Merge branch 'master' into openshift

matrix-org · May 8, 2024 · 0d665b9 · 0d665b9
2 parents 16757b2 + a9213f4
commit 0d665b9
Show file tree

Hide file tree

Showing 21 changed files with 85 additions and 30 deletions.
diff --git a/.github/workflows/unstable.yml b/.github/workflows/unstable.yml
@@ -27,7 +27,7 @@ jobs:
       - name: Prosody repo
         uses: myci-actions/add-deb-repo@11
         with:
-          repo: deb https://packages.prosody.im/debian bullseye main
+          repo: deb https://packages.prosody.im/debian bookworm main
           repo-name: prosody
           keys-asc: https://prosody.im/files/prosody-debian-packages.key
       - name: Jitsi repo

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,35 @@
+## stable-9457-2
+
+Based on stable release 9457-2.
+
+* fed87fb web: update acme.sh version to 3.0.7
+* 11285cd prosody: Fixed the wrong position of the JWT_SIGN_TYPE setting in the file (#1796)
+* f9ff2a4 misc: working on unstable
+
+## stable-9457-1
+
+Based on stable release 9457-1.
+
+* 09bbfaf misc: working on unstable
+
+## stable-9457
+
+Based on stable release 9457.
+
+* 6f98bbe prosody: add ability to customize TURN TTL value
+* 8fe3139 jvb: fix autoscaler sidecar config (#1785)
+* 48d803c jigasi: fix autoscaler sidecar config for shutdown url (#1784)
+* c951116 jibri: fix autoscaler sidecar config (#1783)
+* cae1e40 feat(jigasi): Adds trusted domains option.
+* e939230 prosody: add ability to customize JWT signature type
+* b0f9eb2 prosody: integrate prosody-plugins-contrib
+* 604ba22 prosody: Switches lua gc back to incremental. (#1777)
+* 68d4b1a jibri: fix xorg modeline for 1280x720 (#1778)
+* 8094a17 web: add ability to change CORS header value
+* 03b6ca2 web: remove no longer needed mime type definition
+* 70ba4cb base: update to Debian Bookworm
+* dc5cbae misc: working on unstable
+
 ## stable-9364-1
 
 Based on stable release 9364-1.

diff --git a/Makefile b/Makefile
@@ -57,7 +57,6 @@ clean:
 	docker network prune
 
 prepare:
-	docker pull debian:bullseye-slim
 	FORCE_REBUILD=1 $(MAKE)
 
 .PHONY: all build tag push clean prepare release $(addprefix build_,$(JITSI_SERVICES))
diff --git a/base/Dockerfile b/base/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/library/debian:bullseye-slim
+FROM docker.io/library/debian:bookworm-slim
 
 ENV DEBIAN_FRONTEND noninteractive
 
@@ -17,7 +17,7 @@ RUN \
     wget -qO /usr/bin/tpl https://github.com/jitsi/tpl/releases/download/v1.1.1/tpl-linux-${TPL_ARCH} && \
     wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmour > /etc/apt/trusted.gpg.d/jitsi.gpg && \
     echo "deb https://download.jitsi.org $JITSI_RELEASE/" > /etc/apt/sources.list.d/jitsi.list && \
-    echo "deb http://ftp.debian.org/debian bullseye-backports main" > /etc/apt/sources.list.d/backports.list && \
+    echo "deb http://ftp.debian.org/debian bookworm-backports main" > /etc/apt/sources.list.d/backports.list && \
     apt-dpkg-wrap apt-get update && \
     apt-dpkg-wrap apt-get dist-upgrade -y && \
     apt-cleanup && \

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -3,7 +3,7 @@ version: '3.5'
 services:
     # Frontend
     web:
-        image: jitsi/web:${JITSI_IMAGE_VERSION:-stable-9364-1}
+        image: jitsi/web:${JITSI_IMAGE_VERSION:-stable-9457-2}
         restart: ${RESTART_POLICY:-unless-stopped}
         ports:
             - '${HTTP_PORT}:80'
@@ -25,6 +25,7 @@ services:
             - COLIBRI_WEBSOCKET_JVB_LOOKUP_NAME
             - COLIBRI_WEBSOCKET_REGEX
             - CONFCODE_URL
+            - CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN
             - DEFAULT_LANGUAGE
             - DEPLOYMENTINFO_ENVIRONMENT
             - DEPLOYMENTINFO_ENVIRONMENT_TYPE
@@ -179,7 +180,7 @@ services:
 
                 # XMPP server
     prosody:
-        image: jitsi/prosody:${JITSI_IMAGE_VERSION:-stable-9364-1}
+        image: jitsi/prosody:${JITSI_IMAGE_VERSION:-stable-9457-2}
         restart: ${RESTART_POLICY:-unless-stopped}
         expose:
             - '${XMPP_PORT:-5222}'
@@ -231,6 +232,7 @@ services:
             - JWT_ALLOW_EMPTY
             - JWT_AUTH_TYPE
             - JWT_ENABLE_DOMAIN_VERIFICATION
+            - JWT_SIGN_TYPE
             - JWT_TOKEN_AUTH_MODULE
             - MATRIX_UVS_URL
             - MATRIX_UVS_ISSUER
@@ -311,7 +313,7 @@ services:
 
     # Focus component
     jicofo:
-        image: jitsi/jicofo:${JITSI_IMAGE_VERSION:-stable-9364-1}
+        image: jitsi/jicofo:${JITSI_IMAGE_VERSION:-stable-9457-2}
         restart: ${RESTART_POLICY:-unless-stopped}
         ports:
             - '127.0.0.1:${JICOFO_REST_PORT:-8888}:8888'
@@ -360,6 +362,7 @@ services:
             - JIBRI_PENDING_TIMEOUT
             - JIGASI_BREWERY_MUC
             - JIGASI_SIP_URI
+            - JIGASI_TRUSTED_DOMAINS
             - JVB_BREWERY_MUC
             - JVB_XMPP_AUTH_DOMAIN
             - JVB_XMPP_INTERNAL_MUC_DOMAIN
@@ -394,7 +397,7 @@ services:
 
                 # Video bridge
     jvb:
-        image: jitsi/jvb:${JITSI_IMAGE_VERSION:-stable-9364-1}
+        image: jitsi/jvb:${JITSI_IMAGE_VERSION:-stable-9457-2}
         restart: ${RESTART_POLICY:-unless-stopped}
         ports:
             - '${JVB_PORT:-10000}:${JVB_PORT:-10000}/udp'

diff --git a/jibri.yml b/jibri.yml
@@ -2,7 +2,7 @@ version: '3.5'
 
 services:
     jibri:
-        image: jitsi/jibri:${JITSI_IMAGE_VERSION:-stable-9364-1}
+        image: jitsi/jibri:${JITSI_IMAGE_VERSION:-stable-9457-2}
         restart: ${RESTART_POLICY:-unless-stopped}
         volumes:
             - ${CONFIG}/jibri:/config:Z
@@ -41,6 +41,8 @@ services:
             - JIBRI_USAGE_TIMEOUT
             - JIBRI_XMPP_USER
             - JIBRI_XMPP_PASSWORD
+            - JIBRI_XORG_HORIZ_SYNC
+            - JIBRI_XORG_VERT_REFRESH
             - JIBRI_BREWERY_MUC
             - JIBRI_RECORDER_USER
             - JIBRI_RECORDER_PASSWORD

