Two different domain addresses for websockets

Hi, I have a problem with the implementation of Jitsi in redundancy using two different domain addresses. The first domain address is for agents handling the conversation (moderators), the second domain address is for customers. The important thing is that the first domain is internal, so they do not have access to each other. The second domain is public but is unreachable from the first domain.

I had a problem getting the websocket directed to the right address, so I used custom-config.js by adding config.websocket = 'wss://' + window.location.hostname + '/' + subdir + 'xmpp-websocket'; there, and it works, but I don’t think it’s a good solution.

The next problem is that colibri-ws (wss://chat.av.jitsi.com/colibri-ws/…) communicates through chat.av.jitsi.com, so with agent.jitsi.com I have no access. How to configure different domain addresses for websockets? Is it possible at all? Is my approach correct at all?

I am using version stable-8138-1 for jitsi/web, jitsi/jvb, jitsi/prosody, jitsi/jicofo, jitsi/jibri.

Simple schema:

.env

#czat.av.jitsi.com
#agent.av.jitsi.com

# System settings
VPATH=/home/av/system/
LOGS_PATH=/data/av/logs/

# Exposed HTTP port #8000
HTTP_PORT=80
# Exposed HTTPS port #8443
HTTPS_PORT=443

DISABLE_HTTPS=true


# System time zone
TZ=UTC

# Public URL for the web service (required)
PUBLIC_URL=https://czat.av.jitsi.com

ENABLE_SUBDOMAINS=1

# Media IP addresses to advertise by the JVB
# This setting deprecates DOCKER_HOST_ADDRESS, and supports a comma separated list of IPs
#IP address server with docker
JVB_ADVERTISE_IPS=10.122.176.157

# Enable authentication
ENABLE_AUTH=1

# Enable guest access
ENABLE_GUESTS=0

# Select authentication type: internal, jwt, ldap or matrix
AUTH_TYPE=jwt
# ENABLE_AUTO_LOGIN=0

# 
# JWT authentication
#

# Application identifier
JWT_APP_ID=my_jitsi_app_id

# Application secret known only to your token
JWT_APP_SECRET=secret

# (Optional) Set asap_accepted_issuers as a comma separated list
# JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client

# (Optional) Set asap_accepted_audiences as a comma separated list
# JWT_ACCEPTED_AUDIENCES=myserver1,myserver2

JWT_ALLOW_EMPTY=0

JWT_AUTH_TYPE=token

JWT_TOKEN_AUTH_MODULE=token_affiliation

# XMPP settings

# Internal XMPP domain
XMPP_DOMAIN=czat.av.jitsi.com

# Internal XMPP server
XMPP_SERVER=xmpp.czat.av.jitsi.com

# Internal XMPP server URL
XMPP_BOSH_URL_BASE=http://xmpp.czat.av.jitsi.com:5280

# Internal XMPP domain for authenticated services
XMPP_AUTH_DOMAIN=auth.czat.av.jitsi.com

# XMPP domain for the MUC
XMPP_MUC_DOMAIN=muc.czat.av.jitsi.com

# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.czat.av.jitsi.com

# XMPP domain for unauthenticated users
# XMPP_GUEST_DOMAIN=guest.meet.busanid.dev

# The PUBLIC_URL is always allowed
XMPP_CROSS_DOMAIN=true

# Custom Prosody modules for XMPP_DOMAIN (comma separated)
# XMPP_MODULES=

# Custom Prosody modules for MUC component (comma separated)
XMPP_MUC_MODULES=token_affiliation
# Setting needed for prosody-plugin `token_affiliation`
ENABLE_AUTO_OWNER=false

# Custom Prosody modules for internal MUC component (comma separated)
# XMPP_INTERNAL_MUC_MODULES=

# Enable recording
ENABLE_RECORDING=1
ENABLE_LIVESTREAMING=true
# ENABLE_SERVICE_RECORDING=true

# XMPP domain for the jibri recorder
XMPP_RECORDER_DOMAIN=recorder.czat.av.jitsi.com

# JIBRI_HTTP_API_EXTERNAL_PORT=8443
# JIBRI_HTTP_API_INTERNAL_PORT=443

# XMPP recorder user for Jibri client connections
JIBRI_RECORDER_USER=recorder

# Directory for recordings inside Jibri container
JIBRI_RECORDING_DIR=/config/recordings

# The finalizing script. Will run after recording is complete
JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh

# XMPP user for Jibri client connections
JIBRI_XMPP_USER=jibri

# MUC name for the Jibri pool
JIBRI_BREWERY_MUC=jibribrewery

# MUC connection timeout
JIBRI_PENDING_TIMEOUT=90

JIBRI_RECORDING_RESOLUTION=800x600

JIBRI_STRIP_DOMAIN_JID=muc

# Directory for logs inside Jibri container
JIBRI_LOGS_DIR=/config/logs

# Configs for prejoin page.
ENABLE_PREJOIN_PAGE=false

# Disables profile and the edit of all fields from the profile settings (display name and email)
DISABLE_PROFILE=true

# Hides the participant name editing field in the prejoin screen.
# If requireDisplayName is also set as true, a name should still be provided through either
# the jwt or the userInfo from the iframe api init object in order for this to have an effect.
HIDE_PREJOIN_DISPLAY_NAME=false

# List of buttons to hide from the extra join options dropdown.
HIDE_PREJOIN_EXTRA_BUTTONS=true

ENABLE_WELCOME_PAGE=false
# GENERATE_ROOMNAMES_ON_WELCOME_PAGE=false # this setting doesn't exist as docker env variable

# Enabling the close page will ignore the welcome page redirection when call is hangup.
ENABLE_CLOSE_PAGE=true

# Start the conference in audio only mode (no video is being received nor sent).
#START_AUDIO_ONLY=false

# Every participant after the Nth will start audio muted.
#START_AUDIO_MUTED=0

#Start calls with audio muted. Unlike the option above, this one is only
#applied locally. FIXME: having these 2 options is confusing.
#START_WITH_AUDIO_MUTED=true

Why do you need that? The config loaded from the shard should have the correct setting?

Same as above, why do you need that?

Both shards have different settings and are accessed through different DNS entries … you have like 2 completely different deployments. I don’t see the problem here.

I do this because the chat.av.jitsi.com address is unreachable from the agent.jitsi.com domain.

So in order for this to work properly I have to have a configuration for one domain on one shard and a configuration for the other domain on the other shard?
The agent and the customer will then end up in the same room?

Nope. Then agent and customer will not be in the same room.

In the first post you mention redundancy, but you want customer and agent to be in the same room but at the same time to not have access to the same resources? It's not clear at all. What is the goal here? Elaborate on that. Why can't they use the same address?
The bridge cannot give you different websocket address based on some rule … but there are other options maybe …

Access to the resources is for the client and agent, but is reachable from different addresses: agent.jitsi.com and chat.av.jitsi.com.

Network traffic from agent.jitsi.com to chat.av.jitsi.com is not possible because my client does not want one. That’s why I added a variable to custom-config.js like this: config.websocket = 'wss://' + window.location.hostname + '/' + subdir + 'xmpp-websocket'. After this change, the websocket connected correctly from the address agent.jitsi.com. The problem is with colibri-ws, I don’t know where I can change it.

Redundancy is used for load balancing between two shards and for fault tolerance.
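
Added example, not part of the thread and not Jitsi project code: the hostname-derived config.websocket workaround from the post above, with the page hostname checked against an allow-list so the signalling URL can only point at a known deployment name. The two hostnames are assumptions taken from the comments at the top of the posted .env, and xmppWebsocketUrl and cleanSubdir are hypothetical helper names.

```javascript
// Added example for custom-config.js. Hostnames are assumptions taken from
// the "#czat..." / "#agent..." comments in the posted .env.
const ALLOWED_HOSTS = new Set(['czat.av.jitsi.com', 'agent.av.jitsi.com']);
const DEFAULT_HOST = 'czat.av.jitsi.com'; // same host as PUBLIC_URL in the .env

// Keep only plain path segments; anything else (.., %, ?, #, spaces) drops
// the prefix entirely instead of being passed into the URL.
function cleanSubdir(subdir) {
    const parts = String(subdir || '').split('/').filter(Boolean);
    if (parts.some(p => !/^[A-Za-z0-9_-]+$/.test(p))) {
        return '';
    }
    return parts.length ? parts.join('/') + '/' : '';
}

// Build the XMPP websocket URL for the host the page was loaded from.
// A hostname outside the allow-list (an IP address, an unexpected alias
// accepted by the reverse proxy) falls back to the default deployment name.
function xmppWebsocketUrl(hostname, subdir) {
    const host = String(hostname || '').toLowerCase().replace(/\.$/, '');
    const chosen = ALLOWED_HOSTS.has(host) ? host : DEFAULT_HOST;
    return 'wss://' + chosen + '/' + cleanSubdir(subdir) + 'xmpp-websocket';
}

// Browser only: config and subdir are the globals defined by config.js.
if (typeof window !== 'undefined' && typeof config !== 'undefined') {
    config.websocket = xmppWebsocketUrl(
        window.location.hostname,
        typeof subdir === 'string' ? subdir : ''
    );
}
```
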

Disable jvb websockets and it will use datachannel with the media.

You need to turn this on: docker-jitsi-meet/jicofo.conf at 2fdc643e7c01a3213aa749b7582255ccc30249e4 · jitsi/docker-jitsi-meet · GitHub

Okay, I will check this solution, thanks.

It works, but browser performance is too low with this option. The console in dev tools shows many logs. Is it possible to turn it off or reduce it?

Logging option in custom-config.js was helpful

config.logging = { defaultLogLevel: 'error' };