HAProxy Configuration

There is a bug that I have been trying to fix without success.
Here is what's going on.
I am using Shibboleth auth.
I have a sticky table that parses the name of the conference from the following URLs:

jitsi.domain/http-bind?room=MeetinginUS
jitsi.domain/login/?machineUID=f39c7b7a40b380c0496755f43655c27f&room=MeetinginUS@muc.meet.jitsi&close=false
jitsi-domain/phoneNumberList.js?conference=MeetinginUS@muc.meet.jitsi

And I can redirect users to specific backends based on the meeting name, in this case “MeetingUS”.

The problem is the following scenario:

User in USA creates a meeting but doesn't authenticate. Meeting name "MeetingUS" gets added to the USA sticky table.
User in Asia opens MeetingUS and tries to authenticate.
User in Asia first hits this link: jitsi.domain/http-bind?room=MeetinginUS (Backend US Server)
User in Asia then hits this link: jitsi.domain/login/?machineUID=f39c7b7a40b380c0496755f43655c27f&room=MeetinginUS@muc.meet.jitsi&close=false (Backend US Server)
User in Asia then hits this link: jitsi.domain/Shibboleth.sso/SAML2/POST (Backend Asia Server), and authentication fails because the session got initiated on the US server.

There is no room name in jitsi.domain/Shibboleth.sso/SAML2/POST.
How can I redirect the user in Asia to use the backend US server when /Shibboleth.sso/SAML2/POST is hit?

Hi. So, I tried your HAProxy configuration. I just have a quick question. The http-bind request should come directly to the HAProxy server and not the Jitsi-meet server, right? Only then will the table mapping be created. How/where can we specify that?

I modified the BOSH URL in the domain-config.js file; however, I can start a conference, and then another participant can’t join that conference: it times out at the http-bind request and throws a 504. Any idea if there are changes to be made in the config, nginx or anywhere else on the Jitsi-Meet server to make it work?

Thanks

It goes like this: the browser will load /usr/share/jitsi-meet/config.js or /etc/jitsi/meet/domain.com-config.js -> domain.com/http-bind?room=xxxxx -> HAProxy -> Sticky table on xxxxx -> Prosody http-bind.

In order to check if your prosody is reachable you can go to https://domain.com/http-bind, you should get the same result as https://meet.jit.si/http-bind.


Hi,
I have configured haproxy for my backend jitsimeets; I am able to join the same room.
Please test my configuration below and let me know if I need to make any changes.

HA-PROXY LOADBALANCER FOR JITSI-MEET
In jitsi meet instances:
To run jitsimeet web only on port 443 [NGINX]
sudo bash
rm -rf /etc/nginx/modules-enabled/60-jitsi-meet.conf
sed -i 's/4444/443/g' /etc/nginx/sites-available/jitsione.domain.com.conf
systemctl restart nginx.service

To receive requests from different domain names to PROSODY
vim /etc/prosody/conf.d/jitsione.domain.com.cfg.lua

change false to true

cross_domain_bosh = true;

systemctl restart prosody.service

In haproxy instance:
add-apt-repository ppa:vbernat/haproxy-2.0
apt-get update
apt-get install haproxy

mkdir -p /etc/ssl/domain.com
cat /etc/letsencrypt/live/domain.com/fullchain.pem /etc/letsencrypt/live/domain.com/privkey.pem | tee /etc/ssl/domain.com/domain.com.pem

vim /etc/haproxy/haproxy.cfg

Add the line below at the end of the “global” section
tune.ssl.default-dh-param 1024

#add below lines to end of this file

frontend haproxynode
bind *:80
bind *:443 ssl crt /etc/ssl/domain.com/domain.com.pem
http-request redirect scheme https unless { ssl_fc }
option forwardfor
default_backend backendnodes

backend backendnodes
balance source
stick-table type string len 256 size 200k expire 120m
stick on url_param(room) table backendnodes
hash-type consistent
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server node1 jitsione.domain.com:443 check ssl verify none
server node2 jitsitwo.domain.com:443 check ssl verify none

sudo haproxy -c -f /etc/haproxy/haproxy.cfg
sudo systemctl restart haproxy.service

Thank you…
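The routing behaviour discussed in this thread, as an added Python model (not code from any poster and not HAProxy itself): it derives the stick-table key from the three URL forms in the first post and replays that post's scenario, showing why the room-less /Shibboleth.sso/SAML2/POST falls through to the other region. It also shows that the raw value of `room` on the login URL is `MeetinginUS@muc.meet.jitsi`, so a table keyed on the unmodified parameter, as with `stick on url_param(room)`, sees it as a different key from `MeetinginUS`. Assumptions: the `StickyRouter` class, the backend names and the `pin_clients` option (a second table keyed on the client, however the client is identified) are hypothetical and only illustrate one way a keyless request could follow its room.

```python
from urllib.parse import urlsplit, parse_qs

ROOM_PARAMS = ("room", "conference")  # query keys that carry the room in the thread's URLs

def room_key(url):
    """Return the bare room name carried by a request URL, or None if it has none."""
    query = parse_qs(urlsplit("//" + url).query)
    for name in ROOM_PARAMS:
        if name in query:
            # "MeetinginUS@muc.meet.jitsi" and "MeetinginUS" must share one table key
            return query[name][0].split("@", 1)[0]
    return None

class StickyRouter:
    """Toy model of room stickiness; not HAProxy code."""
    def __init__(self, nearest):
        self.nearest = nearest  # region -> backend, stands in for the fallback balancing
        self.rooms = {}         # stick table: room name -> backend
        self.clients = {}       # assumption: second table, client -> last room backend

    def route(self, client, region, url, pin_clients=False):
        room = room_key(url)
        if room is not None:
            backend = self.rooms.setdefault(room, self.nearest[region])
            self.clients[client] = backend
            return backend
        if pin_clients and client in self.clients:
            return self.clients[client]  # keyless request follows the client's room
        return self.nearest[region]      # keyless request falls back to balancing

# Constructed replay of the scenario from the first post.
SCENARIO = [
    ("us-user", "US", "jitsi.domain/http-bind?room=MeetinginUS"),
    ("asia-user", "Asia", "jitsi.domain/http-bind?room=MeetinginUS"),
    ("asia-user", "Asia", "jitsi.domain/login/?machineUID=f39c7b7a40b380c0496755f43655c27f"
                          "&room=MeetinginUS@muc.meet.jitsi&close=false"),
    ("asia-user", "Asia", "jitsi.domain/Shibboleth.sso/SAML2/POST"),
]

def replay(pin_clients):
    router = StickyRouter({"US": "us-backend", "Asia": "asia-backend"})
    return [router.route(c, r, u, pin_clients) for c, r, u in SCENARIO]

if __name__ == "__main__":
    print("room key only :", replay(False))
    print("client pinned :", replay(True))
```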