Jicofo sends 403 access denied by service policy

amirphl · April 20, 2021, 8:12am

Hi,
Unfortunatly I get conference.focusDisconnected when I try to join a room and a lot of 403 messages in websocket xmpp messages. This is the full log.

jitsi meet client:

2021-04-20T07:54:04.948Z [conference.js] <ee._onConferenceFailed>: CONFERENCE FAILED: conference.focusDisconnected focus.mydomain.com
jicofo:

jicofo logs:

Summary

Jicofo 2021-04-20 12:04:01.494 INFO: [1] Main.main#65: Starting Jicofo.

Jicofo 2021-04-20 12:04:01.804 INFO: [1] JitsiConfig.#47: Initialized newConfig: merge of ./jicofo.conf: 1,system properties,reference.conf @ jar:file:/jicofo-1.1-SNAPSHOT/jicofo.jar!/reference.conf: 1

Jicofo 2021-04-20 12:04:01.807 INFO: [1] ReadOnlyConfigurationService.reloadConfiguration#40: net.java.sip.communicator.SC_HOME_DIR_LOCATION not set

Jicofo 2021-04-20 12:04:01.808 INFO: [1] JitsiConfig.#68: Initialized legacyConfig: sip communicator props (no description provided)

Jicofo 2021-04-20 12:04:01.808 INFO: [1] JitsiConfig$Companion.reloadNewConfig#94: Reloading the Typesafe config source (previously reloaded 0 times).

Jicofo 2021-04-20 12:04:02.527 WARNING: [1] [xmpp_connection=client] XmppProviderImpl.createXmppConnection#167: Disabling TLS certificate verification!

Jicofo 2021-04-20 12:04:02.574 INFO: [1] XmppServices.#40: No dedicated Service XMPP connection configured, re-using the client XMPP connection.

Jicofo 2021-04-20 12:04:02.643 INFO: [1] BridgeSelector.#79: Using org.jitsi.jicofo.bridge.SingleBridgeSelectionStrategy

Jicofo 2021-04-20 12:04:02.652 INFO: [1] [type=bridge brewery=jvbbrewery] BaseBrewery.#101: Initialized with JID=jvbbrewery@internal.auth.mydomain.com

Jicofo 2021-04-20 12:04:02.748 INFO: [12] [xmpp_connection=client] XmppProviderImpl.doConnect#204: Connected, JID= null

Jicofo 2021-04-20 12:04:02.947 WARNING: [16] org.jivesoftware.smackx.muc.MultiUserChat$3.processStanza: Presence not from a full JID: jvbbrewery@internal.auth.mydomain.com

Jicofo 2021-04-20 12:04:02.965 WARNING: [16] org.jivesoftware.smackx.muc.MultiUserChat$3.processStanza: Presence not from a full JID: jvbbrewery@internal.auth.mydomain.com

Jicofo 2021-04-20 12:04:02.970 INFO: [12] [type=bridge brewery=jvbbrewery] BaseBrewery.start#172: Joined the room.

Jicofo 2021-04-20 12:04:02.971 INFO: [12] [xmpp_connection=client] XmppProviderImpl.fireRegistrationStateChanged#330: Set replyTimeout=PT15S

Jicofo 2021-04-20 12:04:03.043 INFO: [1] FocusManager.start#143: Initialized octoId=1234

Jicofo 2021-04-20 12:04:03.056 INFO: [1] JicofoServices.createAuthenticationAuthority#191: Starting authentication service with config=AuthConfig[enabled=true, type=XMPP, loginUrl=ejabberd, logoutUrl=null, authenticationLifetime=PT24H, enableAutoLogin=true].

Jicofo 2021-04-20 12:04:03.059 INFO: [1] AbstractAuthAuthority.#112: Authentication lifetime: PT24H

Jicofo 2021-04-20 12:04:03.066 INFO: [1] IqHandler.init#93: Registering IQ handlers with XmppConnection.

Jicofo 2021-04-20 12:04:03.071 INFO: [1] JicofoServices.#153: Starting HTTP server with config: host=null, port=8888, tlsPort=8843, isTls=false, keyStorePath=null.

Jicofo 2021-04-20 12:04:03.140 INFO: [1] org.eclipse.jetty.util.log.Log.initialized: Logging initialized @1969ms to org.eclipse.jetty.util.log.Slf4jLog

Jicofo 2021-04-20 12:04:03.290 INFO: [1] org.eclipse.jetty.server.Server.doStart: jetty-9.4.35.v20201120; built: 2020-11-20T21:17:03.964Z; git: bdc54f03a5e0a7e280fab27f55c3c75ee8da89fb; jvm 1.8.0_282-b08

Jicofo 2021-04-20 12:04:03.922 WARNING: [1] org.glassfish.jersey.internal.inject.Providers.checkProviderRuntime: A provider org.jitsi.rest.Version registered in SERVER runtime does not implement any provider interfaces applicable in the SERVER runtime. Due to constraint configuration problems the provider org.jitsi.rest.Version will be ignored.

