DevelopingEntitiesWithFuntations
commented
1 week ago On newest stable version at the time
Open DevelopingEntitiesWithFuntations opened 1 week ago
DevelopingEntitiesWithFuntations
commented
1 week ago On newest stable version at the time
saghul
commented
1 week ago What previous issue? What config options did you set in prosody?
DevelopingEntitiesWithFuntations
commented
1 week ago This PR: #1776 . Corresponding Issue ID is 1771. I set the following in the .env file:
ENABLE_AUTH=1
ENABLE_GUESTS=1
AUTH_TYPE=jwt
JWT_ASAP_KEYSERVER=http://keyserver
JWT_AUTH_TYPE=token
JWT_TOKEN_AUTH_MODULE=token_verification
JITSI_IMAGE_VERSION=stable-9646
JWT_SIGN_TYPE=RS512Can you please share the full logs and check the generated prosody config?
DevelopingEntitiesWithFuntations
commented
1 week ago @saghul I've glanced upon on the logs and concluded that the other parts are irrelevant.
I did forget the most essential information - with these settings above the only way to open up a room is by using the JWT. The JWT validation fails with the relevant log and on the client side failed to connect or similar log is being put.
How do I check the generated prosody config, and which one? A specific plugin or just the /config/prosody.cfg.lua on the prosody container?
saghul
commented
1 week ago Let's see the generated .lua file in the container. There should be 2 of them.
DevelopingEntitiesWithFuntations
commented
6 days ago jitsi-meet.cfg.lua:
admins = {
"jigasi@auth.jitsi.example.org",
"jibri@auth.jitsi.example.org",
"focus@auth.jitsi.example.org",
"jvb@auth.jitsi.example.org"
}
unlimited_jids = {
"focus@auth.jitsi.example.org",
"jvb@auth.jitsi.example.org"
}
plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom", "/prosody-plugins-contrib" }
muc_mapper_domain_base = "meet.jitsi";
muc_mapper_domain_prefix = "muc";
http_default_host = "meet.jitsi"
consider_bosh_secure = true;
consider_websocket_secure = true;
smacks_max_unacked_stanzas = 5;
smacks_hibernation_time = 60;
smacks_max_old_sessions = 1;
VirtualHost "meet.jitsi"
authentication = "token"
app_id = "jitsi"
app_secret = "<no value>"
allow_empty_token = false
asap_key_server = "http://certificates"
enable_domain_verification = false
ssl = {
key = "/config/certs/meet.jitsi.key";
certificate = "/config/certs/meet.jitsi.crt";
}
modules_enabled = {
"bosh";
"websocket";
"smacks"; -- XEP-0198: Stream Management
"speakerstats";
"conference_duration";
"room_metadata";
"end_conference";
"muc_lobby_rooms";
"muc_breakout_rooms";
"av_moderation";
}
main_muc = "muc.meet.jitsi"
room_metadata_component = "metadata.meet.jitsi"
lobby_muc = "lobby.meet.jitsi"
muc_lobby_whitelist = { "recorder.jitsi.example.org" }
breakout_rooms_muc = "breakout.meet.jitsi"
speakerstats_component = "speakerstats.meet.jitsi"
conference_duration_component = "conferenceduration.meet.jitsi"
end_conference_component = "endconference.meet.jitsi"
av_moderation_component = "avmoderation.meet.jitsi"
c2s_require_encryption = true
VirtualHost "guest.meet.jitsi"
authentication = "jitsi-anonymous"
modules_enabled = {
"smacks"; -- XEP-0198: Stream Management
}
c2s_require_encryption = true
VirtualHost "auth.jitsi.example.org"
ssl = {
key = "/config/certs/auth.jitsi.example.org.key";
certificate = "/config/certs/auth.jitsi.example.org.crt";
}
modules_enabled = {
"limits_exception";
}
authentication = "internal_hashed"
VirtualHost "recorder.jitsi.example.org"
modules_enabled = {
"smacks";
}
authentication = "internal_hashed"
Component "internal.auth.jitsi.example.org" "muc"
storage = "memory"
modules_enabled = {
}
restrict_room_creation = true
muc_filter_whitelist="auth.jitsi.example.org"
muc_room_locking = false
muc_room_default_public_jids = true
muc_room_cache_size = 1000
muc_tombstones = false
muc_room_allow_persistent = false
Component "muc.meet.jitsi" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_meeting_id";
"token_verification";
"polls";
"muc_domain_mapper";
"muc_password_whitelist";
}
-- The size of the cache that saves state for IP addresses
rate_limit_cache_size = 10000;
muc_room_cache_size = 10000
muc_room_locking = false
muc_room_default_public_jids = true
muc_password_whitelist = {
"focus@auth.jitsi.example.org";
"recorder@recorder.jitsi.example.org";
}
muc_tombstones = false
muc_room_allow_persistent = false
Component "focus.meet.jitsi" "client_proxy"
target_address = "focus@auth.jitsi.example.org"
Component "speakerstats.meet.jitsi" "speakerstats_component"
muc_component = "muc.meet.jitsi"
Component "conferenceduration.meet.jitsi" "conference_duration_component"
muc_component = "muc.meet.jitsi"
Component "endconference.meet.jitsi" "end_conference"
muc_component = "muc.meet.jitsi"
Component "avmoderation.meet.jitsi" "av_moderation_component"
muc_component = "muc.meet.jitsi"
Component "lobby.meet.jitsi" "muc"
storage = "memory"
restrict_room_creation = true
muc_tombstones = false
muc_room_allow_persistent = false
muc_room_cache_size = 10000
muc_room_locking = false
muc_room_default_public_jids = true
modules_enabled = {
}
Component "breakout.meet.jitsi" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_cache_size = 10000
muc_room_locking = false
muc_room_default_public_jids = true
muc_tombstones = false
muc_room_allow_persistent = false
modules_enabled = {
"muc_meeting_id";
"polls";
}
Component "metadata.meet.jitsi" "room_metadata_component"
muc_component = "muc.meet.jitsi"
breakout_rooms_component = "breakout.meet.jitsi"
prosody.cfg.lua:
-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at http://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running: luac -p prosody.cfg.lua
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
-- blanks. Good luck, and happy Jabbering!
