Video & Audio no longer works with authentication enabled

Hi Everyone,

I’m fairly new to Jitsi.
I finally managed to have Jitsi working but when I tried to enable authentication with prosodyctl registered users I have the following issues:

1- Anonymous visitors are able to access the Jitsi home page and create a meeting; meeting host credentials are only required to start the meeting.
2- Video and audio no longer work.
3- Participants information is displayed and chat is functioning.
4- When a participant leaves, it causes the other one to be disconnected.

The server (OVH) is managed via webmin/virtualmin and meet.mydomain.net is set up as a Virtualmin “Sub-Server”; as a result my apache configuration is a slightly modified version of the jitsi example.

I’ve checked the different logs, but I’m unable to identify where’s the problem.
The network interface has several public IP addresses and one of them is dedicated to the Jitsi FQDN.
I have included:
org.ice4j.ice.harvest.ALLOWED_ADDRESSES= dedicated_IP
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS= dedicated_IP
and also commented out:
#org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=
I’m going in circles and not making any progress :frowning: , suggestions and troubleshooting tips are welcome.

Can you give the jvb log?

It should be located somewhere here: sftp://(server address)/var/log/jitsi

jitsi-installer

Dear Derek,

Thanks for your interest and quick reply.
See below a copy of the log after a fresh start.
I have only the domain name.

OpenJDK 64-Bit Server VM warning: Ignoring option UseConcMarkSweepGC; support was removed in 14.0
2021-01-26 14:32:42.122 INFO: [1] JitsiConfig.#47: Initialized newConfig: merge of /etc/jitsi/videobridge/jvb.conf: 1,application.conf @ jar:file:/usr/share/jitsi-videobridge/jitsi-videobridge.jar!/application.conf: 1,system properties,reference.conf @ jar:file:/usr/share/jitsi-videobridge/jitsi-videobridge.jar!/reference.conf: 1,reference.conf @ jar:file:/usr/share/jitsi-videobridge/lib/ice4j-3.0-22-g67ffceb.jar!/reference.conf: 1,reference.conf @ jar:file:/usr/share/jitsi-videobridge/lib/jitsi-media-transform-1.0-214-gfc6cda2.jar!/reference.conf: 1
2021-01-26 14:32:42.154 INFO: [1] ReadOnlyConfigurationService.reloadConfiguration#51: loading config file at path /etc/jitsi/videobridge/sip-communicator.properties
2021-01-26 14:32:42.156 INFO: [1] JitsiConfig.#68: Initialized legacyConfig: sip communicator props (no description provided)
2021-01-26 14:32:42.158 INFO: [1] JitsiConfig$Companion.reloadNewConfig#94: Reloading the Typesafe config source (previously reloaded 0 times).
2021-01-26 14:32:42.432 INFO: [14] org.ice4j.ice.harvest.MappingCandidateHarvesters.initialize: Initialized mapping harvesters (delay=242ms). stunDiscoveryFailed=false
2021-01-26 14:32:42.578 INFO: [15] [hostname=localhost id=shard] MucClient.initializeConnectAndJoin#227: Initializing a new MucClient for [ org.jitsi.xmpp.mucclient.MucClientConfiguration id=shard domain=auth.meet.MyDomain.net hostname=localhost port=null username=jvb mucs=[JvbBrewery@internal.auth.meet.MyDomain.net] mucNickname=34759a52-a5ca-4ab9-bfad-2f6977169de2 disableCertificateVerification=false]
2021-01-26 14:32:42.605 INFO: [1] LastNReducer.#65: LastNReducer with reductionScale: 0.75 recoverScale: 1.25 impactTime: PT1M minLastN: 0 maxEnforcedLastN: 40
2021-01-26 14:32:42.607 INFO: [1] TaskPools.#81: TaskPools detected 8 processors, creating the CPU pool with that many threads
2021-01-26 14:32:42.633 INFO: [15] [hostname=localhost id=shard] MucClient.initializeConnectAndJoin#302: Dispatching a thread to connect and login.
2021-01-26 14:32:42.640 INFO: [1] UlimitCheck.printUlimits#115: Running with open files limit 65000 (hard 65000), thread limit 65000 (hard 65000).
2021-01-26 14:32:42.641 INFO: [1] VideobridgeExpireThread.start#88: Starting with 60 second interval.
2021-01-26 14:32:42.654 INFO: [1] HealthChecker.start#118: Started with interval=10000, timeout=PT30S, maxDuration=PT3S, stickyFailures=false.
2021-01-26 14:32:42.667 INFO: [1] MainKt.main#110: Not starting CallstatsService, disabled in configuration.
2021-01-26 14:32:42.670 INFO: [1] MainKt.main#119: Starting public http server
2021-01-26 14:32:42.715 INFO: [1] ColibriWebSocketService.#40: Base URL: wss://meet.MyDomain.net:443/colibri-ws/default-id
2021-01-26 14:32:42.742 INFO: [1] org.eclipse.jetty.util.log.Log.initialized: Logging initialized @1036ms to org.eclipse.jetty.util.log.JavaUtilLog
2021-01-26 14:32:42.805 INFO: [1] ColibriWebSocketService.registerServlet#65: Registering servlet at /colibri-ws/*, baseUrl = wss://meet.MyDomain.net:443/colibri-ws/default-id
2021-01-26 14:32:42.820 INFO: [1] org.eclipse.jetty.server.Server.doStart: jetty-9.4.35.v20201120; built: 2020-11-20T21:17:03.964Z; git: bdc54f03a5e0a7e280fab27f55c3c75ee8da89fb; jvm 14.0.2+12-Ubuntu-120.04
2021-01-26 14:32:42.892 INFO: [1] org.eclipse.jetty.server.handler.ContextHandler.doStart: Started o.e.j.s.ServletContextHandler@74cec793{/,null,AVAILABLE}
2021-01-26 14:32:42.957 INFO: [1] org.eclipse.jetty.server.AbstractConnector.doStart: Started ServerConnector@5b64c4b7{HTTP/1.1, (http/1.1)}{0.0.0.0:9090}
2021-01-26 14:32:42.958 INFO: [1] org.eclipse.jetty.server.Server.doStart: Started @1253ms
2021-01-26 14:32:42.960 INFO: [1] MainKt.main#137: Starting private http server
2021-01-26 14:32:43.037 INFO: [1] org.eclipse.jetty.server.Server.doStart: jetty-9.4.35.v20201120; built: 2020-11-20T21:17:03.964Z; git: bdc54f03a5e0a7e280fab27f55c3c75ee8da89fb; jvm 14.0.2+12-Ubuntu-120.04
2021-01-26 14:32:43.062 INFO: [15] [hostname=localhost id=shard] MucClient$1.connected#259: Connected.
2021-01-26 14:32:43.062 INFO: [15] [hostname=localhost id=shard] MucClient.lambda$getConnectAndLoginCallable$7#594: Logging in.
2021-01-26 14:32:43.146 INFO: [15] [hostname=localhost id=shard] MucClient$1.authenticated#265: Authenticated, b=false
2021-01-26 14:32:43.219 INFO: [15] [hostname=localhost id=shard] MucClient$MucWrapper.join#720: Joined MUC: jvbbrewery@internal.auth.meet.MyDomain.net
2021-01-26 14:32:43.469 WARNING: [1] org.glassfish.jersey.server.wadl.WadlFeature.configure: JAXBContext implementation could not be found. WADL feature is disabled.
2021-01-26 14:32:43.655 WARNING: [1] org.glassfish.jersey.internal.inject.Providers.checkProviderRuntime: A provider org.jitsi.rest.Version registered in SERVER runtime does not implement any provider interfaces applicable in the SERVER runtime. Due to constraint configuration problems the provider org.jitsi.rest.Version will be ignored.
2021-01-26 14:32:43.658 WARNING: [1] org.glassfish.jersey.internal.inject.Providers.checkProviderRuntime: A provider org.jitsi.rest.Health registered in SERVER runtime does not implement any provider interfaces applicable in the SERVER runtime. Due to constraint configuration problems the provider org.jitsi.rest.Health will be ignored.
2021-01-26 14:32:44.062 INFO: [1] org.eclipse.jetty.server.handler.ContextHandler.doStart: Started o.e.j.s.ServletContextHandler@6ada9c0c{/,null,AVAILABLE}
2021-01-26 14:32:44.063 INFO: [1] org.eclipse.jetty.server.AbstractConnector.doStart: Started ServerConnector@5bd1ceca{HTTP/1.1, (http/1.1)}{127.0.0.1:8080}
2021-01-26 14:32:44.064 INFO: [1] org.eclipse.jetty.server.Server.doStart: Started @2358ms
2021-01-26 14:32:52.654 INFO: [22] HealthChecker.run#170: Performed a successful health check in PT0.000901S. Sticky failure: false

Thanks for the link but it is not an option, the server is not only for Jitsi and it has a whole bunch of other services.

In the browser Java console I’ve also noticed:

BridgeChannel.js:86 WebSocket connection to 'wss://meet.MyDomain.net/colibri-ws/default-id/25290a9108d8fc95/faed9723?pwd=7ef48nik9eonetc11h9o2emqah' failed: Error during WebSocket handshake: Unexpected response code: 404
_initWebSocket @ BridgeChannel.js:86
t @ BridgeChannel.js:105

Does not sound very positive…

Share your prosody config file: /etc/prosody/conf.avail/your.domain.com.cfg.lua should be where it’s located.

Thanks Derek, here we go:

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "meet.MyDomain.net";

turncredentials_secret = "Hjxm2NXzAHI1CFBj";

turncredentials = {
  { type = "stun", host = "meet.MyDomain.net", port = "3478" },
  { type = "turn", host = "meet.MyDomain.net", port = "3478", transport = "udp" },
  { type = "turns", host = "meet.MyDomain.net", port = "5349", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
https_ports = { }; -- Uncomment this line to enable listening on port 5284

-- Mozilla SSL Configuration Generator
ssl = {
  protocol = "tlsv1_2+";
  ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

VirtualHost "meet.MyDomain.net"
  -- enabled = false -- Remove this line to enable this host
  authentication = "internal_hashed"
  -- Properties below are modified by jitsi-meet-tokens package config
  -- and authentication above is switched to "token"
  --app_id="example_app_id"
  --app_secret="example_app_secret"
  -- Assign this host a certificate for TLS, otherwise it would use the one
  -- set in the global section (if any).
  -- Note that old-style SSL on port 5223 only supports one certificate, and will always
  -- use the global one.
  ssl = {
    key = "/etc/prosody/certs/meet.MyDomain.net.key";
    certificate = "/etc/prosody/certs/meet.MyDomain.net.crt";
  }
  speakerstats_component = "speakerstats.meet.MyDomain.net"
  conference_duration_component = "conferenceduration.meet.MyDomain.net"
  -- we need bosh
  modules_enabled = {
    "bosh";
    "pubsub";
    "ping"; -- Enable mod_ping
    "speakerstats";
    "turncredentials";
    "conference_duration";
    "muc_lobby_rooms";
  }
  c2s_require_encryption = false
  lobby_muc = "lobby.meet.MyDomain.net"
  main_muc = "conference.meet.MyDomain.net"
  -- muc_lobby_whitelist = { "recorder.meet.MyDomain.net" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.meet.MyDomain.net" "muc"
  storage = "memory"
  modules_enabled = {
    "muc_meeting_id";
    "muc_domain_mapper";
    --"token_verification";
  }
  admins = { "focus@auth.meet.MyDomain.net" }
  muc_room_locking = false
  muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.meet.MyDomain.net" "muc"
  storage = "memory"
  modules_enabled = {
    "ping";
  }
  admins = { "focus@auth.meet.MyDomain.net", "jvb@auth.meet.MyDomain.net" }
  muc_room_locking = false
  muc_room_default_public_jids = true

VirtualHost "auth.meet.MyDomain.net"
  ssl = {
    key = "/etc/prosody/certs/auth.meet.MyDomain.net.key";
    certificate = "/etc/prosody/certs/auth.meet.MyDomain.net.crt";
  }
  authentication = "internal_plain"

Component "focus.meet.MyDomain.net"
  component_secret = "r7igLqrF"

Component "speakerstats.meet.MyDomain.net" "speakerstats_component"
  muc_component = "conference.meet.MyDomain.net"

Component "conferenceduration.meet.MyDomain.net" "conference_duration_component"
  muc_component = "conference.meet.MyDomain.net"

Component "lobby.meet.MyDomain.net" "muc"
  storage = "memory"
  restrict_room_creation = true
  muc_room_locking = false
  muc_room_default_public_jids = true

-- Allow our guests to join a conference without the need for a password
-- BELOW VIRTUALHOST NAME SHOULD NOT(!) BE REGISTERED IN DNS!
VirtualHost "guest.meet.MyDomain.net"
  authentication = "anonymous"
  c2s_require_encryption = false

Replace your file with this and see if it works (make a copy of your original file).

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "your.domain.com";

turncredentials_secret = "XTkmVcqKlAvbhnvc";

turncredentials = {
  { type = "stun", host = "your.domain.com", port = "3478" },
  { type = "turn", host = "your.domain.com", port = "3478", transport = "udp" },
  { type = "turns", host = "your.domain.com", port = "5349", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- Mozilla SSL Configuration Generator
ssl = {
  protocol = "tlsv1_2+";
  ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

VirtualHost "your.domain.com"
  -- enabled = false -- Remove this line to enable this host
  authentication = "internal_plain"
  -- Properties below are modified by jitsi-meet-tokens package config
  -- and authentication above is switched to "token"
  --app_id="example_app_id"
  --app_secret="example_app_secret"
  -- Assign this host a certificate for TLS, otherwise it would use the one
  -- set in the global section (if any).
  -- Note that old-style SSL on port 5223 only supports one certificate, and will always
  -- use the global one.
  ssl = {
    key = "/etc/prosody/certs/your.domain.com.key";
    certificate = "/etc/prosody/certs/your.domain.com.crt";
  }
  speakerstats_component = "speakerstats.your.domain.com"
  conference_duration_component = "conferenceduration.your.domain.com"
  -- we need bosh
  modules_enabled = {
    "bosh";
    "pubsub";
    "ping"; -- Enable mod_ping
    "speakerstats";
    "turncredentials";
    "conference_duration";
    "muc_lobby_rooms";
  }
  c2s_require_encryption = false
  lobby_muc = "lobby.your.domain.com"
  main_muc = "conference.your.domain.com"
  -- muc_lobby_whitelist = { "recorder.your.domain.com" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.your.domain.com" "muc"
  storage = "memory"
  modules_enabled = {
    "muc_meeting_id";
    "muc_domain_mapper";
    -- "token_verification";
  }
  admins = { "focus@auth.your.domain.com" }
  muc_room_locking = false
  muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.your.domain.com" "muc"
  storage = "memory"
  modules_enabled = {
    "ping";
  }
  admins = { "focus@auth.your.domain.com", "jvb@auth.your.domain.com" }
  muc_room_locking = false
  muc_room_default_public_jids = true

VirtualHost "auth.your.domain.com"
  ssl = {
    key = "/etc/prosody/certs/auth.your.domain.com.key";
    certificate = "/etc/prosody/certs/auth.your.domain.com.crt";
  }
  authentication = "internal_plain"

Component "focus.your.domain.com"
  component_secret = "CIVKUXvBVyvGAY7g"

Component "speakerstats.your.domain.com" "speakerstats_component"
  muc_component = "conference.your.domain.com"

Component "conferenceduration.your.domain.com" "conference_duration_component"
  muc_component = "conference.your.domain.com"

Component "lobby.your.domain.com" "muc"
  storage = "memory"
  restrict_room_creation = true
  muc_room_locking = false
  muc_room_default_public_jids = true

VirtualHost "guest.your.domain.com"
  authentication = "anonymous"
  c2s_require_encryption = false

Thanks for sharing this file, but I noticed that in the section for VirtualHost “your.domain.com” you are not requesting any authentication, which is not what I’m trying to achieve.

Is this a mistake?
Thanks in advance for your feedback.
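
The by-eye review in the post above can be automated. The following Python is an added example, not code from the thread or from the Jitsi or Prosody projects: it reads a Prosody config, reports which authentication provider each VirtualHost uses, and flags anonymous login anywhere but the guest host. The sample config and its hostnames are constructed placeholders, and the parser tolerates stray whitespace inside the quoted value.

```python
import re

# Constructed sample in the shape of the configs posted in this thread.
# Hostnames are placeholders, not values from the thread.
SAMPLE = '''
VirtualHost "meet.example.net"
    authentication = "anonymous"

Component "conference.meet.example.net" "muc"
    storage = "memory"

VirtualHost "auth.meet.example.net"
    authentication = " internal_plain"

-- authentication = "internal_hashed"   (commented out, must be ignored)
VirtualHost "guest.meet.example.net"
    authentication = "anonymous"
'''

SECTION = re.compile(r'^\s*(VirtualHost|Component)\s+"([^"]+)"')
AUTH = re.compile(r'^\s*authentication\s*=\s*"\s*(\w+)\s*"')

def parse_auth(text):
    """Return {VirtualHost name: authentication provider or None}."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("--", 1)[0]      # strip Lua line comments
        m = SECTION.match(line)
        if m:
            # Settings under a Component must not be credited to a VirtualHost.
            current = m.group(2) if m.group(1) == "VirtualHost" else None
            if current:
                hosts.setdefault(current, None)
            continue
        m = AUTH.match(line)
        if m and current:
            hosts[current] = m.group(1)
    return hosts

def audit(text, main_host, guest_host):
    """List (host, problem) pairs for the authentication layout."""
    hosts, findings = parse_auth(text), []
    if hosts.get(main_host) is None:
        findings.append((main_host, "no authentication setting found"))
    for name, auth in hosts.items():
        if auth == "anonymous" and name != guest_host:
            findings.append((name, "anonymous login outside the guest host"))
        if auth == "internal_plain":
            findings.append((name, "internal_plain keeps passwords unhashed"))
    return findings
```

Calling `audit(SAMPLE, "meet.example.net", "guest.meet.example.net")` flags the main host for anonymous login and the auth host for `internal_plain`.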

Thanks for pointing that out, I just fixed it.

I have reverted to my previous configuration allowing anonymous users and realised that it is not correctly configured either and unstable.
Depending on the browser, joining is not always possible, the video regularly jerks and in the browser java console it looks like the connection is constantly resetting.
I have the feeling that my apache configuration is not right, leading to WebSocket connection problems.
I will create another topic to fix this issue first before considering the user authentication configuration.

All a self-made problem; I was using JDK version 14 (installed by default) instead of version 8 :pleading_face: :tired_face:!
Refer to:
https://community.jitsi.org/t/constant-websocket-connection-handshake-error-with-apache-server/91841/7
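
The JVM version named in the resolution above is already visible in a videobridge startup log of the kind posted earlier in the thread. The following Python is an added example, not code from the thread or the Jitsi project: it extracts the JVM version from the Jetty startup line and lists the JVM options the runtime reported ignoring. The log excerpt is constructed in the posted format, and the expected major version of 8 is an assumption taken from the poster's own fix.

```python
import re

# Constructed excerpt in the format of the videobridge log posted in this thread.
SAMPLE_LOG = """\
OpenJDK 64-Bit Server VM warning: Ignoring option UseConcMarkSweepGC; support was removed in 14.0
2021-01-26 14:32:42.820 INFO: [1] org.eclipse.jetty.server.Server.doStart: jetty-9.4.35.v20201120; built: 2020-11-20T21:17:03.964Z; git: 0000000; jvm 14.0.2+12-Ubuntu-120.04
2021-01-26 14:32:52.654 INFO: [22] HealthChecker.run#170: Performed a successful health check in PT0.000901S. Sticky failure: false
"""

JVM_FIELD = re.compile(r';\s*jvm\s+(\S+)')
IGNORED = re.compile(r'VM warning: Ignoring option (\S+); support was removed in (\S+)')

def jvm_major(version):
    """Major release of a Java version string; '1.8.0_275' means Java 8."""
    parts = re.split(r'[._+-]', version)
    major = parts[1] if parts[0] == "1" and len(parts) > 1 else parts[0]
    return int(major) if major.isdigit() else None

def triage(log_text, expected_major=8):
    """Collect JVM facts that a passing health check does not reveal.

    expected_major=8 is an assumption based on the poster's resolution.
    """
    report = {"jvm": None, "major": None, "ignored_options": [], "mismatch": False}
    for line in log_text.splitlines():
        m = IGNORED.search(line)
        if m:
            report["ignored_options"].append(m.group(1))
        m = JVM_FIELD.search(line)
        if m and report["jvm"] is None:
            report["jvm"] = m.group(1)
            report["major"] = jvm_major(m.group(1))
    report["mismatch"] = report["major"] is not None and report["major"] != expected_major
    return report
```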