* b0cb4a1 web: update TLS config to Mozilla security guidelines
* 0601212 web: replace certbot with acme.sh
* 43f678d build: refactor Makefile
* b00f92a web: use Python 3 only for certbot
* 880b9b0 core: update base image to Debian Buster
* ba01190 web: prevent s6 from restarting cron if it shouldn't be run
* 42a4346 etherpad: use official image and making skin full width
* c36c4d0 web: always rebuild nginx configs on start
* aea4411 Adds private server.
* 6b69576 web: add ability to configure tokenAuthUrl
* ff6d9bc Fix websocket
* e5746ae misc: add ENABLE_PREJOIN_PAGE to .env
* 465816b web,prosody: turn on XMPP WebSocket by default
* d747bfb web,prosody: add XMPP WebSocket / Stream Management support
* 130eb55 jvb: migrate to new config file
* 5290499 doc: updated link for running behind NAT
* 7cb470c misc: support/encourage usage of ShellCheck
* 04a210f misc: working on latest
The former seems to be in a pretty bad state for usage with Debian based
containers:
- The Debian provided package is too old
- certbot-auto no longer works on Debian
- The recommended way of using snap is not Docker friendly
Thus, we are migrating to acme.sh, which has the advantage of also
making the web container slimmer.
certbot-auto will install both Python 2 and 3 packages thus resulting un
unnecessary image bloat. Also, there is no need to install compilers or
development libraries since Wheels are available for the required
packags.
We noticed that websocket were broken with this config.
We believe that the translation from old config to new config in [this commit](130eb551a7 (diff-6f9b0c296a7ff789834c1414349f64f956f2b64df6e405fd45f62c6a11edad3fL34)) didn't translate it well.
We are actually wondering what does private stands for in this context.
With this change, we can confirm that wss works again as expected.
My editor detected `.env` as shell script and thus automatically checked
it with ShellCheck. I would propose to make it a valid shell script that
complies with ShellCheck by default. To do this, we just need to disable
https://github.com/koalaman/shellcheck/wiki/SC2034 because the variables
are not used (in that file).
When you search for "docker-compose .env shellcheck SC2034" it turns out
that I am not the first one to do this :)
* 7ab45bb web: add ability to configure prejoin page
* 0c95794 jvb: regenerate config on every boot
* 3ef2221 jvb: add ability to set the WS domain with an env var
* 79d2601 jvb: add ability to specify set the WS_SERVER_ID with an env var
* b277926 jvb: make colibri websocket endpoints dynamic for multiple jvbs
* 991f695 web: remove no longer needed settings
* 8b7cbc3 revert "jicofo: no auth URL in JWT auth mode"
* 33b386b jvb: add missing variable to docker-compose
* 087f024 web: configure brandingDataUrl with env variables
* a404653 web: configure startAudioOnly using environment variable
* e195cbf jvb: make jvb apis available from outside the container
* 409cade web: configure Matomo using environment variables
* b731c60 doc: update CHANGELOG
* 0fbf3b7 misc: working on latest
Variable JVB_TCP_MAPPED_PORT is used in jvb/roots/defaults/sip-communicator.properties, but is not defined yet in the docker-compose.yml file
(Variable added in commit 1205170056)
* 5ceaf5f web: add IPv6 support
* aff3775 xmpp: allow recorders to bypass lobby
* ad5625b jvb: switch to WebSocket based bridge channels
* 8110336 web: add ability to configure the nginx resolver
* 2f47518 jicofo: no auth URL in JWT auth mode
* c149463 web: build config.js on each boot
* c792bbc base: update frep
* bec928c prosody: configure lobby on the guest domain is necessary
* bcbd977 jicofo: pass XMPP_MUC_DOMAIN through docker-compose.yml
* 8f9caa4 jicofo: set XMPP_MUC_COMPONENT_PREFIX
* 2a0120d web: set security headers also for non HTTPS
* e6586f2 jvb: set LOCAL_ADDRESS to the correct local IP (#630)
* 97f5e75 base: optimize size
* b78c89e misc: minor Dockerfile Improvements
* a754519 misc: working on latest
There's no need to have Jicofo involved in authentication
when JWT authentication type is configured in Prosody in which case
Prosody plugins are validating the token when user tries to enter
a MUC.
This mechanism was initially designed for 'internal' Prosody
XMPP authentication with guest access. In this mode only admin users
are allowed to create MUC rooms and Jicofo is an admin. In this flow,
a user first joins from domain with authentication enabled and it
will receive a session ID from Jicofo. Now the client will store this
session ID in the local storage and use it next time when coming back
to Jitsi Meet to make Jicofo create a MUC room for him/her.
https://jitsi.github.io/handbook/docs/devops-guide/secure-domain
The EXT_JWT mode was an experiment at some point, but now should
probably be removed. It may come handy only in case where there is
no JWT verification in Prosody and all users connect as anonymous and
MUC creation is only allowed to Jicofo.
If the lobby is enabled and ENABLE_AUTH and ENABLE_GUESTS is true, and
therefore the guest.$XMPP_DOMAIN domain is to be defined, the lobby config
should be placed in the guest domain.
NAT_HARVESTER_LOCAL_ADDRESS needs to bet set to the local IP that is actually
used to communicate with clients.
In Docker containers "hostname -I" returns the IPs of all interfaces. The order
of the IPs depends on the interface create order.
Docker makes no guarantees about the interface order and in my tests it is
random.
As a result NAT_HARVESTER_LOCAL_ADDRESS is sometimes set to the IP of the
internal meet.jitsi interface.
Fix this by setting it to the source IP used for routing to $DOCKER_HOST_ADDRESS
Adds 2803 kB disk space for iproute2 and dependencies.
Partly addresses #338