security: don't provide default passwords
Also check that they are provided at startup time, and fail to start if they are not.
parent
aaec22dd99
commit
a015710e54
15
README.md
15
README.md
|
@ -32,9 +32,11 @@ follow these steps:
|
|||
|
||||
* Clone this repository to your computer.
|
||||
* `git clone https://github.com/jitsi/docker-jitsi-meet && cd docker-jitsi-meet`
|
||||
* Create a ``.env`` file by copying and adjusting ``env.example``, and create required `CONFIG` directories
|
||||
* Create a ``.env`` file by copying and adjusting ``env.example``
|
||||
* `cp env.example .env`
|
||||
* `mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}`
|
||||
* Set strong passwords in the security section options, they ccan be generated with `openssl rand -hex 16`
|
||||
* Create required `CONFIG` directories
|
||||
* `mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb,jigasi,jibri}`
|
||||
* Run ``docker-compose up -d``.
|
||||
* Access the web UI at [``https://localhost:8443``](https://localhost:8443) (or a different port, in case you edited the compose file).
|
||||
|
||||
|
@ -51,6 +53,15 @@ If you want to use jibri too, first configure a host as described in JItsi BRoad
|
|||
and then run Docker Compose as follows: ``docker-compose -f docker-compose.yml -f jibri.yml up -d``
|
||||
or to use jigasi too: ``docker-compose -f docker-compose.yml -f jigasi.yml -f jibri.yml up -d``
|
||||
|
||||
### Security note
|
||||
|
||||
This setup used to have default passwords for intetrnal accounts used across components. In order to make the default setup
|
||||
secure by default these have been removed and the respective containers won't start without having a password set.
|
||||
|
||||
Strong passwordds may be generated as follows: `openssl rand -hex 16`
|
||||
|
||||
DO NOT reuse any of the passwords.
|
||||
|
||||
## Architecture
|
||||
|
||||
A Jitsi Meet installation can be broken down into the following components:
|
||||
|
|
46
env.example
46
env.example
|
@ -1,3 +1,31 @@
|
|||
# Security
|
||||
#
|
||||
# Set these to strong passwords to avoid intruders from impersonating a service account
|
||||
# Here is how to generate a good password: openssl rand -hex 16
|
||||
# The service(s) won't start unless these are specified
|
||||
# You may skip the Jigasi and Jibri passwords if you are not using those
|
||||
# DO NOT reuse passwords
|
||||
#
|
||||
|
||||
# XMPP component password for Jicofo
|
||||
JICOFO_COMPONENT_SECRET=
|
||||
|
||||
# XMPP password for Jicofo client connections
|
||||
JICOFO_AUTH_PASSWORD=
|
||||
|
||||
# XMPP password for JVB client connections
|
||||
JVB_AUTH_PASSWORD=
|
||||
|
||||
# XMPP password for Jigasi MUC client connections
|
||||
JIGASI_XMPP_PASSWORD=
|
||||
|
||||
# XMPP recorder password for Jibri client connections
|
||||
JIBRI_RECORDER_PASSWORD=
|
||||
|
||||
# XMPP password for Jibri client connections
|
||||
JIBRI_XMPP_PASSWORD=
|
||||
|
||||
|
||||
#
|
||||
# Basic configuration options
|
||||
#
|
||||
|
@ -178,9 +206,6 @@ JVB_BREWERY_MUC=jvbbrewery
|
|||
# XMPP user for JVB client connections
|
||||
JVB_AUTH_USER=jvb
|
||||
|
||||
# XMPP password for JVB client connections
|
||||
JVB_AUTH_PASSWORD=passw0rd
|
||||
|
||||
# STUN servers used to discover the server's public IP
|
||||
JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
|
||||
|
||||
|
@ -195,25 +220,16 @@ JVB_TCP_PORT=4443
|
|||
# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
|
||||
#JVB_ENABLE_APIS=rest,colibri
|
||||
|
||||
# XMPP component password for Jicofo
|
||||
JICOFO_COMPONENT_SECRET=s3cr37
|
||||
|
||||
# XMPP user for Jicofo client connections.
|
||||
# NOTE: this option doesn't currently work due to a bug
|
||||
JICOFO_AUTH_USER=focus
|
||||
|
||||
# XMPP password for Jicofo client connections
|
||||
JICOFO_AUTH_PASSWORD=passw0rd
|
||||
|
||||
# Base URL of Jicofo's reservation REST API
|
||||
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
|
||||
|
||||
# XMPP user for Jigasi MUC client connections
|
||||
JIGASI_XMPP_USER=jigasi
|
||||
|
||||
# XMPP password for Jigasi MUC client connections
|
||||
JIGASI_XMPP_PASSWORD=passw0rd
|
||||
|
||||
# MUC name for the Jigasi pool
|
||||
JIGASI_BREWERY_MUC=jigasibrewery
|
||||
|
||||
|
@ -267,9 +283,6 @@ XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
|
|||
# XMPP recorder user for Jibri client connections
|
||||
JIBRI_RECORDER_USER=recorder
|
||||
|
||||
# XMPP recorder password for Jibri client connections
|
||||
JIBRI_RECORDER_PASSWORD=passw0rd
|
||||
|
||||
# Directory for recordings inside Jibri container
|
||||
JIBRI_RECORDING_DIR=/config/recordings
|
||||
|
||||
|
@ -279,9 +292,6 @@ JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
|
|||
# XMPP user for Jibri client connections
|
||||
JIBRI_XMPP_USER=jibri
|
||||
|
||||
# XMPP password for Jibri client connections
|
||||
JIBRI_XMPP_PASSWORD=passw0rd
|
||||
|
||||
# MUC name for the Jibri pool
|
||||
JIBRI_BREWERY_MUC=jibribrewery
|
||||
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
#!/usr/bin/with-contenv bash
|
||||
|
||||
if [[ -z $JIBRI_RECORDER_PASSWORD || -z $JIBRI_XMPP_PASSWORD ]]; then
|
||||
echo 'FATAL ERROR: Jibri recorder password and auth password must be set'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# DISPLAY is necessary for start
|
||||
[ -z "${DISPLAY}" ] \
|
||||
&& ( echo -e "\e[31mERROR: Please set DISPLAY variable.\e[39m"; kill 1; exit 1 )
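Review bot: The new guard relies on `exit 1` alone and prints its message to stdout, while the DISPLAY check directly below it uses `kill 1; exit 1` to take the supervisor down; if a non-zero exit from this init script does not stop the container (which the sibling check suggests, and which is the default unless S6_BEHAVIOUR_IF_STAGE2_FAILS is set to stop), the service can still come up with an empty password and the commit's goal is defeated. I would write the message to stderr and follow the existing pattern: `echo 'FATAL ERROR: Jibri recorder password and auth password must be set' >&2` followed by `kill 1; exit 1`, or confirm and document that the init stage really aborts the container on failure. The same shape of check is added in the jicofo, jigasi and JVB init scripts and in the prosody script below, so whichever form is chosen should be applied to all of them.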
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
#!/usr/bin/with-contenv bash
|
||||
|
||||
if [[ -z $JICOFO_COMPONENT_SECRET || -z $JICOFO_AUTH_PASSWORD ]]; then
|
||||
echo 'FATAL ERROR: Jicofo component secret and auth password must be set'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ ! -f /config/sip-communicator.properties ]]; then
|
||||
tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
|
||||
fi
|
||||
|
@ -8,4 +13,4 @@ if [[ ! -f /config/logging.properties ]]; then
|
|||
cp /defaults/logging.properties /config
|
||||
fi
|
||||
|
||||
chown -R jicofo:jitsi /config
|
||||
chown -R jicofo:jitsi /config
|
||||
|
|
|
@ -6,4 +6,3 @@ DAEMON_DIR=/usr/share/jicofo/
|
|||
DAEMON_OPTS="--domain=$XMPP_DOMAIN --host=$XMPP_SERVER --secret=$JICOFO_COMPONENT_SECRET --user_name=$JICOFO_AUTH_USER --user_domain=$XMPP_AUTH_DOMAIN --user_password=$JICOFO_AUTH_PASSWORD"
|
||||
|
||||
exec s6-setuidgid jicofo /bin/bash -c "cd $DAEMON_DIR; JAVA_SYS_PROPS=\"$JAVA_SYS_PROPS\" exec $DAEMON $DAEMON_OPTS"
|
||||
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
#!/usr/bin/with-contenv bash
|
||||
|
||||
if [[ -z $JIGASI_XMPP_PASSWORD ]]; then
|
||||
echo 'FATAL ERROR: Jigasi auth password must be set'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ ! -f /config/sip-communicator.properties ]]; then
|
||||
tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
|
||||
fi
|
||||
|
|
|
@ -16,4 +16,3 @@ org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
|
|||
org.jitsi.videobridge.ENABLE_STATISTICS=true
|
||||
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
|
||||
org.jitsi.videobridge.STATISTICS_INTERVAL=5000
|
||||
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
#!/usr/bin/with-contenv bash
|
||||
|
||||
if [[ -z $JVB_AUTH_PASSWORD ]]; then
|
||||
echo 'FATAL ERROR: JVB auth password must be set'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ ! -f /config/sip-communicator.properties ]]; then
|
||||
tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
|
||||
fi
|
||||
|
|
|
@ -34,7 +34,18 @@ if [[ ! -f $PROSODY_CFG ]]; then
|
|||
tpl /defaults/prosody.cfg.lua > $PROSODY_CFG
|
||||
tpl /defaults/conf.d/jitsi-meet.cfg.lua > /config/conf.d/jitsi-meet.cfg.lua
|
||||
|
||||
if [[ -z $JICOFO_COMPONENT_SECRET || -z $JICOFO_AUTH_PASSWORD ]]; then
|
||||
echo 'FATAL ERROR: Jicofo component secret and auth password must be set'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
prosodyctl --config $PROSODY_CFG register $JICOFO_AUTH_USER $XMPP_AUTH_DOMAIN $JICOFO_AUTH_PASSWORD
|
||||
|
||||
if [[ -z $JVB_AUTH_PASSWORD ]]; then
|
||||
echo 'FATAL ERROR: JVB auth password must be set'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
prosodyctl --config $PROSODY_CFG register $JVB_AUTH_USER $XMPP_AUTH_DOMAIN $JVB_AUTH_PASSWORD
|
||||
|
||||
if [[ ! -z $JIBRI_XMPP_USER ]] && [[ ! -z $JIBRI_XMPP_PASSWORD ]]; then
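Review bot: Both password checks sit inside the `if [[ ! -f $PROSODY_CFG ]]` block (opened before the hunk and closed after it) and run only after `tpl` has already written `$PROSODY_CFG` and `jitsi-meet.cfg.lua`, so a first start with an empty password exits leaving the config files in place; on the next start with passwords set, the `-f` test is true, the whole block is skipped and the `prosodyctl register` calls for jicofo and JVB never run. The checks should be moved to the top of the script, before the `if`, so that nothing is rendered until the required secrets are known to be present. As with the other init scripts in this commit, the messages should go to stderr and the exit should actually stop the container, not just this script.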
|
||||
|
|