Can't make jicofo secure


#1

Hello,

I’m trying to enable password authentication with Jicofo, but it breaks the working application.

I’ve followed everything on the page, and I don’t use Jigasi right now.

    // When using authentication, domain for guest users.
    anonymousdomain: 'guest.mydomain.org',
    // Domain for authenticated users. Defaults to <domain>.
    //authdomain: 'jitsi-meet.mydomain.org',

Do I need these entries in the DNS?

When I look at the JavaScript console in my browser:

Logger.js:125 [JitsiMeetJS.js] <Object.getGlobalOnErrorHandler>: UnhandledError: null Script: null Line: null Column: null StackTrace: Error: Strophe: BOSH-Connection failed: host-unknown
at Object.i.Strophe.log (strophe.util.js:89)
at Object.error (strophe.js:2083)
at e.Bosh._connect_cb (strophe.js:5291)
at s.Connection._connect_cb (strophe.js:3910)
at e.Bosh._onRequestStateChange (strophe.js:5559)
n @ Logger.js:125
getGlobalOnErrorHandler @ JitsiMeetJS.js:535
window.onerror @ middleware.js:100
callErrorHandler @ GlobalOnErrorHandler.js:61
i.Strophe.log @ strophe.util.js:89
error @ strophe.js:2083
_connect_cb @ strophe.js:5291
_connect_cb @ strophe.js:3910
_onRequestStateChange @ strophe.js:5559
XMLHttpRequest.send (async)
l @ strophe.js:5662
_processRequest @ strophe.js:5677
_throttledRequestHandler @ strophe.js:5823
_connect @ strophe.js:5170
connect @ strophe.js:3051
value @ xmpp.js:282
value @ xmpp.js:342
r.connect @ JitsiConnection.js:61
e @ connection.js:38
(anonymous) @ connection.js:62
r @ connection.js:86
t.a @ connection.js:179
(anonymous) @ conference.js:150
createInitialLocalTracksAndConnect @ conference.js:160
init @ conference.js:715
(anonymous) @ actions.web.js:28
(anonymous) @ index.js:11
(anonymous) @ middleware.js:41
(anonymous) @ middleware.js:27
(anonymous) @ middleware.js:13
(anonymous) @ middleware.js:21
(anonymous) @ middleware.js:22
(anonymous) @ middleware.js:18
(anonymous) @ middleware.js:63
(anonymous) @ middleware.js:43
(anonymous) @ middleware.web.js:35
(anonymous) @ middleware.js:29
(anonymous) @ middleware.js:99
(anonymous) @ middleware.js:17
(anonymous) @ middleware.js:30
(anonymous) @ middleware.js:20
(anonymous) @ middleware.js:39
(anonymous) @ middleware.js:12
(anonymous) @ middleware.js:29
(anonymous) @ middleware.js:25
(anonymous) @ middleware.web.js:23
(anonymous) @ middleware.any.js:94
(anonymous) @ middleware.js:65
(anonymous) @ middleware.js:33
(anonymous) @ middleware.js:25
(anonymous) @ middleware.js:29
(anonymous) @ middleware.js:44
(anonymous) @ middleware.js:100
(anonymous) @ middleware.js:62
(anonymous) @ middleware.js:24
(anonymous) @ middleware.js:42
(anonymous) @ middleware.js:38
(anonymous) @ middleware.js:27
(anonymous) @ middleware.js:23
(anonymous) @ middleware.js:25
(anonymous) @ middleware.js:45
(anonymous) @ middleware.js:42
(anonymous) @ middleware.js:18
(anonymous) @ middleware.js:130
(anonymous) @ middleware.js:126
value @ Conference.web.js:274
value @ Conference.web.js:155
Bn @ react-dom.production.min.js:214
Hn @ react-dom.production.min.js:206
Rn @ react-dom.production.min.js:205
Dn @ react-dom.production.min.js:201
enqueueSetState @ react-dom.production.min.js:131
o.setState @ react.production.min.js:12
n @ I18n.js:135
t @ I18n.js:147
(anonymous) @ EventEmitter.js:46
e.emit @ EventEmitter.js:45
(anonymous) @ i18next.js:162
(anonymous) @ i18next.js:265
(anonymous) @ i18next.js:266
(anonymous) @ BackendConnector.js:134
t.loaded @ BackendConnector.js:121
(anonymous) @ BackendConnector.js:269
(anonymous) @ BackendConnector.js:162
(anonymous) @ index.js:94
s.onreadystatechange @ ajax.js:66
XMLHttpRequest.send (async)
t.default @ ajax.js:68
value @ index.js:82
value @ index.js:75
t.read @ BackendConnector.js:155
t.loadOne @ BackendConnector.js:265
(anonymous) @ BackendConnector.js:211
t.load @ BackendConnector.js:210
(anonymous) @ i18next.js:215
t.load @ CacheConnector.js:40
t.loadResources @ i18next.js:214
r @ i18next.js:280
t.changeLanguage @ i18next.js:286
s @ i18next.js:159
setTimeout (async)
t.init @ i18next.js:171
(anonymous) @ i18next.js:68
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ actions.js:46
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ actionTypes.js:10
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ functions.js:87
(anonymous) @ functions.js:9
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ AnalyticsEvents.js:630
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ actions.js:714
(anonymous) @ actions.js:501
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ AnalyticsEvents.js:67
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ actions.js:240
(anonymous) @ actions.js:265
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ _descriptors.js:3
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ actions.js:20
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ actions.web.js:265
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ actions.js:17
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ AuthHandler.js:15
(anonymous) @ AuthHandler.js:229
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ connection.js:189
(anonymous) @ connection.js:149
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ jquery.autosize.js:274
(anonymous) @ conference.js:2710
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ RemoteControlParticipant.js:54
t @ bootstrap 2f6d6f3c8ae82385fb5c:19
(anonymous) @ bootstrap 2f6d6f3c8ae82385fb5c:62
(anonymous) @ bootstrap 2f6d6f3c8ae82385fb5c:62
Logger.js:125 [modules/xmpp/strophe.util.js] <Object.i.Strophe.log>: Strophe: BOSH-Connection failed: host-unknown

I suppose that this piece is important:

    // BOSH URL. FIXME: use XEP-0156 to discover it.
    bosh: '//conference.jitsi.mydomain.org/http-bind',


#2

So for domain and anonymous domain you don’t need DNS, but for bosh you need it; the BOSH connection address is normally the one you use to access the web where you have deployed, and by default it is the same as domain…
What I mean is that all the domains inside prosody do not need a DNS entry. You need one only for the address you use to access the deployment and for the BOSH connection, which are normally the same (if they are different, some browser protection kicks in and you need some extra HTTP headers coming from the web server).
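The point in the reply above, as an added example that is not part of the thread or of the Jitsi code base: a browser resolves the `bosh` config value relative to the page it loaded jitsi-meet from, so a protocol-relative value like `//conference.jitsi.mydomain.org/http-bind` becomes a different origin from `https://jitsi.mydomain.org`, and the "browser protection" that kicks in is the same-origin policy, which the web server can only satisfy by sending CORS headers (`Access-Control-Allow-Origin` for the page origin). The helper below resolves a candidate `bosh` value the way the browser would and reports whether it is same-origin, needs CORS, or cannot be used at all (non-HTTP scheme, or plain-http BOSH from an https page, which browsers block as mixed content). The host names are the example values from the thread; the function name and result shape are my own.

```javascript
// Added example (not from the original thread or the Jitsi project): resolve a
// jitsi-meet `bosh` config value relative to the page URL and classify it.
// Host names are the thread's example values, not real deployments.

function checkBoshOrigin(boshValue, pageUrl) {
  const page = new URL(pageUrl);
  let bosh;
  try {
    // A protocol-relative value ('//host/http-bind') inherits the page scheme;
    // a bare path ('/http-bind') inherits scheme and host as well.
    bosh = new URL(boshValue, page.href);
  } catch (e) {
    return { ok: false, reason: `unparseable bosh value: ${boshValue}` };
  }

  if (bosh.protocol !== 'http:' && bosh.protocol !== 'https:') {
    // e.g. 'bosh://host/http-bind' parses as a URL, but no browser will open
    // an XMLHttpRequest to a 'bosh:' scheme.
    return { ok: false, url: bosh.href, reason: `unsupported scheme ${bosh.protocol}` };
  }

  const sameOrigin = bosh.origin === page.origin;
  // An https page is not allowed to make plain-http XHR requests at all.
  const mixedContent = page.protocol === 'https:' && bosh.protocol === 'http:';

  return {
    ok: !mixedContent,
    url: bosh.href,
    sameOrigin,
    // Cross-origin BOSH works only if the web server in front of /http-bind
    // answers with CORS headers for the page origin.
    needsCors: !sameOrigin,
    reason: mixedContent ? 'mixed content: https page, http bosh' : undefined,
  };
}

// Demo with the values that appear in the thread.
if (typeof require !== 'undefined' && require.main === module) {
  const pageUrl = 'https://jitsi.mydomain.org/myroom';
  for (const v of [
    '//conference.jitsi.mydomain.org/http-bind',
    '//jitsi.mydomain.org/http-bind',
    '/http-bind',
    'bosh://jitsi.mydomain.org/http-bind',
  ]) {
    console.log(v, '->', checkBoshOrigin(v, pageUrl));
  }
}
```

Running it with the thread's values shows that `//conference.jitsi.mydomain.org/http-bind` resolves to a different origin than the page at `jitsi.mydomain.org` (so it needs both a DNS record for `conference.jitsi.mydomain.org` and CORS headers), while `//jitsi.mydomain.org/http-bind` or simply `/http-bind` stays same-origin and needs neither.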


#3

Thank you, Damencho, for this clarification.

I changed it to:

bosh://jitsi.mydomain.org/http-bind

And I will troubleshoot further.


#4

Thank you for your answers, I managed to make it (almost) work.

The problem was that on this page, the domain refers to jitsi-meet.example.com
https://github.com/jitsi/jicofo

But on this page it refers to jitsi.example.com
https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md

In fact it should be the same domain in both cases. Very confusing…

The only thing I don’t understand, and which doesn’t work as I’d like, is the username that is allowed to create a room.
It works with myuser but doesn’t work with myuser@mydomain.org

Do you know if I could create a room with myuser@domain1.org and youruser@domain2.org ?
Also, after I have authenticated, I don’t have to reauthenticate. How long does it last? Can I configure this delay?


#5

These are two separate documents; they should be consistent, but those docs are not in sync in any way.

Nope, that is currently not possible.

There is an option for jicofo to disable re-authentication:
org.jitsi.jicofo.auth.DISABLE_AUTOLOGIN=true
The default is 24h.


You can configure that using this property: