Jitsi开源Web视频会议-安全认证

在《Jitsi安装教程》中安装Jitsi后,所有人都能访问,但实际情况是需要认证后才能访问。Jitsi提供了认证方式,可以通过配置启用。

Prosody认证配置

配置/etc/prosody/conf.d/meet.demo.com.cfg.lua

-- Prosody configuration for the meet.demo.com Jitsi deployment: a
-- password-authenticated main host, an anonymous guest host, the MUC
-- component, and the external components for the videobridge, Jicofo (focus)
-- and call control.
-- NOTE(review): "password1", "password2" and "password4" below are tutorial
-- placeholders; use long random secrets in a real deployment and keep this
-- file readable only by the Prosody user.

-- Plugins path gets uncommented during jitsi-meet-tokens package install - that's where token plugin is located
--plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- Main host: users must log in with an account registered on this host.
VirtualHost "meet.demo.com"
-- NOTE(review): Prosody's internal_plain provider keeps account passwords in
-- clear text in its data store; internal_hashed stores salted hashes instead.
-- Confirm that plain storage is really required here.
authentication = "internal_plain"
-- TLS key and certificate for this host. The nginx listing on this page reads
-- the same two files, so their permissions must let both services read the
-- key without exposing it to other local users — verify.
ssl = {
key = "/var/lib/prosody/meet.demo.com.key";
certificate = "/var/lib/prosody/meet.demo.com.crt";
}
-- "bosh" provides the HTTP binding that nginx proxies at /http-bind.
modules_enabled = {
"bosh";
"pubsub";
}

-- Guest host: no credentials are needed to obtain a session here.
VirtualHost "guest.meet.demo.com"
authentication = "anonymous"
-- Allows client-to-server streams on this host without TLS.
-- NOTE(review): presumably acceptable only because browsers reach Prosody
-- through the nginx HTTPS proxy to localhost:5280; confirm Prosody's
-- client port is not reachable from outside for this host.
c2s_require_encryption = false

-- NOTE(review): Prosody applies an option to the most recent
-- VirtualHost/Component line, so as written this entry is scoped to
-- guest.meet.demo.com rather than set globally — confirm the intended
-- placement. The JID's domain, auth.meet.demo.com, has no VirtualHost in this
-- listing although the Jicofo start script logs in as
-- focus@auth.meet.demo.com; presumably it is defined elsewhere — verify.
admins = { "focus@auth.meet.demo.com" }

-- Multi-user chat component that hosts the conference rooms.
Component "conference.meet.demo.com" "muc"
-- External component for the videobridge; the secret must equal the --secret
-- value in the videobridge start.sh on this page.
Component "jitsi-videobridge.meet.demo.com"
component_secret = "password1"
-- External component for Jicofo; the secret must equal the --secret value in
-- the Jicofo start.sh on this page.
Component "focus.meet.demo.com"
component_secret = "password2"

-- External component for call control (config.js on this page labels it Jigasi).
Component "callcontrol.meet.demo.com"
component_secret = "password4"

Nginx认证配置

配置/etc/nginx/sites-enabled/meet.demo.com

# Plain-HTTP listener: answers every request with a redirect to the HTTPS site.
# NOTE(review): $host reflects the client's Host header when this block is the
# default server for port 80; `https://meet.demo.com$request_uri` would pin the
# redirect target to the real site.
server {
listen 80;
server_name meet.demo.com;
return 301 https://$host$request_uri;
}
# HTTPS site: serves the jitsi-meet static files and proxies BOSH to Prosody.
server {
listen 443 ssl;
server_name meet.demo.com;

# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Unless legacy
# clients must be supported, restrict this to TLSv1.2, plus TLSv1.3 where the
# installed nginx/OpenSSL build supports it.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# NOTE(review): the trailing EDH+aRSA and EECDH entries look broad enough to
# admit CBC-mode suites in addition to the AEAD ones listed first — verify the
# effective list with a TLS scanner.
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

# Same certificate and key files that the Prosody VirtualHost on this page
# uses; the nginx process needs read access to the private key.
ssl_certificate /var/lib/prosody/meet.demo.com.crt;
ssl_certificate_key /var/lib/prosody/meet.demo.com.key;

root /var/www/jitsi-meet;
index index.html index.htm;
# error_page 404 /static/404.html;

# Single-segment paths made of letters, digits, "=" or "?" (presumably room
# names) are rewritten internally to "/", so the index page is served for them.
location ~ ^/([a-zA-Z0-9=\?]+)$ {
rewrite ^/(.*)$ / break;
}

# Everything else is served from the document root with server-side includes on.
location / {
ssi on;
}

# BOSH
# Forwards /http-bind to Prosody's HTTP port on localhost. The client address
# is passed in X-Forwarded-For and the client-supplied Host header is forwarded
# unchanged.
location /http-bind {
proxy_pass http://localhost:5280/http-bind;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
}

videobridge认证配置

参数start.sh

#!/bin/bash
# Starts the Jitsi videobridge in the background and connects it to the XMPP
# server on localhost as a component of meet.demo.com.

# JVM system properties exported for the launcher (presumably read by jvb.sh):
# configuration home /etc/jitsi/videobridge, log directory and the two logging
# configuration files.
export JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=videobridge -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi/videobridge -Djava.util.logging.config.file=/etc/jitsi/videobridge/logging.properties -Dlog4j.configurationFile=/etc/jitsi/videobridge/log4j2.xml"

# --secret must equal component_secret of "jitsi-videobridge.meet.demo.com" in
# the Prosody configuration on this page; "password1" is a tutorial placeholder.
# NOTE(review): a secret passed as a command-line argument is visible to other
# local users through the process list, and this script then has to be kept
# unreadable to them as well. Prefer a root-only configuration file if the
# installed videobridge version offers one — verify.
# The relative path means the script only works when run from the directory
# that contains jvb.sh.
./jvb.sh --host=localhost --domain=meet.demo.com --port=5347 --secret=password1 &

# The background process already inherited the variable, so it can be cleared
# from this shell.
unset JAVA_SYS_PROPS

Jicofo认证配置

参数start.sh

#!/bin/bash
# Starts Jicofo (the conference focus) in the background: it connects to the
# XMPP server on localhost as a component and logs in as focus@auth.meet.demo.com.

# mvn package -DskipTests -Dassembly.skipAssembly=false


# JVM system properties exported for the launcher (presumably read by
# jicofo.sh): configuration home /etc/jitsi/jicofo, log directory and logging
# configuration files.
# NOTE(review): the last property, org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true,
# by its name turns off certificate validation for Jicofo's XMPP connection
# (Jitsi documents it for self-signed certificates). That is presumably
# tolerable only while Jicofo talks to Prosody on localhost; install a trusted
# certificate and drop the flag otherwise.
export JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jicofo -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi/jicofo -Djava.util.logging.config.file=/etc/jitsi/jicofo/logging.properties -Dlog4j.configurationFile=/etc/jitsi/jicofo/log4j2.xml -Dorg.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true"

# --secret must equal component_secret of "focus.meet.demo.com" in the Prosody
# configuration on this page; --user_password is the password of the focus
# account on auth.meet.demo.com. Both values are tutorial placeholders.
# NOTE(review): both secrets are passed as command-line arguments and are
# therefore visible to other local users through the process list; keep this
# script readable only by the service account.
# NOTE(review): nothing in this script makes Jicofo require authentication for
# creating rooms. Jitsi's secure-domain guide sets
# org.jitsi.jicofo.auth.URL=XMPP:<domain> in Jicofo's
# sip-communicator.properties — confirm that is configured under /etc/jitsi/jicofo.
./jicofo-linux-x64-1.1-SNAPSHOT/jicofo.sh --host=localhost --domain=meet.demo.com --secret=password2 --user_domain=auth.meet.demo.com --user_name=focus --user_password=password3 &

# The background process already inherited the variable, so it can be cleared
# from this shell.
unset JAVA_SYS_PROPS

Jitsi-meet认证配置

config.js配置

// Configuration object for the jitsi-meet web client of the meet.demo.com
// deployment: XMPP hosts, BOSH URL, media defaults, UI switches and P2P options.
// NOTE(review): in a standard jitsi-meet deployment this file is downloaded by
// every browser, so no value placed here stays secret — confirm before adding
// credentials such as callStatsSecret.
var config = {
// Configuration
//

// Alternative location for the configuration.
// configLocation: './config.json',

// Custom function which given the URL path should return a room name.
// getroomnode: function (path) { return 'someprefixpossiblybasedonpath'; },


// Connection
//

hosts: {
// XMPP domain.
domain: 'meet.demo.com',

// XMPP MUC domain. FIXME: use XEP-0030 to discover it.
muc: 'conference.meet.demo.com',

// When using authentication, domain for guest users.
// NOTE(review): the Prosody listing on this page defines an anonymous guest
// host, guest.meet.demo.com, but this option is left commented out and still
// names the upstream example domain. If guests are meant to join rooms that an
// authenticated user has opened, it presumably has to be enabled and point at
// that host — confirm.
// anonymousdomain: 'guest.example.com',

// Domain for authenticated users. Defaults to <domain>.
// authdomain: 'meet.demo.com',

// Jirecon recording component domain.
// jirecon: 'jirecon.meet.demo.com',

// Call control component (Jigasi).
call_control: 'callcontrol.meet.demo.com',

// Focus component domain. Defaults to focus.<domain>.
focus: 'focus.meet.demo.com',
bridge: 'jitsi-videobridge.meet.demo.com'
},

// BOSH URL. FIXME: use XEP-0156 to discover it.
// The protocol-relative form inherits the page's scheme; the nginx listing on
// this page redirects plain HTTP to HTTPS, so BOSH traffic (including login
// credentials) is expected to travel over TLS.
bosh: '//meet.demo.com/http-bind',

// The name of client node advertised in XEP-0115 'c' stanza
clientNode: 'http://jitsi.org/jitsimeet',

// The real JID of focus participant - can be overridden here
// focusUserJid: 'focus@auth.meet.demo.com',


// Testing / experimental features.
//

testing: {
// Enables experimental simulcast support on Firefox.
enableFirefoxSimulcast: false,

// P2P test mode disables automatic switching to P2P when there are 2
// participants in the conference.
p2pTestMode: false

// Enables the test specific features consumed by jitsi-meet-torture
// testMode: false
},

// Disables ICE/UDP by filtering out local and remote UDP candidates in
// signalling.
// webrtcIceUdpDisable: false,

// Disables ICE/TCP by filtering out local and remote TCP candidates in
// signalling.
// webrtcIceTcpDisable: false,


// Media
//

// Audio

// Disable measuring of audio levels.
// disableAudioLevels: false,

// Start the conference in audio only mode (no video is being received nor
// sent).
// startAudioOnly: false,

// Every participant after the Nth will start audio muted.
// startAudioMuted: 10,

// Start calls with audio muted. Unlike the option above, this one is only
// applied locally. FIXME: having these 2 options is confusing.
// startWithAudioMuted: false,

// Video

// Sets the preferred resolution (height) for local video. Defaults to 720.
// resolution: 720,

// w3c spec-compliant video constraints to use for video capture. Currently
// used by browsers that return true from lib-jitsi-meet's
// util#browser#usesNewGumFlow. The constraints are independent of
// this config's resolution value. Defaults to requesting an ideal aspect
// ratio of 16:9 with an ideal resolution of 1080p.
// constraints: {
// video: {
// aspectRatio: 16 / 9,
// height: {
// ideal: 1080,
// max: 1080,
// min: 240
// }
// }
// },

