[jicofo] Authentification for host and guests

Hello,

I’m trying to configure jitsi (debian package 1.0.4101-1) to use authentication for both host and guests.

I have added some parameters in different config files.

/etc/jitsi/meet/jitsi.systella.fr-config.js:

    hosts: {
        // XMPP domain.
        domain: 'jitsi.systella.fr',
        anonymousdomain: 'guest.jitsi.systella.fr',
        muc: 'conference.jitsi.systella.fr'
    },
...

/etc/jitsi/meet/jitsi.systella.fr-config.js:

JICOFO_HOST=localhost
JICOFO_HOSTNAME=jitsi.systella.fr
JICOFO_SECRET=xxxx
JICOFO_OPTS="-Dorg.jitsi.jicofo.auth.URL=XMPP:jitsi.systella.fr"
JICOFO_PORT=5347
JICOFO_AUTH_DOMAIN=auth.jitsi.systella.fr
JICOFO_AUTH_USER=focus
JICOFO_AUTH_PASSWORD=xxxxx
JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jicofo -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi -Djava.util.logging.config.file=/etc/jitsi/jicofo/logging.properties"

jitsi.systella.fr.cfg.lua:

VirtualHost "jitsi.systella.fr"
    authentication = "internal_plain"
    ssl = {
        key = "/etc/prosody/certs/jitsi.systella.fr.key";
        certificate = "/etc/prosody/certs/jitsi.systella.fr.crt";
    }
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
    }

    c2s_require_encryption = false

VirtualHost "guest.jitsi.systella.fr"
    authentication = "internal_plain"
    c2s_require_encryption = false

Component "conference.jitsi.systella.fr" "muc"
    storage = "memory"
    --modules_enabled = { "token_verification" }

admins = { "focus@auth.jitsi.systella.fr" }

Component "jitsi-videobridge.jitsi.systella.fr"
    component_secret = "xxxxx"

VirtualHost "auth.jitsi.systella.fr"
    ssl = {
        key = "/etc/prosody/certs/auth.jitsi.systella.fr.key";
        certificate = "/etc/prosody/certs/auth.jitsi.systella.fr.crt";
    }
    authentication = "internal_plain"
    -- authentication = "anonymous"

Component "focus.jitsi.systella.fr"
    component_secret = "xxxx"

Problem: when I try to connect to my server, authentication is required but focus@auth.jitsi.systella.fr is refused, and all users created directly with:
prosodyctl register bertrand jitsi.systella.fr <xxxx>
can create a new room.

Where is my mistake?

Best regards,

JB

I have seen that with this configuration, all registered users (xxx@jitsi.systella.fr) are hosts and not guests. All registered users, not only focus@auth.jitsi.systella.fr, can create rooms. I don’t understand…

Best regards,

JKB

I want to do the same thing - authenticate both hosts and guests, but by different means. Were you able to do this?

Thanks.

I think the guest.jitsi.systella.fr virtual host should have authentication as anonymous and not internal_plain.

No. I use authentication. My configuration is now usable.

Apache2/prosody/jicofo and jitsi-meet.

Apache configuration:

<VirtualHost *:443>
  ServerName jitsi.systella.fr

  SSLProtocol TLSv1 TLSv1.1 TLSv1.2
  SSLEngine on
  SSLProxyEngine on
  SSLCertificateFile /etc/letsencrypt/live/systella.fr/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/systella.fr/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/systella.fr/chain.pem
  SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED"
  SSLHonorCipherOrder on
  Header set Strict-Transport-Security "max-age=31536000"

  DocumentRoot "/usr/share/jitsi-meet"
  <Directory "/usr/share/jitsi-meet">
    Options Indexes MultiViews Includes FollowSymLinks
    AddOutputFilter Includes html
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>

  ErrorDocument 404 /static/404.html

  Alias "/config.js" "/etc/jitsi/meet/jitsi.systella.fr-config.js"
  <Location /config.js>
    Require all granted
  </Location>

  Alias "/external_api.js" "/usr/share/jitsi-meet/libs/external_api.min.js"
  <Location /external_api.js>
    Require all granted
  </Location>

  ProxyPreserveHost on
  ProxyPass /http-bind http://localhost:5280/http-bind/
  ProxyPassReverse /http-bind http://localhost:5280/http-bind/

  RewriteEngine on
  RewriteRule ^/([a-zA-Z0-9]+)$ /index.html
</VirtualHost>

Prosody (/etc/prosody/conf.d/jitsi.systella.fr.cfg.lua): the conf file has to begin with:

consider_bosh_secure = true;
https_key = "/etc/prosody/certs/jitsi.systella.fr.key";
https_certificate = "/etc/prosody/certs/jitsi.systella.fr.crt";

Later, some subdomains are created:

VirtualHost "jitsi.systella.fr"
    authentication = "internal_plain"
    ssl = {
        key = "/etc/prosody/certs/jitsi.systella.fr.key";
        certificate = "/etc/prosody/certs/jitsi.systella.fr.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
    }
    c2s_require_encryption = false

VirtualHost "guest.jitsi.systella.fr"
    authentication = "internal_plain"
    c2s_require_encryption = false

Component "conference.jitsi.systella.fr" "muc"
    storage = "memory"

admins = { "focus@auth.jitsi.systella.fr" }

Component "jitsi-videobridge.jitsi.systella.fr"
    component_secret = "lkjhlkjolkj"

VirtualHost "auth.jitsi.systella.fr"
    ssl = {
        key = "/etc/prosody/certs/jitsi.systella.fr.key";
        certificate = "/etc/prosody/certs/jitsi.systella.fr.crt";
    }
    authentication = "internal_plain"

Component "focus.jitsi.systella.fr"
    component_secret = "sldkjflsdkjf"

Jicofo’s config:

JICOFO_HOST=localhost
JICOFO_HOSTNAME=jitsi.systella.fr
JICOFO_SECRET=dlfkgjldfkjglj
JICOFO_PORT=5347
JICOFO_AUTH_DOMAIN=auth.jitsi.systella.fr
JICOFO_AUTH_USER=focus
JICOFO_AUTH_PASSWORD=lksdjfljf
JICOFO_OPTS=
JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jicofo -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi -Djava.util.logging.config.file=/etc/jitsi/jicofo/logging.properties"

sip-communicator.properties:

org.jitsi.jicofo.auth.URL=XMPP:auth.jitsi.systella.fr
org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true

/etc/jitsi/meet:

var config = {
    hosts: {
        domain: 'jitsi.systella.fr',
        anonymousdomain: 'guest.jitsi.systella.fr',
        authdomain: 'auth.jitsi.systella.fr',
        muc: 'conference.jitsi.systella.fr'
    },

    bosh: '//jitsi.systella.fr/http-bind',
    clientNode: 'http://jitsi.org/jitsimeet',

    testing: {
        enableFirefoxSimulcast: false,
        p2pTestMode: false
    },

    resolution: 720,
    constraints: {
        video: {
            aspectRatio: 16 / 9,
            height: {
                ideal: 480,
                max: 720,
                min: 240
            }
        }
    },

    desktopSharingChromeSources: [ 'screen', 'window', 'tab' ],
    desktopSharingChromeMinExtVersion: '0.1',
    channelLastN: -1,
    enableTcc: true,
    enableRemb: false,
    useIPv6: true,
    requireDisplayName: true,
    enableWelcomePage: true,
    defaultLanguage: 'fr',
    enableUserRolesBasedOnToken: false,

    // I disabled p2p, but it also works with it enabled
    p2p: {
        enabled: false,

        stunServers: [
            { urls: 'stun:stun.l.google.com:19302' },
            { urls: 'stun:stun1.l.google.com:19302' },
            { urls: 'stun:stun2.l.google.com:19302' }
        ],
    },

    analytics: {
    }
};

sip-communicator.properties:

JVB_HOSTNAME=jitsi.systella.fr
JVB_HOST=
JVB_PORT=5347
JVB_SECRET= (see Component "jitsi-videobridge.jitsi.systella.fr" in the prosody config)
JVB_OPTS="--apis=xmpp,rest"
JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=videobridge -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi -Djava.util.logging.config.file=/etc/jitsi/videobridge/logging.properties"

and last file:

org.jitsi.videobridge.AUTHORIZED_SOURCE_REGEXP=focus@auth.jitsi.systella.fr/.*
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.254.1
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=(public ip)
org.ice4j.ice.harvest.ALLOWED_ADDRESSES=192.168.254.1

With these configuration files, I obtain a configuration with authentication for hosts (domain auth.jitsi.systella.fr) and for guests (domain jitsi.systella.fr). I have done some QoS and now jitsi runs as I expected.

Best regards,

JB

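An added example, not code from the thread: a small Python audit that reads a Prosody config the way Prosody scopes it (each setting belongs to the most recent VirtualHost/Component line above it), so you can see which host an `admins` line or `authentication` setting actually applies to, and whether every admin JID lives on a domain that authenticates logins. The embedded config is a constructed sample of the layout above with placeholder secrets.

```python
import re
# Constructed sample mirroring the layout posted in the thread (secrets are placeholders).
SAMPLE_CFG = """consider_bosh_secure = true;
VirtualHost "jitsi.systella.fr"
    authentication = "internal_plain"
    ssl = {
        key = "/etc/prosody/certs/jitsi.systella.fr.key";
    }
VirtualHost "guest.jitsi.systella.fr"
    authentication = "internal_plain"
Component "conference.jitsi.systella.fr" "muc"
admins = { "focus@auth.jitsi.systella.fr" }
VirtualHost "auth.jitsi.systella.fr"
    authentication = "internal_plain"
Component "focus.jitsi.systella.fr"
    component_secret = "placeholder"
"""
SECTION_RE = re.compile(r'^(VirtualHost|Component)\s+"([^"]+)"')
SETTING_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+?);?\s*$')

def parse_prosody(text):
    """Return {section: {setting: value}}; '*' is the global block. As in Prosody,
    a setting belongs to the most recent VirtualHost/Component line above it."""
    sections, current, depth = {"*": {}}, "*", 0
    for raw in text.splitlines():
        line = raw.split("--", 1)[0].strip()          # drop Lua comments
        if depth:                                     # inside a multi-line table
            depth += line.count("{") - line.count("}")
        elif sec := SECTION_RE.match(line):
            current = sec.group(2)
            sections[current] = {"_kind": sec.group(1)}
        elif m := SETTING_RE.match(line):
            key, val = m.groups()
            depth = val.count("{") - val.count("}")
            # tables keep their quoted strings, scalars lose the quotes
            sections[current][key] = re.findall(r'"([^"]+)"', val) if "{" in val else val.strip('"')
    return sections

def audit(sections):
    """Flag VirtualHosts that let anyone in, and admin JIDs whose domain does not authenticate."""
    findings = []
    for name, s in sections.items():
        if s.get("_kind") == "VirtualHost" and s.get("authentication") in (None, "anonymous"):
            findings.append(f"{name}: {s.get('authentication') or 'no explicit'} authentication")
        for jid in s.get("admins", []):
            dom = jid.rsplit("@", 1)[-1]
            host = sections.get(dom, {})
            if host.get("_kind") != "VirtualHost" or host.get("authentication") in (None, "anonymous"):
                findings.append(f"admin {jid} (scoped to {name}): {dom} does not authenticate logins")
    return findings
```

Run it against your own file with `audit(parse_prosody(open("/etc/prosody/conf.d/jitsi.systella.fr.cfg.lua").read()))`; an empty list means every virtual host requires a login and the admin account is on an authenticating domain.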

So you are saying with this configuration you are able to have both hosts and guests authenticated, but only hosts are able to create conference?

Thanks

Exactly.

Hosts are configured in ‘/etc/prosody/conf.d/jitsi.systella.fr.cfg.lua’ and guests are created with prosodyctl register command.

JB

Hi JKB!

I just followed your configuration but right now I’m not able to join a new meeting.
I’m getting a wrong user/password message.

When you say “Hosts are configured in ‘/etc/prosody/conf.d/jitsi.systella.fr.cfg.lua’”, can you please give an example?

I had created several users with:
sudo prosodyctl register username jitsi.example.com 123password

It was working, but all the users had moderator privileges.
After setting your configuration, the users I’ve created stopped working; indeed I’m getting the wrong user/password message, so I don’t know what I did wrong.

On the other hand, I tried to ping auth.jitsi.example.com, but there is no answer even locally from the server. Do I need to create a DNS record?

Thanks in advance!
Guille.

Guille Bazzi via Jitsi Community Forum - developers & users wrote:

[w1L] w1L https://community.jitsi.org/u/w1l
May 19

Hi JKB!

I just followed your configuration but right now I’m not able to join a new meeting.
I’m getting a wrong user/password message.

When you say “Hosts are configured in ‘/etc/prosody/conf.d/jitsi.systella.fr.cfg.lua’”, can you please give an example?

You should have a line in the configuration file like:

admins = { "admin_account@auth.jitsi.my.domain" }

Replace "admin_account@auth.jitsi.my.domain" with yours. In my case, it's "host@auth.jitsi.systella.fr". If I remember, you can put several logins in admins.

I had created several users with:

sudo prosodyctl register username jitsi.example.com 123password

It was working, but all the users had moderator privileges.
After setting your configuration, the users I’ve created stopped working; indeed I’m getting the wrong user/password message, so I don’t know what I did wrong.

You must have at the beginning of the prosody configuration:

consider_bosh_secure = true;
https_key = "/etc/prosody/certs/jitsi.systella.fr.key";
https_certificate = "/etc/prosody/certs/jitsi.systella.fr.crt";

You should activate authentication in prosody:

VirtualHost "jitsi.systella.fr"
    authentication = "internal_plain"

VirtualHost "guest.jitsi.systella.fr"
    authentication = "internal_plain"

VirtualHost "auth.jitsi.systella.fr"
    authentication = "internal_plain"

Host login is admin_account (with domain). And guests are username@jitsi.my.domain.

On the other hand, I tried to ping auth.jitsi.example.com, but there is no answer even locally from the server. Do I need to create a DNS record?

No, it's only an internal domain. You have to create a DNS record for your http/https server, but auth.jitsi.my.domain and the other jitsi subdomains are only internal.

If you want more help, please check and post errors in log files.

JKB