Jicofo 2021-04-20 12:04:04.286 INFO: [1] org.eclipse.jetty.server.handler.ContextHandler.doStart: Started o.e.j.s.ServletContextHandler@5ac6c4f2{/,null,AVAILABLE}

Jicofo 2021-04-20 12:04:04.315 INFO: [1] org.eclipse.jetty.server.AbstractConnector.doStart: Started ServerConnector@42b64ab8{HTTP/1.1, (http/1.1)}{0.0.0.0:8888}

Jicofo 2021-04-20 12:04:04.316 INFO: [1] org.eclipse.jetty.server.Server.doStart: Started @3146ms

Jicofo 2021-04-20 12:04:10.870 INFO: [16] [type=bridge brewery=jvbbrewery] BaseBrewery.addInstance#338: Added brewery instance: jvbbrewery@internal.auth.mydomain.com/jvb1

Jicofo 2021-04-20 12:04:10.884 INFO: [16] BridgeSelector.addJvbAddress#118: Added new videobridge: Bridge[jid=jvbbrewery@internal.auth.mydomain.com/jvb1, relayId=null, region=null, stress=0.00]

Jicofo 2021-04-20 12:04:10.885 INFO: [16] JvbDoctor.addBridge#140: Scheduled health-check task for: jvbbrewery@internal.auth.mydomain.com/jvb1

These are the websocket messages:

<iq xmlns='jabber:client' xml:lang='en' to='cfc3d02d-ccad-4352-be97-b73954f59ee97f5e0d60-ca6d-4dcd-ad0e-36a82974eaf3idmowobt32ivf2icga@mydomain.com/18615075054396656653234' from='focus.mydomain.com' type='error' id='ddb302b7-c093-4dae-919d-292b6ddb5fac:sendIQ'><conference xmlns='http://jitsi.org/protocol/focus' machine-uid='58eb0c649fb437058649e682e955b3e1' room='7f5e0d60-ca6d-4dcd-ad0e-36a82974eaf3@conference.mydomain.com' session-id='27ad2468-1ca2-40b1-84cc-7fc77b7232fb'><property name='call_control' value='callcontrol.mydomain.com'/><property name='disableRtx' value='false'/><property name='enableLipSync' value='false'/><property name='openSctp' value='false'/><property name='startAudioMuted' value='10'/></conference><error code='403' type='auth'><forbidden xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>Access denied by service policy</text></error></iq>

I get a lot of <error code='403' type='auth'> <forbidden xmlns='urn:ietf:params:xml:ns:xmpp-stanzas' /> <text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>Access denied by service policy</text> </error> messages while try to send set messages to xmpp server. Also Jicofo doesn’t log anything after scheduleing health check on jvb.

I have deployed jicofo from commit: GitHub - jitsi/jicofo at adaedbfd013e14462f53f7ffe616a3a186a26d51

Can anyone help?

damencho · April 20, 2021, 12:46pm

There are certain configs done when you upgrade jicofo through debian packages. I think your jicofo is misconfigured.

github.com

jitsi/jitsi-meet/blob/ef4af415a867e7d6810aa37e976f6023e2af71e8/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example#L80


        "ping";
    }
    admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true


VirtualHost "auth.jitmeet.example.com"
    authentication = "internal_hashed"


-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.jitmeet.example.com" "client_proxy"
    target_address = "focusUser@auth.jitmeet.example.com"


Component "speakerstats.jitmeet.example.com" "speakerstats_component"
    muc_component = "conference.jitmeet.example.com"


Component "conferenceduration.jitmeet.example.com" "conference_duration_component"
    muc_component = "conference.jitmeet.example.com"


Component "lobby.jitmeet.example.com" "muc"
    storage = "memory"

github.com

jitsi/jitsi-meet/blob/ef4af415a867e7d6810aa37e976f6023e2af71e8/debian/jitsi-meet-prosody.postinst#L155


fi

# Old versions of jitsi-meet-prosody come with the extra plugin path commented out (https://github.com/jitsi/jitsi-meet/commit/e11d4d3101e5228bf956a69a9e8da73d0aee7949)
# Make sure it is uncommented, as it contains required modules.
if grep -q -- '--plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }' $PROSODY_HOST_CONFIG ;then
    sed -i 's#--plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }#plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }#g' $PROSODY_HOST_CONFIG
    PROSODY_CONFIG_PRESENT="false"
fi

# Make sure the focus@auth user's roster includes the proxy component (this is idempotent)
prosodyctl mod_roster_command subscribe focus.$JVB_HOSTNAME $JICOFO_AUTH_USER@auth.$JVB_HOSTNAME

if [ ! -f /var/lib/prosody/$JVB_HOSTNAME.crt ]; then
    # prosodyctl takes care for the permissions
    # echo for using all default values
    echo | prosodyctl cert generate $JVB_HOSTNAME

    ln -sf /var/lib/prosody/$JVB_HOSTNAME.key /etc/prosody/certs/$JVB_HOSTNAME.key
    ln -sf /var/lib/prosody/$JVB_HOSTNAME.crt /etc/prosody/certs/$JVB_HOSTNAME.crt
fi

amirphl · April 20, 2021, 6:37pm

Thanks you for the reply.
I have changed my XMPP server from Prosody so something else. Is it possible to still register the Jicofo as a component via some configuration or something else?

damencho · April 20, 2021, 6:40pm

Nope, latest master does not use component just the user connection.