[__jitsi_meet*] Make rooms on different domains not equivalent
This is a backwards-compatible change. We switch the approach from "treat all domains as if they were the main domain" to: "each domain has its own prosody settings". This works perfectly fine, even with secured domains. There is a caveat with secured domains, in that they use the main domain to log in; this means that users are shared across all domains (as they were before this commit). This is due to jicofo refusing to start meetings from a domain that is not configured, and it only accepting one domain. Right now, this is acceptable, however we could want to authenticate against e.g. different LDAP / IMAP servers in the future, so this would need addressing at that stage. Probably the best way to solve it is by patching jicofo, so it accepts starting conferences from multiple domains and getting that patch upstream. Sponsored by: camilion.eu, eXO.catpull/23/head
parent
a12b343660
commit
87cc109bf1
@ -0,0 +1 @@
|
||||
../../__jitsi_meet_domain/files/prosody.cfg.lua.sh
|
@ -0,0 +1,199 @@
|
||||
#!/bin/sh -eu
|
||||
|
||||
# Source:
|
||||
# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
|
||||
FOCUS_USER="focus"
|
||||
JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
|
||||
# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
|
||||
PROSODY_SECUREDOMAIN_START="--[["
|
||||
PROSODY_SECUREDOMAIN_END="--]]"
|
||||
if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
|
||||
PROSODY_MAIN_START=""
|
||||
PROSODY_MAIN_END=""
|
||||
PROSODY_DOMAIN_START="--[["
|
||||
PROSODY_DOMAIN_END="--]]"
|
||||
else
|
||||
PROSODY_MAIN_START="--[["
|
||||
PROSODY_MAIN_END="--]]"
|
||||
PROSODY_DOMAIN_START=""
|
||||
PROSODY_DOMAIN_END=""
|
||||
if [ -n "${SECURED_DOMAINS}" ]; then
|
||||
PROSODY_SECUREDOMAIN_START=""
|
||||
PROSODY_SECUREDOMAIN_END=""
|
||||
fi
|
||||
fi
|
||||
# Websockets haven't been fully tested in this type and don't work reliably
|
||||
PROSODY_WEBSOCKET="-- "
|
||||
|
||||
# shellcheck disable=SC2034 # This is intended to be included
|
||||
PROSODY_CONFIG="$(cat <<EOFPROSODY
|
||||
-- Managed remotely, changes will be lost
|
||||
${PROSODY_MAIN_START}
|
||||
-- This will be managed by __jitsi_meet
|
||||
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
|
||||
|
||||
-- domain mapper options, must at least have domain base set to use the mapper
|
||||
muc_mapper_domain_base = "${JITSI_HOST:?}";
|
||||
|
||||
external_service_secret = "${TURN_SECRET:-TurnSecret}";
|
||||
external_services = {
|
||||
{ type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
|
||||
{ type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
|
||||
{ type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
|
||||
};
|
||||
|
||||
cross_domain_bosh = false;
|
||||
consider_bosh_secure = true;
|
||||
-- Use websockets
|
||||
-- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
|
||||
${PROSODY_WEBSOCKET}consider_websocket_secure = true;
|
||||
|
||||
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
|
||||
|
||||
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
|
||||
ssl = {
|
||||
protocol = "tlsv1_2+";
|
||||
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
|
||||
}
|
||||
|
||||
unlimited_jids = {
|
||||
"${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
|
||||
"jvb@auth.${JITSI_HOST:?}"
|
||||
}
|
||||
${PROSODY_MAIN_END}
|
||||
|
||||
${PROSODY_DOMAIN_START}
|
||||
-- This will be managed by __jitsi_meet_domain
|
||||
VirtualHost "${JITSI_DOMAIN:?}"
|
||||
-- enabled = false -- Remove this line to enable this host
|
||||
authentication = "anonymous"
|
||||
-- Properties below are modified by jitsi-meet-tokens package config
|
||||
-- and authentication above is switched to "token"
|
||||
--app_id="example_app_id"
|
||||
--app_secret="example_app_secret"
|
||||
-- Assign this host a certificate for TLS, otherwise it would use the one
|
||||
-- set in the global section (if any).
|
||||
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
|
||||
-- use the global one.
