Secure domain issues (or general permission/mod issues)

(I had to butcher the links as I’m only allowed to have 2 as a new user :roll_eyes:)

I followed /handbook/docs/devops-guide/devops-guide-quickstart on a fresh Ubuntu 20.04 and everything works except that when I create a room I don’t become moderator and therefore can’t set a password on the room.

Since we wanted to use authentication anyways I followed /handbook/docs/devops-guide/secure-domain (except jigasi and jicofo). Now the thing is that when I enable anonymousdomain: 'guest.meet.domain.tld', (proper domain) I am not required to authenticate anymore (to create or join). Also nobody becomes moderator again. When I don’t enable anonymousdomain everyone has to auth (even to join) and everyone becomes moderator.

The only config changes I made are what are described in the secure domain guide.

(for stupid reasons I can only add one attachment as a new user so the second image is here :roll_eyes:)

What am I doing wrong? Or am I misunderstanding the concept? Auth required to create, guests can join is what I’m thinking.

Can you share your complete cfg.lua file? These excerpts don’t paint a full picture. Just post the entire file here as text (change your domain name).

Sure, I replaced the domain with redacted.tld and the turnserver secret just in case.

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "meet.redacted.tld";

turncredentials_secret = "redacted_just_in_case";

turncredentials = {
  { type = "stun", host = "meet.redacted.tld", port = "3478" },
  { type = "turn", host = "meet.redacted.tld", port = "3478", transport = "udp" },
  { type = "turns", host = "meet.redacted.tld", port = "5349", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
  protocol = "tlsv1_2+";
  ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

VirtualHost "meet.redacted.tld"
        -- enabled = false -- Remove this line to enable this host
        authentication = "internal_hashed"
        -- Properties below are modified by jitsi-meet-tokens package config
        -- and authentication above is switched to "token"
        --app_id="example_app_id"
        --app_secret="example_app_secret"
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/meet.redacted.tld.key";
                certificate = "/etc/prosody/certs/meet.redacted.tld.crt";
        }
        speakerstats_component = "speakerstats.meet.redacted.tld"
        conference_duration_component = "conferenceduration.meet.redacted.tld"
        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
            "speakerstats";
            "turncredentials";
            "conference_duration";
            "muc_lobby_rooms";
        }
        c2s_require_encryption = false
        lobby_muc = "lobby.meet.redacted.tld"
        main_muc = "conference.meet.redacted.tld"
        -- muc_lobby_whitelist = { "recorder.meet.redacted.tld" } -- Here we can whitelist jibri to enter lobby enabled rooms

VirtualHost "guest.meet.redacted.tld"
    authentication = "anonymous"
    c2s_require_encryption = false


Component "conference.meet.redacted.tld" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        -- "token_verification";
    }
    admins = { "focus@auth.meet.redacted.tld" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.meet.redacted.tld" "muc"
    storage = "memory"
    modules_enabled = {
      "ping";
    }
    admins = { "focus@auth.meet.redacted.tld", "jvb@auth.meet.redacted.tld" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.meet.redacted.tld"
    ssl = {
        key = "/etc/prosody/certs/auth.meet.redacted.tld.key";
        certificate = "/etc/prosody/certs/auth.meet.redacted.tld.crt";
    }
    authentication = "internal_plain"

Component "focus.meet.redacted.tld"
    component_secret = "k22OWhuO"

Component "speakerstats.meet.redacted.tld" "speakerstats_component"
    muc_component = "conference.meet.redacted.tld"

Component "conferenceduration.meet.redacted.tld" "conference_duration_component"
    muc_component = "conference.meet.redacted.tld"

Component "lobby.meet.redacted.tld" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true

This is wrong:

Replace with this:

VirtualHost "meet.redacted.tld"
        -- enabled = false -- Remove this line to enable this host
        authentication = "internal_hashed"
        -- Properties below are modified by jitsi-meet-tokens package config
        -- and authentication above is switched to "token"
        --app_id="example_app_id"
        --app_secret="example_app_secret"
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/meet.redacted.tld.key";
                certificate = "/etc/prosody/certs/meet.redacted.tld.crt";
        }
        speakerstats_component = "speakerstats.meet.redacted.tld"
        conference_duration_component = "conferenceduration.meet.redacted.tld"
        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
            "speakerstats";
            "turncredentials";
            "conference_duration";
        }

VirtualHost "guest.meet.redacted.tld"
    authentication = "anonymous"
    c2s_require_encryption = false
    modules_enabled = {
           "muc_lobby_rooms";
        }
        lobby_muc = "lobby.meet.redacted.tld"
        main_muc = "conference.meet.redacted.tld"
        -- muc_lobby_whitelist = { "recorder.meet.redacted.tld" } -- Here we can whitelist jibri to enter lobby enabled rooms

First I would like to ask if I’m blind and missed this or isn’t this documented?

Unfortunately the same issue persists, when I comment out anonymousdomain in config.js everyone has to auth, when it’s not commented out nobody has to auth.

PS: I did restart prosody, jitsi-videobridge and jicofo (though I don’t think I use that) after every change.

Edit: I also haven’t changed anything besides the two diffs at the top + your changes (which as I understand just moves the muc_lobby_rooms and related settings to the second vhost). I let the setup script do everything else.
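A consistency check for the prosody/config.js split discussed above, as an added example that is not from this thread or the Jitsi project: it parses the VirtualHost blocks of prosody's cfg.lua and the hosts block of config.js and reports when anonymousdomain is missing (the case where everyone is asked to authenticate) or does not name a VirtualHost with authentication = "anonymous". The sample files are constructed from the thread's excerpts; the jicofo side of the secure-domain guide is outside its scope.

```python
import re

# Constructed samples modelled on the thread's excerpts (not the poster's real files).
PROSODY_CFG = '''
VirtualHost "meet.redacted.tld"
    authentication = "internal_hashed"
VirtualHost "guest.meet.redacted.tld"
    authentication = "anonymous"
    modules_enabled = { "muc_lobby_rooms"; }
Component "conference.meet.redacted.tld" "muc"
'''
CONFIG_JS = "var config = { hosts: {\n    domain: 'meet.redacted.tld',\n    anonymousdomain: 'guest.meet.redacted.tld' } };"

def parse_vhosts(cfg):
    """Map each VirtualHost name to its authentication provider (None if unset)."""
    vhosts, current = {}, None
    for line in cfg.splitlines():
        line = line.split("--", 1)[0].strip()          # drop Lua comments
        if m := re.match(r'VirtualHost\s+"([^"]+)"', line):
            current = m.group(1)
            vhosts[current] = None
        elif re.match(r'Component\s+"', line):
            current = None                             # Components take no auth provider
        elif current and (m := re.match(r'authentication\s*=\s*"([^"]+)"', line)):
            vhosts[current] = m.group(1)
    return vhosts

def parse_hosts(js):
    """Read hosts.domain / hosts.anonymousdomain from config.js, ignoring // comments."""
    hosts = {}
    for line in js.splitlines():
        if m := re.search(r"\b(domain|anonymousdomain)\s*:\s*'([^']+)'", line.split("//", 1)[0]):
            hosts[m.group(1)] = m.group(2)
    return hosts

def check_secure_domain(cfg, js):
    """Return findings where config.js and prosody disagree; an empty list means consistent."""
    vhosts, hosts = parse_vhosts(cfg), parse_hosts(js)
    main, guest, findings = hosts.get("domain"), hosts.get("anonymousdomain"), []
    if main not in vhosts:
        findings.append(f"hosts.domain {main!r} has no VirtualHost in prosody")
    elif vhosts[main] in (None, "anonymous"):
        findings.append(f"VirtualHost {main!r} needs a non-anonymous authentication provider")
    if guest is None:
        findings.append("no anonymousdomain in config.js: every participant must authenticate")
    elif guest not in vhosts:
        findings.append(f"anonymousdomain {guest!r} has no VirtualHost in prosody")
    elif vhosts[guest] != "anonymous":
        findings.append(f'VirtualHost {guest!r} must set authentication = "anonymous"')
    return findings
```

Run it against the real /etc/prosody/conf.avail/meet.domain.tld.cfg.lua and /etc/jitsi/meet/meet.domain.tld-config.js by reading both files into the two arguments.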