Jitsi Docker + shibboleth

Has anybody attempted to get OAuth working with the dockerized version of Jitsi? If so, would you please post a small tutorial on how to get started?

I am going crazy trying to add the module https://github.com/nginx-shib/nginx-http-shibboleth to the existing nginx installation.
I downloaded the same version of nginx, “1.10.3-1+deb9u3”, and rebuilt it with these parameters:

./configure --add-dynamic-module=nginx-http-shibboleth $(nginx -V)
make
make install

and got the ngx_http_shibboleth_module.so file.

I redeployed the container with this module, but I am getting:

nginx -t
nginx: [emerg] module "/etc/nginx/modules-enabled/ngx_http_shibboleth_module.so" is not binary compatible in /etc/nginx/nginx.conf:5
nginx: configuration file /etc/nginx/nginx.conf test failed

5 days later, I was able to figure it out!

sudo docker-compose exec web bash
cd /opt
apt-get update
apt-get install -y wget dpkg-dev git gcc build-essential libpcre3-dev libssl-dev zlib1g-dev
wget http://deb.debian.org/debian/pool/main/n/nginx/nginx_1.10.3-1+deb9u3.dsc
wget http://deb.debian.org/debian/pool/main/n/nginx/nginx_1.10.3.orig.tar.gz
wget http://deb.debian.org/debian/pool/main/n/nginx/nginx_1.10.3-1+deb9u3.debian.tar.xz

dpkg-source --no-check -x nginx_1.10.3-1+deb9u3.dsc
rm nginx_*


git clone https://github.com/nginx-shib/nginx-http-shibboleth
cd nginx-1.10.3

This is the important part to be able to build a compatible dynamic module. The part we care about is everything after "configure arguments:" and before the first dynamic module.

nginx -V

nginx version: nginx/1.10.3
built with OpenSSL 1.1.0k  28 May 2019 (running with OpenSSL 1.1.0l  10 Sep 2019)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-DhOtPd/nginx-1.10.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/headers-more-nginx-module --add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-cache-purge --add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-development-kit --add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/ngx-fancyindex 
--add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nchan --add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-lua --add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-upload-progress --add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module

For me it looked like this after adding ./configure in front and the path to the shibboleth dynamic module in the back:
./configure --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-DhOtPd/nginx-1.10.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --add-dynamic-module=/opt/nginx-http-shibboleth

install

make
make install
exit

Extract the module file into the newly created folder web/rootfs/etc/nginx/modules-enabled/:

sudo docker cp dockerjitsimeet_web_1:/usr/lib/nginx/modules/ngx_http_shibboleth_module.so web/rootfs/etc/nginx/modules-enabled/
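The rule from the post above (keep every configure argument before the first dynamic module, then append the Shibboleth module) can be scripted, as an added example that is not part of the original post. `nginx -V` writes to stderr, so a bare `$(nginx -V)` passes no arguments to `./configure`; the function name `shib_configure_cmd` and the shortened sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed sample: a shortened `nginx -V` output in the same shape as the one above.
SAMPLE_NGINX_V="nginx version: nginx/1.10.3
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --with-http_ssl_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-stream=dynamic --add-dynamic-module=/build/x/debian/modules/nginx-echo"

# Reads `nginx -V` output on stdin and prints a ./configure command line that
# keeps every argument before the first dynamic module and appends the module
# source directory given in $1 (hypothetical helper name).
shib_configure_cmd() {
    module_src=$1
    # Only the "configure arguments:" line matters; version/TLS lines are dropped.
    args=$(sed -n 's/^configure arguments: //p' | head -n 1)
    if [ -z "$args" ]; then
        echo "no 'configure arguments:' line on stdin (nginx -V prints to stderr; use 2>&1)" >&2
        return 1
    fi
    # Cut at the first "--with-<name>=dynamic" or "--add-dynamic-module=" flag.
    # Quoted values such as --with-cc-opt='...' are left untouched.
    kept=$(printf '%s\n' "$args" |
        sed -E 's/ --(with-[A-Za-z0-9_]+=dynamic|add-dynamic-module=).*$//')
    printf './configure %s --add-dynamic-module=%s\n' "$kept" "$module_src"
}

# Real use inside the container:
#   nginx -V 2>&1 | shib_configure_cmd /opt/nginx-http-shibboleth
printf '%s\n' "$SAMPLE_NGINX_V" | shib_configure_cmd /opt/nginx-http-shibboleth
```

The printed line still contains the quoted `--with-cc-opt`/`--with-ld-opt` values, so paste it into the shell from the nginx source directory (or run it through `eval`) rather than word-splitting it from a variable.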

I am almost there…
After tons of troubleshooting… the Shibboleth (SP) + PingFederate (IdP) setup works flawlessly. If someone is having issues with this, I don't mind explaining how I did it.

The problem that I am having is that when I create a room and click “I am the host” I get an nginx error 500 on the /login page.

Web log

web_1 | 172.25.139.145 - - [06/May/2020:17:02:15 -0500] "GET /login/?machineUID=29a266634ba67de8fa5e7d30b934ae11&room=login@muc.meet.jitsi&close=false HTTP/1.1" 500 607 "https://jitsi-meet.MYDOMAIN.com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"

Jicofo log

jicofo_1 | Jicofo 2020-05-06 17:02:15.601 INFO: [69] org.jitsi.jicofo.xmpp.FocusComponent.handleAuthUrlIq().512 Sending url: <iq to='krm1upgwesica0ed@meet.jitsi/l0Rpym-Z' id='42905555-61f3-4ae4-a25b-0859cbc09dd6:sendIQ' type='result'><login-url xmlns='http://jitsi.org/protocol/focus' url='login%2F%3FmachineUID%3D29a266634ba67de8fa5e7d30b934ae11%26room%3Dlogin%40muc.meet.jitsi%26close%3Dfalse'/></iq>

I tried making it work for 2 weeks with NGINX+Shibboleth and it was a pain.

I decided to install Apache in my Docker container and I was able to make it work right away.

cat /etc/apache2/sites-available/jitsi-meet.<my-domain>.com.conf

<VirtualHost *:80>
    ServerName jitsi-meet.<my-domain>.com
    Redirect permanent / https://jitsi-meet.<my-domain>.com/
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>

    ServerName jitsi-meet.<my-domain>.com

    SSLProtocol TLSv1 TLSv1.1 TLSv1.2
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /config/keys/cert.crt
    SSLCertificateKeyFile /config/keys/cert.key
    SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED"
    SSLHonorCipherOrder on
    Header set Strict-Transport-Security "max-age=31536000"

    DocumentRoot "/usr/share/jitsi-meet"
    <Directory "/usr/share/jitsi-meet">
        Options Indexes MultiViews Includes FollowSymLinks
        AddOutputFilter Includes html
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    <Directory "/config">
        Require all granted
    </Directory>

    ErrorDocument 404 /static/404.html

    Alias "/config.js" "/config/config.js"
    <Location /config.js>
        Require all granted
    </Location>

    Alias "/external_api.js" "/usr/share/jitsi-meet/libs/external_api.min.js"
    <Location /external_api.js>
        Require all granted
    </Location>

    Alias "/interface_config.js" "/config/interface_config.js"
    <Location /interface_config.js>
        Require all granted
    </Location>

    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    <Location /login>
        AuthType shibboleth
        ShibRequestSetting requireSession true
        ShibRequestSetting redirectToSSL 443
        ShibUseHeaders On
        Require valid-user
        SetHandler shib
        ProxyPass http://jicofo:8888/login
        ProxyPassReverse http://jicofo:8888/login
    </Location>

    ProxyPreserveHost on
    ProxyPass /http-bind http://xmpp.meet.jitsi:5280/http-bind/
    ProxyPassReverse /http-bind http://xmpp.meet.jitsi:5280/http-bind

    RewriteEngine on
    RewriteRule ^/([a-zA-Z0-9]+)$ /index.html
</VirtualHost>