feat: Enable bridge websockets by default for new installs (#7781)

* feat: Drops multiplexing support by default.

* fix: Fix purge of jitsi-meet-prosody.

Clean the accounts when there is a - in the domain name.
Removes the certificate so reinstall will not cause problems.

* feat: Enables bridge websockets by default.

* fix: External-ip conflicts with denied-peer-ip.

In cases where the bridge and coturn are on the same machine and the local address is any of the networks from denied-peer-ip, coturn is not using its public address to probe it and communication fails as the other address is deneid.

* squash: Fix a comment.

config.js

@@ -337,6 +337,7 @@ var config = {
     // 'datachannel'), undefined (treat it as 'datachannel') and false (don't
     // open any channel).
     // openBridgeChannel: true,
+    openBridgeChannel: 'websocket',
 
 
     // UI

debian/jitsi-meet-prosody.postrm

@@ -45,8 +45,12 @@ case "$1" in
             rm -rf /var/lib/prosody/$JICOFO_AUTH_DOMAIN.*
             rm -rf /var/lib/prosody/$JVB_HOSTNAME.*
 
-            # clean created users
-            rm -rf /var/lib/prosody/`echo $JICOFO_AUTH_DOMAIN | sed -e "s/\./%2e/g"`
+            # clean created users, replace '.' with '%2e', replace '-' with '%2d'
+            rm -rf /var/lib/prosody/`echo $JICOFO_AUTH_DOMAIN | sed -e "s/\./%2e/g"| sed -e "s/-/%2d/g"`
+
+            # clean the prosody cert from the trust store
+            rm -rf /usr/local/share/ca-certificates/$JICOFO_AUTH_DOMAIN.*
+            update-ca-certificates -f
         fi
 
         # Clear the debconf variable

debian/jitsi-meet-turnserver.install

@@ -1,3 +1,2 @@
 doc/debian/jitsi-meet-turn/turnserver.conf          /usr/share/jitsi-meet-turnserver/
-doc/debian/jitsi-meet/jitsi-meet.conf               /usr/share/jitsi-meet-turnserver/
 doc/debian/jitsi-meet-turn/coturn-certbot-deploy.sh /usr/share/jitsi-meet-turnserver/

debian/jitsi-meet-turnserver.postinst

@@ -36,26 +36,6 @@ case "$1" in
         NGINX_CONFIG="/etc/nginx/sites-available/$JVB_HOSTNAME.conf"
         JITSI_MEET_CONFIG="/etc/jitsi/meet/$JVB_HOSTNAME-config.js"
 
-        NGINX_SITES_ENABLED="/etc/nginx/sites-enabled/"
-        NGINX_CONFIG_ENABLED="${NGINX_SITES_ENABLED}${JVB_HOSTNAME}.conf"
-        NGINX_MULTIPLEXING="true"
-        for site in ${NGINX_SITES_ENABLED}*; do
-            # if it is not a file continue
-            [ -f "${site}" ] || continue
-            # if it is our config skip
-            [ "${site}" != "${NGINX_CONFIG_ENABLED}" ] || continue
-            # check whether other enabled hosts has listen 443
-            if cat ${site} | grep -v "^[[:space:]]*#" | grep listen | grep -q "^.*[[:space:]:]443[;[:space:]].*" ; then
-                # nothing to do
-                echo "------------------------------------------------"
-                echo ""
-                echo "turnserver is listening on tcp 5349 as other nginx sites use port 443"
-                echo ""
-                echo "------------------------------------------------"
-                NGINX_MULTIPLEXING="false"
-            fi
-        done
-
         # if there was a turn config backup it so we can configure
         # we cannot recognize at the moment is this a user config or default config when installing coturn
         if [[ -f $TURN_CONFIG ]] && ! grep -q "jitsi-meet coturn config" "$TURN_CONFIG" ; then
@@ -133,19 +113,9 @@ denied-peer-ip=240.0.0.0-255.255.255.255" >> $TURN_CONFIG
         TURN_SECRET="$RET"
 
         # no turn config exists, lt's copy template and fill it in
-        PUBLIC_IP=$(dig -4 +short myip.opendns.com a @resolver1.opendns.com) || true
-        if [ -z "$PUBLIC_IP" ] ; then
-            PUBLIC_IP="127.0.0.1"
-            echo "------------------------------------------------"
-            echo "Warning! Could not resolve your external ip address! Error:^"
-            echo "Your turn server will not work till you edit your $TURN_CONFIG config file."
-            echo "You need to set your external ip address in external-ip and restart coturn service."
-            echo "------------------------------------------------"
-        fi
         cp /usr/share/jitsi-meet-turnserver/turnserver.conf $TURN_CONFIG
         sed -i "s/jitsi-meet.example.com/$JVB_HOSTNAME/g" $TURN_CONFIG
         sed -i "s/__turnSecret__/$TURN_SECRET/g" $TURN_CONFIG
-        sed -i "s/__external_ip_address__/$PUBLIC_IP/g" $TURN_CONFIG
 
         # SSL for nginx
         db_get jitsi-meet/cert-choice
@@ -170,18 +140,14 @@ denied-peer-ip=240.0.0.0-255.255.255.255" >> $TURN_CONFIG
         invoke-rc.d coturn restart || true
 
         NGINX_STREAM_CONFIG="/etc/nginx/modules-enabled/60-jitsi-meet.conf"
-        if [ $NGINX_MULTIPLEXING = "true" ] && [ ! -f $NGINX_STREAM_CONFIG ] && [ -f $NGINX_CONFIG ] ; then
-            ln -s /usr/share/jitsi-meet-turnserver/jitsi-meet.conf $NGINX_STREAM_CONFIG
-            sed -i "s/listen 443 ssl/listen 4444 ssl http2/g" $NGINX_CONFIG
-            sed -i "s/listen \[\:\:\]\:443 ssl/listen \[\:\:\]\:4444 ssl http2/g" $NGINX_CONFIG
-            invoke-rc.d nginx reload || true
-        else
-            PROSODY_HOST_CONFIG="/etc/prosody/conf.avail/$JVB_HOSTNAME.cfg.lua"
-            if [ -f $PROSODY_HOST_CONFIG ] ; then
-                # If we are not multiplexing we need to change the port in prosody config
-                sed -i 's/"443"/"5349"/g' $PROSODY_HOST_CONFIG
-                invoke-rc.d prosody restart || true
-            fi
+        if [ -f $NGINX_STREAM_CONFIG ] ; then
+            echo "------------------------------------------------"
+            echo ""
+            echo "You have multiplexing enabled, it is recommended to disable it and migrate to using websockets for the bridge channel."
+            echo "The support for sctp data channels is deprecated and will be dropped at some point."
+            echo "How to do it at: https://jitsi.org/multiplexing-to-bridge-ws-howto"
+            echo ""
+            echo "------------------------------------------------"
         fi
 
         # Enable turn server in config.js

debian/jitsi-meet-turnserver.postrm

@@ -24,7 +24,6 @@ set -e
 
 case "$1" in
     remove)
-        rm -rf /etc/nginx/modules-enabled/60-jitsi-meet.conf
         if [ -x "/etc/init.d/nginx" ]; then
             invoke-rc.d nginx reload || true
         fi
@@ -33,7 +32,6 @@ case "$1" in
         fi
     ;;
     purge)
-        rm -rf /etc/nginx/modules-enabled/60-jitsi-meet.conf
         rm -rf /etc/turnserver.conf
         if [ -x "/etc/init.d/nginx" ]; then
             invoke-rc.d nginx reload || true

doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example

@@ -8,7 +8,7 @@ turncredentials_secret = "__turnSecret__";
 turncredentials = {
   { type = "stun", host = "jitmeet.example.com", port = "3478" },
   { type = "turn", host = "jitmeet.example.com", port = "3478", transport = "udp" },
-  { type = "turns", host = "jitmeet.example.com", port = "443", transport = "tcp" }
+  { type = "turns", host = "jitmeet.example.com", port = "5349", transport = "tcp" }
 };
 
 cross_domain_bosh = false;

doc/debian/jitsi-meet-turn/turnserver.conf

@@ -12,7 +12,6 @@ no-tcp-relay
 no-tcp
 listening-port=3478
 tls-listening-port=5349
-external-ip=__external_ip_address__
 no-tlsv1
 no-tlsv1_1
 # https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4

doc/debian/jitsi-meet/jitsi-meet.conf

@@ -1,30 +0,0 @@
-# this is jitsi-meet nginx module configuration
-# this forward all http traffic to the nginx virtual host port
-# and the rest to the turn server
-
-stream {
-    upstream web {
-        server 127.0.0.1:4444;
-    }
-    upstream turn {
-        server 127.0.0.1:5349;
-    }
-    # since 1.13.10
-    map $ssl_preread_alpn_protocols $upstream {
-        ~\bh2\b         web;
-        ~\bhttp/1\.     web;
-        default         turn;
-    }
-
-    server {
-        listen 443;
-        listen [::]:443;
-
-        # since 1.11.5
-        ssl_preread on;
-        proxy_pass $upstream;
-
-        # Increase buffer to serve video
-        proxy_buffer_size 10m;
-    }
-}

doc/debian/jitsi-meet/jitsi-meet.example

@@ -87,6 +87,15 @@ server {
         tcp_nodelay on;
     }
 
+    # colibri (JVB) websockets for jvb1
+    location ~ ^/colibri-ws/default-id/(.*) {
+       proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
+       proxy_http_version 1.1;
+       proxy_set_header Upgrade $http_upgrade;
+       proxy_set_header Connection "upgrade";
+       tcp_nodelay on;
+    }
+
     location ~ ^/([^/?&:'"]+)$ {
         try_files $uri @root_path;
     }