---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts
-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { }
-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
--use_libevent = true;
-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation on modules can be found at: http://prosody.im/doc/modules
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"disco"; -- Service discovery
-- Not essential, but recommended
"private"; -- Private XML storage (for room bookmarks, etc.)
"limits"; -- Enable bandwidth limiting for XMPP connections
-- These are commented by default as they have a performance impact
--"privacy"; -- Support privacy lists
--"compression"; -- Stream compression (Debian: requires lua-zlib module to work)
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
-- Admin interfaces
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-- HTTP modules
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
--"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
--"groups"; -- Shared roster support
--"announce"; -- Send announcement to all online users
--"welcome"; -- Welcome users who register accounts
--"watchregistrations"; -- Alert admins of registrations
--"motd"; -- Send a message to users when they log in
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
"http_health";
};
component_ports = { }
https_ports = { }
trusted_proxies = {
"127.0.0.1";
"::1";
}
-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
"offline"; -- Store offline messages
"register";
-- "c2s"; -- Handle client connections
"s2s"; -- Handle server-to-server connections
};
-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = false;
-- Enable rate limits for incoming client and server connections
limits = {
c2s = {
rate = "10kb/s";
};
s2sin = {
rate = "30kb/s";
};
}
--Prosody garbage collector settings
--For more information see https://prosody.im/doc/advanced_gc
gc = {
mode = "incremental";
threshold = 400;
speed = 250;
step_size = 13;
}
pidfile = "/config/data/prosody.pid";
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = true;
-- set c2s port
c2s_ports = { 5222 } -- Listen on specific c2s port
c2s_interfaces = { "*", "::" }
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = false
-- Many servers don't support encryption or have invalid or self-signed
-- certificates. You can list domains here that will not be required to
-- authenticate using certificates. They will be authenticated using DNS.
--s2s_insecure_domains = { "gmail.com" }
-- Even if you leave s2s_secure_auth disabled, you can still require valid
-- certificates for some domains by specifying a list here.
--s2s_secure_domains = { "jabber.org" }
-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.
authentication = "internal_hashed"
-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.
--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
--
-- Debian:
-- Logs info and higher to /var/log
-- Logs errors to syslog also
log = {
{ levels = {min = "info"}, timestamps = "%Y-%m-%d %X", to = "console"};
}
-- Enable use of native prosody 0.11 support for epoll over select
network_backend = "epoll";
-- Set the TCP backlog to 511 since the kernel rounds it up to the next power of 2: 512.
network_settings = {
tcp_backlog = 511;
}
unbound = {
resolvconf = true
}
http_ports = { 5280 }
http_interfaces = { "*", "::" }
data_path = "/config/data"
Include "conf.d/*.cfg.lua"
Found a fix:
In the same file in the prosody container /config/token/util.lib.lua I had to replace every instance of RS256 to RS512 (of which were 2 and not 1 this time!) and now it works without errors. Where are there two mentions of RS256 now?
What do you think would be a good fix in total?
damencho
commented
6 days ago There is already a configuration signature_algorithm. You need to set that instead of modyfing the code. The second place is something we recently added for visitors which is hardcoded to RS256, but this is not something you use, I think. We will fix it.
saghul
commented
6 days ago There is a setting for it, what image version are you using?
DevelopingEntitiesWithFuntations
commented
5 days ago There is a setting for it, what image version are you using?
stable-9646
There is already a configuration signature_algorithm. You need to set that instead of modyfing the code. The second place is something we recently added for visitors which is hardcoded to RS256, but this is not something you use, I think. We will fix it.
Wait so JWT_SIGN_TYPE=RS512 doesn't work anymore in the .env?
damencho
commented
5 days ago DevelopingEntitiesWithFuntations
commented
4 days ago @damencho then why doesn't it work?
damencho
commented
4 days ago When you set it, do you see it in the resulting prosody configs?
saghul
commented
4 days ago @damencho then why doesn't it work?
It's not in your generated config file. So it's either not properly set, or you are using an old image.
Sorry, the JWT auth token issue is still present, this time a new error is spitted out...
Error verifying token err:not-allowed, reason:Invalid or incorrect alg tenant: room:testI've set my Cert to RS512 as written in my PR and previous issue...
Any idea what's the issue here?