Domain Authentication per Doc Goes into Infinite Loop

Hi Everyone,

I followed the documentation for setting up domain authentication. It goes into an infinite loop of requesting authentication in both the iOS app and any browser.

Running on Ubuntu 20.04 LTS

Error log
2022/08/18 05:58:36 [crit] 4704#4704: *55 SSL_read() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while waiting for request, client: 107.178.XX.X4, server: 0.0.0.0:443

Is there any way I can debug this? I have tried a few things besides the standard configuration documented, but so far nothing works.

Thanks for any pointers.
Addendum. I have decided to use dovecot module for authentication. But this behavior really does feel like a bug rather than an error in configuration.

Welcome to the forum.

What kind of certs are you using?

letsencrypt

Thanks

Non-authentication configuration works great.

Can you share your prosody config (domain.cfg.lua)? Redact all sensitive information.

Yes, I am sending it now.
I also tried last night to get the mod_auth_dovecot community module working. I was unsuccessful. It could not open a socket to the dovecot instance running on a nearby server.

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "meet.hidingmydomain.me";

external_service_secret = "redacted";
external_services = {
    { type = "stun", host = "meet.hidingmydomain.me", port = 3478 },
    { type = "turn", host = "meet.hidingmydomain.me", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
    { type = "turns", host = "meet.hidingmydomain.me", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
--http_cors_override = {
--    bosh = {
--        enabled = false;
--    };
--    websocket = {
--        enabled = false;
--    };
--}

-- Mozilla SSL Configuration Generator
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

unlimited_jids = {
    "focus@auth.meet.hidingmydomain.me",
    "jvb@auth.meet.hidingmydomain.me"
}

VirtualHost "meet.hidingmydomain.me"
    authentication = "internal_hashed"
    authentication = "jitsi-anonymous" -- do not delete me
    -- authentication = "jitsi-anonymous" -- do not delete me
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/meet.hidingmydomain.me.key";
        certificate = "/etc/prosody/certs/meet.hidingmydomain.me.crt";
    }
    av_moderation_component = "avmoderation.meet.hidingmydomain.me"
    speakerstats_component = "speakerstats.meet.hidingmydomain.me"
    conference_duration_component = "conferenceduration.meet.hidingmydomain.me"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "muc_lobby_rooms";
        "muc_breakout_rooms";
        "av_moderation";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.meet.hidingmydomain.me"
    breakout_rooms_muc = "breakout.meet.hidingmydomain.me"
    main_muc = "conference.meet.hidingmydomain.me"
    -- muc_lobby_whitelist = { "recorder.meet.hidingmydomain.me" } -- Here we can whitelist jibri to enter lobby enabled rooms

VirtualHost "guest.meet.hidingmydomain.me"
    authentication = "anonymous"
    c2s_require_encryption = false

Component "conference.meet.hidingmydomain.me" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "polls";
        --"token_verification";
        "muc_rate_limit";
    }
    admins = { "focus@auth.meet.hidingmydomain.me" }
    muc_room_locking = false
    muc_room_default_public_jids = true

Component "breakout.meet.hidingmydomain.me" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "muc_rate_limit";
        "polls";
    }
    admins = { "focus@auth.meet.hidingmydomain.me" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.meet.hidingmydomain.me" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.meet.hidingmydomain.me", "jvb@auth.meet.hidingmydomain.me" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.meet.hidingmydomain.me"
    ssl = {
        key = "/etc/prosody/certs/auth.meet.hidingmydomain.me.key";
        certificate = "/etc/prosody/certs/auth.meet.hidingmydomain.me.crt";
    }
    modules_enabled = {
        "limits_exception";
    }
    authentication = "internal_hashed"

-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.meet.hidingmydomain.me" "client_proxy"
    target_address = "focus@auth.meet.hidingmydomain.me"

Component "speakerstats.meet.hidingmydomain.me" "speakerstats_component"
    muc_component = "conference.meet.hidingmydomain.me"

Component "conferenceduration.meet.hidingmydomain.me" "conference_duration_component"
    muc_component = "conference.meet.hidingmydomain.me"

Component "avmoderation.meet.hidingmydomain.me" "av_moderation_component"
    muc_component = "conference.meet.hidingmydomain.me"

Component "lobby.meet.hidingmydomain.me" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
    modules_enabled = {
        "muc_rate_limit";
        "polls";
    }

-- Enables dial-in for Jitsi meet components customers
-- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
-- and execute $ sudo luarocks install luajwtjitsi 3.0-0
VirtualHost "jigasi.meet.jitsi"
    enabled = false -- Jitsi meet components customers remove this line
    modules_enabled = {
        "ping";
        "bosh";
        "muc_password_check";
    }
    authentication = "token"
    app_id = "jitsi";
    asap_key_server = "https://jaas-public-keys.jitsi.net/jitsi-components/prod-8x8"
    asap_accepted_issuers = { "jaas-components" }
    asap_accepted_audiences = { "jigasi.meet.hidingmydomain.me" }

There should be only one active authentication line. For your case it is:

authentication = "internal_hashed"
-- authentication = "jitsi-anonymous" -- do not delete me
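
An added example, not part of the original thread: a small Python check for the condition the reply above points out, more than one uncommented authentication line under the same VirtualHost. The sample config and its host names are constructed, and the comment stripping is a simplification that assumes no `--` appears inside a quoted value.

```python
import re

# Constructed sample reproducing the shape of the posted config (hypothetical host names).
SAMPLE = '''
VirtualHost "meet.example.invalid"
    authentication = "internal_hashed"
    authentication = "jitsi-anonymous" -- do not delete me
    -- authentication = "token"
    modules_enabled = { "bosh"; }

VirtualHost "guest.meet.example.invalid"
    authentication = "anonymous"

Component "conference.meet.example.invalid" "muc"
    storage = "memory"
--[[ VirtualHost "old.example.invalid"
    authentication = "anonymous"
]]
'''
SECTION = re.compile(r'^\s*(VirtualHost|Component)\s+"([^"]+)"')
AUTH = re.compile(r'^\s*authentication\s*=\s*"([^"]*)"')

def strip_comments(text):
    """Blank out Lua block comments (keeping line numbers), then drop line comments."""
    keep_lines = lambda m: "\n" * m.group(0).count("\n")
    text = re.sub(r'--\[\[.*?\]\]', keep_lines, text, flags=re.S)
    return [re.sub(r'--.*$', '', line) for line in text.splitlines()]

def active_auth_lines(text):
    """Map each host section to its uncommented (line, value) authentication entries."""
    found, current = {}, "*global*"
    for lineno, line in enumerate(strip_comments(text), 1):
        m = SECTION.match(line)
        if m:
            current = m.group(2)
            continue
        m = AUTH.match(line)
        if m:
            found.setdefault(current, []).append((lineno, m.group(1)))
    return found

def conflicts(text):
    """Return only the sections with more than one active authentication line."""
    return {h: v for h, v in active_auth_lines(text).items() if len(v) > 1}

if __name__ == "__main__":
    for host, entries in conflicts(SAMPLE).items():
        print(f"{host}: {len(entries)} active authentication lines")
        for lineno, value in entries:
            print(f"  line {lineno}: {value}")
```
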

Thanks, I will try this.

Okay, with this change the iOS app works correctly. However, browsers no longer show the home page, but get automatically redirected to the first random room. Trying to go to the URL without a room under this condition does not work. Always get thrown into the first random room. After starting a room with the iOS app (after authentication) this room cannot be joined by a web browser: blank page. And testing it with another iOS device, the room requires the second user to authenticate even though it's already open and running.

These are not related with authentication. It seems like there are multiple issues in your system.

There seem to be multiple issues. I tried setting this both ways. enableWelcomePage: true/false makes no difference. This service is running on a bare metal server with lots of RAM and CPU that was just set up specifically for the purpose of hosting jitsi. Failing that, I will need to look at the other open source options. However, I am optimistic about getting this sorted out.

The Jitsi iOS app can authenticate to start a conference. Then, joining the same conference via the app should not require authentication of the second attendee, but it does. So, there is something wrong with guest anonymous access.
On every desktop browser I have tried, creating a conference fails to bring up the authentication dialogue. Brave performs the poorest. Firefox will at least let you return to the home page.
This is configured per the book with not a lot of other things going on.
If I fall back to vanilla configuration, the service works very well and I have tested with several participants across the country. P2P direct streaming is working great, everything is working great but authentication.

Thanks for your help.
Michael

What is your distro/version?

Debian 11?
Ubuntu 20.04?

Ubuntu 22.04.1 LTS

Nobody saw that 20.04 I accidentally initially wrote… :slight_smile:
It’s 22.04.1
Definitely some significant changes since 20.04 and I wonder if that's part of the puzzle.

You may try Jitsi Secure Domain Installer if you have Debian 11 Bullseye or Ubuntu 20.04.

Javascript error here:

[Error] 2022-08-23T18:42:18.604Z – “[JitsiMeetJS.js]” – “UnhandledError: Right side of assignment cannot be destructured” – “Script: null” – “Line: null” – “Column: null” – "StackTrace: " – “@https://meet.redacted.com/libs/app.bundle.min.js?v=6447:138:1495729↵asyncFunctionResume@[native code…”

That’s not an option for me. I am keeping this server on 22.04 LTS.
I am really thinking this is a bug. Will file an issue on GitHub.

The problem was a trailing “,” in the hosts section of the javascript configuration file.
Removing it corrected the issues, as the entire section was not loaded.
Thanks to all for assistance.
