Hi,
I am trying to set up haproxy without success. I can’t find a complete (!) haproxy config example for Jitsi anywhere. My config generated by OpnSense looks like this:
    frontend JitsiMeetSSL
        bind 1.2.3.4:443 name 1.2.3.4:443 ssl crt-list /path/to/cert
        mode http
        option http-keep-alive
        option forwardfor
        timeout client 30s
        option httplog
        reqadd X-Forwarded-Proto:\ https
        default_backend JistMeetSSL

    backend JistMeetSSL
        mode http
        balance source
        stick-table type ip size 50k expire 30m
        stick on src
        timeout connect 30s
        timeout server 30s
        http-reuse safe
        server JitsiMeetSSL 172.27.19.10:443 ssl verify none
When I try to connect, in the NginX logs of the Jitsi server I see:
    2020/04/23 22:35:48 [error] 5749#5749: *3258 connect() failed (111: Connection refused) while connecting to upstream, client: 172.27.19.254, server: 0.0.0.0:443, upstream: "127.0.0.1:4445", bytes from/to client:0/0, bytes from/to upstream:0/0
And on the Client I get the message:
    503 Service Unavailable
    No server is available to handle this request.
When I directly connect to the Jitsi server everything works as expected.
I’ve no clue what is going wrong. Can someone please help?
EDIT: By enabling logging of “stream” in NginX I found out what the problem is but I still have no solution. In error.log a normal request looks like this:
    2020/04/24 09:30:28 [debug] 1179#1179: *33 stream map started
    2020/04/24 09:30:28 [debug] 1179#1179: *33 stream script var: "h2,http/1.1"
    2020/04/24 09:30:28 [debug] 1179#1179: *33 stream map: "h2,http/1.1" "web"
    2020/04/24 09:30:28 [debug] 1179#1179: *33 stream script var: "web"
and when it comes in via haproxy it looks like this:
    2020/04/24 09:27:08 [debug] 1179#1179: *17 stream map started
    2020/04/24 09:27:08 [debug] 1179#1179: *17 stream script var: ""
    2020/04/24 09:27:08 [debug] 1179#1179: *17 stream map: "" "turn"
    2020/04/24 09:27:08 [debug] 1179#1179: *17 stream script var: "turn"
While writing this and looking for “h2,http/1.1” in conjunction with haproxy I found the solution. “alpn h2,http/1.1” has to be added to “server” and “bind”. The config has to look like this:
    frontend JitsiMeetSSL
        bind 1.2.3.4:443 name 1.2.3.4:443 ssl alpn h2,http/1.1 crt-list /path/to/cert
        mode http
        option http-keep-alive
        option forwardfor
        timeout client 30s
        option httplog
        reqadd X-Forwarded-Proto:\ https
        default_backend JistMeetSSL

    backend JistMeetSSL
        mode http
        balance source
        stick-table type ip size 50k expire 30m
        stick on src
        timeout connect 30s
        timeout server 30s
        http-reuse safe
        server JitsiMeetSSL 172.27.19.10:443 ssl verify none alpn h2,http/1.1
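
Added example, not part of the original post: a small Python check that reads NginX stream debug lines like the ones quoted above and reports connections that offered no ALPN value and were therefore mapped to `turn`. The function names and the last sample line are constructed for illustration; the `turn` fallback name is taken from the log lines in the post.

```python
import re
from collections import Counter

# First eight lines are the ones quoted in the post; the last one is constructed.
SAMPLE_LOG = '''\
2020/04/24 09:30:28 [debug] 1179#1179: *33 stream map started
2020/04/24 09:30:28 [debug] 1179#1179: *33 stream script var: "h2,http/1.1"
2020/04/24 09:30:28 [debug] 1179#1179: *33 stream map: "h2,http/1.1" "web"
2020/04/24 09:30:28 [debug] 1179#1179: *33 stream script var: "web"
2020/04/24 09:27:08 [debug] 1179#1179: *17 stream map started
2020/04/24 09:27:08 [debug] 1179#1179: *17 stream script var: ""
2020/04/24 09:27:08 [debug] 1179#1179: *17 stream map: "" "turn"
2020/04/24 09:27:08 [debug] 1179#1179: *17 stream script var: "turn"
2020/04/24 09:31:02 [debug] 1179#1179: *41 stream map: "http/1.1" "web"
'''

# <date> <time> [debug] <pid>#<tid>: *<conn> stream map: "<alpn>" "<upstream>"
MAP_LINE = re.compile(
    r'^(?P<ts>\S+ \S+) \[debug\] \d+#\d+: \*(?P<conn>\d+) '
    r'stream map: "(?P<alpn>[^"]*)" "(?P<upstream>[^"]*)"\s*$'
)

def parse_map_decisions(log_text):
    """Return one dict per 'stream map' decision line; ignore all other lines."""
    decisions = []
    for line in log_text.splitlines():
        m = MAP_LINE.match(line)
        if m:
            d = m.groupdict()
            d["conn"] = int(d["conn"])
            d["protocols"] = [p for p in d["alpn"].split(",") if p]
            decisions.append(d)
    return decisions

def misrouted_no_alpn(decisions, fallback="turn"):
    """Connections that offered no ALPN and were mapped to the fallback upstream."""
    return [d for d in decisions if not d["protocols"] and d["upstream"] == fallback]

def summarize(decisions):
    """Count decisions per (offered ALPN, chosen upstream) pair."""
    return Counter((d["alpn"] or "<none>", d["upstream"]) for d in decisions)

if __name__ == "__main__":
    found = parse_map_decisions(SAMPLE_LOG)
    for (alpn, upstream), n in sorted(summarize(found).items()):
        print(f"{n:3d}  alpn={alpn:<14} -> {upstream}")
    for d in misrouted_no_alpn(found):
        print(f"no ALPN offered: conn *{d['conn']} at {d['ts']} sent to {d['upstream']}")
```

Run against the real error.log, a non-empty result from `misrouted_no_alpn` means some TLS client in front of NginX, such as a proxy without `alpn` on its `server` line, is still connecting without ALPN.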