
jvb: migrate config to secure octo

* Migrating configuration to use secure octo configuration by default

Adding a new JVB_OCTO_RELAY_ID to configure videobridge.relay.relay-id (with a fallback to the old JVB_OCTO_BIND_ADDRESS to be used as relay-id)

* Adding a configuration check to verify that Octo cannot be enabled without the ENABLE_COLIBRI_WEBSOCKET environment variable set to "1"
David Négrier vor 2 Jahren
Ursprung
Commit
a1e82ea

+ 2 - 2
docker-compose.yml

@@ -64,6 +64,7 @@ services:
             - ENABLE_LIPSYNC
             - ENABLE_NO_AUDIO_DETECTION
             - ENABLE_NOISY_MIC_DETECTION
+            - ENABLE_OCTO
             - ENABLE_OPUS_RED
             - ENABLE_PREJOIN_PAGE
             - ENABLE_P2P
@@ -316,9 +317,8 @@ services:
             - JVB_MUC_NICKNAME
             - JVB_STUN_SERVERS
             - JVB_OCTO_BIND_ADDRESS
-            - JVB_OCTO_PUBLIC_ADDRESS
-            - JVB_OCTO_BIND_PORT
             - JVB_OCTO_REGION
+            - JVB_OCTO_RELAY_ID
             - JVB_WS_DOMAIN
             - JVB_WS_SERVER_ID
             - PUBLIC_URL

+ 2 - 4
jvb/rootfs/defaults/jvb.conf

@@ -77,12 +77,10 @@ videobridge {
     }
 
     {{ if $ENABLE_OCTO -}}
-    octo {
+    relay {
         enabled = true
-        bind-address = "{{ .Env.JVB_OCTO_BIND_ADDRESS | default "0.0.0.0" }}"
-        public-address = "{{ .Env.JVB_OCTO_PUBLIC_ADDRESS }}"
-        bind-port = "{{ .Env.JVB_OCTO_BIND_PORT | default "4096" }}"
         region = "{{ .Env.JVB_OCTO_REGION | default "europe" }}"
+        relay-id = "{{ .Env.JVB_OCTO_RELAY_ID | default .Env.JVB_OCTO_BIND_ADDRESS }}"
     }
     {{ end -}}
 }
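Review bot: The added `relay-id` line can render as an empty string, because the template has no further fallback when neither JVB_OCTO_RELAY_ID nor JVB_OCTO_BIND_ADDRESS is set. The removed `bind-address` line defaulted to "0.0.0.0", so leaving JVB_OCTO_BIND_ADDRESS unset was a supported setup, and a deployment that set it to a wildcard address would now give every bridge the same id. The id presumably has to be unique per bridge, so I would fail fast in cont-init.d/10-config when Octo is enabled, e.g. `[[ -z ${JVB_OCTO_RELAY_ID:-$JVB_OCTO_BIND_ADDRESS} ]] && { echo "ERROR: JVB_OCTO_RELAY_ID must be set when ENABLE_OCTO=1"; exit 1; }`. A comment above `relay-id` should say that the JVB_OCTO_BIND_ADDRESS fallback exists for backward compatibility only. The `videobridge` block starts outside the hunk.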

+ 6 - 0
jvb/rootfs/etc/cont-init.d/10-config

@@ -31,3 +31,9 @@ tpl /defaults/logging.properties > /config/logging.properties
 tpl /defaults/jvb.conf > /config/jvb.conf
 
 chown -R jvb:jitsi /config
+
+# Configuration checks
+if [[ (-z $ENABLE_COLIBRI_WEBSOCKET || $ENABLE_COLIBRI_WEBSOCKET == "0") && $ENABLE_OCTO == "1"  ]]; then
+  echo "ERROR: In order to enable Octo relays (with ENABLE_OCTO=1), you MUST enable Colibri websockets (with ENABLE_COLIBRI_WEBSOCKET=1)";
+  exit 1;
+fi
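Review bot: The `if [[ ... ]]` check does not use the same truth values as the templates, so it can miss the configuration it is meant to reject and refuse one the templates accept. meet.conf in this commit parses both flags with `toBool` and defaults ENABLE_COLIBRI_WEBSOCKET to "1"; the variable definitions in jvb.conf are outside the visible hunks, but if they match, `ENABLE_OCTO=true` turns the relay on while skipping this check, and ENABLE_OCTO=1 with ENABLE_COLIBRI_WEBSOCKET unset aborts startup although the templates treat websockets as enabled. Normalising first closes both gaps, e.g. `octo=${ENABLE_OCTO:-0}; ws=${ENABLE_COLIBRI_WEBSOCKET:-1}` followed by `if [[ $octo =~ ^(1|true)$ && ! $ws =~ ^(1|true)$ ]]; then`, with the pattern adjusted to whatever set of values `toBool` actually accepts. I would also move the check above the `tpl` calls so a rejected configuration is never written to /config.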

+ 14 - 0
web/rootfs/defaults/meet.conf

@@ -1,5 +1,6 @@
 {{ $ENABLE_COLIBRI_WEBSOCKET := .Env.ENABLE_COLIBRI_WEBSOCKET | default "1" | toBool }}
 {{ $ENABLE_JAAS_COMPONENTS := .Env.ENABLE_JAAS_COMPONENTS | default "0" | toBool }}
+{{ $ENABLE_OCTO := .Env.ENABLE_OCTO | default "0" | toBool -}}
 {{ $ENABLE_XMPP_WEBSOCKET := .Env.ENABLE_XMPP_WEBSOCKET | default "1" | toBool }}
 {{ $ENABLE_SUBDOMAINS := .Env.ENABLE_SUBDOMAINS | default "true" | toBool -}}
 {{ $XMPP_DOMAIN := .Env.XMPP_DOMAIN | default "meet.jitsi" -}}
@@ -74,6 +75,19 @@ location ~ ^/colibri-ws/([a-zA-Z0-9-\._]+)/(.*) {
 
     proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
 }
+
+{{ if $ENABLE_OCTO }}
+# colibri (JVB) Relay to Relay websockets
+location ~ ^/colibri-relay-ws/([a-zA-Z0-9-\._]+)/(.*) {
+    tcp_nodelay on;
+
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    proxy_pass http://$1:9090/colibri-relay-ws/$1/$2$is_args$args;
+}
+{{ end }}
 {{ end }}
 
 # BOSH
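Review bot: The new `/colibri-relay-ws/` location takes its upstream host from the request path (`proxy_pass http://$1:9090/...`) and carries no access restriction. Once ENABLE_OCTO is on, any client that can reach the web container can make nginx open a connection to port 9090 on any name matching `[a-zA-Z0-9-\._]+`. The existing colibri-ws block has the same shape, but that endpoint must be reachable by browsers, whereas this one is presumably used only between bridges. Where the bridges sit on known networks I would limit the location to them, for example `allow <bridge-network-cidr>; deny all;` (placeholder value), or resolve `$1` through a `map` of known relay ids instead of proxying to the captured name directly. A comment on the location stating who is expected to connect, and how those peers are authenticated, would help later audits.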