|
||||
ssl = {
|
||||
key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
|
||||
certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
|
||||
}
|
||||
av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
|
||||
speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
|
||||
conference_duration_component = "conferenceduration.${JITSI_DOMAIN:?}"
|
||||
-- we need bosh
|
||||
modules_enabled = {
|
||||
"bosh";
|
||||
"pubsub";
|
||||
"ping"; -- Enable mod_ping
|
||||
"speakerstats";
|
||||
"external_services";
|
||||
"conference_duration";
|
||||
"muc_lobby_rooms";
|
||||
"muc_breakout_rooms";
|
||||
"av_moderation";
|
||||
${PROSODY_WEBSOCKET} "websocket";
|
||||
${PROSODY_WEBSOCKET} "smacks";
|
||||
}
|
||||
smacks_max_unacked_stanzas = 5;
|
||||
smacks_hibernation_time = 60;
|
||||
smacks_max_hibernated_sessions = 1;
|
||||
smacks_max_old_sessions = 1;
|
||||
c2s_require_encryption = false
|
||||
lobby_muc = "lobby.${JITSI_DOMAIN:?}"
|
||||
breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
|
||||
main_muc = "conference.${JITSI_DOMAIN:?}"
|
||||
-- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
|
||||
|
||||
Component "conference.${JITSI_DOMAIN:?}" "muc"
|
||||
restrict_room_creation = true
|
||||
storage = "memory"
|
||||
modules_enabled = {
|
||||
"muc_meeting_id";
|
||||
"muc_domain_mapper";
|
||||
"polls";
|
||||
--"token_verification";
|
||||
"muc_rate_limit";
|
||||
}
|
||||
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
|
||||
Component "breakout.${JITSI_DOMAIN:?}" "muc"
|
||||
restrict_room_creation = true
|
||||
storage = "memory"
|
||||
modules_enabled = {
|
||||
"muc_meeting_id";
|
||||
"muc_domain_mapper";
|
||||
--"token_verification";
|
||||
"muc_rate_limit";
|
||||
"polls";
|
||||
}
|
||||
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
|
||||
-- internal muc component
|
||||
Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
|
||||
storage = "memory"
|
||||
modules_enabled = {
|
||||
"ping";
|
||||
}
|
||||
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
${PROSODY_DOMAIN_END}
|
||||
${PROSODY_MAIN_START}
|
||||
-- This will be managed by __jitsi_meet
|
||||
|
||||
VirtualHost "auth.${JITSI_DOMAIN:?}"
|
||||
ssl = {
|
||||
key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
|
||||
certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
|
||||
}
|
||||
|
||||
modules_enabled = {
|
||||
"limits_exception";
|
||||
}
|
||||
authentication = "internal_hashed"
|
||||
${PROSODY_MAIN_END}
|
||||
${PROSODY_DOMAIN_START}
|
||||
-- This will be managed by __jitsi_meet_domain
|
||||
|
||||
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
|
||||
Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
|
||||
-- Single focus user for the whole instance
|
||||
target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
|
||||
|
||||
Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
|
||||
muc_component = "conference.${JITSI_DOMAIN:?}"
|
||||
|
||||
Component "conferenceduration.${JITSI_DOMAIN:?}" "conference_duration_component"
|
||||
muc_component = "conference.${JITSI_DOMAIN:?}"
|
||||
|
||||
Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
|
||||
muc_component = "conference.${JITSI_DOMAIN:?}"
|
||||
|
||||
Component "lobby.${JITSI_DOMAIN:?}" "muc"
|
||||
storage = "memory"
|
||||
restrict_room_creation = true
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
modules_enabled = {
|
||||
"muc_rate_limit";
|
||||
"polls";
|
||||
}
|
||||
${PROSODY_DOMAIN_END}
|
||||
|
||||
${PROSODY_SECUREDOMAIN_START}
|
||||
-- Only used on secured domains
|
||||
VirtualHost "${JITSI_DOMAIN}"
|
||||
authentication = "internal_plain"
|
||||
|
||||
VirtualHost "guest.${JITSI_DOMAIN}"
|
||||
authentication = "anonymous"
|
||||
c2s_require_encryption = false
|
||||
${PROSODY_SECUREDOMAIN_END}
|
||||
EOFPROSODY
|
||||
)"
|
@ -0,0 +1,129 @@
|
||||
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
|
||||
|
||||
-- domain mapper options, must at least have domain base set to use the mapper
|
||||
muc_mapper_domain_base = "jitmeet.example.com";
|
||||
|
||||
external_service_secret = "__turnSecret__";
|
||||
external_services = {
|
||||
{ type = "stun", host = "jitmeet.example.com", port = 3478 },
|
||||
{ type = "turn", host = "jitmeet.example.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
|
||||
{ type = "turns", host = "jitmeet.example.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
|
||||
};
|
||||
|
||||
cross_domain_bosh = false;
|
||||
consider_bosh_secure = true;
|
||||
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
|
||||
|
||||
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
|
||||
ssl = {
|
||||
protocol = "tlsv1_2+";
|
||||
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
|
||||
}
|
||||
|
||||
unlimited_jids = {
|
||||
"focusUser@auth.jitmeet.example.com",
|
||||
"jvb@auth.jitmeet.example.com"
|
||||
}
|
||||
|
||||
VirtualHost "jitmeet.example.com"
|
||||
-- enabled = false -- Remove this line to enable this host
|
||||
authentication = "anonymous"
|
||||
-- Properties below are modified by jitsi-meet-tokens package config
|
||||
-- and authentication above is switched to "token"
|
||||
--app_id="example_app_id"
|
||||
--app_secret="example_app_secret"
|
||||
-- Assign this host a certificate for TLS, otherwise it would use the one
|
||||
-- set in the global section (if any).
