Is it safe to make jitsi-meet configuration file public?


#1

Hello,

I want to know if it’s safe to keep the Jitsi-Meet configuration file public, like the official one https://meet.jit.si/config.js
What will happen if another platform uses the same one for their clients? For instance, meet.example.com is using https://meet.jit.si/config.js


#2

I don’t see a problem with that. For example the meet.jit.si infrastructure is open and can be used by anybody, the same way as meet.jit.si is open to everybody.
All the configurations there, like callstats, analytics, Microsoft or Google AppIDs, are supposed to be used that way and have their own protection mechanisms configuring the source site so that they can be used only from meet.jit.si, so nobody can take those and use them for their own deployment.
There are also a number of ways to protect the use of the system, such as jwt and authentication.


#3

meet.jit.si was just an example.
If I understood well, any other jitsi platform could use my resources (prosody, jvb, etc) once they use the same configuration file as my platform?
I am talking about my jitsi-meet platform with basic installation (without any kind of authentication)


#4

So the entry point for the deployment is the bosh connection; if that bosh connection cannot be established from another domain it is safe. I think this is the case with a default unprotected deployment.


#5

Correct.
I used https://meet.jit.si/config.js for my testing platform and this is what I got:
[image]


#6

That’s interesting, I thought it can be used from everywhere. The interesting part is what is in the console log, what didn’t work? :slight_smile:


#7

I simply got this in the JS console:
[image]

Any explanation? Maybe there are more details in your prosody’s log files.


#8

Hum, it must be something else; that is strange, it asks for a password and does not authenticate you for some reason … Did you download the config.js or do you just reference it from your deployment? Referencing will not work because of the way meet.jit.si is configured.
Checking prosody logs is not an option: there are 6 shards (6 prosodies) in different locations, and without knowing the conference name it will be a waste of time anyway.
But loading bosh from meet.jit.si should be fine as it has 'Access-Control-Allow-Origin' '*'.


#9

Maybe because I send a JWT in the URL? :thinking:
I will try to do it without the token parameter in the URL.

I downloaded it and replaced my configuration file with it.


#10

Yeh, there is no way jwt will work, as you don’t know the shared secret configured on meet.jit.si :wink:


#11

Well, I confirm. I used https://meet.jit.si/config.js for my jitsi platform.
I guess 18.196.161.128 is one of your jvb instances.

[image]

So the only way to prevent other jitsi platforms from using my resources, besides authentication and jwt, is to set the Access-Control-Allow-Origin http header to 'Access-Control-Allow-Origin' 'myjitsi.com'?


#12

Yes, or to not set it at all; this will prevent anyone other than the client connected using the web under your domain.
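A self-check for the point made in #11 and #12, added here and not taken from the thread or from Jitsi/Prosody code: it fetches your own /http-bind with a foreign Origin header and reports whether the Access-Control-Allow-Origin value would let a page on another site open BOSH sessions. The BOSH URL and the foreign origin are placeholders.

```python
"""Check whether a Jitsi /http-bind (BOSH) endpoint would be usable from a
foreign web origin, judged from its Access-Control-Allow-Origin header.
Added example for this thread, not Jitsi or Prosody code; URL and origin
values below are placeholders."""
import sys
import urllib.error
import urllib.request
from typing import Optional


def cors_verdict(acao: Optional[str], foreign_origin: str) -> str:
    """Classify the Access-Control-Allow-Origin value seen by foreign_origin.

    "open"       -> '*': a page on any site can open BOSH sessions (post #8)
    "allowed"    -> header names exactly this foreign origin
    "restricted" -> header absent (browser blocks cross-origin, post #12)
                    or names some other origin (post #11)
    """
    if acao is None:
        return "restricted"
    value = acao.strip()
    if value == "*":
        return "open"
    # Browsers require a single exact match; a comma-separated list is not
    # valid CORS and is rejected, so anything else counts as restricted.
    if value == foreign_origin:
        return "allowed"
    return "restricted"


def probe_bosh(bosh_url: str, foreign_origin: str = "https://other-site.example") -> str:
    """GET the endpoint with a foreign Origin header and classify the reply.
    Prosody answers GET on /http-bind with a short HTML page, but a 4xx/5xx
    reply still carries headers, so those are inspected too."""
    req = urllib.request.Request(bosh_url, headers={"Origin": foreign_origin})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            acao = resp.headers.get("Access-Control-Allow-Origin")
    except urllib.error.HTTPError as err:
        acao = err.headers.get("Access-Control-Allow-Origin")
    return cors_verdict(acao, foreign_origin)


if __name__ == "__main__":
    # placeholder domain; pass your own deployment's BOSH URL as argv[1]
    url = sys.argv[1] if len(sys.argv) > 1 else "https://meet.example.com/http-bind"
    print(f"{url}: {probe_bosh(url)}")
```

A result of "open" means the header is '*', as described for meet.jit.si in #8; "restricted" is what you want on a single-domain deployment.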


#13

Tested and approved! :ok_hand:
Thanks