Jitsi behind Nginx reverse proxy and NAT. Help!

Hi all! I’m trying to set up a jitsi vm behind NAT and an additional nginx.

I’ve tried many different options, but none of them work. I can create a room, connect 3 users, but I can’t see an image or hear sound. Firewall set to 443 → RP Nginx, 10000UDP → jitsi VM.

Nginx reverse proxy:

server_names_hash_bucket_size 64;

types {
        application/wasm     wasm;

server {
        listen  80;
        server_name meet.my.domain;
        return 301 https://meet.domain.tld$request_uri;

server {
        server_name meet.my.domain;
        listen 443 ssl http2;

        ssl_certificate /etc/letsencrypt/live/meet.my.domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/meet.my.domain/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        add_header Strict-Transport-Security "max-age=63072000" always;

        access_log /var/log/nginx/meet.access.log;
        error_log /var/log/nginx/meet.error.log;

        location / {

                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;

                # WebSocket support
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";


Nginx on VM Jitsi:

server {
    listen 80;
#    listen [::]:443 ssl;
     server_name meet.my.domain;

     set_real_ip_from (internal address my RP nginx);
     real_ip_header X-Real-IP;
     set $prefix "";
     root /usr/share/jitsi-meet;
     ssi on;
     ssi_types application/x-javascript application/javascript;

     index index.html index.htm;
     error_page 404 /static/404.html;


You may put a module config into /etc/nginx/modules-enabled similar to this one on the reverse proxy.

Am I understanding the setting correctly? Need to open additional ports?

# this is jitsi-meet nginx module configuration customized by jitsi installer.
# this forwards all turn traffic to the coturn port
# and the rest to the nginx virtualhost port.
# you need a second FQDN for the turn server.

stream {
    upstream web {
    upstream turn {
        server ___LOCAL_IP___:5349; --> ip my internal lan nginx reverse proxy address

    map $ssl_preread_server_name $upstream {
        ___TURN_HOST___         turn; --> ip my vm with jitsi
        default                 web;

    server {
        listen 443;
        listen [::]:443;

        ssl_preread on;
        proxy_pass $upstream;

        # Increase buffer to serve video
        proxy_buffer_size 10m;

I added the configuration, but nothing has changed (

The current form doesn’t suit your use-case. You should update it according to your use-case.

Do I need to specify only IP addresses or something else? Can you explain in more detail?

stream layer allows to redirect requests to an upstream without terminating SSL.

Catch jitsi related requests by checking their address and redirects them to Jitsi’s TCP/443 if matched.

For other domains, the upstream should be the reverse proxy itself to not break the old domains.