I get an error when I enter the conference on the public network, /http-bind?room 404

Hi everyone, I ran into difficulties when using this. Please help me take a look, thank you.

I installed the service in a local virtual machine, and it can be accessed normally from the intranet. Then I mapped a public network port to the port on my intranet. When accessing over the public network, the home page opens normally, but an error is reported when entering the meeting. The error is as follows:

The following is my js error:

Below is my videobridge/sip-communicator.properties:

org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
org.jitsi.videobridge.ENABLE_STATISTICS=true
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost
org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.172.16.168.8
org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb
org.jitsi.videobridge.xmpp.user.shard.PASSWORD=IdedBTFM
org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.172.16.168.8
org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=d0d1a0de-921e-4bfe-a6c5-eafacaa06f30
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=172.16.168.8
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=112.17.180.214

Below is my /jitsi/meet/config.js:

bosh: '//xjgt.richplug.cn:8446/http-bind',

Below is my nginx.conf:

server_names_hash_bucket_size 64;

types {
# nginx's default mime.types doesn't include a mapping for wasm
    application/wasm     wasm;
}
server {
    listen 80;
    listen [::]:80;
    server_name 172.16.168.8;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root         /usr/share/jitsi-meet;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name 172.16.168.8;

    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;
    set $prefix "";

    ssl_certificate /etc/jitsi/meet/172.16.168.8.crt;
    ssl_certificate_key /etc/jitsi/meet/172.16.168.8.key;

    root /usr/share/jitsi-meet;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;
    error_page 404 /static/404.html;

    gzip on;
    gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
    gzip_vary on;
    gzip_proxied no-cache no-store private expired auth;
    gzip_min_length 512;

    location = /config.js {
        alias /etc/jitsi/meet/172.16.168.8-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    # ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;

        # cache all versioned files
        if ($arg_v) {
            expires 1y;
        }
    }

    # BOSH
    location = /http-bind {
        proxy_pass http://127.0.0.1:5280/http-bind?prefix=$prefix&$args;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # xmpp websockets
    location = /xmpp-websocket {
        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        tcp_nodelay on;
    }

    # colibri (JVB) websockets for jvb1
    location ~ ^/colibri-ws/default-id/(.*) {
        proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        tcp_nodelay on;
    }

    # load test minimal client, uncomment when used
    #location ~ ^/_load-test/([^/?&:'"]+)$ {
    #    rewrite ^/_load-test/(.*)$ /load-test/index.html break;
    #}
    #location ~ ^/_load-test/libs/(.*)$ {
    #    add_header 'Access-Control-Allow-Origin' '*';
    #    alias /usr/share/jitsi-meet/load-test/libs/$1;
    #}

    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }

    location ~ ^/([^/?&:'"]+)/config.js$
    {
        set $subdomain "$1.";
        set $subdir "$1/";

        alias /etc/jitsi/meet/172.16.168.8-config.js;
    }

    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /http-bind;
    }

    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /xmpp-websocket;
    }

    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }
}

Below are my hosts

127.0.0.1       localhost
127.0.1.1       minzh-VirtualBox

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Below is my prosody/conf.d/172.16.168.8.cfg.lua:

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "172.16.168.8";

external_service_secret = "R1n16wowhsjcInzn";
external_services = {
     { type = "stun", host = "172.16.168.8", port = 3478 },
     { type = "turn", host = "172.16.168.8", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
     { type = "turns", host = "172.16.168.8", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

unlimited_jids = {
    "focus@auth.172.16.168.8",
    "jvb@auth.172.16.168.8"
}

VirtualHost "172.16.168.8"
    -- enabled = false -- Remove this line to enable this host
    authentication = "anonymous"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/172.16.168.8.key";
        certificate = "/etc/prosody/certs/172.16.168.8.crt";
    }
    av_moderation_component = "avmoderation.172.16.168.8"
    speakerstats_component = "speakerstats.172.16.168.8"
    conference_duration_component = "conferenceduration.172.16.168.8"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "muc_lobby_rooms";
        "muc_breakout_rooms";
        "av_moderation";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.172.16.168.8"
    breakout_rooms_muc = "breakout.172.16.168.8"
    main_muc = "conference.172.16.168.8"
    -- muc_lobby_whitelist = { "recorder.172.16.168.8" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.172.16.168.8" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "polls";
        --"token_verification";
        "muc_rate_limit";
    }
    admins = { "focus@auth.172.16.168.8" }
    muc_room_locking = false
    muc_room_default_public_jids = true

Component "breakout.172.16.168.8" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        --"token_verification";
        "muc_rate_limit";
        "polls";
    }
    admins = { "focus@auth.172.16.168.8" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.172.16.168.8" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.172.16.168.8", "jvb@auth.172.16.168.8" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.172.16.168.8"
    ssl = {
        key = "/etc/prosody/certs/auth.172.16.168.8.key";
        certificate = "/etc/prosody/certs/auth.172.16.168.8.crt";
    }
    modules_enabled = {
        "limits_exception";
    }
    authentication = "internal_hashed"

-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.172.16.168.8" "client_proxy"
    target_address = "focus@auth.172.16.168.8"

Component "speakerstats.172.16.168.8" "speakerstats_component"
    muc_component = "conference.172.16.168.8"

Component "conferenceduration.172.16.168.8" "conference_duration_component"
    muc_component = "conference.172.16.168.8"

Component "avmoderation.172.16.168.8" "av_moderation_component"
    muc_component = "conference.172.16.168.8"

Component "lobby.172.16.168.8" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
    modules_enabled = {
        "muc_rate_limit";
        "polls";
    }

Above is my error message, hope someone can help me, thank you!

This is my port mapping relationship:

Nginx doesn’t listen for the requested FQDN

So I need to change this in nginx to

server_name 112.17.180.214

or

server_name xjgt.richplug.cn

like this?
I will try this method at work tomorrow, thank you so much

But it can jump to the home page normally, and the static resources and some js in meet can also be loaded normally

This will not work because FQDN is used in many places.

The setup address and the site address must be the same.
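A consistency check for the point made above (the address used at setup and the address users browse to must be the same), as an added example that is not part of the original thread. The function names are hypothetical, and the inline fragments are constructed, cut down from the files posted above.

```python
import re
from urllib.parse import urlsplit

# Constructed fragments, cut down from the files posted in this thread.
# The commented-out server_name line is added here to show it is ignored.
NGINX_CONF = """
server {
    listen 443 ssl;
    server_name 172.16.168.8;
    # server_name commented.example;
}
"""
PROSODY_CFG = '''
VirtualHost "172.16.168.8"
    authentication = "anonymous"
VirtualHost "auth.172.16.168.8"
    authentication = "internal_hashed"
'''
CONFIG_JS = "bosh: '//xjgt.richplug.cn:8446/http-bind',"

def nginx_server_names(conf):
    """Names from every uncommented `server_name` directive."""
    names = set()
    for m in re.finditer(r"^[ \t]*server_name\s+([^;]+);", conf, re.M):
        names.update(m.group(1).split())
    return names

def prosody_virtual_hosts(cfg):
    """Hosts declared with an uncommented `VirtualHost "..."` line."""
    return set(re.findall(r'^[ \t]*VirtualHost\s+"([^"]+)"', cfg, re.M))

def bosh_host(config_js):
    """Hostname in the `bosh:` URL, or None when it is a relative path."""
    m = re.search(r"""\bbosh\s*:\s*['"]([^'"]+)['"]""", config_js)
    return urlsplit(m.group(1)).hostname if m else None

def check_site_host(site_host, nginx_conf, prosody_cfg, config_js):
    """Return the layers whose configured name differs from site_host."""
    mismatched = []
    if site_host not in nginx_server_names(nginx_conf):
        mismatched.append("nginx server_name")
    if site_host not in prosody_virtual_hosts(prosody_cfg):
        mismatched.append("prosody VirtualHost")
    bosh = bosh_host(config_js)
    if bosh is not None and bosh != site_host:
        mismatched.append("config.js bosh")
    return mismatched

if __name__ == "__main__":
    for host in ("xjgt.richplug.cn", "172.16.168.8"):
        print(host, "->", check_site_host(host, NGINX_CONF, PROSODY_CFG, CONFIG_JS) or "consistent")
```

With the posted files, neither the public name nor the machine IP is consistent across all three layers, which is the mismatch the replies point at.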

My public network address can only be port-mapped. Write the setup address as the machine IP, and then use the public network port to map it. I have done this before, and it has been successful, but this time, I don’t know why it is wrong.

It still doesn’t work, someone help me, please :sob:

@damencho help

Please don’t tag people in your requests for help unless they’re already helping you with the issue at hand.

OK, I am sorry for this.

Do you have valid certificates? You need https to run Jitsi.

Thank you for answering me.
I just tried changing to valid certificates in nginx.conf like this:

ssl_certificate /etc/jitsi/meet/7285858_xjgt.richplug.cn.pem;
ssl_certificate_key /etc/jitsi/meet/7285858_xjgt.richplug.cn.key;

and it still doesn’t work.
Do the certificates in Prosody need to be replaced?

Why not just run the letsencrypt script to generate certs? You’re trying to do a lot of things unconventionally and that appears to be causing issues for you.

I just tried what you said and it returned me the following message:

Requested name 172.16.168.8 is an IP address. The Let's Encrypt certificate authority will not issue certificates for a bare IP address.

You need a FQDN for letsencrypt.

I really can’t figure out how to map this port to a virtual machine. Then I got a public network server, built it on that, and now I can access it. Thank you for your help. Thank you all.