How to realize jvb connection among multiple isolated network segments through nginx forwarding

The network environment of our company is relatively strict. It is divided into an internal network, an office network and a public network. Only the designated IP and port of the internal network and the designated IP and port of the office network are allowed to connect between the internal network and the office network. Then, the IP of the office network is connected with the specified IP of the public network through the specified port.

At present, jitsi meet is deployed on the intranet, and mobile users are on the Internet. Mobile users need to connect to the office network and then to the intranet through the server of the public network.

Because I’m not good at English, I searched jitsi’s official website for a long time and didn’t find a way to use nginx to forward it many times to jvb Unicom.

According to experiments and data, we can see that end users are directly connected to jvb server through udp10000, but our deployment environment does not allow direct connection across network segments. They must be connected through multiple transit servers and go through multi-layer transit. Now I am very confused about how to forward the video stream to China Unicom. UDP cannot be transferred out. Can I change it to TCP through turn service?

Please give me an idea

The participants can access JVB (UDP/10000) through TURN. You need a customized Nginx config which redirects the TURN traffic to the TURN service.

Basically clients don’t really connect to jvbs through nginx. They either:

  • connect directly through port 10000/UDP (better solution for performance)

  • connect through turn. Clients always try out UDP first, and when it fails they can find an alternate way through connecting to turn with TCP, and turn itself connects to jvb with UDP.

Clients get the turn configuration from Prosody with something along the lines of:

-- TURN over TLS on 443/TCP, offered to clients as the fallback when UDP fails
turncredentials = {
  { type = "turns", host = "turn.myurl.mytld", port = "443", transport = "tcp" }
}

Turn can be proxied if necessary (usually when only one 443 port should be used, otherwise it’s usually accessed on port 3478 tcp, see Prosody config above for an example of proxied turn).

Needless to say, client → (tcp 443) proxy → (tcp 3478) turn → (udp 10000) jvb is not as efficient as client → (udp) jvb.

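The chain described in the replies above (client → tcp 443 proxy → tcp 3478 turn → udp 10000 jvb), stretched over the three network zones from the question, can be sketched with the nginx `stream` module. This is an added example, not configuration posted by anyone in the thread; every IP address and certificate path is a constructed placeholder, and each `stream` block belongs in the nginx.conf of a different host.

```nginx
# Each block goes at the top level of nginx.conf (next to events/http), one per host.

# --- Host A: public-network server, the only address clients can reach ---
stream {
    server {
        listen 443;                    # raw TCP; TLS is passed through, not terminated
        proxy_pass 198.51.100.20:443;  # constructed: designated office-network IP/port
        proxy_connect_timeout 5s;
        proxy_timeout 10m;             # keep idle media sessions from being cut early
    }
}

# --- Host B: office-network relay ---
stream {
    server {
        listen 443;
        allow 192.0.2.10;              # constructed: Host A, the only permitted source
        deny all;                      # mirrors the firewall rule at the nginx layer
        proxy_pass 10.30.0.7:443;      # constructed: designated internal-network IP/port
        proxy_connect_timeout 5s;
        proxy_timeout 10m;
    }
}

# --- Host C: internal network, in front of the TURN service ---
stream {
    upstream turn_tcp {
        server 127.0.0.1:3478;         # assumption: TURN listens for plain TCP here
    }
    server {
        listen 443 ssl;                # "turns" clients expect TLS for turn.myurl.mytld
        ssl_certificate     /etc/nginx/tls/turn.myurl.mytld.crt;  # placeholder path
        ssl_certificate_key /etc/nginx/tls/turn.myurl.mytld.key;  # placeholder path
        ssl_protocols TLSv1.2 TLSv1.3;
        allow 198.51.100.20;           # constructed: Host B
        deny all;
        proxy_pass turn_tcp;           # TLS ends here; plain TURN-over-TCP to 3478
        proxy_timeout 10m;
    }
}
```

The TURN host still needs a permitted path to the JVB on UDP 10000. Because every hop is a TCP proxy, the TURN service sees the last relay's address as the peer rather than the real client IP, so per-client rate limits and logging are best applied on Host A.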