diff --git a/jibri/rootfs/defaults/autoscaler-sidecar.config b/jibri/rootfs/defaults/autoscaler-sidecar.config
@@ -9,6 +9,7 @@ export TERMINATE_SCRIPT="/opt/jitsi/jibri/shutdown.sh"
 export ENABLE_REPORT_STATS=true
 export POLLING_URL="{{ .Env.AUTOSCALER_URL  }}/sidecar/poll"
 export STATUS_URL="{{ .Env.AUTOSCALER_URL }}/sidecar/status"
+export SHUTDOWN_URL="{{ .Env.AUTOSCALER_URL }}/sidecar/shutdown"
 export STATS_RETRIEVE_URL="http://localhost:{{ $JIBRI_HTTP_API_EXTERNAL_PORT }}/jibri/api/v1.0/health"
 export STATS_REPORT_URL="{{ .Env.AUTOSCALER_URL }}/sidecar/stats"
 export ASAP_SIGNING_KEY_FILE="{{ .Env.AUTOSCALER_SIDECAR_KEY_FILE }}"

diff --git a/jibri/rootfs/defaults/xorg-video-dummy.conf b/jibri/rootfs/defaults/xorg-video-dummy.conf
@@ -1,4 +1,6 @@
 {{ $JIBRI_RECORDING_RESOLUTION := .Env.JIBRI_RECORDING_RESOLUTION | default "1280x720" -}}
+{{ $JIBRI_HORIZ_SYNC := .Env.JIBRI_XORG_HORIZ_SYNC | default "43.0 - 47.0" -}}
+{{ $JIBRI_VERT_REFRESH := .Env.JIBRI_XORG_VERT_REFRESH | default "58.0 - 62.0" -}}
 
 # This xorg configuration file is meant to be used by xpra
 # to start a dummy X11 server.
@@ -24,8 +26,8 @@ EndSection
 
 Section "Monitor"
   Identifier "dummy_monitor"
-  HorizSync   5.0 - 1000.0
-  VertRefresh 5.0 - 200.0
+  HorizSync   {{ $JIBRI_HORIZ_SYNC }}
+  VertRefresh {{ $JIBRI_VERT_REFRESH }}
   #This can be used to get a specific DPI, but only for the default resolution:
   #DisplaySize 508 317
   #NOTE: the highest modes will not work without increasing the VideoRam
@@ -63,6 +65,7 @@ Section "Monitor"
   Modeline "1360x768" 24.49 1360 1392 1480 1512 768 786 789 807
   Modeline "1024x768" 18.71 1024 1056 1120 1152 768 786 789 807
   Modeline "768x1024" 19.50 768 800 872 904 1024 1048 1052 1076
+  Modeline "1280x720@60" 73.78 1280 1312 1592 1624 720 735 742 757
 
 
   #common resolutions for android devices (both orientations):

diff --git a/jigasi.yml b/jigasi.yml
@@ -3,7 +3,7 @@ version: '3.5'
 services:
     # SIP gateway (audio)
     jigasi:
-        image: jitsi/jigasi:${JITSI_IMAGE_VERSION:-stable-9364-1}
+        image: jitsi/jigasi:${JITSI_IMAGE_VERSION:-stable-9457-2}
         restart: ${RESTART_POLICY:-unless-stopped}
         ports:
             - '${JIGASI_PORT_MIN:-20000}-${JIGASI_PORT_MAX:-20050}:${JIGASI_PORT_MIN:-20000}-${JIGASI_PORT_MAX:-20050}/udp'

diff --git a/jigasi/rootfs/defaults/autoscaler-sidecar.config b/jigasi/rootfs/defaults/autoscaler-sidecar.config
@@ -9,6 +9,7 @@ export TERMINATE_SCRIPT="/opt/jitsi/shutdown.sh"
 export ENABLE_REPORT_STATS=true
 export POLLING_URL="{{ .Env.AUTOSCALER_URL  }}/sidecar/poll"
 export STATUS_URL="{{ .Env.AUTOSCALER_URL }}/sidecar/status"
+export SHUTDOWN_URL="{{ .Env.AUTOSCALER_URL }}/sidecar/shutdown"
 export STATS_RETRIEVE_URL="http://localhost:{{ $JIGASI_STATS_PORT }}/about/stats"
 export STATS_REPORT_URL="{{ .Env.AUTOSCALER_URL }}/sidecar/stats"
 export ASAP_SIGNING_KEY_FILE="{{ .Env.AUTOSCALER_SIDECAR_KEY_FILE }}"

diff --git a/jigasi/rootfs/defaults/sip-communicator.properties b/jigasi/rootfs/defaults/sip-communicator.properties
@@ -12,6 +12,8 @@
 {{ $SHUTDOWN_REST_ENABLED := .Env.SHUTDOWN_REST_ENABLED | default "false" | toBool -}}
 {{ $DISABLE_SIP := .Env.JIGASI_DISABLE_SIP | default "false" | toBool -}}
 {{/* assign env from context, preserve during range when . is re-assigned */}}
+{{ $TRUSTED_DOMAIN_LIST := .Env.JIGASI_TRUSTED_DOMAINS | default "" -}}
+{{ $TRUSTED_DOMAINS := splitList "," $TRUSTED_DOMAIN_LIST -}}
 {{ $ENV := .Env -}}
 
 net.java.sip.communicator.impl.protocol.SingleCallInProgressPolicy.enabled=false
@@ -180,3 +182,8 @@ org.jitsi.jigasi.DEFAULT_JVB_ROOM_NAME={{ .Env.JIGASI_SIP_DEFAULT_ROOM }}
 {{ end }}
 
 org.jitsi.jigasi.MUC_SERVICE_ADDRESS={{ $XMPP_MUC_DOMAIN }}
+
+# when checking other participants whether they are jibri/jigasi we can also check the the domain they use for connecting
+{{ if $TRUSTED_DOMAIN_LIST }}
+org.jitsi.jigasi.TRUSTED_DOMAINS=[ {{ range $index, $element := $TRUSTED_DOMAINS }}{{ if gt $index 0 }},{{ end }}"{{ $element }}"{{ end}} ]
+{{ end }}
diff --git a/jvb/rootfs/defaults/autoscaler-sidecar.config b/jvb/rootfs/defaults/autoscaler-sidecar.config
@@ -9,6 +9,7 @@ export TERMINATE_SCRIPT="/opt/jitsi/shutdown.sh"
 export ENABLE_REPORT_STATS=true
 export POLLING_URL="{{ .Env.AUTOSCALER_URL  }}/sidecar/poll"
 export STATUS_URL="{{ .Env.AUTOSCALER_URL }}/sidecar/status"
+export SHUTDOWN_URL="{{ .Env.AUTOSCALER_URL }}/sidecar/shutdown"
 export STATS_RETRIEVE_URL="http://localhost:{{ $JVB_COLIBRI_PORT }}/colibri/stats"
 export STATS_REPORT_URL="{{ .Env.AUTOSCALER_URL }}/sidecar/stats"
 export ASAP_SIGNING_KEY_FILE="{{ .Env.AUTOSCALER_SIDECAR_KEY_FILE }}"

diff --git a/prosody/Dockerfile b/prosody/Dockerfile
@@ -31,7 +31,7 @@ ARG VERSION_JITSI_CONTRIB_PROSODY_PLUGINS="20240117"
 ARG VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN="1.8.0"
 