|
||||
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
|
||||
-- use the global one.
|
||||
ssl = {
|
||||
key = "/etc/prosody/certs/jitmeet.example.com.key";
|
||||
certificate = "/etc/prosody/certs/jitmeet.example.com.crt";
|
||||
}
|
||||
av_moderation_component = "avmoderation.jitmeet.example.com"
|
||||
speakerstats_component = "speakerstats.jitmeet.example.com"
|
||||
conference_duration_component = "conferenceduration.jitmeet.example.com"
|
||||
-- we need bosh
|
||||
modules_enabled = {
|
||||
"bosh";
|
||||
"pubsub";
|
||||
"ping"; -- Enable mod_ping
|
||||
"speakerstats";
|
||||
"external_services";
|
||||
"conference_duration";
|
||||
"muc_lobby_rooms";
|
||||
"muc_breakout_rooms";
|
||||
"av_moderation";
|
||||
}
|
||||
c2s_require_encryption = false
|
||||
lobby_muc = "lobby.jitmeet.example.com"
|
||||
breakout_rooms_muc = "breakout.jitmeet.example.com"
|
||||
main_muc = "conference.jitmeet.example.com"
|
||||
-- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
|
||||
|
||||
Component "conference.jitmeet.example.com" "muc"
|
||||
restrict_room_creation = true
|
||||
storage = "memory"
|
||||
modules_enabled = {
|
||||
"muc_meeting_id";
|
||||
"muc_domain_mapper";
|
||||
"polls";
|
||||
--"token_verification";
|
||||
"muc_rate_limit";
|
||||
}
|
||||
admins = { "focusUser@auth.jitmeet.example.com" }
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
|
||||
Component "breakout.jitmeet.example.com" "muc"
|
||||
restrict_room_creation = true
|
||||
storage = "memory"
|
||||
modules_enabled = {
|
||||
"muc_meeting_id";
|
||||
"muc_domain_mapper";
|
||||
--"token_verification";
|
||||
"muc_rate_limit";
|
||||
"polls";
|
||||
}
|
||||
admins = { "focusUser@auth.jitmeet.example.com" }
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
|
||||
-- internal muc component
|
||||
Component "internal.auth.jitmeet.example.com" "muc"
|
||||
storage = "memory"
|
||||
modules_enabled = {
|
||||
"ping";
|
||||
}
|
||||
admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
|
||||
VirtualHost "auth.jitmeet.example.com"
|
||||
modules_enabled = {
|
||||
"limits_exception";
|
||||
}
|
||||
authentication = "internal_hashed"
|
||||
|
||||
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
|
||||
Component "focus.jitmeet.example.com" "client_proxy"
|
||||
target_address = "focusUser@auth.jitmeet.example.com"
|
||||
|
||||
Component "speakerstats.jitmeet.example.com" "speakerstats_component"
|
||||
muc_component = "conference.jitmeet.example.com"
|
||||
|
||||
Component "conferenceduration.jitmeet.example.com" "conference_duration_component"
|
||||
muc_component = "conference.jitmeet.example.com"
|
||||
|
||||
Component "avmoderation.jitmeet.example.com" "av_moderation_component"
|
||||
muc_component = "conference.jitmeet.example.com"
|
||||
|
||||
Component "lobby.jitmeet.example.com" "muc"
|
||||
storage = "memory"
|
||||
restrict_room_creation = true
|
||||
muc_room_locking = false
|
||||
muc_room_default_public_jids = true
|
||||
modules_enabled = {
|
||||
"muc_rate_limit";
|
||||
"polls";
|
||||
}
|
Loading…
Reference in New Issue