Jitsi behind NAT and HAproxy

Hello everyone. I tried a lot of configurations to make it work, but finally I gave up :frowning: and need help. Of course the problem is with the third connection; with two participants, using P2P, it works OK.

The internal server (Ubuntu) serves jitsi-meet with this nginx config:

server_names_hash_bucket_size 64;

server {
    # Plain-HTTP listener used as the HAProxy backend (192.168.31.10:1188).
    # There is no "ssl" flag on this listen line, so the ssl_certificate
    # directives below are not used by this server block; TLS is terminated
    # on HAProxy's :443 listener.
    listen 1188;
    server_name jitsi.domain.net;

    # NOTE(review): in nginx, add_header set inside a location replaces the
    # server-level add_header set, so locations below that add their own
    # header (the static-content one) will not emit HSTS — confirm if that matters.
    add_header Strict-Transport-Security "max-age=31536000";

    # Not active without "ssl" on the listen line (see above).
    ssl_certificate /etc/jitsi/meet/jitsi.domain.net.crt;
    ssl_certificate_key /etc/jitsi/meet/jitsi.domain.net.key;

    root /usr/share/jitsi-meet;
    ssi on;
    index index.html index.htm;
    error_page 404 /static/404.html;

    # Per-host deployment config served in place of the default config.js.
    location = /config.js {
        alias /etc/jitsi/meet/jitsi.domain.net-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    #ensure all static content can always be found first
    # Static assets only; the wildcard CORS header applies just to this location.
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;
    }

    # BOSH
    # XMPP-over-HTTP, proxied to Prosody on localhost:5280.
    location = /http-bind {
        proxy_pass      http://localhost:5280/http-bind;
        # NOTE(review): behind HAProxy, $remote_addr is HAProxy's own address,
        # and this overwrites the X-Forwarded-For that HAProxy already adds
        # (option forwardfor), so Prosody sees one IP for every client.
        # $proxy_add_x_forwarded_for would keep the original client IP for
        # logging and any per-IP limits — verify before changing.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # Room names: any single path segment falls back to the app root.
    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }
}

nginx is behind HAProxy:

global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats
    # NOTE(review): an admin-level runtime socket bound to every interface
    # with no access restriction — anyone who can reach TCP/1999 can change
    # the running proxy configuration. Bind it to 127.0.0.1 or remove it;
    # the mode-600 unix socket below already covers local administration.
    stats socket *:1999 level admin
    stats socket /var/run/haproxy.sock mode 600 level admin
    server-state-file /etc/haproxy/haproxy.state 
    tune.ssl.default-dh-param 2048

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    # Adds X-Forwarded-For with the client IP on every proxied request.
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

# Stats page on every interface, port 8085.
listen stats 
    bind *:8085 
    stats enable
    stats uri /stats
    stats realm HAProxy-04\ Statistics
    # NOTE(review): placeholder-strength credentials, and "stats admin if TRUE"
    # grants the admin actions (server enable/disable) to every authenticated
    # user. Bind to an internal address and use a strong password.
    stats auth admin:pass
    stats admin if TRUE 

frontend wildcard.domain.com
    bind *:80
    # TLS terminates here; traffic to the backend below is plain HTTP.
    bind *:443 ssl crt /etc/ssl/certs/domain_net_2019_06_15.pem
    # NOTE(review): reqadd is the deprecated directive family (removed in
    # HAProxy 2.1) and it sets X-Forwarded-Proto: https unconditionally, even
    # on the :80 listener. The http-request line below already sets it only
    # for TLS connections, so this line can be dropped.
    reqadd X-Forwarded-Proto:\ https
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    redirect scheme https if !{ ssl_fc }

    # Define hosts
    acl host_jitsi hdr(host) -i jitsi.domain.net

    ## figure out which one to use
    # No default_backend: requests for any other Host get no backend.
    use_backend nginx if host_jitsi

backend nginx
    option httpclose
    option forwardfor
    # Plain HTTP to nginx on :1188 (same host). "cookie A" appears to have no
    # effect here since this backend declares no "cookie" directive.
    server 192.168.31.10 192.168.31.10:1188 cookie A check

cat /etc/jitsi/videobridge/sip-communicator.properties (current setup, modified many times)

