jitsi / docker-jitsi-meet

Jitsi Meet on Docker
https://hub.docker.com/u/jitsi/
Apache License 2.0

websocket issue with new colibri websocket regex scheme in nginx #1650

Closed jmallach closed 10 months ago

jmallach commented 1 year ago

Hi!

After upgrading to the latest release which includes https://github.com/jitsi/docker-jitsi-meet/commit/825730d6597a92b4f06c14eaf54a45e0d4667527, we started getting websocket connection issues between our rproxy and jvb.

Reverting to ENABLE_COLIBRI_WEBSOCKET_UNSAFE_REGEX fixes the issue.

In our setup, Jitsi is a docker compose stack behind a Traefik rproxy. The stack has worked as expected until this change.

We have the default jitsi.meet internal network as well as an external one for communication with Traefik and the internet.

The lookup for jvb resolves to the external network, but the websocket connection urls had meet.jitsi network internal IPs instead, so connections were refused.

Let me know if you need additional information. Thanks!

saghul commented 1 year ago

You can enable that, that's why it's an option. It does serve as a precaution for not allowing connections to arbitrary IPs via the proxy.

jmallach commented 1 year ago

Is there no way to allow for all the docker networks that the container is part of?

saghul commented 1 year ago

There is, just use a custom regex for the ranges you want to support.
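Added example, not part of the thread or the project's code: a small audit that checks whether a candidate custom regex would let the proxy forward to hosts outside the networks you intend. The location pattern shape, the `172.18.0.0/16` subnet, the three regexes and the probe hosts are all constructed assumptions, and Python's `re` stands in for nginx's PCRE, which behaves the same for patterns this simple.

```python
import ipaddress
import re

# Assumption: the proxy embeds the regex as the first capture group of a path
# pattern shaped like this and forwards the connection to whatever it captured.
LOCATION_TEMPLATE = r"^/colibri-ws/({})/(.*)"

ALLOWED_CIDRS = ["172.18.0.0/16"]        # constructed: the network the JVB lives on
PERMISSIVE = r"[a-zA-Z0-9._-]+"          # constructed: accepts any host-like segment
SLOPPY = r"172\.18[0-9.]+"               # constructed: missing "\." after 18
STRICT = r"172\.18\.\d{1,3}\.\d{1,3}"    # constructed: only the allowed /16

# Constructed probes: one legitimate bridge address plus hosts that must be refused.
PROBES = ["172.18.0.4", "10.0.0.5", "192.168.1.10", "example.internal",
          "172.18.0.4.example.org", "172.180.0.4"]


def proxied_host(candidate_regex, path):
    """Return the segment the proxy would forward to, or None if the path is rejected."""
    m = re.match(LOCATION_TEMPLATE.format(candidate_regex), path)
    return m.group(1) if m else None


def audit_regex(candidate_regex, allowed_cidrs=ALLOWED_CIDRS, probes=PROBES):
    """Return the probes the regex admits even though they are outside allowed_cidrs."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    leaks = []
    for host in probes:
        got = proxied_host(candidate_regex, f"/colibri-ws/{host}/abc123/def456")
        if got is None:
            continue  # rejected by the regex, nothing is proxied
        try:
            inside = any(ipaddress.ip_address(got) in n for n in nets)
        except ValueError:
            inside = False  # hostnames are never an allowed target
        if not inside:
            leaks.append(host)
    return leaks


if __name__ == "__main__":
    for name, rx in [("permissive", PERMISSIVE), ("sloppy", SLOPPY), ("strict", STRICT)]:
        print(f"{name:10} admits outside allowed ranges: {audit_regex(rx)}")
```

Replace `ALLOWED_CIDRS` with the subnets of the Docker networks the bridge is actually attached to before auditing your own pattern.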

jmallach commented 1 year ago

Right, I can do that. I imagine many people will stumble on the new behaviour though, I suggest adding a pointer in the docs.

Thanks!

saghul commented 1 year ago

👍 @aaronkvanmeerten can you please document it in the handbook?

xoxys commented 10 months ago

We were running into this issue as well as we use custom container names. In our case, the container is called jitsi-jvb and the default COLIBRI_WEBSOCKET_JVB_LOOKUP_NAME=jvb doesn't work. Changing the env var to COLIBRI_WEBSOCKET_JVB_LOOKUP_NAME=jitsi-jvb fixed it.

IMO, this is a breaking change for a lot of container environments. Any chance to advertise such changes a bit more in the changelog? Just having 825730d web: nginx ws-colibri proxy regex updates (#1645) is a bit useless.

aaronkvanmeerten commented 10 months ago

I fully acknowledge that this change impacts many users, depending on how they have their systems configured. The problem was that the previous setup was so insecure as to be unacceptable/actually being used for attacks. We did a small announcement on our community and have updated the handbook. I am sorry that this impacted you this way, and we will work to improve our messaging when changes like this come in.

xoxys commented 10 months ago

Fully agree and nothing against this change or breaking changes in general. Just wanted to kindly ask for a better announcement of breaking changes in the future.

> we did a small announcement on our community and have updated the handbook.

Thanks. In that case, I missed it.

Keep up your good work on Jitsi.