From a1e82ea582ef95eb1b9593154601f0a211ef30f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20N=C3=A9grier?=
Date: Thu, 15 Sep 2022 07:36:57 +0200
Subject: [PATCH] jvb: migrate config to secure octo
* Migrating configuration to use secure octo configuration by default Adding a new JVB_OCTO_RELAY_ID to configure videobridge.relay.relay-id (with a fallback to the old JVB_OCTO_BIND_ADDRESS to be used as relay-id)
* Adding a configuration check to verify that Octo cannot be enabled without the ENABLE_COLIBRI_WEBSOCKET environment variable set to "1"
---
 docker-compose.yml | 4 ++--
 jvb/rootfs/defaults/jvb.conf | 6 ++----
 jvb/rootfs/etc/cont-init.d/10-config | 6 ++++++
 web/rootfs/defaults/meet.conf | 14 ++++++++++++++
 4 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 43efa43..ec81ca1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -64,6 +64,7 @@ services:
 - ENABLE_LIPSYNC
 - ENABLE_NO_AUDIO_DETECTION
 - ENABLE_NOISY_MIC_DETECTION
+ - ENABLE_OCTO
 - ENABLE_OPUS_RED
 - ENABLE_PREJOIN_PAGE
 - ENABLE_P2P
@@ -316,9 +317,8 @@ services:
 - JVB_MUC_NICKNAME
 - JVB_STUN_SERVERS
 - JVB_OCTO_BIND_ADDRESS
- - JVB_OCTO_PUBLIC_ADDRESS
- - JVB_OCTO_BIND_PORT
 - JVB_OCTO_REGION
+ - JVB_OCTO_RELAY_ID
 - JVB_WS_DOMAIN
 - JVB_WS_SERVER_ID
 - PUBLIC_URL
diff --git a/jvb/rootfs/defaults/jvb.conf b/jvb/rootfs/defaults/jvb.conf
index 6f32c1a..2d3b457 100644
--- a/jvb/rootfs/defaults/jvb.conf
+++ b/jvb/rootfs/defaults/jvb.conf
@@ -77,12 +77,10 @@ videobridge {
 }
 {{ if $ENABLE_OCTO -}}
- octo {
+ relay {
 enabled = true
- bind-address = "{{ .Env.JVB_OCTO_BIND_ADDRESS | default "0.0.0.0" }}"
- public-address = "{{ .Env.JVB_OCTO_PUBLIC_ADDRESS }}"
- bind-port = "{{ .Env.JVB_OCTO_BIND_PORT | default "4096" }}"
 region = "{{ .Env.JVB_OCTO_REGION | default "europe" }}"
+ relay-id = "{{ .Env.JVB_OCTO_RELAY_ID | default .Env.JVB_OCTO_BIND_ADDRESS }}"
 }
 {{ end -}}
 }
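Review bot: The added `relay-id` line in the jvb.conf hunk has no final default, so when neither `JVB_OCTO_RELAY_ID` nor `JVB_OCTO_BIND_ADDRESS` is set the template presumably renders an empty or placeholder id. The fallback also reuses a bind address as an identity: a deployment that set `JVB_OCTO_BIND_ADDRESS=0.0.0.0` on every bridge (the removed line shows that was the old template default) would give all bridges the same id. Assuming the relay id is meant to identify a single bridge, I would add the comment `# relay-id must be unique per bridge; set JVB_OCTO_RELAY_ID explicitly` above the line and have the init script refuse to start when ENABLE_OCTO is on and both variables are empty. The enclosing `videobridge {` block starts outside the hunk.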
diff --git a/jvb/rootfs/etc/cont-init.d/10-config b/jvb/rootfs/etc/cont-init.d/10-config
index 517e96d..d3b1047 100644
--- a/jvb/rootfs/etc/cont-init.d/10-config
+++ b/jvb/rootfs/etc/cont-init.d/10-config
@@ -31,3 +31,9 @@ tpl /defaults/logging.properties > /config/logging.properties
 tpl /defaults/jvb.conf > /config/jvb.conf
 chown -R jvb:jitsi /config
+
+# Configuration checks
+if [[ (-z $ENABLE_COLIBRI_WEBSOCKET || $ENABLE_COLIBRI_WEBSOCKET == "0") && $ENABLE_OCTO == "1" ]]; then
+ echo "ERROR: In order to enable Octo relays (with ENABLE_OCTO=1), you MUST enable Colibri websockets (with ENABLE_COLIBRI_WEBSOCKET=1)";
+ exit 1;
+fi
diff --git a/web/rootfs/defaults/meet.conf b/web/rootfs/defaults/meet.conf
index fd2e7be..e269ad2 100644
--- a/web/rootfs/defaults/meet.conf
+++ b/web/rootfs/defaults/meet.conf
@@ -1,5 +1,6 @@
 {{ $ENABLE_COLIBRI_WEBSOCKET := .Env.ENABLE_COLIBRI_WEBSOCKET | default "1" | toBool }}
 {{ $ENABLE_JAAS_COMPONENTS := .Env.ENABLE_JAAS_COMPONENTS | default "0" | toBool }}
+{{ $ENABLE_OCTO := .Env.ENABLE_OCTO | default "0" | toBool -}}
 {{ $ENABLE_XMPP_WEBSOCKET := .Env.ENABLE_XMPP_WEBSOCKET | default "1" | toBool }}
 {{ $ENABLE_SUBDOMAINS := .Env.ENABLE_SUBDOMAINS | default "true" | toBool -}}
 {{ $XMPP_DOMAIN := .Env.XMPP_DOMAIN | default "meet.jitsi" -}}
@@ -74,6 +75,19 @@ location ~ ^/colibri-ws/([a-zA-Z0-9-\._]+)/(.*) {
 proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
 }
+
+{{ if $ENABLE_OCTO }}
+# colibri (JVB) Relay to Relay websockets
+location ~ ^/colibri-relay-ws/([a-zA-Z0-9-\._]+)/(.*) {
+ tcp_nodelay on;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_pass http://$1:9090/colibri-relay-ws/$1/$2$is_args$args;
+}
+{{ end }}
 {{ end }}
 # BOSH
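Review bot: The guard in 10-config compares `$ENABLE_OCTO == "1"` literally, while the templates in this patch read the same variable through `toBool`, so a value such as `true` would presumably enable the relay block without tripping the check. It also treats an unset `ENABLE_COLIBRI_WEBSOCKET` as disabled, whereas meet.conf in this patch defaults it to `"1"`; the two should agree on the default. The check sits after the `tpl` calls and the `chown`, so /config/jvb.conf has already been rendered when it fails; moving it above them and sending the message to stderr (`echo "ERROR: ..." >&2`) would make the failure cleaner. A comment such as `# Relay peers connect over the Colibri websocket endpoint, so Octo cannot work with websockets off` would record why the rule exists.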
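Review bot: In the second meet.conf hunk the new `location` takes its upstream host from the request path (`$1` in `proxy_pass http://$1:9090/colibri-relay-ws/...`), so the public web container will connect to whatever name matching `[a-zA-Z0-9-\._]+` a client supplies, on port 9090. It mirrors the existing `/colibri-ws/` block, but going by its own comment this endpoint is bridge-to-bridge and probably need not be reachable by arbitrary clients. Consider gating it on known bridge sources, e.g. `allow <BRIDGE_NETWORK_CIDR>; deny all;` inside the block (placeholder value), or restricting `$1` to the configured bridge names. The hunk does not show whether the relay websocket authenticates its peers, so this proxy rule may be the only gate in front of it.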