Challenges in whitelisting meet.jit.si

As part of a customer implementation, their security team is asking us to whitelist only a subdomain of Jitsi instead of https://meet.jit.si. The issue with opening up the entire URL is that it will enable it for a whole lot of users in the company. Is there any option for it?

Not sure I understand. What exactly do they want to accomplish? If you want to have meetings on meet.jit.si you’ll need to whitelist that domain, there is no way around that. What would a subdomain accomplish?

Would you mean a “subnet” on the company's network, limiting only a certain segment of the company's network to be able to access meet.jit.si?

Thanks for the reply.

The company infosec team do not want to whitelist the entire URL. This is because they do not want other employees of the company to use Jitsi. They are ready to allow us if we are using a subdomain, say https://meet.jit.si/mycompany. We need to create meeting requests from this URL.

Thanks for the reply.

Cannot have a subnet in this case. It needs to be a subdomain.

Can you please explain what you mean by subdomain, and explain more clearly what you want to achieve? Maybe give examples of what you mean by domain and subdomain, and what you want to do with these?

https://meet.jit.si/mycompany is not a subdomain, that is a name of a Jitsi meeting room, the room being called ‘mycompany’. Meeting rooms can be called using many different names.

meet.jit.si is a subdomain of jit.si, as would internalmeetings.jit.si, and mail.jit.si, if such subdomains were used by jit.si.

Is it that you have been asked to limit access to only a certain list of predetermined meeting room names?

Maybe you could ask 8x8 to host a Jitsi server for your company (for a cost), with a URL like https://mycompany.jit.si/, or alternatively, host your own Jitsi server?

Yes, this can be done. Room names will be appended after. So, for instance, for a meeting named “abc”, you can have the URL as https://meet.jit.si/mycompany/abc.

OK, got it. Thanks.

OK. So I guess I will be able to whitelist the URL meet.jit.si/mycompany only, right? I do not want other employees in the company to access the main URL meet.jit.si.

Freddie,

Now I am curious, functionality I was not aware of.

How is this achieved?

I tested with jisti.mydomain.com/FredsBakery/AGM and it returned 404 Not Found.

I tested with meet.jit.si/FredsBakery/AGM and it opened a room.

Clearly there is a difference between these two server configurations.

What/why is there a difference?

Missing some configs, I guess. That had been enabled by default for a long time, but old installs need a manual update of the nginx config and such.

Thanks for the quick reply, damencho. You have provided me with some interesting reading.

As I am using Apache2, is there a link for apache2 config for multidomain?

Unfortunately we are not using Apache, so we don’t have it configured in Apache. If you make it work there, any PRs updating the Apache config template are welcome.

Thanks damencho, I will put some thought to that later on. I know how to start and stop apache2 and do some basic configuration, but it will take a bit more learning to translate nginx to apache2. That learning is worth the effort all the same, but takes time.

@GeorgeJitsi @saghul @Freddie Is it possible to configure a subdomain, say abc.mycompany.com, with a CNAME host and value pointing to meet.jit.si? Can I use that domain in the Jitsi JS file? Will it work?

You can host your own Jitsi server

Yes, thought of that also. Since I am not sure about the level of infra required, we thought of using Jitsi Meet. Being a startup, we cannot afford to have large investments in the infra. Cost is the factor why we did not choose the 8x8 option of spinning up our own server. Another concern is the availability of the service. Getting the recipe right for that might be a challenge for a self-hosted model. We are running a POC and need to prove that the solution works. Once we have the production version we might be able to go for our own server.

You cannot whitelist a URL path unless your entire corporate network is behind some HTTP proxy. meet.jit.si/foo/bar and meet.jit.si/spam/eggs are served from the same infrastructure.
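
The point in the last reply, as an added example that is not part of the thread: for HTTPS, a DNS filter, firewall or CONNECT-only proxy sees the host name but not the path, so a path-prefix rule can only be evaluated by a proxy that inspects the decrypted request. The `decide` function, its three outcomes and the `/mycompany/` prefix rule are hypothetical, built from the names used in the thread.

```python
import posixpath
from urllib.parse import unquote, urlsplit

ALLOWED_HOST = "meet.jit.si"    # host named in the thread
ALLOWED_PREFIX = "/mycompany/"  # path prefix the poster wants to allow (assumed rule)

def visible_to_filter(url, tls_inspection):
    """Return (host, path) as a network control would observe it.

    For HTTPS without TLS inspection (DNS filter, firewall, CONNECT-only
    proxy) the path travels inside the encrypted channel, so it is None.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https" and not tls_inspection:
        return host, None
    return host, parts.path or "/"

def decide(url, tls_inspection):
    """Return 'allow', 'deny', or 'host-only' when the path rule cannot be applied."""
    host, path = visible_to_filter(url, tls_inspection)
    if host != ALLOWED_HOST:
        return "deny"
    if path is None:
        # Every room on the host looks identical: allow or block the whole host.
        return "host-only"
    # Decode and collapse dot segments before comparing, so that
    # /mycompany/../other or /mycompany/%2e%2e/other cannot pass as a match.
    norm = "/" + posixpath.normpath(unquote(path)).lstrip("/")
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return "allow" if norm.startswith(ALLOWED_PREFIX) else "deny"

if __name__ == "__main__":
    # Constructed sample URLs using the room names mentioned in the thread.
    samples = [
        "https://meet.jit.si/mycompany/abc",
        "https://meet.jit.si/spam/eggs",
        "https://meet.jit.si/mycompany/%2e%2e/spam/eggs",
    ]
    for url in samples:
        print(url, "| host-only filter:", decide(url, False),
              "| inspecting proxy:", decide(url, True))
```
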