Apache as proxy

Hello,

I’m trying to configure jitsi on a Debian server (testing) and I’m unable to obtain a running configuration.

This server has several network interfaces:

  • eth0 (LAN)
  • eth1 (WAN1)
  • eth2 (WAN2)
  • tap0 (VPN/TCP)
  • br0 (tap1 + tap2, VPN/UDP)
  • some virtual IP addresses

I’m trying to use eth1. This interface is connected to a VDSL2 modem that does NAT.

For several reasons, my apache2 server has to listen on *:80 and *:443. Thus, I have added to the videobridge sip-communicator.properties file:

org.jitsi.videobridge.TCP_HARVESTER_PORT=4443

Of course, this file also contains:

org.jitsi.videobridge.AUTHORIZED_SOURCE_REGEXP=focus@auth.jitsi.systella.fr/.*
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.254.1
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<ip public address>

With this file, jvb listens, for example, on TCP/192.168.254.1:4443 (I have checked with lsof). My apache2 config file for jitsi is:

<VirtualHost *:80>
    ServerName jitsi.systella.fr
    Redirect permanent / https://jitsi.systella.fr/
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
  ServerName jitsi.systella.fr

  SSLProtocol TLSv1 TLSv1.1 TLSv1.2
  SSLEngine on
  SSLProxyEngine on
  #SSLCertificateFile /etc/ssl/jitsi.systella.fr.crt
  #SSLCertificateKeyFile /etc/ssl/jitsi.systella.fr.key
  SSLCertificateFile /etc/letsencrypt/live/systella.fr/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/systella.fr/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/systella.fr/chain.pem
  SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED"
  SSLHonorCipherOrder on
  Header set Strict-Transport-Security "max-age=31536000"

  DocumentRoot "/usr/share/jitsi-meet"
  <Directory "/usr/share/jitsi-meet">
    Options Indexes MultiViews Includes FollowSymLinks
    AddOutputFilter Includes html
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>

  ErrorDocument 404 /static/404.html

  Alias "/config.js" "/etc/jitsi/meet/jitsi.systella.fr-config.js"
  <Location /config.js>
    Require all granted
  </Location>

  Alias "/external_api.js" "/usr/share/jitsi-meet/libs/external_api.min.js"
  <Location /external_api.js>
    Require all granted
  </Location>

  ProxyPass / http://192.168.254.1:4443/
  ProxyPassReverse / http://192.168.254.1:4443/

  ProxyPreserveHost on
  ProxyPass /http-bind http://localhost:5280/http-bind/
  ProxyPassReverse /http-bind http://localhost:5280/http-bind/

  RewriteEngine on
  RewriteRule ^/([a-zA-Z0-9]+)$ /index.html
</VirtualHost>

If I understand what I have written, all http/https requests to jitsi.systella.fr should be forwarded to 192.168.254.1:4443.

But if I try to open https://jitsi.systella.fr, I only obtain the following in the apache log:

[Mon Apr 13 15:53:33.523903 2020] [proxy_http:error] [pid 1865806] (20014)Internal error (specific information not available): [client 192.168.10.103:34972] AH01102: error reading status line from remote server 192.168.254.1:4443, referer: https://jitsi.systella.fr/
[Mon Apr 13 15:53:33.523967 2020] [proxy:error] [pid 1865806] [client 192.168.10.103:34972] AH00898: Error reading from remote server returned by /favicon.ico, referer: https://jitsi.systella.fr/
[Mon Apr 13 15:53:41.031711 2020] [proxy_http:error] [pid 1866570] (20014)Internal error (specific information not available): [client 192.168.10.103:35000] AH01102: error reading status line from remote server 192.168.254.1:4443
[Mon Apr 13 15:53:41.031755 2020] [proxy:error] [pid 1866570] [client 192.168.10.103:35000] AH00898: Error reading from remote server returned by /
[Mon Apr 13 15:53:56.238444 2020] [proxy_http:error] [pid 1866570] (20014)Internal error (specific information not available): [client 192.168.10.103:35000] AH01102: error reading status line from remote server 192.168.254.1:4443, referer: https://jitsi.systella.fr/
[Mon Apr 13 15:54:11.551929 2020] [proxy_http:error] [pid 1866610] (20014)Internal error (specific information not available): [client 192.168.10.103:35042] AH01102: error reading status line from remote server 192.168.254.1:4443, referer: https://jitsi.systella.fr/
[Mon Apr 13 15:54:11.551983 2020] [proxy:error] [pid 1866610] [client 192.168.10.103:35042] AH00898: Error reading from remote server returned by /favicon.ico, referer: https://jitsi.systella.fr/

If I replace

  ProxyPass / http://192.168.254.1:4443/
  ProxyPassReverse / http://192.168.254.1:4443/

by

  ProxyPass / https://192.168.254.1:4443/
  ProxyPassReverse / https://192.168.254.1:4443/

I obtain the following error:

Proxy Error
The proxy server could not handle the request
Reason: Error during SSL Handshake with remote server

I suppose I have made a mistake somewhere. Help to fix my configuration will be welcome.

Best regards,

JKB
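The log lines in the post are the standard Apache 2.4 mod_proxy format: AH01102 ("error reading status line from remote server") means the backend's first bytes were not an HTTP status line, and AH00898 is the follow-up error mod_proxy returns to the client. The following added example (not part of the post, and not Jitsi or Apache code) parses such lines, groups them by AH code and upstream so a log review shows which backend is misbehaving, and classifies the first bytes a backend sends back to a plaintext HTTP request, which is the check mod_proxy_http effectively performs. The seven sample lines are copied from the post; the function names, the regexes and the "tls-record"/"other" categories are this example's own. The `probe_first_bytes` helper talks to the network and is only meant for checking one's own backend; it is not exercised by the offline sample run.

```python
"""Triage helper for Apache mod_proxy AH01102/AH00898 errors (added example).

The sample log lines are taken from the post above; everything else in this
file is an assumption of this example and not Apache's or Jitsi's own code.
"""
import re
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Seven error_log lines copied from the post (same content, one per line).
SAMPLE_LOG = """\
[Mon Apr 13 15:53:33.523903 2020] [proxy_http:error] [pid 1865806] (20014)Internal error (specific information not available): [client 192.168.10.103:34972] AH01102: error reading status line from remote server 192.168.254.1:4443, referer: https://jitsi.systella.fr/
[Mon Apr 13 15:53:33.523967 2020] [proxy:error] [pid 1865806] [client 192.168.10.103:34972] AH00898: Error reading from remote server returned by /favicon.ico, referer: https://jitsi.systella.fr/
[Mon Apr 13 15:53:41.031711 2020] [proxy_http:error] [pid 1866570] (20014)Internal error (specific information not available): [client 192.168.10.103:35000] AH01102: error reading status line from remote server 192.168.254.1:4443
[Mon Apr 13 15:53:41.031755 2020] [proxy:error] [pid 1866570] [client 192.168.10.103:35000] AH00898: Error reading from remote server returned by /
[Mon Apr 13 15:53:56.238444 2020] [proxy_http:error] [pid 1866570] (20014)Internal error (specific information not available): [client 192.168.10.103:35000] AH01102: error reading status line from remote server 192.168.254.1:4443, referer: https://jitsi.systella.fr/
[Mon Apr 13 15:54:11.551929 2020] [proxy_http:error] [pid 1866610] (20014)Internal error (specific information not available): [client 192.168.10.103:35042] AH01102: error reading status line from remote server 192.168.254.1:4443, referer: https://jitsi.systella.fr/
[Mon Apr 13 15:54:11.551983 2020] [proxy:error] [pid 1866610] [client 192.168.10.103:35042] AH00898: Error reading from remote server returned by /favicon.ico, referer: https://jitsi.systella.fr/
"""

# Apache 2.4 error_log layout: [timestamp] [module:level] [pid N] (optional APR
# status text ending in ": ") [client ip:port] AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[a-z_]+):(?P<level>[a-z]+)\] \[pid (?P<pid>\d+)\] "
    r"(?:\(\d+\)[^:]+: )?"
    r"\[client (?P<client>[^\]]+)\] (?P<code>AH\d{5}): (?P<msg>.*)$"
)
UPSTREAM_RE = re.compile(r"remote server (?P<upstream>[\w.\-]+:\d+)")
REFERER_RE = re.compile(r", referer: (?P<referer>\S+)$")


@dataclass
class ProxyError:
    ts: str
    module: str
    pid: int
    client: str
    code: str
    msg: str
    upstream: Optional[str]   # host:port named in the message, if any
    referer: Optional[str]


def parse_line(line: str) -> Optional[ProxyError]:
    """Parse one error_log line; returns None for lines that are not mod_proxy AH errors."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    up = UPSTREAM_RE.search(m["msg"])
    ref = REFERER_RE.search(m["msg"])
    return ProxyError(m["ts"], m["module"], int(m["pid"]), m["client"], m["code"],
                      m["msg"], up["upstream"] if up else None, ref["referer"] if ref else None)


def summarize(log_text: str) -> Dict[Tuple[str, str], int]:
    """Count (AH code, upstream) pairs. AH00898 lines name no upstream, so they key on '-'."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        err = parse_line(line)
        if err is not None:
            counts[(err.code, err.upstream or "-")] += 1
    return dict(counts)


def classify_first_bytes(data: bytes) -> str:
    """Classify what a backend sent first in reply to a plaintext HTTP request.

    mod_proxy_http needs 'HTTP/x.y NNN' here; anything else ends in AH01102.
    """
    if not data:
        return "empty"        # backend closed the connection or stayed silent
    if re.match(rb"^HTTP/\d\.\d \d{3}", data):
        return "http"
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls-record"   # TLS alert/handshake record: the port expects TLS, not plaintext
    return "other"            # some non-HTTP protocol is listening on that port


def probe_first_bytes(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Send a minimal HTTP/1.0 request to one's own backend and return its first bytes."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            return sock.recv(512)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    for (code, upstream), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{code} upstream={upstream}: {n} occurrence(s)")
```

Run on the post's lines, the summary attributes every AH01102 to 192.168.254.1:4443, the port the post assigned via TCP_HARVESTER_PORT; feeding that backend's reply into `classify_first_bytes` tells you whether it speaks HTTP at all before you touch the ProxyPass lines or the TLS settings.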