Make Prosody, Jicofo and Videobridge only listen on local loopback interface where sufficient

I have a default, self-hosted Jitsi installation which I have setup according to Self-Hosting Guide - Debian/Ubuntu server. After inspecting the diagram of the network architecture in Self-Hosting Guide - Manual installation, I conclude that it should be sufficient if

  • prosody/xmpp on port 5280
  • jicofo on ports 5222, 5347
  • jvb on unknown port connected to prosody

were listening only on the loopback interface, i.e. bound to 127.0.0.1 only.

Nonetheless a default installation looks like that

# netstat -tlp
tcp    0   0 0.0.0.0:5269     0.0.0.0:*   LISTEN   2009143/lua5.2      
tcp    0   0 0.0.0.0:5280     0.0.0.0:*   LISTEN   2009143/lua5.2      
tcp    0   0 127.0.0.1:5347   0.0.0.0:*   LISTEN   2009143/lua5.2      
tcp    0   0 0.0.0.0:5222     0.0.0.0:*   LISTEN   2009143/lua5.2      
tcp6   0   0 127.0.0.1:8080   :::*        LISTEN   2008324/java        
tcp6   0   0 :::5269          :::*        LISTEN   2009143/lua5.2      
tcp6   0   0 :::8888          :::*        LISTEN   2008392/java        
tcp6   0   0 :::5280          :::*        LISTEN   2009143/lua5.2      
tcp6   0   0 :::9090          :::*        LISTEN   2008324/java        
tcp6   0   0 ::1:5347         :::*        LISTEN   2009143/lua5.2      
tcp6   0   0 :::5222          :::*        LISTEN   2009143/lua5.2      

Jicofo, prosody and jvb are listening for connections from any address. What are the config options which must be set such that the daemons only listen for local connections where sufficient?

Please, don’t tell me to simply set up firewall rules as described in the Quick Setup Guide and be happy. I do use a firewall. However, IMHO programs should only open the connections they really need and not rely on firewalling alone.

This one makes sense to be on localhost … not sure what the prosody config for that is.

Only prosody listens on those ports, it is not jicofo. On the next stable release 5347 will not be used so that can go away. 5222 cannot be on localhost by default as it will prevent jigasi or jibri from connecting, depending on the configuration.

These two though can be made on localhost. Hey, @Boris_Grozev do we have those documented somewhere how to control them?

This is jicofo. Unless you’re using authentication or reservation this should be on localhost (and even in those cases it should probably be on localhost, with the necessary endpoints proxied). You can configure it with jicofo.rest.host=127.0.0.1 in jicofo.conf.

This is the bridge’s “public” interface. It’s used to communicate with clients and it is safe to be open publicly. However, it is usually exposed through an nginx proxy, so it can be limited. You can configure it with videobridge.http-servers.public.host=127.0.0.1 in jvb.conf.

Damian, we can disable s2s completely, right?

I think we should take a look at all of our defaults.

I had a look at the default nginx config which is set up by the Jitsi installer. There is no proxy directive which forwards to port 9090 of the localhost. Does this imply that the default nginx config is missing something, and do I miss a feature due to this?

It has jitsi-meet/jitsi-meet.example at c856c2051331ee1234b26d3931a2a870c352eff9 · jitsi/jitsi-meet · GitHub

Nice link. But my default config doesn’t have those settings. Are you sure that the Ubuntu packages ship the right config file? I have added those lines by hand now.

Yes, but if you had installed it a long time ago, upgrades don’t modify it to prevent deleting user settings. There was an announcement in the forum that people need to upgrade to websockets as sctp is going away.

I changed my config as follows:

/etc/prosody/prosody.cfg.lua

interfaces = { "127.0.0.1", "::1" }

/etc/jitsi/jicofo/jicofo.conf

jicofo {
  rest {
    host = "localhost"
  }
}

/etc/jitsi/videobridge/jvb.conf

videobridge {
  http-servers {
    public {
      host = "localhost"
    }
  }
}

Everything is still working, I don’t observe any drawbacks and no unnecessary open ports to the outside world.
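A quick check one can run after applying the configuration above, added here as an example (it is not part of the original post and not Jitsi project code): it reads netstat -tlp style output and lists every LISTEN socket whose local address is not 127.0.0.1 or ::1. The two sample listings are constructed, not captured; the first mirrors the layout of the netstat output quoted earlier in the thread, the second what that listing would look like once prosody, jicofo and jvb are bound to loopback. The function names are my own.

```shell
#!/bin/sh
# Constructed sample in the layout of `netstat -tlp` (not a real capture):
# the "before" state with prosody, jicofo and jvb bound to all interfaces.
SAMPLE_BEFORE='tcp    0   0 0.0.0.0:5269     0.0.0.0:*   LISTEN   2009143/lua5.2
tcp    0   0 0.0.0.0:5280     0.0.0.0:*   LISTEN   2009143/lua5.2
tcp    0   0 127.0.0.1:5347   0.0.0.0:*   LISTEN   2009143/lua5.2
tcp    0   0 0.0.0.0:5222     0.0.0.0:*   LISTEN   2009143/lua5.2
tcp6   0   0 127.0.0.1:8080   :::*        LISTEN   2008324/java
tcp6   0   0 :::5269          :::*        LISTEN   2009143/lua5.2
tcp6   0   0 :::8888          :::*        LISTEN   2008392/java
tcp6   0   0 :::5280          :::*        LISTEN   2009143/lua5.2
tcp6   0   0 :::9090          :::*        LISTEN   2008324/java
tcp6   0   0 ::1:5347         :::*        LISTEN   2009143/lua5.2
tcp6   0   0 :::5222          :::*        LISTEN   2009143/lua5.2'

# Constructed "after" state: same daemons, every socket bound to loopback only.
SAMPLE_AFTER='tcp    0   0 127.0.0.1:5269   0.0.0.0:*   LISTEN   2009143/lua5.2
tcp    0   0 127.0.0.1:5280   0.0.0.0:*   LISTEN   2009143/lua5.2
tcp    0   0 127.0.0.1:5222   0.0.0.0:*   LISTEN   2009143/lua5.2
tcp6   0   0 127.0.0.1:8080   :::*        LISTEN   2008324/java
tcp6   0   0 127.0.0.1:8888   :::*        LISTEN   2008392/java
tcp6   0   0 127.0.0.1:9090   :::*        LISTEN   2008324/java
tcp6   0   0 ::1:5269         :::*        LISTEN   2009143/lua5.2
tcp6   0   0 ::1:5280         :::*        LISTEN   2009143/lua5.2
tcp6   0   0 ::1:5222         :::*        LISTEN   2009143/lua5.2'

# Read netstat -tlp lines on stdin and print "proto local-address program"
# for each LISTEN socket whose address is not a loopback address.
# Column layout: Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
non_loopback_listeners() {
  awk '$6 == "LISTEN" {
      addr = $4
      sub(/:[0-9]+$/, "", addr)          # drop the trailing :port
      if (addr != "127.0.0.1" && addr != "::1") print $1, $4, $7
  }'
}

# Number of non-loopback listeners in the listing given on stdin.
count_non_loopback() {
  non_loopback_listeners | wc -l | tr -d ' '
}

# Usage on a live host: netstat -tlp | non_loopback_listeners
# Demonstration on the constructed samples:
printf 'before: %s non-loopback listener(s)\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | count_non_loopback)"
printf '%s\n' "$SAMPLE_BEFORE" | non_loopback_listeners
printf 'after:  %s non-loopback listener(s)\n' "$(printf '%s\n' "$SAMPLE_AFTER" | count_non_loopback)"
```

Anything the check still prints after the change is either a port that must stay reachable from outside (for example 5222 when jigasi or jibri connect from another host, as noted above) or a binding that was missed; on a single-machine setup the expected output is empty.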

See above.

It seems that it can be made to listen to localhost only, if everything is hosted on the same machine. According to my understanding, opening ports is only necessary if you host the installation across different machines due to load balancing. As a single-machine setup is the default, I would recommend a default config which restricts everything to localhost. This follows the “security-by-design” approach. If one needs to listen to other machines, one can still open ports as required.

Maybe, but if everything is hosted on the same machine, it seems that this is possible. At least I did not observe any negative effects. As I believe that the default installation

According to my experience, clustered Jitsi systems are more common than a simple server