Apache Directives/Jitsi Meet?

Discussion in 'General' started by Xase, Sep 25, 2018.

  1. Xase

    Xase Member

    So, I ran a test setup, and over wrote the main config for my main site with the jitsi meet vhost information, TEMPORARILY of course. It worked like that, but obviously I wanted to incorporate it as subdomain (actually a full site using a subdomain so I could specify apache directives).

    So I have the cutdown directives inserted
    Code:
    SSLProtocol TLSv1 TLSv1.1 TLSv1.2
    SSLProxyEngine on
    SSLCertificateFile /etc/jitsi/meet/meet.gethosting.today.crt
    SSLCertificateKeyFile /etc/jitsi/meet/meet.gethosting.today.key
    
    SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!ECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED"
    
    Header set Strict-Transport-Security "max-age=31536000"
    
    DocumentRoot "/usr/share/jitsi-meet"
    
    <Directory "/usr/share/jitsi-meet">
        Options Indexes MultiViews Includes FollowSymLinks
        AddOutputFilter Includes html
        AllowOverride All
        Order allow,deny
        Allow from all
      </Directory>
    
    ErrorDocument 404 /static/404.html
    
      Alias "/config.js" "/etc/jitsi/meet/meet.gethosting.today-config.js"
      <Location /config.js>
        Require all granted
      </Location>
    
    ProxyPreserveHost on
      ProxyPass /http-bind http://localhost:5280/http-bind/
      ProxyPassReverse /http-bind http://localhost:5280/http-bind/
    
    
      RewriteEngine on
      RewriteRule ^/([a-zA-Z0-9]+)$ /index.html
    It currently works in Firefox, but not Chrome. Chrome isn't very explicit or helpful (are there any flags I could set for chrome to combat this? if anyone knows)

    Chrome throws this error
    It worked before in chrome, when I overwrote ISPConfigs vhost file for gethosting.today with the vhost file provided as is from Jitsi.
    I think it's something to do possibly with ISPConfigs built in SSL settings in the vhost file, specifying All -SSLv2 -SSLv3 or another configuration from somewhere in the file

    Here is the default vhosts file provided by Jitsi itself
    Code:
      
    <VirtualHost *:80>
        ServerName meet.gethosting.today
        Redirect permanent / https://meet.gethosting.today/
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </VirtualHost>
    
    <VirtualHost *:443>
    
      ServerName meet.gethosting.today
    
      SSLProtocol TLSv1 TLSv1.1 TLSv1.2
      SSLEngine on
      SSLProxyEngine on
      SSLCertificateFile /etc/letsencrypt/live/meet.gethosting.today/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/meet.gethosting.today/privkey.pem
      SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED"
      SSLHonorCipherOrder on
      Header set Strict-Transport-Security "max-age=31536000"
    
      DocumentRoot "/usr/share/jitsi-meet"
      <Directory "/usr/share/jitsi-meet">
        Options Indexes MultiViews Includes FollowSymLinks
        AddOutputFilter Includes html
        AllowOverride All
        Order allow,deny
        Allow from all
      </Directory>
    
      ErrorDocument 404 /static/404.html
    
      Alias "/config.js" "/etc/jitsi/meet/meet.gethosting.today-config.js"
      <Location /config.js>
        Require all granted
      </Location>
    
      ProxyPreserveHost on
      ProxyPass /http-bind http://localhost:5280/http-bind/
      ProxyPassReverse /http-bind http://localhost:5280/http-bind/
    
      RewriteEngine on
      RewriteRule ^/([a-zA-Z0-9]+)$ /index.html
    </VirtualHost>
    
    
    If anyone has some insight I'd be interested.
     
  2. ahrasis

    ahrasis Well-Known Member

    From my side, I can see you are using self-signed certs and you can still use it if you add the certs on your browsers exceptions.
     
  3. Xase

    Xase Member

    In firefox, it loaded the Let's Encrypt cert properly ... I wonder when it reverted to a self signed cert. I had it working both on Chrome and Firefox with no certs...
    ... I didn't see a self signed cert when I ran this https://www.ssllabs.com/ssltest/analyze.html?d=meet.gethosting.today I did see a LE cert for both my domains and another for Carnival-Funfair.blog ( my site as well) as well attached to it though, and I didn't know how to get rid of it.

    But you're right I see a self signed Cert on Firefox now... still see cipher mismatch on chrome though.
    Also... I don't know when it came up again. But I had carefully added directives one by one, making sure each one worked last night... now this error is back
    Code:
    CONFIGURATION ERROR
    
    2018-09-25 07:24 :
    Job for apache2.service failed because the control process exited with error code.
    See "systemctl status apache2.service" and "journalctl -xe" for details.
    which only tells me so much. I guess I should've given each directive a 30 minute cooling period to make sure it wasn't throwing errors.

    Update while writing:: I fixed the SSL cert problem and the apache2 load error, by backtracking some of my directives it seems

    But I still get a cipher mismatch in chrome
     
  4. Xase

    Xase Member

    So I fixed the cipher mismatch :O by using the commented ISPConfig ciphersuite in my site's apache directive. It was a more thorough list anyhow.
     

Share This Page