security: don't provide default passwords

Also check if they are not provided at sstartup time and fail to start
in that case.
pull/386/head
Saúl Ibarra Corretgé 5 years ago
parent aaec22dd99
commit a015710e54
  1. 15
      README.md
  2. 46
      env.example
  3. 5
      jibri/rootfs/etc/cont-init.d/10-config
  4. 7
      jicofo/rootfs/etc/cont-init.d/10-config
  5. 1
      jicofo/rootfs/etc/services.d/jicofo/run
  6. 5
      jigasi/rootfs/etc/cont-init.d/10-config
  7. 1
      jvb/rootfs/defaults/sip-communicator.properties
  8. 5
      jvb/rootfs/etc/cont-init.d/10-config
  9. 11
      prosody/rootfs/etc/cont-init.d/10-config

@ -32,9 +32,11 @@ follow these steps:
* Clone this repository to your computer.
* `git clone https://github.com/jitsi/docker-jitsi-meet && cd docker-jitsi-meet`
* Create a ``.env`` file by copying and adjusting ``env.example``, and create required `CONFIG` directories
* Create a ``.env`` file by copying and adjusting ``env.example``
* `cp env.example .env`
* `mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}`
* Set strong passwords in the security section options, they ccan be generated with `openssl rand -hex 16`
* Create required `CONFIG` directories
* `mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb,jigasi,jibri}`
* Run ``docker-compose up -d``.
* Access the web UI at [``https://localhost:8443``](https://localhost:8443) (or a different port, in case you edited the compose file).
@ -51,6 +53,15 @@ If you want to use jibri too, first configure a host as described in JItsi BRoad
and then run Docker Compose as follows: ``docker-compose -f docker-compose.yml -f jibri.yml up -d``
or to use jigasi too: ``docker-compose -f docker-compose.yml -f jigasi.yml -f jibri.yml up -d``
### Security note
This setup used to have default passwords for intetrnal accounts used across components. In order to make the default setup
secure by default these have been removed and the respective containers won't start without having a password set.
Strong passwordds may be generated as follows: `openssl rand -hex 16`
DO NOT reuse any of the passwords.
## Architecture
A Jitsi Meet installation can be broken down into the following components:

@ -1,3 +1,31 @@
# Security
#
# Set these to strong passwords to avoid intruders from impersonating a service account
# Here is how to generate a good password: openssl rand -hex 16
# The service(s) won't start unless these are specified
# You may skip the Jigasi and Jibri passwords if you are not using those
# DO NOT reuse passwords
#
# XMPP component password for Jicofo
JICOFO_COMPONENT_SECRET=
# XMPP password for Jicofo client connections
JICOFO_AUTH_PASSWORD=
# XMPP password for JVB client connections
JVB_AUTH_PASSWORD=
# XMPP password for Jigasi MUC client connections
JIGASI_XMPP_PASSWORD=
# XMPP recorder password for Jibri client connections
JIBRI_RECORDER_PASSWORD=
# XMPP password for Jibri client connections
JIBRI_XMPP_PASSWORD=
#
# Basic configuration options
#
@ -178,9 +206,6 @@ JVB_BREWERY_MUC=jvbbrewery
# XMPP user for JVB client connections
JVB_AUTH_USER=jvb
# XMPP password for JVB client connections
JVB_AUTH_PASSWORD=passw0rd
# STUN servers used to discover the server's public IP
JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
@ -195,25 +220,16 @@ JVB_TCP_PORT=4443
# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
#JVB_ENABLE_APIS=rest,colibri
# XMPP component password for Jicofo
JICOFO_COMPONENT_SECRET=s3cr37
# XMPP user for Jicofo client connections.
# NOTE: this option doesn't currently work due to a bug
JICOFO_AUTH_USER=focus
# XMPP password for Jicofo client connections
JICOFO_AUTH_PASSWORD=passw0rd
# Base URL of Jicofo's reservation REST API
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
# XMPP user for Jigasi MUC client connections
JIGASI_XMPP_USER=jigasi
# XMPP password for Jigasi MUC client connections
JIGASI_XMPP_PASSWORD=passw0rd
# MUC name for the Jigasi pool
JIGASI_BREWERY_MUC=jigasibrewery
@ -267,9 +283,6 @@ XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
# XMPP recorder user for Jibri client connections
JIBRI_RECORDER_USER=recorder
# XMPP recorder password for Jibri client connections
JIBRI_RECORDER_PASSWORD=passw0rd
# Directory for recordings inside Jibri container
JIBRI_RECORDING_DIR=/config/recordings
@ -279,9 +292,6 @@ JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
# XMPP user for Jibri client connections
JIBRI_XMPP_USER=jibri
# XMPP password for Jibri client connections
JIBRI_XMPP_PASSWORD=passw0rd
# MUC name for the Jibri pool
JIBRI_BREWERY_MUC=jibribrewery

