Jitsi behind reverse proxy 502 bad gateway

Dear all

I am using HAproxy on a pfSense to proxy a few webservers in my home lab (http and https).
So far a stable setup.

I have set up a Jitsi Meet Server (a fine piece!) which is working well on the local network.
HAproxy status page shows all up.

However, I can’t make it available to the public side. I always get a “502 bad gateway” page.
This - most likely - indicates that there is an issue with internal/external server lookup. However, I am not experienced enough to find the proper configs…

May I ask for a helping hand on that?
How to configure HAproxy as a reverse proxy for Jitsi Meet? Maybe somebody would be so kind to send me a working example?

Kind regards
niii

Setup
(followed this guide: https://www.howtoforge.de/anleitung/so-erstellen-sie-ihren-eigenen-videokonferenzserver-mit-jitsi-meet-auf-ubuntu-1804-lts/)

  • Ubuntu 18.04 headless
  • nginx Webserver
  • JRE 1.8.0_242

sip-communicator.properties
/etc/jitsi/videobridge/sip-communicator.properties
(I assume that's not required for this setup?)

Added:

  • org.ice4j.ice.harvest.ALLOWED_ADDRESSES=LocalIPJitsiMeetServer
  • org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=LocalIPJitsiMeetServer
  • org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=Public FQDN of JitsiMeetServer

Is this correct? Can I use the FQDN? The IP address changes from time to time…

pfSense Firewall Filter Rule

  • Allow UDP IPv4 10000:20000 to JitsiMeetServer from any

HAproxy Backend
All settings on default, changed below values

  • Server List

    • Mode: active
    • Name: name
    • ForwardTo: Address+Port
    • Address: LocalJitsiServerIP
    • Port: 443
    • Encrypt (SSL): Yes
  • SSL checks: no

  • Timeout/ retry settings

    • Connection timeout 60000
    • Server timeout 60000
    • Retries 10
  • Health checking

    • health check method: Basic

HAproxy Frontend
All settings on default, changed below values

  • Edit HAProxy Frontend

    • Listen Address: WAN address (IPv4)
    • Custom address: empty
    • Port: 443
    • SSL Offloading: checked
    • Advanced: empty
  • Default backend, access control lists and actions

    • Access Control Lists (Table)

      • Name: jitsiACL1
      • Expression: “Host Contains:”
      • CS: no
      • Value: public FQDN of JitsiMeetsServer
    • Actions Table

      • Action: Use Backend -> JitsiBackend for https
      • Condition acl names: jitsiACL1
    • Advanced Settings

      • Use “forwardfor” option: checked
      • Advanced pass thru
        • http-response set-header X-Xss-Protection 1;\ mode=block
        • http-response set-header X-Robots-Tag noindex
        • http-response set-header X-Frame-Options SAMEORIGIN
        • http-response set-header Referrer-Policy same-origin
  • SSL Offloading

    • Certificate: my public certificate
    • Add ACL for certificate CommonName: checked
    • Add ACL for certificate Subject Alternative Names: checked
    • Advanced SSL Options:
      • force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Dear all

I have removed nginx and installed apache2 instead. To my surprise it works now without any further configuration - out of the box more or less.

So, the “easy way” to install Jitsi Meet server would be to follow this guide but, instead of installing nginx, using apache2.
(https://www.howtoforge.de/anleitung/so-erstellen-sie-ihren-eigenen-videokonferenzserver-mit-jitsi-meet-auf-ubuntu-1804-lts/)

Thanks to everyone who cared.

Greetings
N3

I am in the same boat, same setup as you, haproxy in front, reverse proxy to jitsi in lxc container.
I’m a bit lost with the last update.
I’ve tried your suggestion and it works out of the box. Thanks!
It seems with apache2, no turnserver was installed and configured.

Is it the normal behavior?

@noviceiii I had tried installing apache2 instead of nginx. What I found is that my remote users were getting disconnected every 8 to 10 seconds. I went back to nginx and everything was fine. Sadly, I am trying to use nginx-proxy-manager to reverse proxy between my jitsi server and my apache web server. With the standard jitsi server install that includes nginx as its web server, my remote users get a 502 bad gateway. Any ideas?