Can't connect with Android app, browsers do work: nginx or coturn misconfiguration?

Dear all, I’m stuck.

The vc.kuznetsov.md instance that I run worked just fine before the last apt upgrade. Now users can no longer connect with the Android app, while browsers (Firefox and Chrome) work OK, even on the same Android devices.

I have read similar threads and was able to track the issue down to what seems to be either nginx or coturn misconfiguration, but I can’t seem to figure out what exactly is wrong. Here’s what I was able to pinpoint:

  • adb logcat shows there’s no answer from the server, looks like TLS handshake fails;
  • Firefox thinks the certificate is perfectly OK and works;
  • both DigiCert and whatsmychaincert fail to detect TLS on the server;
  • ‘nginx’ complains in error logs:
connect() failed (111: Connection refused) while connecting to upstream, client: [IP], server: 0.0.0.0:443, upstream: "127.0.0.1:5349", bytes from/to client:0/0, bytes from/to upstream:0/0

It looks like /etc/nginx/modules-enabled/60-jitsi-meet.conf is trying to redirect the request to coturn at the default TURN port 5349:

cat /etc/nginx/modules-enabled/60-jitsi-meet.conf

# this is jitsi-meet nginx module configuration
# this forward all http traffic to the nginx virtual host port
# and the rest to the turn server
#
# Multiplexing based on ALPN is DEPRECATED. ALPN does not play well with websockets on some browsers and reverse proxies.
# To migrate away from using it read: https://jitsi.org/multiplexing-to-bridge-ws-howto
# This file will be removed at some point and if deployment is still using it, will break.
#
stream {
    upstream web {
        server 127.0.0.1:4444;
    }
    upstream turn {
        server 127.0.0.1:5349;
    }
    # since 1.13.10
    map $ssl_preread_alpn_protocols $upstream {
        ~\bh2\b         web;
        ~\bhttp/1\.     web;
        default         turn;
    }

    server {
        listen 443;
        listen [::]:443;

        # since 1.11.5
        ssl_preread on;
        proxy_pass $upstream;

        # Increase buffer to serve video
        proxy_buffer_size 10m;
    }
}

however, no one is listening at 5349, because coturn is configured to use other ports:

cat /etc/turnserver.conf

# jitsi-meet coturn config. Do not modify this line
use-auth-secret
keep-address-family
static-auth-secret=[some secret]
realm=vc.kuznetsov.md
cert=/etc/coturn/certs/vc.kuznetsov.md.fullchain.pem
pkey=/etc/coturn/certs/vc.kuznetsov.md.privkey.pem

no-tcp
listening-port=4446
tls-listening-port=4445
external-ip=142.93.142.153

syslog
# jitsi-meet coturn relay disable config. Do not modify this line
no-multicast-peers
no-cli
no-loopback-peers
no-tcp-relay
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255

It looks like either nginx or coturn configuration has the wrong port, but which one? Or am I missing something else, totally different? I tried to have nginx expect TURN on 4445, and this makes the TLS checks pass, but the app still fails to connect, and the nginx error log says:

recv() failed (104: Connection reset by peer) while proxying and reading from upstream, client: [IP], server: 0.0.0.0:443, upstream: "127.0.0.1:4445", bytes from/to client:618/3513, bytes from/to upstream:3513/1135
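The mismatch in the post can be checked mechanically: nginx's `turn` upstream must point at the port coturn actually serves TLS on (`tls-listening-port`), since everything without an HTTP ALPN is forwarded there. The following is an added example, not code from the post or from Jitsi; the two config excerpts are constructed from the files quoted above, and `check_turn_routing` is a hypothetical helper name.

```python
import re

# Constructed excerpts of the two files quoted in the post (not the live files).
NGINX_STREAM_CONF = r"""
stream {
    upstream web {
        server 127.0.0.1:4444;
    }
    upstream turn {
        server 127.0.0.1:5349;
    }
    map $ssl_preread_alpn_protocols $upstream {
        ~\bh2\b         web;
        ~\bhttp/1\.     web;
        default         turn;
    }
}
"""

TURNSERVER_CONF = """
no-tcp
listening-port=4446
tls-listening-port=4445
realm=vc.kuznetsov.md
"""

def nginx_upstreams(text):
    """Map each `upstream NAME { server HOST:PORT; }` block to its port."""
    result = {}
    for m in re.finditer(r'upstream\s+(\w+)\s*\{([^}]*)\}', text):
        name, body = m.group(1), m.group(2)
        srv = re.search(r'server\s+\S+:(\d+)\s*;', body)
        if srv:
            result[name] = int(srv.group(1))
    return result

def coturn_ports(text):
    """Pick out the plain and TLS listening ports from turnserver.conf."""
    ports = {}
    for key in ('listening-port', 'tls-listening-port'):
        m = re.search(r'^\s*' + key + r'\s*=\s*(\d+)', text, re.M)
        if m:
            ports[key] = int(m.group(1))
    return ports

def check_turn_routing(nginx_text, turn_text):
    """Return findings; an empty list means the non-HTTP ALPN path from
    nginx :443 lands on the port where coturn terminates TLS."""
    findings = []
    ups = nginx_upstreams(nginx_text)
    tls_port = coturn_ports(turn_text).get('tls-listening-port')
    if 'turn' not in ups:
        findings.append("nginx stream block has no 'turn' upstream")
    elif tls_port is None:
        findings.append("turnserver.conf sets no tls-listening-port")
    elif ups['turn'] != tls_port:
        findings.append(f"nginx forwards non-HTTP ALPN to 127.0.0.1:{ups['turn']} "
                        f"but coturn listens for TLS on {tls_port}")
    return findings

if __name__ == "__main__":
    print(check_turn_routing(NGINX_STREAM_CONF, TURNSERVER_CONF) or "ports agree")
```

Run against the real files (`open(...).read()`) it reports the 5349/4445 disagreement from the post; it says nothing about the later "Connection reset by peer", which is a separate problem once the ports agree.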

Maybe this can help: FAQ · Jitsi Meet Handbook


Thank you! I had no idea.