Secure domain Configuration in Load balanced JVB environment

meet

#1

Hi,
I have installed Meet in a load-balanced environment (i.e.: Nginx + Meet API on a first server (public address), Prosody, Jicofo and Jigasi on a second server (private address), and the Videobridge on a third server (public address, to support TCP/443 WebRTC sessions)).

I am trying to configure authentication for opening a room with the secure domain schema, as described in the README guide, with the activation of XMPP ldap2 authentication.

That works pretty well: I can open a new room with my LDAP credentials. But when a new user joins this room, he has to log in with his credentials too!!!

As I understand it, a new user of an open room doesn’t need to log in with his credentials to enter the conference.

Do you have a guide note for such an installation?
How do I configure Meet for this function?

Regards,
Pierre


#2

I suppose you are following this README: https://github.com/jitsi/jicofo#secure-domain. Have you done the VirtualHost "guest.jitsi-meet.example.com" part and added anonymousdomain: 'guest.jitsi-meet.example.com', to config.js?
This is the part which allows users to enter the room, if it has already been created, without requiring a username or password.


#3

Hi
Exactly, I followed this guide for secure-domain,
and this other guide for LDAP: http://booting-rpi.blogspot.com/2015/09/using-ldap-authentication-with-jitsi.html

And this one for HA JVB: https://jitsi.org/news/tutorial-video-how-to-load-balance-jitsi-meet/

When I run on a unique server, all is OK and works fine… but when I apply the configuration for JVB running on another server, I have to log in with the credentials even if the room is already open.


#4

What do you mean by "unique server" and "JVB run on other server"?


#5

First, I installed all components on a unique server inside my company, configured them and implemented LDAP authentication. All worked fine.

Then I wanted to open this to the Internet, and I had to re-install it:

  • one server NGINX with Meet API,
  • one other server PROSODY / JICOFO / JIGASI, and
  • another server VideoBridge.

In this configuration, the authentication works for opening a new room, but when a new user connects to an existing room, he is prompted to enter identification credentials… this behavior did not exist when jitsi-meet (previously) ran on only one server.

#6

Did you double-check the anonymous domain settings, from my previous post, in Prosody and in config.js? This is the only thing that comes to my mind at the moment.
If that is OK, maybe enable debug in Prosody and see what the output is when the second participant joins.


#7

Hi
I have checked again… and I don’t find anything wrong…
Find my Prosody config below:

-- Plugins path gets uncommented during jitsi-meet-tokens package install - that's where token plugin is located
--plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

VirtualHost "meet.example.com"
        authentication = 'ldap2'
        --authentication = "anonymous"
        admins = {
                "jitsi-videobridge.meet.example.com",
                "videobridge2.meet.example.com"
        }
        ssl = {
                key = "/etc/prosody/certs/meet.example.com.key";
                certificate = "/etc/prosody/certs/meet.example.com.crt";
        }
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
        }
        c2s_require_encryption = false

VirtualHost "guest.meet.example.com"
        authentication = "anonymous"
        admins = {
               "jitsi-videobridge.meet.example.com",
               "videobridge2.meet.example.com"
        }
        --ssl = {
        --       key = "/etc/prosody/certs/meet.example.com.key";
        --       certificate = "/etc/prosody/certs/meet.example.com.crt";
        --}
        modules_enabled = {
                       "bosh";
                       "pubsub";
                       "ping"; -- Enable mod_ping
        }
        c2s_require_encryption = false

Component "conference.meet.example.com" "muc"
    storage = "null"
    --modules_enabled = { "token_verification" }
    admins = {
        "focus@auth.meet.example.com"
    }

--Component "jitsi-videobridge.meet.example.com"
--    component_secret = "secret"

Component "videobridge2.meet.example.com"
    component_secret = "secret"
…

And the meet/meet.example.com-config.js:

/* eslint-disable no-unused-vars, no-var */

var config = {
    // Configuration
    //

    // Alternative location for the configuration.
    // configLocation: './config.json',

    // Custom function which given the URL path should return a room name.
    // getroomnode: function (path) { return 'someprefixpossiblybasedonpath'; },


    // Connection
    //

    hosts: {
        // XMPP domain.
        domain: 'meet.example.com',

        // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
        muc: 'conference.meet.example.com',

        // When using authentication, domain for guest users.
        anonymousdomain: 'guest.meet.example.com',

        // Domain for authenticated users. Defaults to <domain>.
        // authdomain: 'meet.example.com',

        // Jirecon recording component domain.
        // jirecon: 'jirecon.meet.example.com',

        // Call control component (Jigasi).
        call_control: 'callcontrol.meet.example.com'

        // Focus component domain. Defaults to focus.<domain>.
        // focus: 'focus.meet.example.com',
    },

    // BOSH URL. FIXME: use XEP-0156 to discover it.
    bosh: '//meet.example.com/http-bind',

    // The name of client node advertised in XEP-0115 'c' stanza
    clientNode: 'http://jitsi.org/jitsimeet',

    // The real JID of focus participant - can be overridden here
    // focusUserJid: 'focus@auth.meet.example.com',

    // ... (rest of the file not shown)
};

#9

Hi

Finally I found where the issue is…
I have installed Jitsi Meet in a 3-tier model: web server nginx in a public DMZ, videobridge on a second public DMZ server, and all other components on a private DMZ server.

The issue was the file /etc/jitsi/meet/meet.example.com-config.js, which I forgot to duplicate on my nginx web server…

Now all works fine.

Rgds
Pierre
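The two conditions post #2 describes (a guest VirtualHost with authentication = "anonymous" in Prosody, and config.js pointing anonymousdomain at it) and the root cause in post #9 (the copy of config.js that the web tier actually serves did not carry that setting) can be checked mechanically before a second participant ever joins. The script below is an added example written for this thread; it is not part of the thread, of the Jitsi project or of Prosody. It uses simple line-based regexes that are sufficient for the config shapes posted above (they are not a full Lua or JavaScript parser), and the two sample configs embedded in it are constructed for the example, modelled on the files shown in post #7.

```python
import re

# Constructed sample inputs (not the thread's real files), modelled on the
# prosody.cfg.lua and config.js excerpts posted in this thread.
PROSODY_CFG = """
VirtualHost "meet.example.com"
        authentication = 'ldap2'
        --authentication = "anonymous"
        modules_enabled = { "bosh"; "pubsub"; "ping"; }
        c2s_require_encryption = false

VirtualHost "guest.meet.example.com"
        authentication = "anonymous"
        c2s_require_encryption = false

Component "conference.meet.example.com" "muc"
    storage = "null"

Component "videobridge2.meet.example.com"
    component_secret = "secret"
"""

CONFIG_JS_OK = """
var config = {
    hosts: {
        domain: 'meet.example.com',
        muc: 'conference.meet.example.com',
        anonymousdomain: 'guest.meet.example.com',
        // authdomain: 'meet.example.com',
    },
    bosh: '//meet.example.com/http-bind',
};
"""

# Constructed "stale copy on the web tier": anonymousdomain was never enabled,
# which is the symptom the thread describes (every joiner gets a login prompt).
CONFIG_JS_STALE = CONFIG_JS_OK.replace(
    "anonymousdomain: 'guest.meet.example.com',",
    "// anonymousdomain: 'guest.meet.example.com',")


def parse_prosody(text):
    """Return ({virtualhost: authentication}, {component names}) from prosody.cfg.lua text."""
    vhosts, components, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--"):      # skip blank lines and Lua comments
            continue
        m = re.match(r'^(VirtualHost|Component)\s+"([^"]+)"', line)
        if m:
            kind, name = m.groups()
            if kind == "VirtualHost":
                vhosts[name] = None                # auth unknown until we see the key
                current = name
            else:
                components.add(name)
                current = None                     # auth lines under a Component are ignored
            continue
        m = re.match(r'^authentication\s*=\s*["\']([^"\']+)["\']', line)
        if m and current:
            vhosts[current] = m.group(1)
    return vhosts, components


def parse_config_js_hosts(text):
    """Return the hosts.* keys the secure-domain setup depends on, ignoring // comments."""
    hosts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("//"):
            continue
        m = re.match(r"^(domain|muc|anonymousdomain|authdomain)\s*:\s*'([^']+)'", line)
        if m:
            hosts[m.group(1)] = m.group(2)
    return hosts


def check_secure_domain(prosody_text, config_js_text):
    """Cross-check the two files; returns a list of findings (empty means consistent)."""
    vhosts, components = parse_prosody(prosody_text)
    web = parse_config_js_hosts(config_js_text)
    domain, anon, muc = web.get("domain"), web.get("anonymousdomain"), web.get("muc")
    findings = []
    if domain not in vhosts:
        findings.append(f"config.js domain {domain!r} has no VirtualHost in prosody")
    elif vhosts[domain] in (None, "anonymous"):
        findings.append(f"VirtualHost {domain!r} does not require authentication; "
                        "anyone could create rooms")
    if anon is None:
        findings.append("config.js served by the web tier has no anonymousdomain: "
                        "every joiner will be prompted for credentials")
    elif anon not in vhosts:
        findings.append(f"anonymousdomain {anon!r} has no VirtualHost in prosody")
    elif vhosts[anon] != "anonymous":
        findings.append(f"VirtualHost {anon!r} uses authentication {vhosts[anon]!r}, "
                        "not 'anonymous'; guests will still be prompted")
    if muc not in components:
        findings.append(f"MUC component {muc!r} is not defined in prosody")
    return findings


if __name__ == "__main__":
    for label, js in (("web tier config.js (ok)", CONFIG_JS_OK),
                      ("web tier config.js (stale)", CONFIG_JS_STALE)):
        print(label, "->", check_secure_domain(PROSODY_CFG, js) or "consistent")
```

In a split deployment the file to feed into check_secure_domain is the config.js taken from the nginx host, not the one on the Prosody host, because that is the copy browsers download; comparing the two copies (for example with diff) is the quickest way to catch the kind of drift reported in post #9. The paths /etc/prosody/conf.d/ and /etc/jitsi/meet/<domain>-config.js are the usual Debian package locations and are assumed here.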