// Enable / disable simulcast support.
// disableSimulcast: false,

// Suspend sending video if bandwidth estimation is too low. This may cause
// problems with audio playback. Disabled until these are fixed.
disableSuspendVideo: true,

// Every participant after the Nth will start video muted.
// startVideoMuted: 10,

// Start calls with video muted. Unlike the option above, this one is only
// applied locally. FIXME: having these 2 options is confusing.
// startWithVideoMuted: false,

// If set to true, prefer to use the H.264 video codec (if supported).
// Note that it's not recommended to do this because simulcast is not
// supported when using H.264. For 1-to-1 calls this setting is enabled by
// default and can be toggled in the p2p section.
// preferH264: true,

// If set to true, disable H.264 video codec by stripping it out of the
// SDP.
// disableH264: false,

// Desktop sharing

// Enable / disable desktop sharing
// disableDesktopSharing: false,

// The ID of the jidesha extension for Chrome.
desktopSharingChromeExtId: null,

// Whether desktop sharing should be disabled on Chrome.
desktopSharingChromeDisabled: true,

// The media sources to use when using screen sharing with the Chrome
// extension.
desktopSharingChromeSources: [ 'screen', 'window', 'tab' ],

// Required version of Chrome extension
desktopSharingChromeMinExtVersion: '0.1',

// Whether desktop sharing should be disabled on Firefox.
desktopSharingFirefoxDisabled: false,

// Optional desktop sharing frame rate options. Default value: min:5, max:5.
// desktopSharingFrameRate: {
// min: 5,
// max: 5
// },

// Try to start calls with screen-sharing instead of camera video.
// startScreenSharing: false,

// Recording

// Whether to enable recording or not.
// enableRecording: false,

// Type for recording: one of jibri or jirecon.
// recordingType: 'jibri',

// Misc

// Default value for the channel "last N" attribute. -1 for unlimited.
channelLastN: -1,

// Disables or enables RTX (RFC 4588) (defaults to false).
// disableRtx: false,

// Disables or enables TCC (the default is in Jicofo and set to true)
// (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting
// affects congestion control, it practically enables send-side bandwidth
// estimations.
// enableTcc: true,

// Disables or enables REMB (the default is in Jicofo and set to false)
// (draft-alvestrand-rmcat-remb-03). This setting affects congestion
// control, it practically enables recv-side bandwidth estimations. When
// both TCC and REMB are enabled, TCC takes precedence. When both are
// disabled, then bandwidth estimations are disabled.
// enableRemb: false,

// Defines the minimum number of participants to start a call (the default
// is set in Jicofo and set to 2).
// minParticipants: 2,

// Use XEP-0215 to fetch STUN and TURN servers.
// useStunTurn: true,

// Enable IPv6 support.
// useIPv6: true,

// Enables / disables a data communication channel with the Videobridge.
// Values can be 'datachannel', 'websocket', true (treat it as
// 'datachannel'), undefined (treat it as 'datachannel') and false (don't
// open any channel).
// openBridgeChannel: true,


// UI
//

// Use display name as XMPP nickname.
useNicks: false,

// Require users to always specify a display name.
// requireDisplayName: true,

// Whether to use a welcome page or not. In case it's false a random room
// will be joined when no room is specified.
enableWelcomePage: true,

// Enabling the close page will ignore the welcome page redirection when
// a call is hangup.
// enableClosePage: false,

// Disable hiding of remote thumbnails when in a 1-on-1 conference call.
// disable1On1Mode: false,

// The minimum value a video's height (or width, whichever is smaller) needs
// to be in order to be considered high-definition.
minHDHeight: 540,

// Default language for the user interface.
// defaultLanguage: 'en',

// If true all users without a token will be considered guests and all users
// with token will be considered non-guests. Only guests will be allowed to
// edit their profile.
enableUserRolesBasedOnToken: false,

// Message to show the users. Example: 'The service will be down for
// maintenance at 01:00 AM GMT,
// noticeMessage: '',


