Safari not working in multitenancy setup. #3

Open
opened 2021-01-10 22:30:38 +01:00 by jsydll · 2 comments
Collaborator

Some users in my Jitsi setup experienced problems with Safari and it seems to be related to Content Security Policy. Note however that my setup is based on the multitenancy branch (which has slightly different Traefik settings).

docker-jitsi-meet version: latest (should be stable-5142-3)

Author
Collaborator

I just saw that there's a new stable out so I pruned my images and updated the instances to stable-5142-4. Will test with Safari again as soon as I get a grip on a fruity device.

Author
Collaborator

Still not working. Although FF and Chrome setups work, I see CSP-related error messages there, too - only that they do not seem as restrictive as Safari is... So my best guess currently is that in general the CSP configuration of Traefik is broken in my multitenancy setup. This is the relevant part of the jitsi/web instance in my adjusted docker-compose.jitsi.yml.j2:

```
...
labels:
    - "traefik.enable=true"
    - "traefik.docker.network=traefik_public"
    - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.rule=Host(`{{ jitsi_virtual_host }}`)"
    - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.entrypoints=websecure"
    - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.tls=true"
    - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.tls.certresolver=defaultresolver"
    - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.SSLRedirect=true"
    - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.browserXSSFilter=true"
    - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.contentTypeNosniff=true"
    - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.forceSTSHeader=true"
    - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.STSSeconds=315360000"
    - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.STSIncludeSubdomains=true"
    - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.STSPreload=true"
    - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.featurePolicy=geolocation 'none'; payment 'none'"
    - "traefik.http.middlewares.jitsi{{ jitsi_multitenant_postfix }}-headers.headers.contentSecurityPolicy=default-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content"
    - "traefik.http.routers.jitsi{{ jitsi_multitenant_postfix }}.middlewares=jitsi{{ jitsi_multitenant_postfix }}-headers"
...
```
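To read the browsers' CSP violation messages against what the `contentSecurityPolicy` label above actually permits, the following resolves the effective source list of each fetch directive using the CSP Level 3 fallback chains. It is an added example, not part of the issue thread or the role's code; the function names `parseCsp`, `effective` and `report` are made up here, and the policy string is copied from the label.

```javascript
// Added example: resolve the effective source list for each fetch directive of a
// Content-Security-Policy, following the CSP Level 3 fallback chains.

// The policy string copied from the contentSecurityPolicy label in the issue.
const POLICY = "default-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; " +
  "style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; " +
  "base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content";

// Fallback chains from CSP Level 3; every chain ends in default-src.
const FALLBACK = {
  "connect-src": [], "media-src": [], "img-src": [], "font-src": [],
  "style-src": [], "script-src": [], "object-src": [], "manifest-src": [],
  "child-src": [],
  "frame-src": ["child-src"],
  "worker-src": ["child-src", "script-src"],
};

// Parse a serialized policy into Map(directive name -> array of source expressions).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the spec, a repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return which directive governs `name` and the source list it applies.
function effective(directives, name) {
  for (const candidate of [name, ...FALLBACK[name], "default-src"]) {
    if (directives.has(candidate)) {
      return { governedBy: candidate, sources: directives.get(candidate) };
    }
  }
  return { governedBy: null, sources: null }; // nothing set: no restriction
}

// Build a report row for every fetch directive listed in FALLBACK.
function report(policy) {
  const directives = parseCsp(policy);
  return Object.keys(FALLBACK).map((name) => ({ name, ...effective(directives, name) }));
}

for (const row of report(POLICY)) {
  const via = row.governedBy === row.name ? "" : ` (inherited from ${row.governedBy})`;
  console.log(`${row.name.padEnd(13)} ${row.sources ? row.sources.join(" ") : "*"}${via}`);
}
```

Each console violation names the directive that blocked the request; matching that name against the rows marked as inherited shows which directives the policy never sets explicitly.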
Reference: jotbe/ansible-role-jitsi-docker#3