@ -1,5 +1,10 @@
#!/usr/bin/with-contenv bash
if [[ -z $JIBRI_RECORDER_PASSWORD || -z $JIBRI_XMPP_PASSWORD ]]; then
echo 'FATAL ERROR: Jibri recorder password and auth password must be set'
exit 1
fi
# DISPLAY is necessary for start
[ -z "${DISPLAY}" ] \
&& ( echo -e "\e[31mERROR: Please set DISPLAY variable.\e[39m"; kill 1; exit 1 )

@ -1,5 +1,10 @@
#!/usr/bin/with-contenv bash
if [[ -z $JICOFO_COMPONENT_SECRET || -z $JICOFO_AUTH_PASSWORD ]]; then
echo 'FATAL ERROR: Jicofo component secret and auth password must be set'
exit 1
fi
if [[ ! -f /config/sip-communicator.properties ]]; then
tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
fi
@ -8,4 +13,4 @@ if [[ ! -f /config/logging.properties ]]; then
cp /defaults/logging.properties /config
fi
chown -R jicofo:jitsi /config
chown -R jicofo:jitsi /config

@ -6,4 +6,3 @@ DAEMON_DIR=/usr/share/jicofo/
DAEMON_OPTS="--domain=$XMPP_DOMAIN --host=$XMPP_SERVER --secret=$JICOFO_COMPONENT_SECRET --user_name=$JICOFO_AUTH_USER --user_domain=$XMPP_AUTH_DOMAIN --user_password=$JICOFO_AUTH_PASSWORD"
exec s6-setuidgid jicofo /bin/bash -c "cd $DAEMON_DIR; JAVA_SYS_PROPS=\"$JAVA_SYS_PROPS\" exec $DAEMON $DAEMON_OPTS"

@ -1,5 +1,10 @@
#!/usr/bin/with-contenv bash
if [[ -z $JIGASI_XMPP_PASSWORD ]]; then
echo 'FATAL ERROR: Jigasi auth password must be set'
exit 1
fi
if [[ ! -f /config/sip-communicator.properties ]]; then
tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
fi

@ -16,4 +16,3 @@ org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
org.jitsi.videobridge.ENABLE_STATISTICS=true
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
org.jitsi.videobridge.STATISTICS_INTERVAL=5000

@ -1,5 +1,10 @@
#!/usr/bin/with-contenv bash
if [[ -z $JVB_AUTH_PASSWORD ]]; then
echo 'FATAL ERROR: JVB auth password must be set'
exit 1
fi
if [[ ! -f /config/sip-communicator.properties ]]; then
tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
fi

@ -34,7 +34,18 @@ if [[ ! -f $PROSODY_CFG ]]; then
tpl /defaults/prosody.cfg.lua > $PROSODY_CFG
tpl /defaults/conf.d/jitsi-meet.cfg.lua > /config/conf.d/jitsi-meet.cfg.lua
if [[ -z $JICOFO_COMPONENT_SECRET || -z $JICOFO_AUTH_PASSWORD ]]; then
echo 'FATAL ERROR: Jicofo component secret and auth password must be set'
exit 1
fi
prosodyctl --config $PROSODY_CFG register $JICOFO_AUTH_USER $XMPP_AUTH_DOMAIN $JICOFO_AUTH_PASSWORD
if [[ -z $JVB_AUTH_PASSWORD ]]; then
echo 'FATAL ERROR: JVB auth password must be set'
exit 1
fi
prosodyctl --config $PROSODY_CFG register $JVB_AUTH_USER $XMPP_AUTH_DOMAIN $JVB_AUTH_PASSWORD
if [[ ! -z $JIBRI_XMPP_USER ]] && [[ ! -z $JIBRI_XMPP_PASSWORD ]]; then

Loading…
Cancel
Save