security: don't provide default passwords
Also check if they are not provided at startup time and fail to start in that case.
This commit is contained in:
parent
aaec22dd99
commit
a015710e54
15 README.md
|
@ -32,9 +32,11 @@ follow these steps:
|
||||||
|
|
||||||
* Clone this repository to your computer.
|
* Clone this repository to your computer.
|
||||||
* `git clone https://github.com/jitsi/docker-jitsi-meet && cd docker-jitsi-meet`
|
* `git clone https://github.com/jitsi/docker-jitsi-meet && cd docker-jitsi-meet`
|
||||||
* Create a ``.env`` file by copying and adjusting ``env.example``, and create required `CONFIG` directories
|
* Create a ``.env`` file by copying and adjusting ``env.example``
|
||||||
* `cp env.example .env`
|
* `cp env.example .env`
|
||||||
* `mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}`
|
* Set strong passwords in the security section options, they ccan be generated with `openssl rand -hex 16`
|
||||||
|
* Create required `CONFIG` directories
|
||||||
|
* `mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb,jigasi,jibri}`
|
||||||
* Run ``docker-compose up -d``.
|
* Run ``docker-compose up -d``.
|
||||||
* Access the web UI at [``https://localhost:8443``](https://localhost:8443) (or a different port, in case you edited the compose file).
|
* Access the web UI at [``https://localhost:8443``](https://localhost:8443) (or a different port, in case you edited the compose file).
|
||||||
|
|
||||||
|
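Review bot: the added step "Set strong passwords in the security section options, they ccan be generated with `openssl rand -hex 16`" has a typo ("ccan") and a comma splice; suggest "Set strong passwords in the security section options; they can be generated with `openssl rand -hex 16`". As written the step reads as optional, while the Security note and the new startup checks make it mandatory, so adding "(required, the containers will not start without them)" would keep the quick-start consistent with the rest of the change.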
@ -51,6 +53,15 @@ If you want to use jibri too, first configure a host as described in JItsi BRoad
|
||||||
and then run Docker Compose as follows: ``docker-compose -f docker-compose.yml -f jibri.yml up -d``
|
and then run Docker Compose as follows: ``docker-compose -f docker-compose.yml -f jibri.yml up -d``
|
||||||
or to use jigasi too: ``docker-compose -f docker-compose.yml -f jigasi.yml -f jibri.yml up -d``
|
or to use jigasi too: ``docker-compose -f docker-compose.yml -f jigasi.yml -f jibri.yml up -d``
|
||||||
|
|
||||||
|
### Security note
|
||||||
|
|
||||||
|
This setup used to have default passwords for intetrnal accounts used across components. In order to make the default setup
|
||||||
|
secure by default these have been removed and the respective containers won't start without having a password set.
|
||||||
|
|
||||||
|
Strong passwordds may be generated as follows: `openssl rand -hex 16`
|
||||||
|
|
||||||
|
DO NOT reuse any of the passwords.
|
||||||
|
|
||||||
## Architecture
|
## Architecture
|
||||||
|
|
||||||
A Jitsi Meet installation can be broken down into the following components:
|
A Jitsi Meet installation can be broken down into the following components:
|
||||||
|
|
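Review bot: two typos in the new Security note: "intetrnal" should be "internal" and "passwordds" should be "passwords". The note could also say, as the env.example comments in this commit do, that the Jigasi and Jibri passwords may be left unset when those services are not deployed; otherwise readers of the README alone will assume every listed variable must be filled in.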
46 env.example
|
@ -1,3 +1,31 @@
|
||||||
|
# Security
|
||||||
|
#
|
||||||
|
# Set these to strong passwords to avoid intruders from impersonating a service account
|
||||||
|
# Here is how to generate a good password: openssl rand -hex 16
|
||||||
|
# The service(s) won't start unless these are specified
|
||||||
|
# You may skip the Jigasi and Jibri passwords if you are not using those
|
||||||
|
# DO NOT reuse passwords
|
||||||
|
#
|
||||||
|
|
||||||
|
# XMPP component password for Jicofo
|
||||||
|
JICOFO_COMPONENT_SECRET=
|
||||||
|
|
||||||
|
# XMPP password for Jicofo client connections
|
||||||
|
JICOFO_AUTH_PASSWORD=
|
||||||
|
|
||||||
|
# XMPP password for JVB client connections
|
||||||
|
JVB_AUTH_PASSWORD=
|
||||||
|
|
||||||
|
# XMPP password for Jigasi MUC client connections
|
||||||
|
JIGASI_XMPP_PASSWORD=
|
||||||
|
|
||||||
|
# XMPP recorder password for Jibri client connections
|
||||||
|
JIBRI_RECORDER_PASSWORD=
|
||||||
|
|
||||||
|
# XMPP password for Jibri client connections
|
||||||
|
JIBRI_XMPP_PASSWORD=
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Basic configuration options
|
# Basic configuration options
|
||||||
#
|
#
|
||||||
|
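Review bot: grammar in the new header comment: "to avoid intruders from impersonating a service account" should be "to prevent intruders from impersonating a service account". The comment "The service(s) won't start unless these are specified" is accurate given the `-z` checks added elsewhere in this commit, since an empty `VAR=` in `.env` is indistinguishable from an unset one for those checks, so a copied but unedited `.env` fails fast rather than running with blank credentials; `openssl rand -hex 16` yields 128 bits of randomness per value, which is adequate for these service passwords.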
@ -178,9 +206,6 @@ JVB_BREWERY_MUC=jvbbrewery
|
||||||
# XMPP user for JVB client connections
|
# XMPP user for JVB client connections
|
||||||
JVB_AUTH_USER=jvb
|
JVB_AUTH_USER=jvb
|
||||||
|
|
||||||
# XMPP password for JVB client connections
|
|
||||||
JVB_AUTH_PASSWORD=passw0rd
|
|
||||||
|
|
||||||
# STUN servers used to discover the server's public IP
|
# STUN servers used to discover the server's public IP
|
||||||
JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
|
JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
|
||||||
|
|
||||||
|
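Review bot: dropping `JVB_AUTH_PASSWORD=passw0rd` is a breaking change for existing deployments whose `.env` was copied from an older env.example: after this commit their JVB container exits at startup with the new check. Suggest an upgrade note in the README (or the release notes) telling users to add the new variables to an existing `.env` before pulling the updated images.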
@ -195,25 +220,16 @@ JVB_TCP_PORT=4443
|
||||||
# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
|
# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
|
||||||
#JVB_ENABLE_APIS=rest,colibri
|
#JVB_ENABLE_APIS=rest,colibri
|
||||||
|
|
||||||
# XMPP component password for Jicofo
|
|
||||||
JICOFO_COMPONENT_SECRET=s3cr37
|
|
||||||
|
|
||||||
# XMPP user for Jicofo client connections.
|
# XMPP user for Jicofo client connections.
|
||||||
# NOTE: this option doesn't currently work due to a bug
|
# NOTE: this option doesn't currently work due to a bug
|
||||||
JICOFO_AUTH_USER=focus
|
JICOFO_AUTH_USER=focus
|
||||||
|
|
||||||
# XMPP password for Jicofo client connections
|
|
||||||
JICOFO_AUTH_PASSWORD=passw0rd
|
|
||||||
|
|
||||||
# Base URL of Jicofo's reservation REST API
|
# Base URL of Jicofo's reservation REST API
|
||||||
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
|
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
|
||||||
|
|
||||||
# XMPP user for Jigasi MUC client connections
|
# XMPP user for Jigasi MUC client connections
|
||||||
JIGASI_XMPP_USER=jigasi
|
JIGASI_XMPP_USER=jigasi
|
||||||
|
|
||||||
# XMPP password for Jigasi MUC client connections
|
|
||||||
JIGASI_XMPP_PASSWORD=passw0rd
|
|
||||||
|
|
||||||
# MUC name for the Jigasi pool
|
# MUC name for the Jigasi pool
|
||||||
JIGASI_BREWERY_MUC=jigasibrewery
|
JIGASI_BREWERY_MUC=jigasibrewery
|
||||||
|
|
||||||
|
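Review bot: the values removed here (`s3cr37`, `passw0rd`) were published in the repository, so any deployment still using them is running with publicly known credentials; the README Security note in this commit only addresses new installs. Suggest telling existing users to change these three passwords (Jicofo component secret, Jicofo auth password, Jigasi XMPP password) rather than just adding the variables, since a `.env` that already carries the old defaults passes the new `-z` checks unchanged.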
@ -267,9 +283,6 @@ XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
|
||||||
# XMPP recorder user for Jibri client connections
|
# XMPP recorder user for Jibri client connections
|
||||||
JIBRI_RECORDER_USER=recorder
|
JIBRI_RECORDER_USER=recorder
|
||||||
|
|
||||||
# XMPP recorder password for Jibri client connections
|
|
||||||
JIBRI_RECORDER_PASSWORD=passw0rd
|
|
||||||
|
|
||||||
# Directory for recordings inside Jibri container
|
# Directory for recordings inside Jibri container
|
||||||
JIBRI_RECORDING_DIR=/config/recordings
|
JIBRI_RECORDING_DIR=/config/recordings
|
||||||
|
|
||||||
|
@ -279,9 +292,6 @@ JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
|
||||||
# XMPP user for Jibri client connections
|
# XMPP user for Jibri client connections
|
||||||
JIBRI_XMPP_USER=jibri
|
JIBRI_XMPP_USER=jibri
|
||||||
|
|
||||||
# XMPP password for Jibri client connections
|
|
||||||
JIBRI_XMPP_PASSWORD=passw0rd
|
|
||||||
|
|
||||||
# MUC name for the Jibri pool
|
# MUC name for the Jibri pool
|
||||||
JIBRI_BREWERY_MUC=jibribrewery
|
JIBRI_BREWERY_MUC=jibribrewery
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,10 @@
|
||||||
#!/usr/bin/with-contenv bash
|
#!/usr/bin/with-contenv bash
|
||||||
|
|
||||||
|
if [[ -z $JIBRI_RECORDER_PASSWORD || -z $JIBRI_XMPP_PASSWORD ]]; then
|
||||||
|
echo 'FATAL ERROR: Jibri recorder password and auth password must be set'
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
# DISPLAY is necessary for start
|
# DISPLAY is necessary for start
|
||||||
[ -z "${DISPLAY}" ] \
|
[ -z "${DISPLAY}" ] \
|
||||||
&& ( echo -e "\e[31mERROR: Please set DISPLAY variable.\e[39m"; kill 1; exit 1 )
|
&& ( echo -e "\e[31mERROR: Please set DISPLAY variable.\e[39m"; kill 1; exit 1 )
|
||||||
|
|
|
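Review bot: the new check ends with a bare `exit 1`, while the existing DISPLAY check a few lines below in the same script uses `kill 1; exit 1` to bring down the supervisor as well. Confirm that a non-zero exit from this cont-init script actually stops the container rather than being logged and skipped; if it does not, use the same `kill 1; exit 1` pattern so a missing password cannot leave Jibri running half-configured.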
@ -1,5 +1,10 @@
|
||||||
#!/usr/bin/with-contenv bash
|
#!/usr/bin/with-contenv bash
|
||||||
|
|
||||||
|
if [[ -z $JICOFO_COMPONENT_SECRET || -z $JICOFO_AUTH_PASSWORD ]]; then
|
||||||
|
echo 'FATAL ERROR: Jicofo component secret and auth password must be set'
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ ! -f /config/sip-communicator.properties ]]; then
|
if [[ ! -f /config/sip-communicator.properties ]]; then
|
||||||
tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
|
tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
|
||||||
fi
|
fi
|
||||||
|
@ -8,4 +13,4 @@ if [[ ! -f /config/logging.properties ]]; then
|
||||||
cp /defaults/logging.properties /config
|
cp /defaults/logging.properties /config
|
||||||
fi
|
fi
|
||||||
|
|
||||||
chown -R jicofo:jitsi /config
|
chown -R jicofo:jitsi /config
|
||||||
|
|
|
@ -6,4 +6,3 @@ DAEMON_DIR=/usr/share/jicofo/
|
||||||
DAEMON_OPTS="--domain=$XMPP_DOMAIN --host=$XMPP_SERVER --secret=$JICOFO_COMPONENT_SECRET --user_name=$JICOFO_AUTH_USER --user_domain=$XMPP_AUTH_DOMAIN --user_password=$JICOFO_AUTH_PASSWORD"
|
DAEMON_OPTS="--domain=$XMPP_DOMAIN --host=$XMPP_SERVER --secret=$JICOFO_COMPONENT_SECRET --user_name=$JICOFO_AUTH_USER --user_domain=$XMPP_AUTH_DOMAIN --user_password=$JICOFO_AUTH_PASSWORD"
|
||||||
|
|
||||||
exec s6-setuidgid jicofo /bin/bash -c "cd $DAEMON_DIR; JAVA_SYS_PROPS=\"$JAVA_SYS_PROPS\" exec $DAEMON $DAEMON_OPTS"
|
exec s6-setuidgid jicofo /bin/bash -c "cd $DAEMON_DIR; JAVA_SYS_PROPS=\"$JAVA_SYS_PROPS\" exec $DAEMON $DAEMON_OPTS"
|
||||||
|
|
||||||
|
|
|
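Review bot: not introduced by this hunk, but since the commit is about credential hygiene: `DAEMON_OPTS` passes `--secret=$JICOFO_COMPONENT_SECRET` and `--user_password=$JICOFO_AUTH_PASSWORD` on the Jicofo command line, so both values are readable inside the container via `ps` or `/proc/<pid>/cmdline` by any process running there. Worth a follow-up issue to move them into a properties file or environment instead of argv, now that users are asked to generate strong values.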
@ -1,5 +1,10 @@
|
||||||
#!/usr/bin/with-contenv bash
|
#!/usr/bin/with-contenv bash
|
||||||
|
|
||||||
|
if [[ -z $JIGASI_XMPP_PASSWORD ]]; then
|
||||||
|
echo 'FATAL ERROR: Jigasi auth password must be set'
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ ! -f /config/sip-communicator.properties ]]; then
|
if [[ ! -f /config/sip-communicator.properties ]]; then
|
||||||
tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
|
tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -16,4 +16,3 @@ org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
|
||||||
org.jitsi.videobridge.ENABLE_STATISTICS=true
|
org.jitsi.videobridge.ENABLE_STATISTICS=true
|
||||||
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
|
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
|
||||||
org.jitsi.videobridge.STATISTICS_INTERVAL=5000
|
org.jitsi.videobridge.STATISTICS_INTERVAL=5000
|
||||||
|
|
||||||
|
|
|
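Review bot: this hunk only removes a trailing blank line from the JVB `sip-communicator.properties` template and is unrelated to the commit's purpose; consider leaving it out of a security commit so the change history stays focused. The visible context line `org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true` is also worth a separate issue: with server certificate verification off, the JVB's XMPP password is presented to whatever answers as the XMPP server, which undercuts the value of the strong passwords this commit requires if the bridge and Prosody are not on a trusted network.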
@ -1,5 +1,10 @@
|
||||||
#!/usr/bin/with-contenv bash
|
#!/usr/bin/with-contenv bash
|
||||||
|
|
||||||
|
if [[ -z $JVB_AUTH_PASSWORD ]]; then
|
||||||
|
echo 'FATAL ERROR: JVB auth password must be set'
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ ! -f /config/sip-communicator.properties ]]; then
|
if [[ ! -f /config/sip-communicator.properties ]]; then
|
||||||
tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
|
tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -34,7 +34,18 @@ if [[ ! -f $PROSODY_CFG ]]; then
|
||||||
tpl /defaults/prosody.cfg.lua > $PROSODY_CFG
|
tpl /defaults/prosody.cfg.lua > $PROSODY_CFG
|
||||||
tpl /defaults/conf.d/jitsi-meet.cfg.lua > /config/conf.d/jitsi-meet.cfg.lua
|
tpl /defaults/conf.d/jitsi-meet.cfg.lua > /config/conf.d/jitsi-meet.cfg.lua
|
||||||
|
|
||||||
|
if [[ -z $JICOFO_COMPONENT_SECRET || -z $JICOFO_AUTH_PASSWORD ]]; then
|
||||||
|
echo 'FATAL ERROR: Jicofo component secret and auth password must be set'
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
prosodyctl --config $PROSODY_CFG register $JICOFO_AUTH_USER $XMPP_AUTH_DOMAIN $JICOFO_AUTH_PASSWORD
|
prosodyctl --config $PROSODY_CFG register $JICOFO_AUTH_USER $XMPP_AUTH_DOMAIN $JICOFO_AUTH_PASSWORD
|
||||||
|
|
||||||
|
if [[ -z $JVB_AUTH_PASSWORD ]]; then
|
||||||
|
echo 'FATAL ERROR: JVB auth password must be set'
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
prosodyctl --config $PROSODY_CFG register $JVB_AUTH_USER $XMPP_AUTH_DOMAIN $JVB_AUTH_PASSWORD
|
prosodyctl --config $PROSODY_CFG register $JVB_AUTH_USER $XMPP_AUTH_DOMAIN $JVB_AUTH_PASSWORD
|
||||||
|
|
||||||
if [[ ! -z $JIBRI_XMPP_USER ]] && [[ ! -z $JIBRI_XMPP_PASSWORD ]]; then
|
if [[ ! -z $JIBRI_XMPP_USER ]] && [[ ! -z $JIBRI_XMPP_PASSWORD ]]; then
|
||||||
|
|
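Review bot: the two new checks sit inside the `if [[ ! -f $PROSODY_CFG ]]` branch and run after `tpl /defaults/prosody.cfg.lua > $PROSODY_CFG` and the `jitsi-meet.cfg.lua` template have already been written. If a password is missing, the script exits leaving the generated config in `/config`, and on the next start `! -f $PROSODY_CFG` is false, so the `prosodyctl register` calls for Jicofo and JVB are skipped entirely and the accounts never get created. Suggest moving both checks to the top of the script, before any file is generated, which also lets the Jicofo and JVB checks live in one place instead of being duplicated across the jicofo, jvb and prosody init scripts.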