Haproxy configuration

Hi,

I try to set up haproxy without success. I can’t find a complete (!) haproxy config example for Jitsi anywhere. My config generated by OpnSense looks like this:

frontend JitsiMeetSSL
    bind 1.2.3.4:443 name 1.2.3.4:443 ssl  crt-list /path/to/cert
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 30s
    option httplog
    reqadd X-Forwarded-Proto:\ https
    default_backend JistMeetSSL

backend JistMeetSSL
    mode http
    balance source
    stick-table type ip size 50k expire 30m  
    stick on src
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server JitsiMeetSSL 172.27.19.10:443 ssl verify none

When I try to connect, in the NginX logs of the Jitsi server I see:

2020/04/23 22:35:48 [error] 5749#5749: *3258 connect()
failed (111: Connection refused) while connecting to upstream,
client: 172.27.19.254, server: 0.0.0.0:443, upstream: "127.0.0.1:4445",
bytes from/to client:0/0, bytes from/to upstream:0/0

And on the Client I get the message:

503 Service Unavailable
No server is available to handle this request.

When I directly connect to the Jitsi server everything works as expected.

I’ve no clue what is going wrong. Can someone please help?

EDIT: By enabling logging of “stream” in NginX I found out what the problem is but I still have no solution. In error.log a normal request looks like this:

2020/04/24 09:30:28 [debug] 1179#1179: *33 stream map started
2020/04/24 09:30:28 [debug] 1179#1179: *33 stream script var: "h2,http/1.1"
2020/04/24 09:30:28 [debug] 1179#1179: *33 stream map: "h2,http/1.1" "web"
2020/04/24 09:30:28 [debug] 1179#1179: *33 stream script var: "web"

and when it comes in via haproxy it looks like this:

2020/04/24 09:27:08 [debug] 1179#1179: *17 stream map started
2020/04/24 09:27:08 [debug] 1179#1179: *17 stream script var: ""
2020/04/24 09:27:08 [debug] 1179#1179: *17 stream map: "" "turn"
2020/04/24 09:27:08 [debug] 1179#1179: *17 stream script var: "turn"

While writing this and looking for “h2,http/1.1” in conjunction with haproxy I found the solution. “alpn h2,http/1.1” has to be added to “server” and “bind”. The config has to look like this:

frontend JitsiMeetSSL
    bind 1.2.3.4:443 name 1.2.3.4:443 ssl alpn h2,http/1.1 crt-list /path/to/cert
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 30s
    option httplog
    reqadd X-Forwarded-Proto:\ https
    default_backend JistMeetSSL

backend JistMeetSSL
    mode http
    balance source
    stick-table type ip size 50k expire 30m  
    stick on src
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server JitsiMeetSSL 172.27.19.10:443 ssl verify none alpn h2,http/1.1
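
Added example, not part of the original post: a Python sketch that reads the ALPN extension from a TLS ClientHello, the value the nginx stream map logs above, and shows why a hello without ALPN ends up on "turn". The ClientHello bytes are constructed test data, and `route()` is an assumed rule inferred from the two logged map results, not the actual nginx map.

```python
import struct

ALPN_EXT = 16  # TLS extension type for ALPN (RFC 7301)

def build_client_hello(alpn=None):
    """Build a minimal, constructed TLS ClientHello record for testing."""
    exts = b""
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        data = struct.pack("!H", len(protos)) + protos
        exts += struct.pack("!HH", ALPN_EXT, len(data)) + data
    body = (b"\x03\x03" + bytes(32)            # version, random
            + b"\x00"                          # empty session id
            + b"\x00\x02\x13\x01"              # one cipher suite
            + b"\x01\x00"                      # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def preread_alpn(record):
    """Return the ALPN list as a comma-joined string, "" if absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    pos = 9 + 2 + 32                           # headers, version, random
    pos += 1 + record[pos]                     # session id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")  # cipher suites
    pos += 1 + record[pos]                     # compression methods
    if pos + 2 > len(record):
        return ""                              # no extensions block
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == ALPN_EXT:
            data, names, i = record[pos + 2:pos + elen], [], 0
            while i < len(data):               # length-prefixed names
                names.append(data[i + 1:i + 1 + data[i]].decode())
                i += 1 + data[i]
            return ",".join(names)
        pos += elen
    return ""

def route(alpn):
    """Assumed map rule, inferred from the logged values: web ALPN -> web."""
    web = {"h2", "http/1.1"}
    return "web" if web & set(alpn.split(",")) else "turn"
```

A hello built with `["h2", "http/1.1"]` corresponds to the haproxy `server` line with `alpn h2,http/1.1`; a hello built with no ALPN corresponds to the original `server` line and yields the empty string seen in the second log excerpt.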

have you been able to solve it?

Yes, as written in the edit of my post. I had to add “alpn h2,http/1.1” in frontend and backend.

My haproxy is running on Debian and due to this I had another problem and a fix. See:

Hello Guys,

I need help to configure Jigasi with haproxy.

For your front end section what is this 1.2.3.4 name 1.2.3.4 bit? Is that 1.2.3.4 supposed to be replaced with something meaningful?

bind PUBLIC-IP-HERE:443 name my.jitsi-domain.com:443 ssl alpn h2,http/1.1 crt-list /path/to/cert