 RUN wget -qO /etc/apt/trusted.gpg.d/prosody.gpg https://prosody.im/files/prosody-debian-packages.key && \
-    echo "deb http://packages.prosody.im/debian bullseye main" > /etc/apt/sources.list.d/prosody.list && \
+    echo "deb http://packages.prosody.im/debian bookworm main" > /etc/apt/sources.list.d/prosody.list && \
     apt-dpkg-wrap apt-get update && \
     apt-dpkg-wrap apt-get install -y \
       lua5.4 \
@@ -64,9 +64,8 @@ RUN wget -qO /etc/apt/trusted.gpg.d/prosody.gpg https://prosody.im/files/prosody
     rm -rf prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz && \
     wget -q https://github.com/jitsi-contrib/prosody-plugins/archive/refs/tags/v$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS.tar.gz && \
     tar -xf v$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS.tar.gz && \
-    mv prosody-plugins-$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS/auth_hybrid_matrix_token/mod_auth_hybrid_matrix_token.lua /prosody-plugins && \
-    mv prosody-plugins-$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS/auth_hybrid_matrix_token/mod_matrix_affiliation.lua /prosody-plugins && \
-    mv prosody-plugins-$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS/auth_hybrid_matrix_token/mod_matrix_lobby_bypass.lua /prosody-plugins && \
+    mkdir /prosody-plugins-contrib && \
+    cp -a prosody-plugins-$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS/*  /prosody-plugins-contrib && \
     rm -rf prosody-plugins-$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS v$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS.tar.gz
 
 COPY rootfs/ /

diff --git a/prosody/rootfs/defaults/conf.d/brewery.cfg.lua b/prosody/rootfs/defaults/conf.d/brewery.cfg.lua
@@ -10,7 +10,7 @@ admins = {
     "{{ $JVB_AUTH_USER }}@{{ $JVB_XMPP_AUTH_DOMAIN }}"
 }
 
-plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }
+plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom", "/prosody-plugins-contrib" }
 
 VirtualHost "{{ $JVB_XMPP_AUTH_DOMAIN }}"
     authentication = "internal_hashed"

diff --git a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
@@ -34,6 +34,7 @@
 {{ $TURN_PORT := .Env.TURN_PORT | default "443" -}}
 {{ $TURN_TRANSPORT := .Env.TURN_TRANSPORT | default "tcp" -}}
 {{ $TURN_TRANSPORTS := splitList "," $TURN_TRANSPORT -}}
+{{ $TURN_TTL := .Env.TURN_TTL | default "86400" -}}
 {{ $TURNS_HOST := .Env.TURNS_HOST | default "" -}}
 {{ $TURNS_HOSTS := splitList "," $TURNS_HOST -}}
 {{ $TURNS_PORT := .Env.TURNS_PORT | default "443" -}}
@@ -75,7 +76,7 @@ unlimited_jids = {
     "{{ $JVB_AUTH_USER }}@{{ $XMPP_AUTH_DOMAIN }}"
 }
 
-plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }
+plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom", "/prosody-plugins-contrib" }
 
 muc_mapper_domain_base = "{{ $XMPP_DOMAIN }}";
 muc_mapper_domain_prefix = "{{ $XMPP_MUC_DOMAIN_PREFIX }}";
@@ -95,15 +96,15 @@ external_services = {
     {{- range $idx1, $host := $TURN_HOSTS -}}
       {{- range $idx2, $transport := $TURN_TRANSPORTS -}}
         {{- if or $STUN_HOST $idx1 $idx2 -}},{{- end }}
-        { type = "turn", host = "{{ $host }}", port = {{ $TURN_PORT }}, transport = "{{ $transport }}", secret = true, ttl = 86400, algorithm = "turn" }
+        { type = "turn", host = "{{ $host }}", port = {{ $TURN_PORT }}, transport = "{{ $transport }}", secret = true, ttl = {{ $TURN_TTL }}, algorithm = "turn" }
       {{- end -}}
     {{- end -}}
   {{- end -}}
 
