feat: Adds new module to unlimit jicofo and jvb connections.

In case limited those connection will be whitelisted and unlimited. Updates existing configurations to make sure prosody update will not break it by limiting too much. Uses 28c16c93d79a version of the module: https://modules.prosody.im/mod_limits_exception.html Will be available in prosody 0.12.
2021-05-24 15:52:25 -05:00 · 2021-05-24 15:52:25 -05:00 · 15c08f90c4
parent c4677be87a
commit 15c08f90c4
3 changed files with 44 additions and 5 deletions
--- a/debian/jitsi-meet-prosody.postinst
+++ b/debian/jitsi-meet-prosody.postinst
@ -125,11 +125,11 @@ case "$1" in

        # Check whether prosody config has the internal muc, if not add it,
        # as we are migrating configs
-        if [ -f $PROSODY_HOST_CONFIG ] && ! grep -q "internal.auth.$JVB_HOSTNAME" $PROSODY_HOST_CONFIG; then
-            echo -e "\nComponent \"internal.auth.$JVB_HOSTNAME\" \"muc\"" >> $PROSODY_HOST_CONFIG
+        if [ -f $PROSODY_HOST_CONFIG ] && ! grep -q "internal.$JICOFO_AUTH_DOMAIN" $PROSODY_HOST_CONFIG; then
+            echo -e "\nComponent \"internal.$JICOFO_AUTH_DOMAIN\" \"muc\"" >> $PROSODY_HOST_CONFIG
            echo -e "    storage = \"memory\"" >> $PROSODY_HOST_CONFIG
            echo -e "    modules_enabled = { \"ping\"; }" >> $PROSODY_HOST_CONFIG
-            echo -e "    admins = { \"$JICOFO_AUTH_USER@auth.$JVB_HOSTNAME\", \"jvb@auth.$JVB_HOSTNAME\" }" >> $PROSODY_HOST_CONFIG
+            echo -e "    admins = { \"$JICOFO_AUTH_USER@$JICOFO_AUTH_DOMAIN\", \"jvb@$JICOFO_AUTH_DOMAIN\" }" >> $PROSODY_HOST_CONFIG
        fi

        # Convert the old focus component config to the new one.
@ -140,7 +140,7 @@ case "$1" in
        # Component "focus.jitmeet.example.com" "client_proxy"
        #    target_address = "focus@auth.jitmeet.example.com"
        if grep -q "Component \"focus.$JVB_HOSTNAME\"" $PROSODY_HOST_CONFIG && ! grep "Component \"focus.$JVB_HOSTNAME\" \"client_proxy\"" $PROSODY_HOST_CONFIG ;then
-            sed -i "s/Component \"focus.$JVB_HOSTNAME\"/Component \"focus.$JVB_HOSTNAME\" \"client_proxy\"\n    target_address = \"$JICOFO_AUTH_USER@auth.$JVB_HOSTNAME\"/g" $PROSODY_HOST_CONFIG
+            sed -i "s/Component \"focus.$JVB_HOSTNAME\"/Component \"focus.$JVB_HOSTNAME\" \"client_proxy\"\n    target_address = \"$JICOFO_AUTH_USER@$JICOFO_AUTH_DOMAIN\"/g" $PROSODY_HOST_CONFIG
            PROSODY_CONFIG_PRESENT="false"
        fi

@ -155,10 +155,17 @@ case "$1" in
        MAIN_MUC_PATTERN="Component \"conference.$JVB_HOSTNAME\" \"muc\""
        if ! grep -A 2 -- "${MAIN_MUC_PATTERN}" $PROSODY_HOST_CONFIG | grep -q "restrict_room_creation" ;then
            sed -i "s/${MAIN_MUC_PATTERN}/${MAIN_MUC_PATTERN}\n    restrict_room_creation = true/g" $PROSODY_HOST_CONFIG
+            PROSODY_CONFIG_PRESENT="false"
+        fi
+
+        if ! grep -q -- 'unlimited_jids' $PROSODY_HOST_CONFIG ;then
+            sed -i "1s/^/unlimited_jids = { \"$JICOFO_AUTH_USER@$JICOFO_AUTH_DOMAIN\", \"jvb@$JICOFO_AUTH_DOMAIN\" }\n/" $PROSODY_HOST_CONFIG
+            sed -i "s/VirtualHost \"$JICOFO_AUTH_DOMAIN\"/VirtualHost \"$JICOFO_AUTH_DOMAIN\"\n    modules_enabled = { \"limits_exception\"; }/g" $PROSODY_HOST_CONFIG
+            PROSODY_CONFIG_PRESENT="false"
        fi

        # Make sure the focus@auth user's roster includes the proxy component (this is idempotent)
-        prosodyctl mod_roster_command subscribe focus.$JVB_HOSTNAME $JICOFO_AUTH_USER@auth.$JVB_HOSTNAME
+        prosodyctl mod_roster_command subscribe focus.$JVB_HOSTNAME $JICOFO_AUTH_USER@$JICOFO_AUTH_DOMAIN

        if [ ! -f /var/lib/prosody/$JVB_HOSTNAME.crt ]; then
            # prosodyctl takes care for the permissions
--- a/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
+++ b/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
@ -20,6 +20,11 @@ ssl = {
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 }

+unlimited_jids = {
+    "focusUser@auth.jitmeet.example.com",
+    "jvb@auth.jitmeet.example.com"
+}
+
 VirtualHost "jitmeet.example.com"
    -- enabled = false -- Remove this line to enable this host
    authentication = "anonymous"
@ -77,6 +82,9 @@ Component "internal.auth.jitmeet.example.com" "muc"
    muc_room_default_public_jids = true

 VirtualHost "auth.jitmeet.example.com"
+    modules_enabled = {
+        "limits_exception";
+    }
    authentication = "internal_hashed"

 -- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
--- a/resources/prosody-plugins/mod_limits_exception.lua
+++ b/resources/prosody-plugins/mod_limits_exception.lua
@ -0,0 +1,24 @@
+-- we use async to detect Prosody 0.10 and earlier
+local have_async = pcall(require, 'util.async');
+
+if not have_async then
+	return;
+end
+
+local unlimited_jids = module:get_option_inherited_set("unlimited_jids", {});
+
+if unlimited_jids:empty() then
+	return;
+end
+
+module:hook("authentication-success", function (event)
+	local session = event.session;
+	local jid = session.username .. "@" .. session.host;
+	if unlimited_jids:contains(jid) then
+		if session.conn and session.conn.setlimit then
+			session.conn:setlimit(0);
+		elseif session.throttle then
+			session.throttle = nil;
+		end
+	end
+end);