// Stats
//

// Whether to enable stats collection or not in the TraceablePeerConnection.
// This can be useful for debugging purposes (post-processing/analysis of
// the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
// estimation tests.
// gatherStats: false,

// To enable sending statistics to callstats.io you must provide the
// Application ID and Secret.
// callStatsID: '',
// callStatsSecret: '',

// enables callstatsUsername to be reported as statsId and used
// by callstats as reported remote id
// enableStatsID: false

// enables sending participants display name to callstats
// enableDisplayNameInStats: false


// Privacy
//

// If third party requests are disabled, no other server will be contacted.
// This means avatars will be locally generated and callstats integration
// will not function.
// disableThirdPartyRequests: false,


// Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
//

p2p: {
// Enables peer to peer mode. When enabled the system will try to
// establish a direct connection when there are exactly 2 participants
// in the room. If that succeeds the conference will stop sending data
// through the JVB and use the peer to peer connection instead. When a
// 3rd participant joins the conference will be moved back to the JVB
// connection.
enabled: true,

// Use XEP-0215 to fetch STUN and TURN servers.
// useStunTurn: true,

// The STUN servers that will be used in the peer to peer connections
// NOTE(review): these are third-party servers; each participant's browser
// contacts them during P2P setup, which discloses the participant's IP address
// to that operator. Point this at a self-hosted STUN/TURN service if that is
// not acceptable for the deployment.
stunServers: [
{ urls: 'stun:stun.l.google.com:19302' },
{ urls: 'stun:stun1.l.google.com:19302' },
{ urls: 'stun:stun2.l.google.com:19302' }
],

// Sets the ICE transport policy for the p2p connection. At the time
// of this writing the list of possible values are 'all' and 'relay',
// but that is subject to change in the future. The enum is defined in
// the WebRTC standard:
// https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
// If not set, the effective value is 'all'.
// iceTransportPolicy: 'all',

// If set to true, it will prefer to use H.264 for P2P calls (if H.264
// is supported).
preferH264: true

// If set to true, disable H.264 video codec by stripping it out of the
// SDP.
// disableH264: false,

// How long we're going to wait, before going back to P2P after the 3rd
// participant has left the conference (to filter out page reload).
// backToP2PDelay: 5
},

// A list of scripts to load as lib-jitsi-meet "analytics handlers".
// analyticsScriptUrls: [
// "libs/analytics-ga.js", // google-analytics
// "https://example.com/my-custom-analytics.js"
// ],

// The Google Analytics Tracking ID
// googleAnalyticsTrackingId = 'your-tracking-id-here-UA-123456-1',

// Information about the jitsi-meet instance we are connecting to, including
// the user region as seen by the server.
deploymentInfo: {
// shard: "shard1",
// region: "europe",
// userRegion: "asia"
}

// List of undocumented settings used in jitsi-meet
/**
alwaysVisibleToolbar
autoRecord
autoRecordToken
debug
debugAudioLevels
deploymentInfo
dialInConfCodeUrl
dialInNumbersUrl
dialOutAuthUrl
dialOutCodesUrl
disableRemoteControl
displayJids
enableLocalVideoFlip
etherpad_base
externalConnectUrl
firefox_fake_device
googleApiApplicationClientID
iAmRecorder
iAmSipGateway
peopleSearchQueryTypes
peopleSearchUrl
requireDisplayName
tokenAuthUrl
*/

// List of undocumented settings used in lib-jitsi-meet
/**
_peerConnStatusOutOfLastNTimeout
_peerConnStatusRtcMuteTimeout
abTesting
avgRtpStatsN
callStatsConfIDNamespace
callStatsCustomScriptUrl
desktopSharingSources
disableAEC
disableAGC
disableAP
disableHPF
disableNS
enableLipSync
enableTalkWhileMuted
forceJVB121Ratio
hiddenDomain
ignoreStartMuted
nick
startBitrate
*/
};

修改配置后,重启服务。

浏览器中输入:https://meet.demo.com/