   {{- if $TURNS_HOST -}}
     {{- range $idx, $host := $TURNS_HOSTS -}}
         {{- if or $STUN_HOST $TURN_HOST $idx -}},{{- end }}
-        { type = "turns", host = "{{ $host }}", port = {{ $TURNS_PORT }}, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
+        { type = "turns", host = "{{ $host }}", port = {{ $TURNS_PORT }}, transport = "tcp", secret = true, ttl = {{ $TURN_TTL }}, algorithm = "turn" }
     {{- end }}
   {{- end }}
 };
@@ -143,6 +144,9 @@ VirtualHost "jigasi.meet.jitsi"
 VirtualHost "{{ $XMPP_DOMAIN }}"
 {{ if $ENABLE_AUTH }}
   {{ if eq $PROSODY_AUTH_TYPE "jwt" }}
+  {{ if .Env.JWT_SIGN_TYPE }}
+       signature_algorithm = "{{ .Env.JWT_SIGN_TYPE }}"
+    {{ end -}}
     authentication = "{{ $JWT_AUTH_TYPE }}"
     app_id = "{{ .Env.JWT_APP_ID }}"
     app_secret = "{{ .Env.JWT_APP_SECRET }}"

diff --git a/prosody/rootfs/defaults/conf.d/visitors.cfg.lua b/prosody/rootfs/defaults/conf.d/visitors.cfg.lua
@@ -20,6 +20,7 @@
 {{ $TURN_PORT := .Env.TURN_PORT | default "443" -}}
 {{ $TURN_TRANSPORT := .Env.TURN_TRANSPORT | default "tcp" -}}
 {{ $TURN_TRANSPORTS := splitList "," $TURN_TRANSPORT -}}
+{{ $TURN_TTL := .Env.TURN_TTL | default "86400" -}}
 {{ $TURNS_HOST := .Env.TURNS_HOST | default "" -}}
 {{ $TURNS_HOSTS := splitList "," $TURNS_HOST -}}
 {{ $TURNS_PORT := .Env.TURNS_PORT | default "443" -}}
@@ -36,7 +37,7 @@
 {{ $XMPP_SERVER_S2S_PORT := .Env.XMPP_SERVER_S2S_PORT | default $S2S_PORT -}}
 {{ $XMPP_RECORDER_DOMAIN := .Env.XMPP_RECORDER_DOMAIN | default "recorder.meet.jitsi" -}}
 
-plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }
+plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom", "/prosody-plugins-contrib" }
 
 muc_mapper_domain_base = "v{{ $VISITOR_INDEX }}.{{ $VISITORS_XMPP_DOMAIN }}";
 muc_mapper_domain_prefix = "{{ $XMPP_MUC_DOMAIN_PREFIX }}";
@@ -53,15 +54,15 @@ external_services = {
     {{- range $idx1, $host := $TURN_HOSTS -}}
       {{- range $idx2, $transport := $TURN_TRANSPORTS -}}
         {{- if or $idx1 $idx2 -}},{{- end }}
-        { type = "turn", host = "{{ $host }}", port = {{ $TURN_PORT }}, transport = "{{ $transport }}", secret = true, ttl = 86400, algorithm = "turn" }
+        { type = "turn", host = "{{ $host }}", port = {{ $TURN_PORT }}, transport = "{{ $transport }}", secret = true, ttl = {{ $TURN_TTL }}, algorithm = "turn" }
       {{- end -}}
     {{- end -}}
   {{- end -}}
 
   {{- if $TURNS_HOST -}}
     {{- range $idx, $host := $TURNS_HOSTS -}}
         {{- if or $TURN_HOST $idx -}},{{- end }}
-        { type = "turns", host = "{{ $host }}", port = {{ $TURNS_PORT }}, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
+        { type = "turns", host = "{{ $host }}", port = {{ $TURNS_PORT }}, transport = "tcp", secret = true, ttl = {{ $TURN_TTL }}, algorithm = "turn" }
     {{- end }}
   {{- end }}
 };

