Jicofo, prosody and jvb are listening for connections from any address. What are the config options which must be set such that the daemons only listen for local connections where sufficient?
Please, don’t tell me to simply set up firewall rules as described in the Quick Setup Guide and be happy. I do use a firewall. However, IMHO programs should only open the connections they really need and not rely on firewalling alone.
This one makes sense to be on localhost … not sure what the prosody config for that is.
Only prosody listens on those ports; it is not jicofo. In the next stable release, 5347 will not be used, so that can go away. 5222 cannot be on localhost by default as it will prevent jigasi or jibri from connecting, depending on the configuration.
These two though can be made on localhost. Hey, @Boris_Grozev do we have those documented somewhere how to control them?
This is jicofo. Unless you’re using authentication or reservation this should be on localhost (and even in those cases it should probably be on localhost, with the necessary endpoints proxied). You can configure it with jicofo.rest.host=127.0.0.1 in jicofo.conf.
This is the bridge’s “public” interface. It’s used to communicate with clients and it is safe to be open publicly. However, it is usually exposed through an nginx proxy, so it can be limited. You can configure it with videobridge.http-servers.public.host=127.0.0.1 in jvb.conf.
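A small audit script, added here as an example and not part of the thread or of any Jitsi package, that checks whether the daemons discussed above are actually bound to 127.0.0.1 after the jicofo.conf / jvb.conf changes. It parses `ss -ltnp` style output; the sample lines are constructed, and the port-to-daemon mapping for 8888 (jicofo REST) is an assumption, since the thread only names 5222/5347 (prosody) and 9090 (jvb behind nginx).

```shell
#!/bin/sh
# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
# Real use: SS_OUT=$(ss -H -ltnp); internal_exposed "$SS_OUT" 5347 8888 9090
SAMPLE_SS='LISTEN 0 128 0.0.0.0:5222 0.0.0.0:* users:(("lua5.2",pid=1001,fd=7))
LISTEN 0 128 0.0.0.0:5347 0.0.0.0:* users:(("lua5.2",pid=1001,fd=8))
LISTEN 0 50 [::]:8888 [::]:* users:(("java",pid=1002,fd=12))
LISTEN 0 50 127.0.0.1:9090 127.0.0.1:* users:(("java",pid=1003,fd=15))
LISTEN 0 128 *:443 *:* users:(("nginx",pid=1004,fd=6))'

# wildcard_listeners: print "<port> <process>" for each LISTEN socket whose
# local address is a wildcard (0.0.0.0, [::] or *), i.e. reachable from outside.
wildcard_listeners() {
  printf '%s\n' "$1" | awk '
    $1 == "LISTEN" {
      laddr = $4
      n = split(laddr, parts, ":")
      port = parts[n]
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
        proc = "?"
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print port, proc
      }
    }'
}

# internal_exposed: given ss output and the ports that should be loopback-only
# (per the thread: 5347 and 9090; 8888 for jicofo REST is an assumption), report
# any of them found on a wildcard address. Returns 1 if anything is exposed.
internal_exposed() {
  ss_out=$1
  shift
  rc=0
  for p in "$@"; do
    hit=$(wildcard_listeners "$ss_out" | awk -v p="$p" '$1 == p { print $2 }')
    if [ -n "$hit" ]; then
      echo "port $p ($hit) is bound to a wildcard address; expected 127.0.0.1"
      rc=1
    fi
  done
  return $rc
}
```

Port 5222 is deliberately not in the loopback-only list because, as noted above, jigasi or jibri may need to reach it from another host.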
I had a look at the default nginx config which is set up by the Jitsi installer. There is no proxy directive which forwards to port 9090 of the localhost. Does this imply that the default nginx config is missing something, and am I missing a feature due to this?
Yes, but if you installed it a long time ago, upgrades don’t modify it to prevent deleting user settings. There was an announcement in the forum that people need to upgrade to websockets as sctp is going away.
Everything is still working, I don’t observe any drawbacks and no unnecessary open ports to the outside world.
It seems that it can be made to listen to localhost only if everything is hosted on the same machine. According to my understanding, opening ports is only necessary if you host the installation across different machines due to load balancing. As a single-machine setup is the default, I would recommend a default config which restricts everything to localhost. This follows the “security-by-design” approach. If one needs to listen to other machines, one can still open ports as required.
Maybe, but if everything is hosted on the same machine, it seems that this is possible. At least I did not observe any negative effects. As I believe that the default installation