Restrict access to websocket from cross_domains

ahparsapour · April 11, 2021, 5:00pm

Hi,
I use JitsiMeet version 2.0.5390-3 with prosody 0.11.2-1 on a debian 10 VPS. I use xmpp-websocket for communicating between server and client. and I use lib-jitsi-meet to implement my own frontend for jitsi.
as pointed here, I have set this option in example.com.cfg.lua:

cross_domain_websocket =true;

and every instance of my frontend running on every hostname can access and connect to the meeting, but I don’t wan’t that to happen. Is there a way to only allow users on specefic hostnames(e.g if jitsi is installed on jitsi.example.com, users on example.com and jitsi.example.com) to connect to server and restrict the access for other hostnames?

Thanks in advance.

damencho · April 11, 2021, 6:24pm

You can do that I think in your webserver:

github.com

jitsi/jitsi-meet/blob/fd4819aeca47162c7c2cb9c79b01a4d0b117b3b1/doc/debian/jitsi-meet/jitsi-meet.example#L78


    add_header 'Access-Control-Allow-Origin' '*';
    alias /usr/share/jitsi-meet/$1/$2;

    # cache all versioned files
    if ($arg_v) {
        expires 1y;
    }
}

# BOSH
location = /http-bind {
    proxy_pass       http://localhost:5280/http-bind;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
}

# xmpp websockets
location = /xmpp-websocket {
    proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;

In the bosh definition you can do add_header ‘Access-Control-Allow-Origin’ ‘somedomain.com’; and I think you can add several domains with a comma (check the syntax of that header)…