Easiest way to secure jitsi meet

Try creating a room. As @damencho said, the home page will remain the same.

Well… I can create a room without any problems, without entering any password.
I did not restart the server, but restarted apache.

EDIT: I just found the mistake. Prosody is not restarted when the apache server is restarted. So instead of “shutdown -r now” the following should be used:

systemctl restart prosody

Then it works…
Thanks for the help folks.

@coper I tried this setting, however, when I try to join that room from another device, it asks for the credentials again. It is not the first user only, but it is every user. This does not make sense.
It would make sense to protect the “creation” page, and then decide to have or have not passwords for the rooms.
Is that possible? Or at least restrict the use of the “creation” page to specific IPs or so?

This is why the anonymous domain setting exists. This is how it works.

Sorry, I don’t find any explanation in the quoted text and don’t understand what you mean by “this is why anonymous mode exists”. I do NOT want anybody to start meetings, but only a selected few.
I want to invite people to meeting rooms by invitation only.
Like a regular video conferencing system as Teams, Zoom, Blizz etc.
Therefore I need to have a group of users that can generate meetings, and guests that can join them.
However, if I use the user-password system, everybody that joins has to provide user credentials (and actually the session gets disconnected on connection immediately).

Is that clearer?

The secure configuration has an anonymous domain, used by the guests. So you have hosts which authenticate and guests which don’t need to authenticate. Guests cannot enter the room before any host appears. This is how it works.

Hi @damencho
I still do not know how to do this practically.
When I use authentication=internal_plain everyone that joins has to use a username/password, i.e. they cannot join anonymously.
If I use authentication=anonymous everybody can join and create meetings anytime.

So please let me know how to configure it in such a way that the creator of the session has to authenticate and the guest does not.
Thank you.

Have you followed jitsi/jicofo/blob/master/README.md#secure-domain ?
When you enable internal_plain, do you add this in your config.js:

var config = {
    hosts: {
        domain: 'jitsi-meet.example.com',
        anonymousdomain: 'guest.jitsi-meet.example.com',
        // ...
    },
    // ...
};

Everything is described in the link I had sent in the secure domain section.

Okay, I did now. I thought this was the modification of the one domain.
I now added a new subdomain for my host.
meet-admin is not the page where I wish to configure sessions with authentication
meet is now the page where the guests should join.

However, when I access the pages, I get “the same” page, i.e. for both I do not have to enter credentials. Do I have to generate new configs, so separate ones for each domain? I just added the virtual host in the existing one?

var config = {
    hosts: {
        domain: 'meet-admin.XXXX',
        anonymousdomain: 'meet.XXXX',
        muc: 'conference.meet.XXXX'
    },
    // ...
};

/etc/prosody/conf.d/

VirtualHost "meet-admin.XXXX"
        authentication = "internal_plain"
        ssl = {
                key = "...";
                certificate = "...";
        }
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
        }

        c2s_require_encryption = false

Component "conference.XXXX" "muc"
    storage = "null"
    --modules_enabled = { "token_verification" }
admins = { "focus@auth.meet.XXXX" }

Component "jitsi-videobridge.XXXX"
    component_secret = "Wox@ocnM"

--#
--# For guest join see https://github.com/jitsi/jicofo/blob/master/README.md#secure-domain
--#
VirtualHost "meet.XXXX"
    authentication = "anonymous"
    c2s_require_encryption = false
--#
--# End of guest join modification
--#


VirtualHost "auth.meet.XXXX"
    ssl = {
        key = "/....";
        certificate = "/....";
    }
    authentication = "internal_plain"

Component "focus.meet.XXXX"
    component_secret = "...."
Component "callcontrol.meet.XXXX"
    component_secret = "9zHJ@R5t"

/etc/jitsi/jicofo/sip-communicator:

org.jitsi.jicofo.auth.URL=XMPP:meet-admin.XXXX

Or do I have to configure two hosts, i.e. with a different meet-config.js for the guests (leave everything else identical)?

It may sound stupid, but I still do not get how to configure it.
I assume that a guest domain that can be accessed “anonymously” means that you have to enter the session a host has configured for a session.

AND: If I join any session at meet.XXXX I am immediately kicked out again.

Wait, do not rename anything, just follow the doc.

  • So you install jitsi-meet entering this domain ‘jitsi-meet.example.com’
  • Make sure it works with 2 and 3 participants
  • Following the doc - is to change the authentication method of ‘jitsi-meet.example.com’ from anonymous to internal_plain
  • Add a new virtualhost which is with authentication method anonymous and add it in config.js as anonymousdomain.
  • The jicofo change -D…:‘jitsi-meet.example.com’
  • Restart prosody and jicofo in that order, create a user and go test it accessing your deployment using ‘jitsi-meet.example.com’
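The steps above touch three files that have to agree with each other. The following consistency check is an added example, not part of the original thread or of the Jitsi project; the sample file contents are constructed from the example domains used in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample files, using the example domains from the thread.
PROSODY = '''
VirtualHost "jitsi-meet.example.com"
    authentication = "internal_plain"   -- hosts log in
VirtualHost "guest.jitsi-meet.example.com"
    authentication = "anonymous"        -- guests do not
    c2s_require_encryption = false
Component "conference.jitsi-meet.example.com" "muc"
'''
CONFIG_JS = "var config = { hosts: { domain: 'jitsi-meet.example.com', anonymousdomain: 'guest.jitsi-meet.example.com' } };"
JICOFO = "org.jitsi.jicofo.auth.URL=XMPP:jitsi-meet.example.com\n"

def prosody_auth(conf):
    """Map each VirtualHost to its authentication setting (None if unset)."""
    auth, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("--", 1)[0].strip()          # drop Lua line comments
        block = re.match(r'(VirtualHost|Component)\s+"([^"]+)"', line)
        if block:                                     # a Component ends the vhost
            current = block.group(2) if block.group(1) == "VirtualHost" else None
            if current:
                auth[current] = None
        elif current and (m := re.match(r'authentication\s*=\s*"([^"]+)"', line)):
            auth[current] = m.group(1)
    return auth

def check_secure_domain(prosody_conf, config_js, jicofo_props):
    """Return a list of findings; an empty list means the three files agree."""
    auth = prosody_auth(prosody_conf)
    hosts = dict(re.findall(r"(\w+)\s*:\s*'([^']+)'", config_js))  # simplified parse
    main, guest = hosts.get("domain"), hosts.get("anonymousdomain")
    findings = []
    if auth.get(main) != "internal_plain":
        findings.append(f"main domain {main} is not internal_plain: room creation is unauthenticated")
    if guest is None:
        findings.append("no anonymousdomain in config.js: every participant must log in")
    elif auth.get(guest) != "anonymous":
        findings.append(f"guest domain {guest} has no anonymous VirtualHost in Prosody")
    url = re.search(r"^org\.jitsi\.jicofo\.auth\.URL=XMPP:(\S+)$", jicofo_props, re.M)
    if not url or url.group(1) != main:
        findings.append("org.jitsi.jicofo.auth.URL does not name the main domain")
    return findings

if __name__ == "__main__":
    for finding in check_secure_domain(PROSODY, CONFIG_JS, JICOFO) or ["secure domain settings are consistent"]:
        print(finding)
```
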

oookay. I reverted the changes and went back to ONE virtual host (because anything under meet-admin did not work). So I have this one, meet.XXXX
Actually it seems to work. However, I cannot get two people to connect (it breaks the connection immediately).
But at last I see from my PC this one time “if you are the host, identify yourself”.
From the Android client I see this when trying to connect. When I connect from the same browser again, I am not asked to identify myself, also not on new sessions - I assume that is because I identified myself.
Unfortunately Edge is not working, so I do not have two browsers to test in parallel.
This looks pretty much as I intended it to work, so thanks. Now I just have to find out why it breaks when a second user connects. Tried 2 PC, PC+Android…

So thank you for now @damencho I believe I am stuck here until I can find out what breaks the sessions.

You need to check js console logs, what is the error. Most probably no jvb, restart jvb and then jicofo and try again.
You don’t need two browsers to test, you can use one. One standard browser session and one incognito window.

Okay, thanks again @damencho
JVB does not start because “Failed at step CAPABILITIES”
jicofo.log : SIP gateway went offline

Everything else is just info.
Any idea? Where can I find out why the video bridge is not starting?

Thanks for the tip with the incognito, did not think of it.

This means you are using an older kernel. The workaround is to go and find the jitsi-videobridge file in /etc/systemd/system and delete the line AmbientCapabilities=CAP_NET_BIND_SERVICE, then restart jvb. It will warn you which command you need to run first in order for your changes to take effect; execute it, then restart jvb and jicofo.

hi @damencho
Thank you for your answer. However, this does not change anything. I am using Kernel 4.4.0 and I cannot change it due to provider restrictions.
JVB does not start with the same error message.

Dear damencho,

We are a group of high school teachers and, after some tribulation (we are not computer geeks…), we could set up a video call with 25 students.
Quality was not excellent but good enough.
The remaining problem, which is why we write to you in this section, is that we noticed that there were many other uninvited people joining.
Therefore, we would be extremely grateful if you could explain to us if there is a way to:

  1. set up a password so that only invited people attend;
  2. how can the teacher (who started the room) monitor, and eventually kick out, unwanted people.

All this, possibly, without going into coding, but just from your website page.
Otherwise could you be so kind and explain to us in the plainest terms how to do that on a Mac with Catalina?
We are really appreciative of your and other members’ help in these Covid19 times.
Yours.

The teacher can enter the room a few minutes before the meeting and set a password, using the Add password option.

And the students need to know this password before entering. The teacher can kick a participant by selecting the 3 dots menu on the participant thumbnail and selecting the Kick option.

Damencho

I get some issues with my Jitsi: when I restart the server and then try to make a conference, if one is up and the guest tries to join, then the session restarts. To fix it I have to do systemctl restart jicofo.

How to fix it?

You can set any of the
org.jitsi.jicofo.auth.DISABLE_AUTOLOGIN or org.jitsi.jicofo.auth.AUTH_LIFETIME