DISCLAIMER: this is neither legal nor technical advice. It is just a WIP proposal, open to discussion, on how a Jitsi server can be quickly (and legally) deployed in order to host one's own private video meetings, based on the authors' practical experiences.

The proposed Jitsi implementation requires authentication for the host, but not for guests. More precisely, while hosts need to have an account to create rooms, guests do not need to have one, but should be required to provide a room-specific password to enter. The aim is to minimize privacy and security issues while keeping the system practical and easy to use for everybody.

The problem solved here, not (yet) covered by official documentation

As already said in the platform introduction, user authentication may be added in various ways; authentication control belongs in the XMPP server on which Jitsi relies/depends (Prosody). Prosody has a simple built-in authentication system (with passwords stored in plain text or hashed, depending on the module used); many other authentication services can be implemented through dedicated modules.

In the official Jitsi documentation, the suggested way to set user passwords is the prosodyctl command, which can only be run by the sysadmin. Unfortunately, this is not GDPR-compliant, because "enabling users to set their password without the admin knowing it" is a basic and unavoidable security measure. On the other hand, configuring Prosody to allow users to register their own accounts independently is not even an option, as anyone out there would be able to use your Jitsi.

Since the Prosody server is accessible independently from Jitsi-meet, the solution is to ask users to change their password through an external XMPP client, like Pidgin. In this way, basic GDPR compliance can be achieved.

The only issue is that in the default Jitsi deployment (quick install) prosody uses self-signed certificates, so XMPP clients may display error messages (or even refuse to connect). Therefore some extra manual configuration is needed, which is covered by this howto.

Configure authentication only for room creation

Taken from the official Jitsi-Jicofo documentation.

Change the prosody config:

    sudo nano /etc/prosody/conf.avail/$(hostname -f).cfg.lua

Change authentication from anonymous to internal_hashed, and add a second VirtualHost after the first VirtualHost section (use your actual domain):

    VirtualHost ""

Save, exit, then:

    sudo nano /etc/jitsi/meet/$(hostname -f)-config.js

After the line domain: '', insert another line anonymousdomain: '', (use your actual domain and don't forget the commas!)

Save, exit, then:

    sudo nano /etc/jitsi/jicofo/sip-communicator.properties

Add the following line (remember to insert your actual domain):

    .URL=XMPP:

Certificates for prosody

During jitsi-meet installation, two virtual hosts ( and ) are created in the prosody configuration file ( /etc/prosody/conf.avail/.lua), and self-signed certificates are generated for both.

However, only is actually intended to be accessed from the Internet (through XMPP clients like Pidgin), while is just an internal domain, used only by jicofo to internally connect to prosody.

Since we already have a letsencrypt certificate for, we just need to import it in prosody (ignore warnings for th, auth, guest, conference, localhost, jitsi-videobridge and focus hosts; they are all internal domains):

    sudo prosodyctl --root cert import /etc/letsencrypt/live

In order to enable automatic certificate renewal, a post hook script has to be added.

    sudo nano /etc/letsencrypt/renewal-hooks/post/00-prosody-auth.sh

with this content:

    prosodyctl --root cert import /etc/letsencrypt/live

Then:

    sudo chmod +x /etc/letsencrypt/renewal-hooks/post/00-prosody-auth.sh

You can test it by forcing a renewal:

    sudo certbot-auto renew --force-renew

Which should output something like (ignore warnings for auth, guest, conference, localhost, jitsi-videobridge and focus hosts):

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Congratulations, all renewals succeeded.
    etc/letsencrypt/live//fullchain.pem (success)
    Output from post-hook command 00-prosody-auth.sh:
    Running post-hook command: /etc/letsencrypt/renewal-hooks/post/00-prosody-auth.sh