diff --git a/prosody/rootfs/defaults/prosody.cfg.lua b/prosody/rootfs/defaults/prosody.cfg.lua
@@ -4,8 +4,8 @@
 {{ $ENABLE_VISITORS := .Env.ENABLE_VISITORS | default "0" | toBool -}}
 {{ $ENABLE_S2S := or $ENABLE_VISITORS ( .Env.PROSODY_ENABLE_S2S | default "0" | toBool ) }}
 {{ $ENABLE_IPV6 := .Env.ENABLE_IPV6 | default "true" | toBool -}}
-{{ $GC_TYPE := .Env.GC_TYPE | default "generational" -}}
-{{ $GC_INC_TH := .Env.GC_INC_TH | default 150 -}}
+{{ $GC_TYPE := .Env.GC_TYPE | default "incremental" -}}
+{{ $GC_INC_TH := .Env.GC_INC_TH | default 400 -}}
 {{ $GC_INC_SPEED := .Env.GC_INC_SPEED | default 250 -}}
 {{ $GC_INC_STEP_SIZE := .Env.GC_INC_STEP_SIZE | default 13 -}}
 {{ $GC_GEN_MIN_TH := .Env.GC_GEN_MIN_TH | default 20 -}}

diff --git a/prosody/rootfs/usr/bin/init_jitsi_prosody b/prosody/rootfs/usr/bin/init_jitsi_prosody
@@ -26,6 +26,9 @@ if [[ "$(stat -c %U /prosody-plugins-custom)" != "prosody" ]]; then
     chown -R prosody /prosody-plugins-custom
 fi
 
+if [[ "$(stat -c %U /prosody-plugins-contrib)" != "prosody" ]]; then
+    chown -R prosody /prosody-plugins-contrib
+fi
 
 mkdir /config/certs
 cp -r /defaults/* /config

diff --git a/web/Dockerfile b/web/Dockerfile
@@ -8,7 +8,7 @@ LABEL org.opencontainers.image.url="https://jitsi.org/jitsi-meet/"
 LABEL org.opencontainers.image.source="https://github.com/jitsi/docker-jitsi-meet"
 LABEL org.opencontainers.image.documentation="https://jitsi.github.io/handbook/"
 
-ADD https://raw.githubusercontent.com/acmesh-official/acme.sh/2.8.8/acme.sh /opt
+ADD https://raw.githubusercontent.com/acmesh-official/acme.sh/3.0.7/acme.sh /opt
 COPY rootfs/ /
 
 RUN apt-dpkg-wrap apt-get update && \

diff --git a/web/rootfs/defaults/meet.conf b/web/rootfs/defaults/meet.conf
@@ -8,6 +8,7 @@
 {{ $ENABLE_SUBDOMAINS := .Env.ENABLE_SUBDOMAINS | default "true" | toBool -}}
 {{ $XMPP_DOMAIN := .Env.XMPP_DOMAIN | default "meet.jitsi" -}}
 {{ $XMPP_BOSH_URL_BASE := .Env.XMPP_BOSH_URL_BASE | default "http://xmpp.meet.jitsi:5280" -}}
+{{ $CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN := .Env.CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN | default "*" }}
 
 server_name _;
 
@@ -60,7 +61,7 @@ location = /_api/room-info {
 
 # ensure all static content can always be found first
 location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$ {
-    add_header 'Access-Control-Allow-Origin' '*';
+    add_header 'Access-Control-Allow-Origin' '{{ $CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN }}';
     alias /usr/share/jitsi-meet/$1/$2;
 
     # cache all versioned files
@@ -192,7 +193,7 @@ location @root_path {
         rewrite ^/_load-test/(.*)$ /load-test/index.html break;
     }
     location ~ ^/_load-test/libs/(.*)$ {
-        add_header 'Access-Control-Allow-Origin' '*';
+        add_header 'Access-Control-Allow-Origin' '{{ $CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN }}';
         alias /usr/share/jitsi-meet/load-test/libs/$1;
     }
 

diff --git a/web/rootfs/defaults/nginx.conf b/web/rootfs/defaults/nginx.conf
@@ -32,8 +32,6 @@ http {
 
  	include /etc/nginx/mime.types;
 	types {
-		# add support for wasm MIME type, that is required by specification and it is not part of default mime.types file
-		application/wasm wasm;
 		# add support for the wav MIME type that is requried to playback wav files in Firefox.
 		audio/wav        wav;
 	}