
Add user authentication to Jitsi, a web conferencing system

Published 2021/12/29, about 8,100 characters

Hello everyone.
This article was being accessed frequently from overseas, so I have translated it into English and reposted it.
I hope it helps.

Today's topic

I want to add user authentication to Jitsi, a web conferencing system I deployed on AWS, so that only people who know an ID/password can use it (I want to limit users to friends, my company, and so on).
Otherwise Misaka turns into a free web conferencing system used by 100 million people, and when you wake up in the morning to the AWS bill you may go bankrupt.

Before the start

I started the Jitsi EC2 instance I had created earlier and tried to connect, but it did not connect.
On checking, the instance's "Public IPv4 address" (the global IP assigned to the EC2 instance) had changed.
It had been reassigned automatically after about 3 days, which was a quicker turnaround than I expected. (A public IPv4 address that is not an Elastic IP is released whenever the instance is stopped and a new one is assigned at the next start, so this is expected behaviour rather than a fault.)
You may need to consider using an AWS Elastic IP (about $10 a month).
Since this is an experiment, though, I have not found it necessary so far.

.env configuration file settings

Edit the .env file used by docker-compose.

# Enable authentication
#ENABLE_AUTH=1
+ENABLE_AUTH=1

Restart the containers so the setting takes effect.

[root@meet docker-jitsi-meet]# docker-compose stop
[+] Running 4/4
 ⠿ Container docker-jitsi-meet-web-1      Stopped                                                                                                           3.7s
 ⠿ Container docker-jitsi-meet-jicofo-1   Stopped                                                                                                           3.9s
 ⠿ Container docker-jitsi-meet-jvb-1      Stopped                                                                                                           4.0s
 ⠿ Container docker-jitsi-meet-prosody-1  Stopped                                                                                                           3.6s
[root@meet docker-jitsi-meet]# docker-compose up -d
[+] Running 4/4
 ⠿ Container docker-jitsi-meet-prosody-1  Started                                                                                                           1.5s
 ⠿ Container docker-jitsi-meet-web-1      Started                                                                                                           1.5s
 ⠿ Container docker-jitsi-meet-jicofo-1   Started                                                                                                           3.5s
 ⠿ Container docker-jitsi-meet-jvb-1      Started                                                                                                           3.6s
[root@meet docker-jitsi-meet]#

Connection test

When I connected, an authentication pop-up appeared; then I noticed that I had not created any ID/password yet.
Still, enabling authentication itself had succeeded.

ID / PASS settings

I looked into how to set an ID/password.
It seems you cannot register one from the Jitsi web UI.
After investigating, it turns out that accounts must be registered by command in Prosody, the XMPP server component of Jitsi.

https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker
[root@meet docker-jitsi-meet]# docker-compose exec prosody prosodyctl --config /config/prosody.cfg.lua register user meet.jitsi password
[root@meet docker-jitsi-meet]#
In this command "user" is the username to create, "password" is the password to set, and "meet.jitsi" is the internal XMPP domain that docker-jitsi-meet uses. Note that the password is passed on the command line, so it ends up in the shell history.

With that, user authentication worked.

In this state, however, everyone must enter an ID/password before joining a meeting.
That means issuing an ID/password every time you hold an ad-hoc web conference with someone outside the company, which limits how the system can be used.

Require authentication only when creating a room, not for the second and later participants

I referred to the following manual.

https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker
Add the following settings to your .env file and restart the Docker containers.
One slightly confusing point: when everyone needs an ID/password, the login prompt appears immediately after opening the URL, but with this setting the flow changes. You first enter your display name and join the room, and only then are you asked for an ID/password, which makes you the authenticated host; participants who join afterwards enter as guests without logging in. (This is where I got stuck.)
# Enable authentication
#ENABLE_AUTH=1
+ENABLE_AUTH=1

# Enable guest access
#ENABLE_GUESTS=1
+ENABLE_GUESTS=1

# Select authentication type: internal, jwt or ldap
#AUTH_TYPE=internal
+AUTH_TYPE=internal

+ENABLE_AUTO_LOGIN=1

Delete an ID/password (delete a registered user)

https://prosody.im/doc/prosodyctl
On the manual page above, the register and unregister commands are not listed; they are hidden by default.
I would also like to know why they are not on the list, but that is OSS for you.
With a vendor product you could ask the vendor about this sort of thing, which is one difference from commercial software.
[root@meet docker-jitsi-meet]# docker-compose exec prosody prosodyctl --config /config/prosody.cfg.lua unregister user meet.jitsi
[root@meet docker-jitsi-meet]#

Also, after adding or deleting users, I needed to restart Docker as shown below.
I think this is a bit awkward operationally. (See below.)

[root@meet docker-jitsi-meet]# docker-compose stop
[+] Running 4/4
 ⠿ Container docker-jitsi-meet-jvb-1      Stopped                                                                                   4.1s
 ⠿ Container docker-jitsi-meet-web-1      Stopped                                                                                   3.6s
 ⠿ Container docker-jitsi-meet-jicofo-1   Stopped                                                                                   4.0s
 ⠿ Container docker-jitsi-meet-prosody-1  Stopped                                                                                   3.5s
[root@meet docker-jitsi-meet]# docker-compose up -d
[+] Running 4/4
 ⠿ Container docker-jitsi-meet-web-1      Started                                                                                   1.2s
 ⠿ Container docker-jitsi-meet-prosody-1  Started                                                                                   1.2s
 ⠿ Container docker-jitsi-meet-jicofo-1   Started                                                                                   3.1s
 ⠿ Container docker-jitsi-meet-jvb-1      Started                                                                                   3.1s
[root@meet docker-jitsi-meet]#
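The following shell script is an added example written for this translation; it is not code from the original post or from the docker-jitsi-meet project. It applies the .env changes from the two configuration sections above idempotently, reports which access posture the file now yields (nobody authenticates, everybody authenticates, or only the first participant authenticates as host while later ones join as guests), and wraps account creation and deletion. Assumptions: the .env sits in the current directory as in the post, the Compose service is named prosody and the internal XMPP domain is meet.jitsi (the upstream defaults), and the function names are my own. It uses prosodyctl's adduser/deluser subcommands in place of the post's register/unregister, because adduser prompts for the password instead of taking it on the command line, where it would land in the shell history.

```shell
#!/bin/sh
# Added example (not from the original post or the docker-jitsi-meet
# project). Assumes: .env in the current directory, Compose service
# "prosody", internal XMPP domain "meet.jitsi" (upstream defaults).

# set_env_var FILE KEY VALUE
# Rewrites every "KEY=..." or "#KEY=..." line in FILE to "KEY=VALUE";
# appends the line if KEY does not occur at all. Safe to run repeatedly,
# so it does not pile up duplicate lines the way "echo >> .env" would.
set_env_var() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp)
  if grep -q "^#*${key}=" "$file"; then
    sed "s|^#*${key}=.*|${key}=${value}|" "$file" > "$tmp"
  else
    cat "$file" > "$tmp"
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
  fi
  mv "$tmp" "$file"
}

# get_env_var FILE KEY
# Prints the value of the active (uncommented) KEY line, empty if unset.
get_env_var() {
  sed -n "s|^$2=||p" "$1" | tail -n 1
}

# jitsi_auth_mode FILE
# Summarises the access posture the .env produces:
#   open          ENABLE_AUTH unset: anyone with the URL creates and joins rooms
#   members-only  ENABLE_AUTH=1 only: every participant must log in
#   host-login    ENABLE_AUTH=1 and ENABLE_GUESTS=1: the first participant logs
#                 in and becomes moderator, later participants join as guests
jitsi_auth_mode() {
  if [ "$(get_env_var "$1" ENABLE_AUTH)" != "1" ]; then
    echo open
  elif [ "$(get_env_var "$1" ENABLE_GUESTS)" = "1" ]; then
    echo host-login
  else
    echo members-only
  fi
}

# apply_auth_settings: the four .env edits from the post, then restart the
# stack the way the post does so the new values reach the generated configs.
apply_auth_settings() {
  set_env_var .env ENABLE_AUTH 1
  set_env_var .env ENABLE_GUESTS 1
  set_env_var .env AUTH_TYPE internal
  set_env_var .env ENABLE_AUTO_LOGIN 1
  echo "access mode after edit: $(jitsi_auth_mode .env)"
  docker-compose stop && docker-compose up -d
}

# add_internal_user USERNAME / del_internal_user USERNAME
# Account management for AUTH_TYPE=internal. "adduser" prompts for the
# password, so it never appears in the shell history or process list.
add_internal_user() {
  docker-compose exec prosody prosodyctl --config /config/prosody.cfg.lua \
    adduser "$1@meet.jitsi"
}
del_internal_user() {
  docker-compose exec prosody prosodyctl --config /config/prosody.cfg.lua \
    deluser "$1@meet.jitsi"
}

# Only the subcommand given on the command line runs; with no arguments the
# script just defines the functions above.
case "${1:-}" in
  apply)   apply_auth_settings ;;
  adduser) add_internal_user "$2" ;;
  deluser) del_internal_user "$2" ;;
esac
```

Run it as "sh jitsi-auth.sh apply" to edit .env and restart the stack, "sh jitsi-auth.sh adduser alice" to create alice@meet.jitsi (you are prompted for the password), and "sh jitsi-auth.sh deluser alice" to remove the account. If your deployment behaves like the one in the post and a new account is not picked up until the containers are restarted, stop and start them afterwards as shown above.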

Future tasks

Even if adding and deleting users by command is acceptable, if the system has to be restarted, that imposes various restrictions (problems) on when the work can be done once the system is in operation.
For example, suppose Mr. A is in a meeting and you want to register a newcomer's ID. If the system must be restarted, Mr. A's meeting is interrupted. To avoid that, user management has to be done when nobody is in a meeting.
→ It becomes old-fashioned batch operation with no immediacy.
 So it is likely to cause trouble in day-to-day operation.
A limitation of OSS is that this area is not well polished. (Zoom handles it well.)

Therefore, a mechanism that takes operations into account needs to be considered.

  • If you use this for work, I recommend considering operations and using a vendor product.
    I would like to avoid editing users in the middle of the night.

Time required this time

This time it took a long time, even though only parameters were set, for the following reasons.

  • Still, I think this is the cost of OSS and something users need to understand.
  • Because the authentication screen appeared at a different point in the connection test, I could not tell whether the setting had taken effect.
  • Because I forgot to restart Docker after registering the ID/password, it was not reflected.

With the detours above, the investigation took about 5 hours.
