Cannot open kmeet with intranet plugin

white-eagle

Hello,

i think there is no extra plugin for Kopano Meet like the plugin for webmeetings … right !?
So i tried to use webapp Intranet plugin to use kmeet inside my webapp. This works great for Kopano Deskapp, but when i open my webapp in Google Chrome for example, the displayed tab leaves blank. When i use Microsoft’s Edge it says, that the site could not be displayed in a Frame (sorry, the exact message is in german). However, when i am connecting to kmeet using it’s url (https://meetings.x.x/meet) everything is ok in Chrome.

Kopano WebApp and Kopano Meet are not on the same server.
I use kweb to host kmeet.

Is there any solution for using kmeet within browser-webapp ?

Thanks

fbartels

Hi @white-eagle,

at the moment there is indeed no extra plugin to include Meet visually into WebApp. Its on our list, but we did not yet get to this.

But the plugin would also not really help in your case, as it would be failing due to the same mechanic that makes the Intranet plugin fail.

Kweb is enforcing a content security policy for Meet that disallows embedding it from other domains, than the one service Meet (so webapp.domain.com/webapp is forbidden to include meet.domain.com/meet). The reason this works in DeskApp is because it has a setting to ignore these policies (and you could install an extension to your browser to do the same).

The better approach in your case would be to make sure to serve meet from the same domain as your webapp, or modify the webserver of meet (in this case kweb) to add an exception to the csp. The latter is currently not possible in meet.

PS: moved this topic into the Meet section of the forum.

white-eagle

Hi Felix,

thank you very much for your answer.
The idea behind hosting kmeet on its own server was to evaluate KMeet beside Webmeetings without changing our production system.
I think we will give KMeet a chance, because it offers improvements in performance (very nice on smartphones) and usability in comparison to webmeetings.

I tried csp extension in chrome (only for testing) and you are right, that did the job.
I am not sure if it is possible to host kmeet on the same domain as webapp, because we have 2 webapps hosted (on LAN side for internal usage and on DMZ side for external usage), and the domain for both webapps is for example webapp.domain.com (with different DNS resolution). Connecting to different webapps depending on internal or external usage with the same domain works fine, but i think it is only possible to connect to ONE kmeet instance, isn’t it ?
So i think this is my dilemma …
Is it possible to get this work if i use nginx instead of kweb ?

Kind Regards

fbartels

@white-eagle said in Cannot open kmeet with intranet plugin:

but i think it is only possible to connect to ONE kmeet instance, isn’t it ?

That setup seems a bit convoluted. I would recommend to get in touch with either your partner or our support to straighten it out. What is the benefit of hosting the exact same apps twice?

@white-eagle said in Cannot open kmeet with intranet plugin:

Is it possible to get this work if i use nginx instead of kweb ?

Indeed as kweb currently does not have the functionality for it your could either provide konnect/kapi/kwmserver/kapi through another webserver to modify csp or simply proxy from the other webserver to kweb and modify there.

white-eagle

Hi Felix,

the idea behind hosting some apps twice is … if kopano services (webapp, z-push) are under attack from outside to simply disable WAN access by shutting down the server while LAN users still can use the services.

I will contact our partner next week to discuss the setup.

Thank you very much for your assistance !

Kind Regards

thctlo

Just use one name for LAN and WAN for this.

The only difference is that the lan side resolves to a CNAME on the LAN side , which resolves to the webserver the same name as the external side.

And disabling WAN in this case, works the same for me as what you want.

my setup.
lan hostname server : mail.internal.domain.tld
wan hostname server mail.domain.tld
apache listenin on 2 interaces ( lan + wan )
apache vhost hostname : mail.domain.tld
alias : mail.internal.domain.tld
listening on 2 ip’s wan/lan

In the LAN DNS point mail.domain.tld CNAME to mail.internal.domain.tld
ssl cert to mail.domain.tld

Any client should point to mail.domain.tld only then you dont have problem with certificates for LAN and WAN resolving.

white-eagle

This post is deleted!

white-eagle

Hi thctlo,

thank you for your answer.

I think hosting kmeet under same domain as webapp ist the only possibility to open kmeet with intranet plugin in browser.

It would be nice if kweb offers the possibility to disable CSP.
Using nginx instead of kweb didn’t really work for me (https://documentation.kopano.io/kopano_meet_manual/installation.html#nginx). I always get HTTP 400 errors after login if i use nginx. So i have to use kweb.

Kind Regards

longsleep

@white-eagle said in Cannot open kmeet with intranet plugin:

It would be nice if kweb offers the possibility to disable CSP.

Well the CSP is for security - so to disable it is not the best idea. Though since this use case is valid it will eventually be possible to extend/configure the CSP.

@white-eagle said in Cannot open kmeet with intranet plugin:

I always get HTTP 400 errors after login if i use nginx.

Well this means your Nginx configuration is not in order. More information might be found if you enable debug logging of the backend services so they do log client related connection issues. Error 400 can have many causes - most likely reason in relation to Nginx configuration might be wrong/no configuration for websocket reverse proxy.

Remember kweb does nothing special - it just simplifies configuration. Without it you need a rather complex Nginx configuration to get the same level of security but functionality wise, the minimal Nginx configuration is not particular complicated.

Coffee_is_life

Hello Forum,

this CSP is actually really annoying because even on the same domain but different subdomains it blocks the content.

I got the setup:
KC on CentOS 7
Webapp on CentOS 7
Since Meet got no rpm package yet: Meet on Debian 10

webapp adress is webapp.domain.com
meet address is meet.domain.com

even this isnt possible which i think is quite “oversecure”.
will there be a config-switch which allows cross sub-domains or domains? this would be highly needed.

in the meantime i will setup nginx on the meetserver to provide a site which i include into intranet and this site proxys to the actual meet. - i hope this works, maybe with open in new tab.

(btw even with CSP disabled in firefox, i cant make calls from withing intranet integration. The site is loading i can authorize myself but i cant access screen-sharing, microphone or webcam).

best regards,
Coffee_is_life