# Only the jicofo focus user on this domain may control the bridge.
org.jitsi.videobridge.AUTHORIZED_SOURCE_REGEXP=focus@auth.jitsi.domain.net/.*
org.ice4j.ipv6.DISABLED=true
# TCP fallback for ICE; the mapped port is what is advertised to clients.
org.jitsi.videobridge.TCP_HARVESTER_PORT=4443
org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=4443
# NOTE(review): this is the bridge's REST (Jetty) management port, and the
# NAT forwards 4443-4444 from the Internet, which exposes it. Only the media
# ports (4443/TCP and the single-port harvester UDP port) need to be reachable
# from outside; keep 4444 restricted to the host / local network.
org.jitsi.videobridge.rest.jetty.port=4444
# Single-port ICE harvester: this port must be forwarded as UDP from the
# public address to 192.168.31.10.
org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT=12345
org.ice4j.ice.harvest.ALLOWED_ADDRESSES=192.168.31.10
# NAT mapping: candidates for 192.168.31.10 are advertised as 1.2.3.4.
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.31.10
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=1.2.3.4

HAProxy is at the same IP as jitsi (192.168.31.10) and HAProxy is behind NAT - there is port forwarding for ports 443, 4443-4444 and 12345.

You need to port forward udp 10000 from 1.2.3.4 to 192.168.31.10 .

Thanks for the response - even with this parameter?

@damencho can you explain to me how to understand this:

a=candidate:3505284190 1 udp 2122260223 192.168.43.142 53541 typ host generation 0 network-id 1 network-cost 10
a=candidate:2657982638 1 tcp 1518280447 192.168.43.142 9 typ host tcptype active generation 0 network-id 1 network-cost 10
a=candidate:476273613 1 udp 1686052607 46.134.18.106 12955 typ srflx raddr 192.168.43.142 rport 53541 generation 0 network-id 1 network-cost 10
a=candidate:476273613 1 udp 1686052607 46.134.18.106 27349 typ srflx raddr 192.168.43.142 rport 53541 generation 0 network-id 1 network-cost 10
a=candidate:476273613 1 udp 1686052607 46.134.18.106 23378 typ srflx raddr 192.168.43.142 rport 53541 generation 0 network-id 1 network-cost 10

I suppose these are from your P2P peer connection.

OK. Solved it. To anyone reading this topic: it’s REALLY important to resolve all errors in the logs. First I reinstalled everything. Then I started working through the log issues. The last one was related to this topic's issue. I saw `PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target` and fixed it with the workaround mentioned by @damencho here https://github.com/jitsi/jitsi-meet/issues/2676#issuecomment-377039435 . Now everything works as expected.

I have the very same problem… Server is Debian buster + Apache, basic install + jitsi and nothing else.

The web UI appears OK. Everything going through port 443 (and haproxy) is fine. However, no video stream ever shows up. And no meaningful error in the logs either (only lots of “INFOS” lines).

Port 10000 on the WAN IP is already used, so I set up 10111 instead:

#org.jitsi.videobridge.AUTHORIZED_SOURCE_REGEXP=focus@auth.jitsi.test.com/.*
# Single-port ICE harvester moved off 10000 (already in use on the WAN IP);
# the firewall must forward 10111 as UDP to 192.168.1.147.
org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT=10111

# NAT mapping: candidates for 192.168.1.147 are advertised as 1.2.3.4.
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.1.147
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=1.2.3.4


org.jitsi.videobridge.ENABLE_STATISTICS=true
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
# XMPP client account the bridge uses to join the brewery MUC; the password
# is redacted in this post.
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost
org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.jitsi.test.com
org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb
org.jitsi.videobridge.xmpp.user.shard.PASSWORD=xxxxxxx
org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.jitsi.test.com
org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=xxxx-xxx-xxx

The firewall redirects port 10111 to the right IP, but nothing ever hits this port. I also redirected port 5347 because Jetty seems to be listening there; no change. I also checked chrome://webrtc-internals, and setRemoteDescription lists the right ports and IPs (both private and public IPs).

But no video and no sound… Any idea?