env.GLOBAL_CONFIG) }}
{{ end }}
-- Enable use of native prosody 0.11 support for epoll over select
network_backend = "epoll";
-- Set the TCP backlog to 511 since the kernel rounds it up to the next power of 2: 512.
network_settings = {
    tcp_backlog = 511;
}
component_interface = { "*" }
data_path = "/config/data"
Include "conf.d/*.cfg.lua"

Sorry, I should have clarified. There is another config file for jitsi meet inside conf.d, please post that one.

I found two "conf.d"s, so I posted both of them:
Alright, so this is in ./prosody/rootfs/defaults/conf.d:

admins = {
    "{{ .Env.JICOFO_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}",
    "{{ .Env.JVB_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}"
}
plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }
http_default_host = "{{ .Env.XMPP_DOMAIN }}"
{{ $ENABLE_AUTH := .Env.ENABLE_AUTH | default "0" | toBool }}
{{ $ENABLE_GUEST_DOMAIN := and $ENABLE_AUTH (.Env.ENABLE_GUESTS | default "0" | toBool) }}
{{ $AUTH_TYPE := .Env.AUTH_TYPE | default "internal" }}
{{ $JWT_ASAP_KEYSERVER := .Env.JWT_ASAP_KEYSERVER | default "" }}
{{ $JWT_ALLOW_EMPTY := .Env.JWT_ALLOW_EMPTY | default "0" | toBool }}
{{ $JWT_AUTH_TYPE := .Env.JWT_AUTH_TYPE | default "token" }}
{{ $JWT_TOKEN_AUTH_MODULE := .Env.JWT_TOKEN_AUTH_MODULE | default "token_verification" }}
{{ $ENABLE_LOBBY := .Env.ENABLE_LOBBY | default "0" | toBool }}
{{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") .Env.JWT_ACCEPTED_ISSUERS }}
asap_accepted_issuers = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_ISSUERS) }}" }
{{ end }}
{{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") .Env.JWT_ACCEPTED_AUDIENCES }}
asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AUDIENCES) }}" }
{{ end }}
VirtualHost "{{ .Env.XMPP_DOMAIN }}"
{{ if $ENABLE_AUTH }}
  {{ if eq $AUTH_TYPE "jwt" }}
    authentication = "{{ $JWT_AUTH_TYPE }}"
    app_id = "{{ .Env.JWT_APP_ID }}"
    app_secret = "{{ .Env.JWT_APP_SECRET }}"
    allow_empty_token = {{ if $JWT_ALLOW_EMPTY }}true{{ else }}false{{ end }}
    {{ if $JWT_ASAP_KEYSERVER }}
    asap_key_server = "{{ .Env.JWT_ASAP_KEYSERVER }}"
    {{ end }}
  {{ else if eq $AUTH_TYPE "ldap" }}
    authentication = "cyrus"
    cyrus_application_name = "xmpp"
    allow_unencrypted_plain_auth = true
  {{ else if eq $AUTH_TYPE "internal" }}
    authentication = "internal_hashed"
  {{ end }}
{{ else }}
    authentication = "anonymous"
{{ end }}
    ssl = {
        key = "/config/certs/{{ .Env.XMPP_DOMAIN }}.key";
        certificate = "/config/certs/{{ .Env.XMPP_DOMAIN }}.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping";
        "speakerstats";
        "conference_duration";
        {{ if and $ENABLE_LOBBY (not $ENABLE_GUEST_DOMAIN) }}
        "muc_lobby_rooms";
        {{ end }}
        {{ if .Env.XMPP_MODULES }}
        "{{ join "\";\n\"" (splitList "," .Env.XMPP_MODULES) }}";
        {{ end }}
        {{ if and $ENABLE_AUTH (eq $AUTH_TYPE "ldap") }}
        "auth_cyrus";
        {{end}}
    }
    {{ if and $ENABLE_LOBBY (not $ENABLE_GUEST_DOMAIN) }}
    main_muc = "{{ .Env.XMPP_MUC_DOMAIN }}"
    lobby_muc = "lobby.{{ .Env.XMPP_DOMAIN }}"
    {{ end }}
    speakerstats_component = "speakerstats.{{ .Env.XMPP_DOMAIN }}"
    conference_duration_component = "conferenceduration.{{ .Env.XMPP_DOMAIN }}"
    c2s_require_encryption = false
{{ if $ENABLE_GUEST_DOMAIN }}
VirtualHost "{{ .Env.XMPP_GUEST_DOMAIN }}"
    authentication = "anonymous"
    c2s_require_encryption = false
    {{ if $ENABLE_LOBBY }}
    modules_enabled = {
        "muc_lobby_rooms";
    }
    main_muc = "{{ .Env.XMPP_MUC_DOMAIN }}"
    lobby_muc = "lobby.{{ .Env.XMPP_DOMAIN }}"
    {{ end }}
{{ end }}
VirtualHost "{{ .Env.XMPP_AUTH_DOMAIN }}"
    ssl = {
        key = "/config/certs/{{ .Env.XMPP_AUTH_DOMAIN }}.key";
        certificate = "/config/certs/{{ .Env.XMPP_AUTH_DOMAIN }}.crt";
    }
    authentication = "internal_hashed"
{{ if .Env.XMPP_RECORDER_DOMAIN }}
VirtualHost "{{ .Env.XMPP_RECORDER_DOMAIN }}"
    modules_enabled = {
        "ping";
    }
    authentication = "internal_hashed"
{{ end }}
Component "{{ .Env.XMPP_INTERNAL_MUC_DOMAIN }}" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
        {{ if .Env.XMPP_INTERNAL_MUC_MODULES }}
        "{{ join "\";\n\"" (splitList "," .Env.XMPP_INTERNAL_MUC_MODULES) }}";
        {{ end }}
    }
    muc_room_locking = false
    muc_room_default_public_jids = true
Component "{{ .Env.XMPP_MUC_DOMAIN }}" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        {{ if .Env.XMPP_MUC_MODULES }}
        "{{ join "\";\n\"" (splitList "," .Env.XMPP_MUC_MODULES) }}";
        {{ end }}
        {{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") }}
        "{{ $JWT_TOKEN_AUTH_MODULE }}";
        {{ end }}
    }
    muc_room_cache_size = 1000
    muc_room_locking = false
    muc_room_default_public_jids = true
Component "focus.{{ .Env.XMPP_DOMAIN }}"
    component_secret = "{{ .Env.JICOFO_COMPONENT_SECRET }}"
Component "speakerstats.{{ .Env.XMPP_DOMAIN }}" "speakerstats_component"
    muc_component = "{{ .Env.XMPP_MUC_DOMAIN }}"
Component "conferenceduration.{{ .Env.XMPP_DOMAIN }}" "conference_duration_component"
    muc_component = "{{ .Env.XMPP_MUC_DOMAIN }}"
{{ if $ENABLE_LOBBY }}
Component "lobby.{{ .Env.XMPP_DOMAIN }}" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
{{ end }}


And this is in docker-jitsi-meet/root/snap/docker/471/.jitsi-meet-cfg/prosody/config/conf.d:

admins = {
    "focus@auth.meet.jitsi",
    "jvb@auth.meet.jitsi"
}
plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }
http_default_host = "meet.jitsi"
VirtualHost "meet.jitsi"
    authentication = "token"
    app_id = "my_jitsi_app_id"
    app_secret = "my_jitsi_app_secret"
    allow_empty_token = false
    ssl = {
        key = "/config/certs/meet.jitsi.key";
        certificate = "/config/certs/meet.jitsi.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping";
        "speakerstats";
        "conference_duration";
    }
    speakerstats_component = "speakerstats.meet.jitsi"
    conference_duration_component = "conferenceduration.meet.jitsi"
    c2s_require_encryption = false
VirtualHost "auth.meet.jitsi"
    ssl = {
        key = "/config/certs/auth.meet.jitsi.key";
        certificate = "/config/certs/auth.meet.jitsi.crt";
    }
    authentication = "internal_hashed"
VirtualHost "recorder.meet.jitsi"
    modules_enabled = {
        "ping";
    }
    authentication = "internal_hashed"
Component "internal-muc.meet.jitsi" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    muc_room_locking = false
    muc_room_default_public_jids = true
Component "muc.meet.jitsi" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "token_verification";
    }
    muc_room_cache_size = 1000
    muc_room_locking = false
    muc_room_default_public_jids = true
Component "focus.meet.jitsi"
    component_secret = "92534da088532a29119325b35a6457d9"
Component "speakerstats.meet.jitsi" "speakerstats_component"
    muc_component = "muc.meet.jitsi"
Component "conferenceduration.meet.jitsi" "conference_duration_component"
    muc_component = "muc.meet.jitsi"

The token based auth config looks good there.
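With the token auth wired as above, the remaining question is whether a join without a token is refused and a join with a correctly signed one is accepted. As an added example (not from this thread or from Jitsi), here is a stdlib-only Python mint/verify pair for the HS256 JWT that this configuration expects: iss must equal app_id, the room claim names the conference, and nbf/exp bound its validity. The app_id/app_secret values are the constructed samples from the generated config above; the aud value "jitsi" and sub = XMPP domain are assumptions of this example.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(app_id, app_secret, room, xmpp_domain, ttl=3600, now=None):
    """HS256 JWT with the claims Jitsi's token auth checks: iss must equal the
    configured app_id, room names the conference ("*" = any room), nbf/exp bound
    validity. aud="jitsi" and sub=<XMPP domain> are assumptions of this example."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": app_id, "aud": "jitsi", "sub": xmpp_domain,
               "room": room, "nbf": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token, app_id, app_secret, room, now=None):
    """Return (True, claims) or (False, reason). The signature is checked before any
    claim is trusted, then the validity window, issuer and room claims."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
            return False, "unexpected alg"  # rejects alg=none and algorithm confusion
        expected = hmac.new(app_secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(p64))
        if not isinstance(claims, dict):
            raise ValueError
    except (ValueError, UnicodeDecodeError, AttributeError):
        return False, "malformed token"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token not within validity window"
    if claims.get("iss") != app_id:
        return False, "issuer does not match app_id"
    if claims.get("room") not in (room, "*"):
        return False, "token not valid for this room"
    return True, claims

if __name__ == "__main__":
    # Constructed sample values, taken from the generated config posted above.
    tok = mint_token("my_jitsi_app_id", "my_jitsi_app_secret", "teamsync", "meet.jitsi")
    print(tok)
    print(verify_token(tok, "my_jitsi_app_id", "my_jitsi_app_secret", "teamsync"))
```

The minted token is what gets appended to the meeting URL as ?jwt=...; a deployment where the same room still opens without that parameter is still running with authentication = "anonymous".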