Jitsi behind reverse proxy

Hello everyone,

I have one maybe silly question.
I've installed my Jitsi on a Debian VM server following the quick install guide. This is a local server, with a local IP address. Now I'm trying to deploy the server for external use. I don't have a public IP address with port 443 available to NAT to the local IP address of Jitsi.
Now the question:
Can I use my reverse proxy server with a public IP address to “forward” traffic to my Jitsi local server?
In this scenario almost everything works for me except video from outsiders. Local to local, everything works great.
I use this “public” reverse proxy server for more local servers (including some webservers, a RocketChat server, etc.).

Hope I described it understandably.

Many thanks for your help guys!

I’m running Jitsi behind haproxy, and it seems to work well. In addition to 443, you’ll also need to proxy TCP 4443 OR UDP 10000. Check your proxy, as not all support UDP.

Thank you for your answer.

I use Apache, so I think Apache doesn’t support UDP.
Can you please share your haproxy config with me? I have to move all hosts to another proxy. I’ll try haproxy maybe, or nginx.

haproxy doesn’t support UDP proxying… I think nginx does though… I’m happy to share my haproxy configuration, but it’s pretty simple… basically I just have 2 front ends, one for HTTP/443 and the second for TCP 4443, both going to the backend server that hosts Jitsi.

1 Like

@speedy01: could you share your haproxy.cfg?
Thanks!

Here you go… this is a partial snippet of what mine looks like:

global
    nbproc 2
    log 127.0.0.1 local2 notice
    chroot /var/lib/haproxy
    stats socket /var/lib/haproxy/stats expose-fd listeners
    stats timeout 2m
    user haproxy
    group haproxy
    daemon

    maxconn 50000

    tune.ssl.default-dh-param 2048
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM
    ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM

defaults
    log global
    mode http
    option forwardfor
    option dontlognull
    timeout client 30m
    timeout server 60s
    #testing
    timeout client-fin 30s
    timeout tunnel 30m
    timeout connect 15s
    option httplog
    maxconn 5000

frontend fe_http-in
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend fe_https-in
    bind *:443 ssl crt /etc/pki/tls/private/cert.pem alpn h2,http/1.1

    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
    http-response set-header X-Frame-Options sameorigin
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-XSS-Protection 1;mode=block
    http-response set-header Referrer-Policy no-referrer-when-downgrade

    # Jitsi
    use_backend be_jitsi if { hdr_dom(host) -i jitsi.domain.com }

frontend fe_jitsi-tcp
    bind *:4443
    mode tcp
    use_backend be_jitsi-tcp

backend be_jitsi
    server jitsi xxx.xxx.xxx.xxx ssl verify none alpn h2,http/1.1

backend be_jitsi-tcp
    mode tcp
    server jitsi xxx.xxx.xxx.xxx
1 Like

That was the trick to make it working with http mode. Thanks!

Hi @speedy01 @christian02

I have coturn working on my site and nginx is listening on 4444. My site works fine through https://meet.domain.com.

Now, I’m trying to configure haproxy taking clues from the file pasted above. Here’s what I created/copied:

global
    nbproc 2
    log 127.0.0.1 local2 notice
    chroot /var/lib/haproxy
    stats socket /var/lib/haproxy/stats expose-fd listeners
    stats timeout 2m
    user haproxy
    group haproxy
    daemon

    maxconn 50000

    tune.ssl.default-dh-param 2048
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM
    ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM

defaults
    log global
    mode http
    option forwardfor
    option dontlognull
    timeout client 30m
    timeout server 60s
    #testing
    timeout client-fin 30s
    timeout tunnel 30m
    timeout connect 15s
    option httplog
    maxconn 5000

frontend fe_http-in
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend fe_https-in
    bind *:443 ssl crt /etc/ssl/meet.domain.com/meet.domain.com.pem alpn h2,http/1.1
    mode http

    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
    http-response set-header X-Frame-Options sameorigin
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-XSS-Protection 1;mode=block
    http-response set-header Referrer-Policy no-referrer-when-downgrade

    use_backend be_jitsi if { hdr_dom(host) -i meet.domain.com }

backend be_jitsi
    server jitsi xxx.xxx.xxx.xxx:4444 ssl verify none
    mode http

I can do “service haproxy restart” with the above config, but meet.domain.com gives

503 Service Unavailable

No server is available to handle this request.

When I change the backend to

backend be_jitsi
    server jitsi xxx.xxx.xxx.xxx:4444 ssl verify none alpn h2,http/1.1
    mode http

haproxy gives the following error: [ALERT] 098/002807 (1855) : parsing [/etc/haproxy/haproxy.cfg:57] : ‘server jitsi’ unknown keyword ‘alpn’. Registered keywords :

Any ideas/suggestions what should go in the haproxy file or what I should do to debug?

Thank you!
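As an added example, not code from this thread and not part of HAProxy: a small Python lint that reads the section-based haproxy.cfg format and reports the two things the configs posted above turn on. It flags backends proxied with ssl verify none (on that hop haproxy accepts whatever certificate the address answers with, so a misrouted or substituted backend is not noticed), and it checks whether a mode tcp frontend covers the videobridge TCP fallback port 4443, which the first config has and the second does not. UDP 10000, as noted earlier in the thread, cannot be carried by haproxy at all and has to be NATed straight to the Jitsi host. The two embedded configurations are constructed, trimmed copies of the ones posted in this thread, and 192.0.2.10 is a placeholder backend address.

```python
"""Lint an haproxy.cfg for the points raised in this thread.

Added example: not from the thread and not part of HAProxy. It parses the
section-based haproxy.cfg format and reports
  * servers declared with `ssl verify none`, which skip certificate checks on
    the hop from the proxy to Jitsi,
  * whether a `mode tcp` frontend covers the videobridge TCP fallback port.
The videobridge UDP port is outside haproxy's reach and must be NATed directly.
"""

SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}
JVB_TCP_PORT = 4443    # TCP fallback port named in the thread
JVB_UDP_PORT = 10000   # media port named in the thread (UDP, not proxyable)

# Constructed sample: a trimmed copy of the first config posted in the thread.
CFG_WITH_TCP_FALLBACK = """
defaults
    mode http

frontend fe_https-in
    bind *:443 ssl crt /etc/pki/tls/private/cert.pem alpn h2,http/1.1
    use_backend be_jitsi if { hdr_dom(host) -i jitsi.domain.com }

frontend fe_jitsi-tcp
    bind *:4443
    mode tcp
    use_backend be_jitsi-tcp

backend be_jitsi
    server jitsi 192.0.2.10 ssl verify none alpn h2,http/1.1   # placeholder IP

backend be_jitsi-tcp
    mode tcp
    server jitsi 192.0.2.10
"""

# Constructed sample: the shape of the second config posted (443 only, no 4443).
CFG_HTTPS_ONLY = """
defaults
    mode http

frontend fe_https-in
    bind :443 ssl crt /etc/ssl/meet.domain.com/meet.domain.com.pem
    default_backend be_jitsi

backend be_jitsi
    server do-meet 192.0.2.10:4444 ssl verify none
"""


def parse_haproxy(text):
    """Return [(kind, name, [(keyword, [args...]), ...]), ...], one per section."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # a comment runs to end of line
        if not line:
            continue
        words = line.split()
        if words[0] in SECTION_KEYWORDS:
            sections.append((words[0], words[1] if len(words) > 1 else "", []))
        elif sections:
            sections[-1][2].append((words[0], words[1:]))
    return sections


def _mode(entries, fallback):
    """Effective `mode` of a section, or the inherited fallback."""
    for keyword, args in entries:
        if keyword == "mode" and args:
            return args[0]
    return fallback


def _bound_ports(entries):
    """Ports from `bind` lines such as '*:443', ':443' or '10.0.0.1:4443'."""
    ports = set()
    for keyword, args in entries:
        if keyword == "bind" and args:
            port = args[0].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports


def lint(text):
    sections = parse_haproxy(text)
    default_mode = "tcp"  # haproxy's built-in default when no `defaults` sets one
    for kind, _, entries in sections:
        if kind == "defaults":
            default_mode = _mode(entries, default_mode)

    unverified = []    # (section name, server name) with `ssl verify none`
    tcp_ports = set()  # ports served by a `mode tcp` frontend or listen
    for kind, name, entries in sections:
        if kind in ("frontend", "listen") and _mode(entries, default_mode) == "tcp":
            tcp_ports |= _bound_ports(entries)
        if kind in ("backend", "listen"):
            for keyword, args in entries:
                if keyword == "server" and "ssl" in args and "verify" in args:
                    i = args.index("verify")
                    if i + 1 < len(args) and args[i + 1] == "none":
                        unverified.append((name, args[0]))

    return {
        "unverified_backends": unverified,
        "tcp_fallback_proxied": JVB_TCP_PORT in tcp_ports,
    }


if __name__ == "__main__":
    for label, cfg in (("443 + 4443", CFG_WITH_TCP_FALLBACK), ("443 only", CFG_HTTPS_ONLY)):
        print(label, lint(cfg))
    print(f"UDP {JVB_UDP_PORT} cannot be proxied by haproxy; NAT it to the Jitsi host")
```

Run against a real haproxy.cfg by reading the file into lint(); a backend listed under unverified_backends can be tightened with verify required plus a ca-file pointing at the CA that signed the Jitsi host's certificate, and tcp_fallback_proxied being False means clients that cannot reach UDP 10000 have no TCP fallback through the proxy.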

What version of haproxy are you trying to use? I’m using 2.0.14. You can find out by running haproxy -v.

Your version may not support h2. In this case simply remove alpn h2,http/1.1 from your front end and back end.

Also I should note that I’m using a wildcard cert. If you are using SNI and host headers for different domains, you’ll want to load all the certs for each domain.

You may also consider adding default_backend to your front end configuration.

Thanks for looking at this.

haproxy is 1.8.8 which supports alpn per their documentation. Also, it’s on Ubuntu 18.04.

I only have one domain, and the certificate at the front end was created by "cat"-ing the Let's Encrypt files for the domain together:

sudo cat /etc/letsencrypt/live/meet.domain.com/fullchain.pem /etc/letsencrypt/live/meet.domain.com/privkey.pem | sudo tee /etc/ssl/meet.domain.com/meet.domain.com.pem

Here’s the FE and BE now.

frontend fe_https-in
    bind :443 ssl crt /etc/ssl/meet.domain.com/meet.domain.com.pem
    mode http
    #use_backend be_jitsi
    default_backend be_jitsi

backend be_jitsi
    server do-meet xxx.xxx.xxx.xxx:4444 ssl verify none
    mode http

It still gives this message:

503 Service Unavailable

No server is available to handle this request.

Have you confirmed that you don’t have any routing or firewall issues?
You can try using curl from the haproxy server to xxx.xxx.xxx.xxx:4444 to see if you get a response. If not, then you may have other issues!

Thank you again.

haproxy is running on the same server as meet, i.e. xxx.xxx.xxx.xxx:4444.

Does that require any different settings?

Hmmm… not sure why you are trying to do that…

Usually a reverse proxy is used at the edge or in the DMZ to protect/hide services behind it that run on different servers. It doesn’t make much sense to have anything other than haproxy running on that server.

If you installed Jitsi using the quick install guide, you might have nginx listening on 443 too. You might want to do a netstat to see. The quick install adds a configuration to use nginx for multiplexing and proxying.

I’m trying to set up an HA environment for Jitsi. A reverse proxy is not my goal.

Does that mean I would need 2 servers running just haproxy, 1 floating ip (meet.domain.com) and two servers running the jitsi meet package?

I tried port 443 in the config file but it didn’t work. The nginx config file is listening on 4444, and I confirmed that with netstat. Thank you!

Is your setup working?

I have mine running behind a Caddy v2 reverse proxy.

Here’s my Caddyfile. Since meet already pulls a Let's Encrypt cert, I make Caddy not check for that.

You still have to open the UDP ports (NAT) directly to the Jitsi server.

HT to @gpatel-fr

meet.mydomain.com {
    reverse_proxy 192.168.11.31:443 {
        transport http {
            tls
            tls_insecure_skip_verify
        }
    }
}

Hi,
I have used your haproxy.cfg but it is showing some errors. After replacing mode tcp with http there are no errors. But when I open a conference I am unable to access the camera & microphone.
Please help me to resolve this.
Thank you.

Have you forwarded UDP port 10000 to the internal IP of the Jitsi server?

1 Like

No, I haven’t done that. Can you please explain to me how to do that? I am using Jitsi inside an AWS EC2 instance (Ubuntu). I allowed port 10000/UDP to public in the security group.
Thank you very much for your reply.

If you run Jitsi in EC2, then you don’t need a reverse proxy at all… just make sure ports 80, 443 & 10000 are open in the security group that contains the Jitsi & Jibri servers.