502 Proxy Error

Hi there,

after installing jitsi everything works fine on my local network, except external access. I have a Sophos XG Firewall where I configured a WAF-rule and it shows:

502 Proxy Error
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request.

Reason: Error reading from remote server

I wonder if the error is from the Sophos firewall or from the nginx server on the jitsi vm?

I configured /etc/jitsi/videobridge/sip-communicator.properties like this:

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=INTERNAL IP
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=EXTERNAL IP

What logfiles can I look at to investigate the problem?

Kind regards

Christian

Here is the line from the nginx error.log:

2020/04/23 14:21:17 [error] 828#828: *13 connect() failed (111: Connection refused) while connecting to upstream, client: *SOPHOS-Firewall-IP*, server: 0.0.0.0:443, upstream: "127.0.0.1:4445", bytes from/to client:0/0, bytes from/to upstream:0/0

I solved the problem by adding proxy_read_timeout 1800; to /http-bind location
But I’m not sure this solves everything

Hi hkhait! And thank you for your answer. Can you please tell me in which config file I have to add the line?

/etc/nginx/sites-enabled/your-domain.conf
location /http-bind {
    proxy_pass http://localhost:5280/http-bind;
    proxy_set_header Host $http_host;
    proxy_read_timeout 1800;
}

or use websockets as mentioned here: Sometime BOSH http-bind return 502

Tried the timeout setting - didn’t work :roll_eyes:

Hum well upgrade it to websockets then

I’m glad I found the reason for the 502 error. My jitsi server was configured to listen on port 4444, but in the WAF rule on the Sophos firewall port 443 was configured.
https://github.com/jitsi/jitsi-meet/issues/5487#issuecomment-606652846
Thanks to @tomiboy78

Hi damencho, that fix worked on an SG Firewall. I’m not sure that it will fix it on an XG, and it was a different problem.

Everything is fine with an older instance of jitsi. With the latest released version I’m facing the same problems.

Hi,
I have the same problems with Sophos UTM. I installed jitsi yesterday, with the actual Ubuntu updates.
With the local IP it works fine, but externally with the WAF and port 443 there is the same error “502 Proxy Error”.

Does anyone have an idea?

Hello matze-pe,

please have a look in your /etc/nginx/sites-enabled/server.example.local.conf.

Search this line to verify the port jitsi is listening:

server {
    listen 4444 ssl http2;

Hello chris,
yes, I have checked this port, here are my settings. The port 4444 was the default.

server {
    listen 4444 ssl http2;
    listen [::]:4444 ssl http2;
    server_name meet.mydomain.de;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

Ok. Since we have a XG I don’t know if it’s the same on UTM…
On the XG I have to create a webserver object for my internal jitsi-server. There I have to set port 4444. The default port 443 will result in the 502 proxy error.
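
A quick check for the port mismatch discussed in this thread, as an added example that is not from any of the posters: it reads the TLS `listen` ports from an nginx site config and compares them with the port set on the WAF backend (real webserver) object. The function names and the sample config, including the placeholder host name `meet.example.org`, are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the port a WAF backend object targets with the
# ports nginx actually serves TLS on.

# Print the TLS listen ports of an nginx site config, one per line, unique.
nginx_tls_ports() {
    # $1 = path to the nginx site config
    sed -e 's/#.*//' "$1" |
    awk '
        $1 == "listen" && /ssl/ {
            addr = $2
            sub(/;$/, "", addr)
            # Handles "4444", "127.0.0.1:4444" and "[::]:4444".
            n = split(addr, parts, ":")
            if (parts[n] ~ /^[0-9]+$/) print parts[n]
        }
    ' | sort -un
}

# Return 0 if the WAF backend port matches an nginx TLS listener, else 1.
check_waf_backend_port() {
    # $1 = nginx site config, $2 = port configured on the WAF backend object
    ports=$(nginx_tls_ports "$1")
    for p in $ports; do
        if [ "$p" = "$2" ]; then
            echo "OK: nginx serves TLS on port $2"
            return 0
        fi
    done
    echo "MISMATCH: WAF targets port $2, nginx TLS listeners: $(echo $ports)"
    return 1
}

# Constructed sample, modelled on the server block quoted in this thread.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 4444 ssl http2;
    listen [::]:4444 ssl http2;
    server_name meet.example.org;
}
EOF

check_waf_backend_port "$SAMPLE_CONF" 443 || true   # WAF default port: mismatch
check_waf_backend_port "$SAMPLE_CONF" 4444          # matches the nginx listener
```

On a real host, pass the site file under /etc/nginx/sites-enabled/ and the port entered in the WAF webserver object.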

It’s the same with UTM.
I created a real web server “internal IP with port 443 and https”, then a virtual web server with “HTTPS forwarding” and the Let’s Encrypt cert to a real web server.

When changing the real webserver port from 443 to 4444 it runs into a timeout; internally the port cannot be opened: https://local-IP:4444

It runs :slight_smile:
The real webserver must have port 4444, and the jitsi / nginx webserver has the UFW firewall. TCP port 4444 must be allowed there:

ufw allow 4444/tcp
ufw status   # check if open

Next problem: I have no video or audio signal in my meeting room.
UDP ports are open (10000-20000), and a DNAT rule too, to the Jitsi server with UDP10000:20000.
In the UFW firewall on the jitsi server UDP10000-2000 is open too.

Do you have an idea?

FritzBox is “Exposed Host, all Ports open to Sophos”

Glad it works :grinning:

Don’t forget to edit your /etc/jitsi/videobridge/sip-communicator.properties:

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=INTERNAL IP
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=EXTERNAL IP

yeeahhh…it works fine :slight_smile: thanks…

I have a dynamic public IP in my homelab. Do you have an idea how to fix it with a batch script or another trick? :slight_smile:

Best regards
matthias