As far as I can tell, there is no way to associate Jitsi occupants with IP addresses and/or ports. This is a must-have for auditing. Also, it can be used along with fail2ban to ban badly-behaved users.
Without this, a badly behaved user can flood the server with connection requests, potentially causing a DoS.
Ideally, there should be a data structure, such as ‘occupants’, that not only lists the user’s role and associates the user with a conference, but that also has a field that stores the user’s IP address. If we had this, the we could create mod_muc_audit.lua that would record each time an IP attempts to connect to the server and/or gets kicked from a conference. fail2ban can watch the logs and ban based on too many connection attempts or too many kicks.
fail2ban is a MUST! We’ve had many attacks over the last couple of weeks and I fear without proper security we’re going to have to stop using this platform.
We’ve tried numerous modifications to nginx in order to pass the appropriate client IP , but the only IP passed is that of the local host. Which, renders $remote_addr and $proxy_add_x_forwarded_for useless as they always gather “127.0.0.1”
I figured out how to get nginx to log the clients IP address to access.log (rather than logging 127.0.0.1):
Edit /etc/nginx/modules-enabled/60-jitsi-meet.conf
Add to the server {…} section: proxy_protocol on
Add a logging format to /etc/nginx/nginx/conf.
In the http {…} section, add:
log_format proxycombined '$proxy_protocol_addr - $remote_user [$time_local] ’ '"$request" $status $body_bytes_sent ’ ‘"$http_referer" “$http_user_agent”’;
This defines the format to be written to the log file and names this format “proxycombined”. (The default logging format is called “combined”.)
Edit /etc/nginx/sites-enabled/mydomain.conf (whatever your domain is called).
Add to the server {…} section for the server on port 4444:
listen 4444 ssl http2 proxy_protocol;
listen [::]:4444 ssl http2 proxy_protocol;
access_log /var/log/nginx/access.log proxycombined;
Also, this section of code has a couple of lines that say “proxy_set_header X-Forwarded-For $remote_addr” Change each one to use $proxy_protocol_addr.
Now the client’s IP address is passed all the way down the chain and it gets logged to access.log.
I’m not too familiar with lua; how do I access the “X-Forwarded-For” header from my new module: /usr/share/jitsi-meet/prosody-plugins/mod_muc_audit.lua?
Edit: Added in the proxy_protocol on the listen lines. (Forgot those in the first write of these instructions.)
I’m not a lua expert, so I’m going to need some step-by-step help here.
My nginx server is currently sending the user’s IP in the HTTP X-Forwarded-For header.
I see your example that uses: get_ip_from_request. Does this use X-Forwarded-For?
I added to my code: local ip = get_ip_from_request(event.request);
Unfortunately, now I’m getting errors about using an undefined global “get_ip_from_request”. How do I define this global?
My sample code:
module:log("info", "loading audit")
local is_healthcheck_room = module:require "util".is_healthcheck_room;
function audit_joined(event)
module:log("info", "audit joined")
local room = event.room;
if is_healthcheck_room(room) then
return;
end
local occupant = event.occupant;
local jid_resource = require "util.jid".resource;
local nick = jid_resource(occupant.nick);
local ip = get_ip_from_request(event.request);
local role = '';
if occupant.role then
role = occupant.role
end
module:log("info", "room %s: join %s, role %s, ip %s", room, nick, role, ip);
end
module:hook("muc-occupant-joined", audit_joined, 150);
If you set the trusted_proxies in your prosody config, event.request.ip should contain the correct external client IP. get_ip_from_request() is a function that is declared in prosody’s http module to determine the actual client IP by means of the configured list of trusted proxies.
Your code snipped from /etc/nginx/modules-enabled/60-jitsi-meet.conf – with proxy_protocol on – looks correct. This tells nginx to not use the regular TCP+HTTP protocol when forwarding packets to the upstream web service. Instead, it will wrap it in a proxy header. In this case, the upstream web server is on 127.0.0.1:4444.
The next thing you need to do is edit /etc/nginx/sites-enabled/[yourdomain].conf. There are two “server” definitions in this file. The first one is for port 80 ( service { listen:80; … } ) – don’t touch this one.
The second one is for port 4444 ( service { listen:4444; … } ). This is where you need to add proxy_protocol to both of the listen lines.
The “proxy_protocol” on the listen line will unwrap the proxy header. Otherwise, you’ll see errors in /var/log/nginx/error.log (and the errors may contain binary garbage) and the server won’t be able to decode the network traffic, resulting in the error you see.
jitsi has WAY too many configuration files spread all over the place.
If you set the trusted_proxies in your prosody config
Can you be more specific? Which prosody config file? (Please provide the full path on the server.) And where do I set this? (Please give me a line number or sample code or something that tells me what to type and where to type it.)
For the log_format code - I think it’s got those weird quote coding issue there so if a newbie did a cut and paste - an error would occur when restarting the Nginx service.
To get the IP logging in prosody (/var/log/prosody/prosody.log), I had to add (line was not present) proxy_set_header X-Forwarded-For $proxy_protocol_addr; into the xmpp websockets location block:
I thought it was worth mentioning it for others, since this is most likely were you would want to set your fail2ban on when you do LDAP-based authentication.
Does this still work for the latest version with the whiteboard? I’m having trouble with it.
The logging of IPs correctly works, but the side effect is that I am no longer able to hear myself talking from my cell phone (browser) when connecting from 5G. Wifi still works. So –
Phone mic works?
5G Android/Firefox
Base Jitsi: Yes
Jitsi with Whiteboard: Yes
Jitsi with Whiteboard and IP logging: No
Wifi Android/Firefox
Base Jitsi: Yes
Jitsi with Whiteboard: Yes
Jitsi with Whiteboard and IP logging: Yes
I’m not the most knowledgeable but I tried various things to see if I could get it to work and I could not. I freshly installed debian and jitsi meet yesterday using emrah’s jitsi-jibri install script as usual.
If anyone has nginx ip logging right now working with whiteboard/excalidraw backend/websockets and all that and you can connect from outside your network on selfhosted please let us know!
, just need to figure out why it breaks web access.