Ports/IP for Jibri on AWS

Hi,

I have successfully set up Jitsi and Jibri on AWS EC2 instances with recording. I was tweaking the security rules on AWS and noticed that Jibri recording works only when the outbound rule for the Jibri VM is set to allow all traffic to any IP. I tried setting the rule to allow outbound connections only to the Jitsi VM (both internal and public IPs), but it still won’t record.

I also tried allowing traffic for TCP and UDP ports 10000-20000 to all IPs. Still no good.

Jibri receives the command for recording and publishes its state as BUSY, but times out later.
Jibri Log:

JibriConfig(recordingDirectory=/tmp/recordings, enabledStatsD=true, finalizeRecordingScriptPath=/path/to/finalize_recording.sh, xmppEnvironments=[XmppEnvironmentConfig(name=prod environment, xmppServerHosts=[ec2-18-223-219-44.us-east-2.compute.amazonaws.com], xmppDomain=ec2-18-223-219-44.us-east-2.compute.amazonaws.com, controlLogin=XmppCredentials(domain=auth.ec2-18-223-219-44.us-east-2.compute.amazonaws.com, username=jibri, password=jibri), controlMuc=XmppMuc(domain=internal.auth.ec2-18-223-219-44.us-east-2.compute.amazonaws.com, roomName=JibriBrewery, nickname=jibri-nickname), sipControlMuc=null, callLogin=XmppCredentials(domain=recorder.ec2-18-223-219-44.us-east-2.compute.amazonaws.com, username=recorder, password=jibri), stripFromRoomDomain=conference., usageTimeoutMins=0, trustAllXmppCerts=true)])
2019-01-29 12:40:52.841 WARNING: [1] org.glassfish.jersey.internal.inject.Providers.checkProviderRuntime() A provider org.jitsi.jibri.api.http.internal.InternalHttpApi registered in SERVER runtime does not implement any provider interfaces applicable in the SERVER runtime. Due to constraint configuration problems the provider org.jitsi.jibri.api.http.internal.InternalHttpApi will be ignored. 
2019-01-29 12:40:53.352 INFO: [1] org.jitsi.jibri.api.xmpp.XmppApi.start() Connecting to xmpp environment on ec2-18-223-219-44.us-east-2.compute.amazonaws.com with config XmppEnvironmentConfig(name=prod environment, xmppServerHosts=[ec2-18-223-219-44.us-east-2.compute.amazonaws.com], xmppDomain=ec2-18-223-219-44.us-east-2.compute.amazonaws.com, controlLogin=XmppCredentials(domain=auth.ec2-18-223-219-44.us-east-2.compute.amazonaws.com, username=jibri, password=jibri), controlMuc=XmppMuc(domain=internal.auth.ec2-18-223-219-44.us-east-2.compute.amazonaws.com, roomName=JibriBrewery, nickname=jibri-nickname), sipControlMuc=null, callLogin=XmppCredentials(domain=recorder.ec2-18-223-219-44.us-east-2.compute.amazonaws.com, username=recorder, password=jibri), stripFromRoomDomain=conference., usageTimeoutMins=0, trustAllXmppCerts=true)
2019-01-29 12:40:53.365 INFO: [1] org.jitsi.jibri.api.xmpp.XmppApi.start() The trustAllXmppCerts config is enabled for this domain, all XMPP server provided certificates will be accepted
2019-01-29 12:40:53.753 INFO: [1] class org.jitsi.xmpp.mucclient.MucClient.connected() [prod environment: auth.ec2-18-223-219-44.us-east-2.compute.amazonaws.com@ec2-18-223-219-44.us-east-2.compute.amazonaws.com] Xmpp connection status: connected
2019-01-29 12:40:53.878 INFO: [1] class org.jitsi.xmpp.mucclient.MucClient.authenticated() [prod environment: auth.ec2-18-223-219-44.us-east-2.compute.amazonaws.com@ec2-18-223-219-44.us-east-2.compute.amazonaws.com] Xmpp connection status: authenticated (resume from previous? false)
2019-01-29 12:40:54.024 WARNING: [1] org.glassfish.jersey.internal.inject.Providers.checkProviderRuntime() A provider org.jitsi.jibri.api.http.HttpApi registered in SERVER runtime does not implement any provider interfaces applicable in the SERVER runtime. Due to constraint configuration problems the provider org.jitsi.jibri.api.http.HttpApi will be ignored. 


2019-01-29 12:41:29.050 INFO: [26] org.jitsi.jibri.api.xmpp.XmppApi.handleJibriIq() Received JibriIq <iq to='jibri@auth.ec2-18-223-219-44.us-east-2.compute.amazonaws.com/c7c43fec-1acf-4011-9bb5-f1c55e080b4a' from='jibribrewery@internal.auth.ec2-18-223-219-44.us-east-2.compute.amazonaws.com/focus' id='amlicmlAYXV0aC5lYzItMTgtMjIzLTIxOS00NC51cy1lYXN0LTIuY29tcHV0ZS5hbWF6b25hd3MuY29tL2M3YzQzZmVjLTFhY2YtNDAxMS05YmI1LWYxYzU1ZTA4MGI0YQBnTHV3Vi0xNzE5AMQjTSrWaLTz8WulnUt8Sn4=' type='set'><jibri xmlns='http://jitsi.org/protocol/jibri' action='start' recording_mode='file' room='test@conference.ec2-18-223-219-44.us-east-2.compute.amazonaws.com' session_id='huxjkypdxlyuyldz'/></iq> from environment prod environment
2019-01-29 12:41:29.053 INFO: [26] org.jitsi.jibri.api.xmpp.XmppApi.handleStartJibriIq() Received start request
2019-01-29 12:41:29.055 INFO: [26] org.jitsi.jibri.api.xmpp.XmppApi.handleStartJibriIq() Sending 'pending' response to start IQ
2019-01-29 12:41:29.057 INFO: [38] org.jitsi.jibri.api.xmpp.XmppApi.run() Starting service
2019-01-29 12:41:29.066 INFO: [38] org.jitsi.jibri.api.xmpp.XmppApi.handleStartService() Parsed call url info: CallUrlInfo(baseUrl=https://ec2-18-223-219-44.us-east-2.compute.amazonaws.com, callName=test, urlParams=[])
2019-01-29 12:41:29.068 INFO: [38] org.jitsi.jibri.JibriManager.startFileRecording() Starting a file recording with params: FileRecordingRequestParams(callParams=CallParams(callUrlInfo=CallUrlInfo(baseUrl=https://ec2-18-223-219-44.us-east-2.compute.amazonaws.com, callName=test, urlParams=[])), sessionId=huxjkypdxlyuyldz, callLoginParams=XmppCredentials(domain=recorder.ec2-18-223-219-44.us-east-2.compute.amazonaws.com, username=recorder, password=jibri)) finalize script path: /path/to/finalize_recording.sh and recordings directory: /tmp/recordings
2019-01-29 12:41:31.029 INFO: [38] org.openqa.selenium.remote.ProtocolHandshake.createSession() Detected dialect: OSS
2019-01-29 12:41:31.088 FINE: [38] org.jitsi.jibri.capture.ffmpeg.FfmpegCapturer.<init>() Detected os as OS: LINUX
2019-01-29 12:41:31.111 INFO: [38] org.jitsi.jibri.service.impl.FileRecordingJibriService.<init>() Writing recording to /tmp/recordings/huxjkypdxlyuyldz
2019-01-29 12:41:31.146 FINE: [38] org.jitsi.jibri.statsd.JibriStatsDClient.incrementCounter() Incrementing statsd counter: start:recording
2019-01-29 12:41:31.154 INFO: [38] org.jitsi.jibri.status.JibriStatusManager.log() Busy status has changed: IDLE -> BUSY
2019-01-29 12:41:31.159 INFO: [38] org.jitsi.jibri.api.xmpp.XmppApi.invoke() Jibri reports its status is now JibriStatus(busyStatus=BUSY, health=OverallHealth(healthStatus=HEALTHY, details={})), publishing presence to connection prod environment
2019-01-29 12:41:32.478 FINE: [45] org.jitsi.jibri.selenium.pageobjects.CallPage.visit() Visiting url https://ec2-18-223-219-44.us-east-2.compute.amazonaws.com/test#config.iAmRecorder=true&config.externalConnectUrl=null&config.startWithAudioMuted=true&config.startWithVideoMuted=true&interfaceConfig.APP_NAME="Jibri"

2019-01-29 12:42:59.050 INFO: [26] org.jitsi.jibri.api.xmpp.XmppApi.handleJibriIq() Received JibriIq <iq to='jibri@auth.ec2-18-223-219-44.us-east-2.compute.amazonaws.com/c7c43fec-1acf-4011-9bb5-f1c55e080b4a' from='jibribrewery@internal.auth.ec2-18-223-219-44.us-east-2.compute.amazonaws.com/focus' id='amlicmlAYXV0aC5lYzItMTgtMjIzLTIxOS00NC51cy1lYXN0LTIuY29tcHV0ZS5hbWF6b25hd3MuY29tL2M3YzQzZmVjLTFhY2YtNDAxMS05YmI1LWYxYzU1ZTA4MGI0YQBnTHV3Vi0xODUzAMQjTSrWaLTz8WulnUt8Sn4=' type='set'><jibri xmlns='http://jitsi.org/protocol/jibri' action='stop'/></iq> from environment prod environment
2019-01-29 12:42:59.053 FINE: [26] org.jitsi.jibri.statsd.JibriStatsDClient.incrementCounter() Incrementing statsd counter: stop:recording
2019-01-29 12:42:59.054 INFO: [26] org.jitsi.jibri.JibriManager.stopService() Stopping the current service
2019-01-29 12:42:59.055 INFO: [26] org.jitsi.jibri.service.impl.FileRecordingJibriService.stop() Stopping capturer
2019-01-29 12:42:59.057 INFO: [26] org.jitsi.jibri.util.JibriSubprocess.ffmpeg.stop() Stopping ffmpeg process
2019-01-29 12:42:59.057 INFO: [26] org.jitsi.jibri.util.JibriSubprocess.ffmpeg.stop() ffmpeg exited with value null
2019-01-29 12:42:59.059 INFO: [26] org.jitsi.jibri.service.impl.FileRecordingJibriService.stop() Quitting selenium

Everything works fine if I set the outbound rule to allow all traffic to anywhere.

What should the ideal rule be here so that it functions properly without breaking any connections, while still maintaining security?

Abhijit

Jibri also uses 5222 and 443, not only 10000. But I don’t see the point of limiting outgoing traffic.
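To make the two posts above concrete, here is an added example (not code from the Jitsi project or from either poster) that models the Jibri host's required egress as three flows, which is what the thread identifies: XMPP on TCP 5222, HTTPS on TCP 443 (Jibri's Selenium browser loads the conference page, as the log shows), and media to the videobridge on UDP 10000. It checks the original poster's "TCP/UDP 10000-20000 to any IP" attempt against those flows, and emits the least-privilege `IpPermissions` list in the shape `aws ec2 authorize-security-group-egress --ip-permissions` accepts. The Jitsi host address `10.0.1.10` is a constructed placeholder for the Jitsi VM's private IP.

```python
"""Egress-rule checker for a Jibri host (added example, not project code).

Required flows are taken from the thread: TCP 5222 (XMPP), TCP 443 (HTTPS
conference page), UDP 10000 (videobridge media). JITSI_HOST is a placeholder.
"""
import ipaddress
import json
from dataclasses import dataclass

JITSI_HOST = "10.0.1.10"  # assumption: private IP of the Jitsi VM (placeholder)


@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp" or "udp"
    port: int
    dst: str    # destination IP address
    why: str    # what the flow is for (ends up in the rule description)


REQUIRED_FLOWS = [
    Flow("tcp", 5222, JITSI_HOST, "XMPP: control MUC and recorder login to prosody"),
    Flow("tcp", 443, JITSI_HOST, "HTTPS: Selenium/Chrome loads the conference page"),
    Flow("udp", 10000, JITSI_HOST, "WebRTC media to the videobridge"),
]


def rule_allows(rule, flow):
    """True if one security-group egress rule covers the flow.

    rule uses the AWS IpPermissions shape: IpProtocol ("tcp", "udp" or "-1"
    for all traffic), FromPort/ToPort (absent for "-1"), IpRanges[].CidrIp.
    """
    if rule["IpProtocol"] not in ("-1", flow.proto):
        return False
    if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= flow.port <= rule["ToPort"]:
        return False
    dst = ipaddress.ip_address(flow.dst)
    return any(dst in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"])


def blocked_flows(rules, flows=REQUIRED_FLOWS):
    """Return the required flows that no rule in the set allows."""
    return [f for f in flows if not any(rule_allows(r, f) for r in rules)]


def minimal_egress_rules(flows=REQUIRED_FLOWS):
    """Least-privilege IpPermissions list: one /32 rule per required flow.

    Security groups are stateful, so the replies need no inbound rule.
    """
    return [
        {
            "IpProtocol": f.proto,
            "FromPort": f.port,
            "ToPort": f.port,
            "IpRanges": [{"CidrIp": f"{f.dst}/32", "Description": f.why}],
        }
        for f in flows
    ]


# The rule set the original poster tried: TCP and UDP 10000-20000 to any IP.
OP_ATTEMPT = [
    {"IpProtocol": "tcp", "FromPort": 10000, "ToPort": 20000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 10000, "ToPort": 20000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
# The rule set that "works": all traffic, anywhere.
ALLOW_ALL = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


if __name__ == "__main__":
    for name, rules in [("OP attempt", OP_ATTEMPT), ("allow all", ALLOW_ALL), ("minimal", minimal_egress_rules())]:
        missing = blocked_flows(rules)
        verdict = "OK" if not missing else "blocks " + ", ".join(f"{f.proto}/{f.port}" for f in missing)
        print(f"{name}: {verdict}")
    # JSON suitable for: aws ec2 authorize-security-group-egress --group-id <sg-id> --ip-permissions '<this>'
    print(json.dumps(minimal_egress_rules(), indent=2))
```

Run against the original poster's attempt, the checker reports that TCP 5222 and TCP 443 are blocked, which matches the symptom in the log: the XMPP start request arrives (inbound is stateful, so the existing XMPP connection's replies flow), but the Selenium visit to the HTTPS call URL never completes and the recording times out. The model only covers the three flows named in the thread; name resolution of the Jitsi hostname and any other services the host uses (package updates, time sync, an S3 upload in the finalize script) have to be added as further flows if the security group is meant to be the only egress path.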