How to prevent people from creating rooms?

Hi
I just did a full install/deploy of the Jitsi suite on Ubuntu 18.04 on a cloud VPS at OVH.

After completing my installation I would like to manage the way people create rooms and be the only one who can moderate that, allowing it or not.
I don’t want people to create rooms on my deployment without control.

I plan to use the buddymeet WP plugin for BuddyPress by @tdakanalis to manage my rooms and groups, but I don’t think the plugin can disable the requested option.

How to do it?

Thanks

1 Like

Thanks.
I saw that you refer to Debian all the time.
Do you recommend Debian 9 over Ubuntu 18.04?

I don’t think it matters for Jitsi. Ubuntu is derived from Debian so it is very similar and people will refer to them in one breath as “Debian/Ubuntu”. If you’re used to Ubuntu, I’d suggest sticking with it.

1 Like

Thanks. That's what I thought too, but just in case…

I followed these instructions but this doesn’t stop users from creating their own meeting room.

Beginning with -Dorg.jitsi.jicofo.auth.URL=XMPP:jitsi-meet.example.com
I get command not found.
Also, in **/etc/jitsi/jicofo/** the file sip-communicator.properties is empty when I edit it with nano. Is that normal?

running point 4 I got 
-bash: syntax error near unexpected token `the choosen password'

(I did the full install)

I'm a newbie at Linux installs, with just 5 servers with LAMP that are working fine. I'm scared there is some hidden operation we need to do that is only understandable for advanced users, like stopping or restarting a service for example, but I think we should not be discarded, especially in this difficult time when people need to communicate.
Thank you

My sip-communicator.properties file was also empty so yes I think that is normal.

Anyone can still create a room in my jitsi as well, after I followed the instructions for Manual Prosody configuration to create the focus admin user, and then the Secure domain instructions to enable authentication on the main domain.

Is there an additional step to require authentication beyond those in the jicofo Readme that I followed? Does some prosody module need to be added?
Thanks

1 Like

Actually it did work in the end, but only with the following hack.
After following the instructions and restart prosodyctl, if it doesn’t prompt to authenticate when creating a room, then:

  • temporarily edit the guest VirtualHost authentication from “anonymous” to “internal_plain” in /etc/prosody/conf.avail/[your-hostname].cfg.lua
  • try to create/enter a room again - this time it finally prompted me for username password
  • change authentication back to “anonymous” for the guest VirtualHost
  • restart prosodyctl (I guess)

After this, it prompts me for username/password just for creating a room, as intended. Yippee.

Also, it needs to be admins = { "focus@auth.jitsi.example.com" } instead of admins = { focus@auth.jitsi.example.com } (i.e. needs quotes) in etc\prosody\prosody.cfg.lua

1 Like

Thanks for your answer, I still have not resolved this.
I followed and repeated the steps without success.
restart prosodyctl doesn’t work :frowning:
I saw many subdomain auth.mydomain.com
when I setup my virtual server on mydomain.com
there is not auth or auth are the access to others programs?

For prosodyctl

Usage

The basic usage of prosodyctl is:

 prosodyctl COMMAND [OPTIONS]

Where COMMAND may be one of:

adduser JID - Create the specified user account in Prosody

passwd JID - Set the password for the specified user account in Prosody

deluser JID - Permanently remove the specified user account from Prosody

start - Start Prosody

stop - Stop a running Prosody server

restart - Restart Prosody

reload - Reload Prosody’s configuration and re-open log files

status - Reports the running status of Prosody

An alternative configuration file can be given by --config /path/to/config.cfg.lua .

Still not working.
I edited prosody.cfg.lua and mydomain.com.cfg.lua with nano
and made some changes but it still does not work.
Now 7 hours just for solving this :frowning: I’m desperate
People can still register new meeting rooms
@damencho or @Alan any advice?

Hi Xavierok.

I followed the same guide recently too using Ubuntu 18.04.

Try changing this:

-Dorg.jitsi.jicofo.auth.URL=XMPP:jitsi-meet.example.com

to this:

org.jitsi.jicofo.auth.URL=XMPP:jitsi-meet.example.com

in your /etc/jitsi/jicofo/sip-communicator.properties config file.

Thanks

Steve

Thanks but when I nano this file it is empty

I have restricted my installation to only allow rooms specified in the prosody
/etc/prosody/conf.d/*.cfg.lua file by using a prosody module:

When this module is active and two users try to connect to a room that is not allowed, the videobridge will not establish a link between the users. From a user's perspective it will behave as if video conferencing only works when using the rooms specified in the configuration.

The prosody xmpp server uses the Lua programming language. When editing Lua files remember that comment lines start with --; if you try to comment a line using // or # then prosody will not start at all and nothing is seen in the prosody log.

First step: add a prosody module, a new file, at /usr/lib/prosody/modules/mod_muc_restrict_rooms_exec.lua containing the following. This module was created by philipp.verpoort (Restrict creation of rooms).

```lua
local st = require "util.stanza";
local jid = require "util.jid";
local nodeprep = require "util.encodings".stringprep.nodeprep;
-- Needed by is_restricted() when muc_restrict_allow_admins is enabled
local usermanager = require "core.usermanager";

local rooms = module:shared "muc/rooms";
if not rooms then
    module:log("error", "This module only works on MUC components!");
    return;
end

-- Options read from the MUC component's configuration
local restrict_patterns = module:get_option("muc_restrict_matching", {});
local restrict_excepts = module:get_option_set("muc_restrict_exceptions", {});
local restrict_allow_admins = module:get_option_boolean("muc_restrict_allow_admins", false);
local restrict_executable = module:get_option_string("muc_restrict_executable", "/bin/false");
local restrict_executable_reason = module:get_option_string("muc_restrict_executable_reason", "Room is not in list of allowed rooms obtained from executable.");

-- Returns nil when the room may be joined, otherwise the reason for refusal
local function is_restricted(room, who)
    -- If admins can join prohibited rooms, we allow them to
    if restrict_allow_admins and usermanager.is_admin(who, module.host) then
        module:log("debug", "Admins are allowed to enter restricted rooms (%s on %s)", who, room)
        return nil;
    end

    -- Don't evaluate exceptions
    if restrict_excepts:contains(room) then
        module:log("debug", "Room %s is amongst restriction exceptions", room)
        return nil;
    end

    -- Evaluate regexps of restricted patterns
    for pattern,reason in pairs(restrict_patterns) do
        if room:match(pattern) then
            module:log("debug", "Room %s is restricted by pattern %s, user %s is not allowed to join (%s)", room, pattern, who, reason)
            return reason;
        end
    end

    -- list of allowed chat rooms
    local output = "yoga\ntest\nsadhana\nyinyoga\nlive"

    -- Split the list into one room name per line
    local lines = {}
    for s in output:gmatch("[^\r\n]+") do
        table.insert(lines, s)
    end

    for i, token in ipairs(lines) do
        if string.lower(token) == room then
            return nil
        end
    end

    module:log("debug", "Room %s is not in list of allowed rooms obtained from executable: %s", room, restrict_executable)
    return restrict_executable_reason
end

module:hook("presence/full", function(event)
    local stanza = event.stanza;

    if stanza.name == "presence" and stanza.attr.type == "unavailable" then   -- Leaving events get discarded
        return;
    end

    -- Get the room
    local room = jid.split(stanza.attr.to);
    if not room then return; end

    -- Get who has tried to join it
    local who = jid.bare(stanza.attr.from)

    -- Checking whether room is restricted
    local check_restricted = is_restricted(room, who)
    if check_restricted ~= nil then
        event.allowed = false;
        event.stanza.attr.type = 'error';
        return event.origin.send(st.error_reply(event.stanza, "cancel", "forbidden", "You're not allowed to enter this room: " .. check_restricted));
    end
end, 10);
```

In the /etc/prosody/conf.d/*.cfg.lua add the “module” muc_restrict_rooms_exec to modules_enabled under the muc component. Then specify the rooms that you allow using muc_restrict_exceptions = { "yoga", "test", "live" }. Here is how this is configured on my site:

```lua
Component "conference.yoga.gongiversum.com" "muc"
    storage = "memory"
    modules_enabled = { "muc_restrict_rooms_exec" }
    muc_restrict_exceptions = { "yoga", "test", "live" }
    admins = { "focus@auth.yoga.gongiversum.com" }
```

Then finally restart all jitsi meet services; when restarting prosody it is good to also restart jicofo.

```bash
systemctl stop prosody
systemctl stop jicofo
systemctl stop jitsi-videobridge2
systemctl stop jibri
systemctl start prosody
systemctl start jicofo
systemctl start jitsi-videobridge2
systemctl start jibri
```

3 Likes

Ok - it shouldn’t be empty so add this line:

org.jitsi.jicofo.auth.URL=XMPP:jitsi-meet.example.com

Where the example URL is your own.

Following the guide sent by damencho earlier worked for me (https://github.com/jitsi/jicofo/blob/master/README.md#secure-domain) and setting that line is required to get the secure domain config working.

Keep going!

1 Like

Thanks, unfortunately it didn’t work

@Xavierok I was having problems around authentication as well, but after reinstalling from scratch again it is working. Even though I had only installed it within the last couple of days, I think there have been updates (or maybe I did something wrong first time).

Also this time in the first step, setting authentication in etc\prosody\prosody.cfg.lua, I overwrote the existing authentication line from internal_hash to internal_plain instead of adding a new line under the VirtualHost (maybe irrelevant I don’t know)

Also, this time my /etc/jitsi/jicofo/sip-communicator.properties file has a line in it, so I added the extra line. The point being that there must have been updates that you get if you install from scratch again.
Now it gives a nice message “Waiting for the host … If you are the host…” until a new room is authenticated. Also it fixed the problem where it (sometimes) wasn’t working from both laptop and phone app.

I terminated my EC2 instance and just launched a new one and retried the jicofo config. 10 minutes. Good luck!

2 Likes

Still not working. I’m confused because here everybody uses a subdomain, while I don’t use one; I use a straightforward domain https://camchatpro.net
I am on Debian 9 as I gave up on Ubuntu 18.04.
I'm starting to understand the process of each module and each program.
The first method didn’t work.
Now I have set up the second method. I will copy and paste the files I modified.

  1. in /etc/prosody/conf.avail
    I have the files: camchatpro.net.cfg.lua camchatpro.net.cfg.lua.save example.com.cfg.lua localhost.cfg.lua
    I edited
```lua
-- Plugins path gets uncommented during jitsi-meet-tokens package install - that's where token plugin is lo$
--plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

VirtualHost "camchatpro.net"
    -- enabled = false -- Remove this line to enable this host
    authentication = "internal_plain"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/camchatpro.net.key";
        certificate = "/etc/prosody/certs/camchatpro.net.crt";
    }
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
    }

    c2s_require_encryption = false

Component "meet.camchatpro.net" "muc"
    storage = "null"
    --modules_enabled = { "token_verification" }
Component "jitsi-videobridge.camchatpro.net"
    component_secret = "G2Dd57Z8"

VirtualHost "auth.camchatpro.net"
    ssl = {
        key = "/etc/prosody/certs/auth.camchatpro.net.key";
        certificate = "/etc/prosody/certs/auth.camchatpro.net.crt";
    }
    authentication = "internal_plain"

Component "focus.camchatpro.net"
    component_secret = "ndJFXlkN"

VirtualHost "guest.camchatpro.net"
    authentication = "anonymous"
    c2s_require_encryption = false

Component "meet.camchatpro.net" "muc"
    storage = "memory"
    modules_enabled = { "muc_restrict_rooms_exec" }
    muc_restrict_exceptions = { "famille", "test", "live" }
    admins = { "focus@auth.camchatpro.net" }
```

At /usr/lib/prosody/modules/mod_muc_restrict_rooms_exec.lua
I have:

local st = require "util.stanza";
local jid = require "util.jid";
local nodeprep = require "util.encodings".stringprep.nodeprep;

local rooms = module:shared "muc/rooms";
if not rooms then
    module:log("error", "This module only works on MUC components!");
    return;
end

local restrict_patterns = module:get_option("muc_restrict_matching", {});
local restrict_excepts = module:get_option_set("muc_restrict_exceptions", {});
local restrict_allow_admins = module:get_option_boolean("muc_restrict_allow_admins", false);
local restrict_executable = module:get_option_string("muc_restrict_executable", "/bin/false");
local restrict_executable_reason = module:get_option_string("muc_restrict_executable_reason", "Room is not in list of allowed rooms obtained from executable.");

local function is_restricted(room, who)
    -- If admins can join prohibited rooms, we allow them to
    if restrict_allow_admins and usermanager.is_admin(who, module.host) then
            module:log("debug", "Admins are allowed to enter restricted rooms (%s on %s)", who, room)
            return nil;
    end

    -- Don't evaluate exceptions
    if restrict_excepts:contains(room) then
            module:log("debug", "Room %s is amongst restriction exceptions", room)
            return nil;
    end

    -- Evaluate regexps of restricted patterns
    for pattern,reason in pairs(restrict_patterns) do
            if room:match(pattern) then
                    module:log("debug", "Room %s is restricted by pattern %s, user %s is not allowed to join (%s)", room, pattern, who, reason)
                    return reason;
            end
    end

    -- list of allowed chat rooms
    local output = "rooms"

    lines = {}
    for s in output:gmatch("[^\r\n]+") do
            table.insert(lines, s)
    end

    for i, token in ipairs(lines) do
            if string.lower(token) == room then
                    return nil
            end
    end

    module:log("debug", "Room %s is not in list of allowed rooms obtained from executable: %s", room, restrict_executable)
    return restrict_executable_reason

end
module:hook("presence/full", function(event)
    local stanza = event.stanza;

    if stanza.name == "presence" and stanza.attr.type == "unavailable" then   -- Leaving events get discarded
            return;
    end

    -- Get the room
    local room = jid.split(stanza.attr.to);
    if not room then return; end

    -- Get who has tried to join it
    local who = jid.bare(stanza.attr.from)

    -- Checking whether room is restricted
    local check_restricted = is_restricted(room, who)
    if check_restricted ~= nil then
            event.allowed = false;
            event.stanza.attr.type = 'error';
            return event.origin.send(st.error_reply(event.stanza, "cancel", "forbidden", "You're not allowed to enter this room: " .. check_restricted));
    end

end, 10);

In the /etc/prosody/conf.d/camchatpro.net.cfg.lua

```lua
-- Plugins path gets uncommented during jitsi-meet-tokens package install - that's where token plugin is located
--plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

VirtualHost "camchatpro.net"
    -- enabled = false -- Remove this line to enable this host
    authentication = "internal_plain"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/camchatpro.net.key";
        certificate = "/etc/prosody/certs/camchatpro.net.crt";
    }
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
    }

    c2s_require_encryption = false

Component "meet.camchatpro.net" "muc"
    storage = "null"
    --modules_enabled = { "token_verification" }
    admins = { "focus@auth.camchatpro.net" }

Component "jitsi-videobridge.camchatpro.net"
    component_secret = "G2Dd57Z8"

VirtualHost "auth.camchatpro.net"
    ssl = {
        key = "/etc/prosody/certs/auth.camchatpro.net.key";
        certificate = "/etc/prosody/certs/auth.camchatpro.net.crt";
    }
    authentication = "internal_plain"

Component "focus.camchatpro.net"
    component_secret = "ndJFXlkN"

VirtualHost "guest.camchatpro.net"
    authentication = "anonymous"
    c2s_require_encryption = false

Component "meet.camchatpro.net" "muc"
    storage = "memory"
    modules_enabled = { "muc_restrict_rooms_exec" }
    muc_restrict_exceptions = { "famille", "test", "live" }
    admins = { "focus@auth.camchatpro.net" }

Component "jitsi-videobridge.camchatpro.net"
    component_secret = "G2Dd57Z8"

VirtualHost "auth.camchatpro.net"
    ssl = {
        key = "/etc/prosody/certs/auth.camchatpro.net.key";
        certificate = "/etc/prosody/certs/auth.camchatpro.net.crt";
    }
    authentication = "internal_plain"

Component "focus.camchatpro.net"
    component_secret = "ndJFXlkN"

VirtualHost "guest.camchatpro.net"
    authentication = "anonymous"
    c2s_require_encryption = false

Component "meet.camchatpro.net" "muc"
    storage = "memory"
    modules_enabled = { "muc_restrict_rooms_exec" }
    muc_restrict_exceptions = { "famille", "test", "live" }
    admins = { "focus@auth.camchatpro.net" }
```

In my /etc/jitsi/jicofo/sip-communicator.properties
org.jitsi.jicofo.auth.URL=XMPP:jitsi-camchatpro.net

I’m a bit empty now, 10 hours on that problem now.

I have to say a big thank you to @xranby (nice yoga room and sound therapy) @steve_mils @Alan
If you can check what I did, thanks.

I’m not an expert at all unfortunately. I haven’t tried to install any modules or plugins yet. I just followed the instruction on https://github.com/jitsi/jicofo

Do you have this line in /etc/jitsi/jicofo/sip-communicator.properties
org.jitsi.jicofo.auth.URL=XMPP:camchatpro.net

Oh I see you have a “jitsi-” prefix there, maybe take that out. I found it confusing as well that the documentation starts with jitsi.example.com and then changes to jitsi-meet.example.com, but I’m assuming jitsi and jitsi-meet are interchangeable there and not significant
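
A consistency check for the secure-domain settings discussed in this thread, as an added example that is not part of any post or of the Jitsi or Prosody projects. It flags the points raised above (the -D prefix in the properties file, an auth URL host that matches no authenticated VirtualHost, an unquoted admins entry); the function names and the example.com sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs (not from any real server), modelled on the thread.
SAMPLE_PROSODY = '''
VirtualHost "meet.example.com"
    authentication = "internal_plain"   -- main domain requires login
VirtualHost "guest.meet.example.com"
    authentication = "anonymous"
Component "conference.meet.example.com" "muc"
    admins = { focus@auth.meet.example.com }
'''
SAMPLE_JICOFO = "-Dorg.jitsi.jicofo.auth.URL=XMPP:jitsi-meet.example.com\n"

AUTH_KEY = "org.jitsi.jicofo.auth.URL"

def strip_lua_comments(cfg):
    """Drop everything after '--' on each line (good enough for these files)."""
    return "\n".join(line.split("--", 1)[0] for line in cfg.splitlines())

def virtualhost_auth(cfg):
    """Map each VirtualHost name to its authentication value (None if unset)."""
    hosts, current = {}, None
    for line in strip_lua_comments(cfg).splitlines():
        head = re.match(r'\s*(VirtualHost|Component)\s+"([^"]+)"', line)
        if head:
            # Settings under a Component do not belong to the previous VirtualHost
            current = head.group(2) if head.group(1) == "VirtualHost" else None
            if current:
                hosts.setdefault(current, None)
            continue
        auth = re.match(r'\s*authentication\s*=\s*"([^"]+)"', line)
        if auth and current:
            hosts[current] = auth.group(1)
    return hosts

def check_secure_domain(prosody_cfg, jicofo_props):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    hosts = virtualhost_auth(prosody_cfg)
    authed = sorted(h for h, a in hosts.items() if a and a != "anonymous")
    if not authed:
        findings.append("no VirtualHost requires authentication")
    if re.search(r'admins\s*=\s*\{\s*[^"\s}]', strip_lua_comments(prosody_cfg)):
        findings.append("admins entry is not a quoted string")
    targets = []
    for line in map(str.strip, jicofo_props.splitlines()):
        if line.startswith("-D" + AUTH_KEY):
            findings.append("-D prefix belongs on a command line, not in the properties file")
        elif line.startswith(AUTH_KEY + "=XMPP:"):
            targets.append(line.split("XMPP:", 1)[1])
    if not targets:
        findings.append(AUTH_KEY + " is not set")
    for host in targets:
        if host not in authed:
            findings.append("auth URL host %r is not an authenticated VirtualHost %r" % (host, authed))
    return findings
```

To use it on a server, pass the text of the Prosody host file and of /etc/jitsi/jicofo/sip-communicator.properties to `check_secure_domain` and read the returned findings.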

Thanks @Alan, unfortunately I tried several variations and it still doesn't work :frowning: