Hi,
Please correct me if I’m wrong, but there seems to be a contradiction in the quickstart manual at Self-Hosting Guide - Debian/Ubuntu server · Jitsi Meet Handbook.
It states right at the beginning that one of the required packages is nginx-full. However, further down under “Install Jitsi Meet” it also states that “The installer will check if Nginx or Apache are present”.
The last time I struggled to install Jitsi Meet on a server was in Jan. 2020, and I used apache instead of nginx.
I am now trying to install an updated server and having trouble getting user authentication to work. I was wondering if using nginx or apache made any difference (I don’t think so).
On my older server (Jan. 2020) I have user authentication enabled with ldap2, and it’s working great.
On my new server, unauthed/default installation works fine with Apache2. However, if I enable authentication as per Secure Domain setup · Jitsi Meet Handbook there’s simply no user login page. Any user can open a room. However, if more than one user opens the same room, they do not see each other (they are alone).
I see no errors anywhere (server logs and client browser consoles). The only thing I do see is that the client browsers report:
[modules/xmpp/strophe.util.js] <Object.r.Strophe.log>: Strophe: Server did not yet offer a supported authentication mechanism. Sending a blank poll request.
I also see a cert error message in prosody, but it has been said over and over that Jitsi Meet does not use it and can be ignored:
portmanager error Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281
Here are my config files (using jitsi-meet “stable” on Debian 10):
# cat /etc/prosody/conf.avail/meet.mydomain.org.cfg.lua
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "meet.mydomain.org";

turncredentials_secret = "aF9VS2uVJEzkDCDk";

turncredentials = {
    { type = "stun", host = "meet.mydomain.org", port = "3478" },
    { type = "turn", host = "meet.mydomain.org", port = "3478", transport = "udp" },
    { type = "turns", host = "meet.mydomain.org", port = "5349", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

VirtualHost "meet.mydomain.org"
    -- enabled = false -- Remove this line to enable this host
    authentication = "internal_hashed"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/meet.mydomain.org.key";
        certificate = "/etc/prosody/certs/meet.mydomain.org.crt";
    }
    speakerstats_component = "speakerstats.meet.mydomain.org"
    conference_duration_component = "conferenceduration.meet.mydomain.org"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
        "muc_lobby_rooms";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.meet.mydomain.org"
    main_muc = "conference.meet.mydomain.org"
    -- muc_lobby_whitelist = { "recorder.meet.mydomain.org" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.meet.mydomain.org" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        --"token_verification";
    }
    admins = { "focus@auth.meet.mydomain.org" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.meet.mydomain.org" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.meet.mydomain.org", "jvb@auth.meet.mydomain.org" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.meet.mydomain.org"
    ssl = {
        key = "/etc/prosody/certs/auth.meet.mydomain.org.key";
        certificate = "/etc/prosody/certs/auth.meet.mydomain.org.crt";
    }
    authentication = "internal_plain"

Component "focus.meet.mydomain.org"
    component_secret = "4pSePkRM"

Component "speakerstats.meet.mydomain.org" "speakerstats_component"
    muc_component = "conference.meet.mydomain.org"

Component "conferenceduration.meet.mydomain.org" "conference_duration_component"
    muc_component = "conference.meet.mydomain.org"

Component "lobby.meet.mydomain.org" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "guest.meet.mydomain.org"
    authentication = "anonymous"
    c2s_require_encryption = false
# sudo prosodyctl register testuser meet.mydomain.org testpwd
# ls -l /etc/prosody/conf.d/
total 0
lrwxrwxrwx 1 root root 31 Feb 20 00:23 localhost.cfg.lua -> ../conf.avail/localhost.cfg.lua
lrwxrwxrwx 1 root root 56 Feb 20 00:23 meet.mydomain.org.cfg.lua -> /etc/prosody/conf.avail/meet.mydomain.org.cfg.lua
# cat /etc/jitsi/jicofo/sip-communicator.properties
org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.meet.mydomain.org
org.jitsi.jicofo.auth.URL=XMPP:meet.mydomain.org
# cat /etc/jitsi/meet/meet.mydomain.org-config.js (well, only the first part of the file, as I believe it's the only relevant section and the file is too long to post here)
/* eslint-disable no-unused-vars, no-var */
var config = {
    // Connection
    //
    hosts: {
        // XMPP domain.
        domain: 'meet.mydomain.org',
        // When using authentication, domain for guest users.
        anonymousdomain: 'guest.mydomain.org',
        // Domain for authenticated users. Defaults to <domain>.
        // authdomain: 'meet.mydomain.org',
        // Focus component domain. Defaults to focus.<domain>.
        // focus: 'focus.meet.mydomain.org',
        // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
        muc: 'conference.meet.mydomain.org'
    },
    // BOSH URL. FIXME: use XEP-0156 to discover it.
    bosh: '//meet.mydomain.org/http-bind',
    // Websocket URL
    // websocket: 'wss://meet.mydomain.org/xmpp-websocket',
    // The name of client node advertised in XEP-0115 'c' stanza
    clientNode: 'http://jitsi.org/jitsimeet',
[...]
This is probably irrelevant, but I’d rather post it anyway:
# cat /etc/jitsi/videobridge/sip-communicator.properties
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
org.jitsi.videobridge.ENABLE_STATISTICS=true
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost
org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.meet.mydomain.org
org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb
org.jitsi.videobridge.xmpp.user.shard.PASSWORD=gnY0Ym9o
org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.meet.mydomain.org
org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=1c5e46a2-7322-4cfd-b099-c4a8783d98e0
I rebooted the server, but there’s simply no authentication presented to the client.
I also tried explicitly setting
authdomain: 'meet.mydomain.org',
in /etc/jitsi/meet/meet.mydomain.org-config.js, but that didn’t make any difference.
I’m clueless.
My older 2020 server authenticates just fine, but the new one doesn’t for some odd reason.
Any ideas?
Thanks
PS: can I or should I enable websockets with ‘wss://meet.mydomain.org/xmpp-websocket’?
Why is it disabled by default?
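
A consistency check across the three files posted above, as an added example that is not part of the original post or of Jitsi's own tooling: a secure-domain setup depends on the main Prosody VirtualHost requiring a login, on `anonymousdomain` in config.js naming a VirtualHost with `authentication = "anonymous"`, and on jicofo's `auth.URL` naming the main domain. The sample strings are constructed excerpts that mirror the posted values, and the function names are hypothetical.

```python
import re
# Constructed excerpts mirroring the values in the files posted above.
PROSODY_CFG = '''
VirtualHost "meet.mydomain.org"
authentication = "internal_hashed"
Component "conference.meet.mydomain.org" "muc"
VirtualHost "auth.meet.mydomain.org"
authentication = "internal_plain"
VirtualHost "guest.meet.mydomain.org"
authentication = "anonymous"
'''
CONFIG_JS = '''
domain: 'meet.mydomain.org',
anonymousdomain: 'guest.mydomain.org',
// authdomain: 'meet.mydomain.org',
'''
JICOFO_PROPS = "org.jitsi.jicofo.auth.URL=XMPP:meet.mydomain.org\n"

def prosody_vhosts(cfg):
    """Map each VirtualHost name to its authentication setting (None if unset)."""
    hosts, current = {}, None
    for line in cfg.splitlines():
        line = line.split("--", 1)[0].strip()          # drop Lua comments
        section = re.match(r'(VirtualHost|Component)\s+"([^"]+)"', line)
        auth = re.match(r'authentication\s*=\s*"([^"]+)"', line)
        if section:                                    # a Component ends the vhost scope
            current = section.group(2) if section.group(1) == "VirtualHost" else None
            if current:
                hosts[current] = None
        elif auth and current:
            hosts[current] = auth.group(1)
    return hosts

def js_value(config_js, key):
    """Return the uncommented '<key>: ...' string value from config.js, or None."""
    m = re.search(r"^\s*%s:\s*'([^']+)'" % re.escape(key), config_js, re.M)
    return m.group(1) if m else None

def check_secure_domain(prosody_cfg, config_js, jicofo_props):
    """Return the mismatches between the three files (empty list = consistent)."""
    hosts, problems = prosody_vhosts(prosody_cfg), []
    domain, anon = js_value(config_js, "domain"), js_value(config_js, "anonymousdomain")
    if hosts.get(domain) in (None, "anonymous"):
        problems.append("main domain %r does not require a login in Prosody" % domain)
    if hosts.get(anon) != "anonymous":
        problems.append("anonymousdomain %r is not an anonymous Prosody VirtualHost" % anon)
    auth_url = r"^org\.jitsi\.jicofo\.auth\.URL=XMPP:%s$" % re.escape(domain or "")
    if not re.search(auth_url, jicofo_props, re.M):
        problems.append("jicofo auth.URL does not name the main domain %r" % domain)
    return problems
```

Run against the real files by passing their contents in place of the three sample strings; an empty list means the hostnames and authentication modes line up.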