Docker-Jitsi-Jicofo-Traefik

Hi,

I use Jitsi in Docker and it works fine with the standard configuration:

My follow link :

The result I want to achieve

I want :

To run jitsi meet with docker --> Ok
With Traefik --> ok with basic configuration (TLS, Redirect https), not with Jicofo
Schedule meetings on a given date, at a given time, via a single authorized user who will invite another user (including a room manager).

summary

My work environment

Docker stack Traefik and jitsi are the latest

Step 1 : Basic configuration

git clone https://github.com/jitsi/docker-jitsi-meet && cd docker-jitsi-meet
cp env.example .env
vim .env  

My .env configuration

CONFIG=.jitsi-meet-cfg
PUBLIC_URL=https://my_domain_name
./gen-passwords.sh
mkdir -p .jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}

Step 2 : Jicofo and create prosody user/passwd

# Enable authentication
ENABLE_AUTH=1

# Enable guest access
#ENABLE_GUESTS=1

# Select authentication type: internal, jwt or ldap
AUTH_TYPE=internal
docker-compose exec prosody prosodyctl --config /config/prosody.cfg.lua register mon_user meet.jitsi mon_passwd
docker-compose up -d
docker-compose ps

I can connect with a user and password!

Here’s my docker-compose.yml

Spoiler alert

It’s the same as https://github.com/jitsi/docker-jitsi-meet but I add my Traefik labels and network for the web service

labels:
   - "traefik.enable=true"
   - "traefik.http.routers.jitsi.rule=Host(`meet.my_domain`)  "
   - "traefik.http.routers.jitsi.entrypoints=websecure"

networks:
            meet.jitsi:
                aliases:
                    - ${XMPP_DOMAIN}
            traefik-nework:

But this is the complete file :

version: '3'

services:
    # Frontend
    web:
        image: jitsi/web:latest
        restart: ${RESTART_POLICY}
        ports:
            - '${HTTP_PORT}:80'
            - '${HTTPS_PORT}:443'
        volumes:
            - ${CONFIG}/web:/config:Z
              #- ${CONFIG}/web/letsencrypt:/etc/letsencrypt:Z # Traefik manage this ;)
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.jitsi.rule=Host(`meet.my_domain`)  "
            - "traefik.http.routers.jitsi.entrypoints=traefik-network-sec"
        environment:
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - ENABLE_LETSENCRYPT
            - ENABLE_HTTP_REDIRECT
            - ENABLE_TRANSCRIPTIONS
            - DISABLE_HTTPS
            - JICOFO_AUTH_USER
            - LETSENCRYPT_DOMAIN
            - LETSENCRYPT_EMAIL
            - PUBLIC_URL
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_BOSH_URL_BASE
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_RECORDER_DOMAIN
            - ETHERPAD_URL_BASE
            - TZ
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - ENABLE_RECORDING
        networks:
            meet.jitsi:
                aliases:
                    - ${XMPP_DOMAIN}
            traefik-nework:  
    # XMPP server
    prosody:
        image: jitsi/prosody:latest
        restart: ${RESTART_POLICY}
        expose:
            - '5222'
            - '5347'
            - '5280'
        volumes:
            - ${CONFIG}/prosody/config:/config:Z
            - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
        environment:
            - AUTH_TYPE
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - GLOBAL_MODULES
            - GLOBAL_CONFIG
            - LDAP_URL
            - LDAP_BASE
            - LDAP_BINDDN
            - LDAP_BINDPW
            - LDAP_FILTER
            - LDAP_AUTH_METHOD
            - LDAP_VERSION
            - LDAP_USE_TLS
            - LDAP_TLS_CIPHERS
            - LDAP_TLS_CHECK_PEER
            - LDAP_TLS_CACERT_FILE
            - LDAP_TLS_CACERT_DIR
            - LDAP_START_TLS
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_MODULES
            - XMPP_MUC_MODULES
            - XMPP_INTERNAL_MUC_MODULES
            - XMPP_RECORDER_DOMAIN
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JIGASI_XMPP_USER
            - JIGASI_XMPP_PASSWORD
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - JWT_APP_ID
            - JWT_APP_SECRET
            - JWT_ACCEPTED_ISSUERS
            - JWT_ACCEPTED_AUDIENCES
            - JWT_ASAP_KEYSERVER
            - JWT_ALLOW_EMPTY
            - JWT_AUTH_TYPE
            - JWT_TOKEN_AUTH_MODULE
            - LOG_LEVEL
            - TZ
        networks:
            meet.jitsi:
                aliases:
                    - ${XMPP_SERVER}

    # Focus component
    jicofo:
        image: jitsi/jicofo:latest
        restart: ${RESTART_POLICY}
        volumes:
            - ${CONFIG}/jicofo:/config:Z
        environment:
            - AUTH_TYPE
            - ENABLE_AUTH
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JICOFO_RESERVATION_REST_BASE_URL
            - JVB_BREWERY_MUC
            - JIGASI_BREWERY_MUC
            - JIGASI_SIP_URI
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - TZ
        depends_on:
            - prosody
              #labels:
              #- "traefik.enable=true"
              #- "traefik.http.routers.docker-jitsi-reservation.rule=Host(`reservation.example.com`)"
              #- "traefik.http.routers.docker-jitsi-reservation.entrypoints=websecure"
      
        networks:
            meet.jitsi:            

    # Video bridge
    jvb:
        image: jitsi/jvb:latest
        restart: ${RESTART_POLICY}
        ports:
            - '${JVB_PORT}:${JVB_PORT}/udp'
            - '${JVB_TCP_MAPPED_PORT}:${JVB_TCP_PORT}'
        volumes:
            - ${CONFIG}/jvb:/config:Z
        environment:
            - DOCKER_HOST_ADDRESS
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JVB_BREWERY_MUC
            - JVB_PORT
            - JVB_TCP_HARVESTER_DISABLED
            - JVB_TCP_PORT
            - JVB_STUN_SERVERS
            - JVB_ENABLE_APIS
            - TZ
        depends_on:
            - prosody
        networks:
            meet.jitsi:

# Custom network so all services can communicate using a FQDN
networks:
  meet.jitsi:
  traefik-nework:
    external: true

This config works fine

Step 3 : Jicofo …

I follow this https://github.com/jitsi/jicofo/blob/master/doc/reservation.md

I understood that we needed a url: http://reservation.example.com/

My Jicofo parameters in my .env configuration file:

# Base URL of Jicofo's reservation REST API
JICOFO_RESERVATION_REST_BASE_URL=https://reservation.my_domain_name

# Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
JICOFO_ENABLE_HEALTH_CHECKS=true

This config works fine, I mean:

Authentication for room access works fine

Now I have two great questions to achieve my final goal

  1. Jicofo configuration

For room reservation access, must I send a POST request to “https://reservation.my_domain_name”?
I have enabled Jicofo’s health check REST API; I guess I have to expose port 8888 on my jicofo container.

I get a 405 error, unauthorized.
Does anyone have an example request with authentication and password?
I tried the same way on a Debian package install (binary mode) and I got the same result.

  2. Traefik configuration

I guess Jicofo should not be on my Traefik network. However, how should I determine this host rule?

Like this on the front?

        image: jitsi/web:latest
        restart: ${RESTART_POLICY}
        ports:
            - '${HTTP_PORT}:80'
            - '${HTTPS_PORT}:443'
        volumes:
            - ${CONFIG}/web:/config:Z
              #- ${CONFIG}/web/letsencrypt:/etc/letsencrypt:Z # Traefik manage this ;)
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.jitsi.rule=Host(`meet.my_domain`) || Host(`reservation.meet.my_domain`) "
            - "traefik.http.routers.jitsi.entrypoints=traefik-network-sec"

I have a problem of understanding here

Can you help me? I hope I was clear, because there is a lot.
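
Added example, not part of the original post and not Jitsi project code: in the reservation document linked in Step 3, Jicofo is the HTTP client and sends `POST /conference` (form fields `name`, `start_time`, `mail_owner`) to whatever service answers at `JICOFO_RESERVATION_REST_BASE_URL`. The service below answers that call and admits a room only for its booked owner inside the booked window, which is the scheduling goal stated at the top of the post. The schedule, the port 8080, the early-open margin and the JID form of `mail_owner` are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

UTC = timezone.utc
# Constructed sample schedule; the owner is assumed to arrive as the Prosody JID.
BOOKINGS = {
    "weekly-sync": {"id": 1001, "owner": "mon_user@meet.jitsi",
                    "start": datetime(2030, 1, 7, 9, 0, tzinfo=UTC),
                    "end": datetime(2030, 1, 7, 10, 0, tzinfo=UTC)},
}
EARLY = timedelta(minutes=10)  # owner may open the room this long before the slot

def decide(form, now, bookings=BOOKINGS):
    """Return (status, body) for the POST /conference that Jicofo sends."""
    name = form.get("name", "")
    booking = bookings.get(name)
    # Deny by default: unknown room, wrong owner, or outside the booked window.
    if booking is None:
        return 403, {"message": "room is not scheduled"}
    if form.get("mail_owner") != booking["owner"]:
        return 403, {"message": "only the booking owner may open this room"}
    if not (booking["start"] - EARLY <= now < booking["end"]):
        return 403, {"message": "room is not open at this time"}
    return 200, {
        "id": booking["id"], "name": name, "mail_owner": booking["owner"],
        "start_time": form.get("start_time", ""),
        "duration": int((booking["end"] - now).total_seconds()),  # seconds left
    }

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = {k: v[0] for k, v in parse_qs(raw).items()}
        known = self.path.rstrip("/") == "/conference"
        status, body = decide(form, datetime.now(UTC)) if known else (404, {})
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())

    def do_DELETE(self):  # Jicofo reports that the conference has ended
        self.send_response(200)
        self.end_headers()

if __name__ == "__main__":
    # Reachable only from the jicofo container's network; no Traefik router needed.
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

Run as an extra container on the `meet.jitsi` network, the service is reachable by Jicofo at an internal URL and needs no public host rule; the decision uses the service's own clock rather than the `start_time` it receives.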