[jitsi-dev] jvb binding port 443 on virtual if?


#1

Hi all,

I have a Debian VPS hosting jitmeet that has 2 public IPs.
One IP is served using eth0 and the other is using the virtual interface
eth0:0

Now I noticed that the videobridge ICE candidates were using port 4443
instead of 443, so I investigated a little. I have nginx using 443 on eth0,
so I tried to add the following to the sip-communicator.properties file to
force it to use eth0:0 and thus bind to 443:

org.jitsi.videobridge.TCP_HARVESTER_PORT=443
org.ice4j.ice.harvest.ALLOWED_INTERFACES=eth0:0

However, when I do that I get no ICE candidates at all as can be seen in
the logs:

21:29:00.880 INFO: [19] org.jitsi.videobridge.IceUdpTransportManager.info()
Initialized TCP harvester on port 443, using SSLTCP:true
21:29:00.937 INFO: [19] org.ice4j.ice.Agent.gatherCandidates() Gather
candidates for component audio.RTP java.io.IOException: Failed to bind even
a single host candidate for component:Component id=1 parent stream=audio
no local candidates.

Does this mean that the videobridge cannot bind to virtual adapters? Any
other way I can keep 443 open for nginx on eth0 and bind ICE candidates on
port 443 on eth0:0?

Cheers,

Peter


#2

Hello Peter,

> Hi all,
>
> I have a Debian VPS hosting jitmeet that has 2 public IPs.
> One IP is served using eth0 and the other is using the virtual interface
> eth0:0
>
> Now I noticed that the videobridge ICE candidates were using port 4443
> instead of 443, so I investigated a little. I have nginx using 443 on
> eth0, so I tried to add the following to the sip-communicator.properties
> file to force it to use eth0:0 and thus bind to 443:
>
> org.jitsi.videobridge.TCP_HARVESTER_PORT=443
> org.ice4j.ice.harvest.ALLOWED_INTERFACES=eth0:0
>
> However, when I do that I get no ICE candidates at all as can be seen in
> the logs:
>
> 21:29:00.880 INFO: [19] org.jitsi.videobridge.IceUdpTransportManager.info()
> Initialized TCP harvester on port 443, using SSLTCP:true
> 21:29:00.937 INFO: [19] org.ice4j.ice.Agent.gatherCandidates() Gather
> candidates for component audio.RTP java.io.IOException: Failed to bind
> even a single host candidate for component:Component id=1 parent
> stream=audio
> no local candidates.
>
> Does this mean that the videobridge cannot bind to virtual adapters?

Yes. It is a limitation of the JVM and it was one of the reasons for implementing filtering by address:
org.ice4j.ice.harvest.ALLOWED_ADDRESSES=addr1;addr2

Note that it affects all harvesters (and not just TCP).

> Any other way I can keep 443 open for nginx on eth0 and bind ICE candidates
> on port 443 on eth0:0?

Another option is to have the bridge listen on 4443 on both interfaces, and externally redirect traffic on eth0:0 from 443 to 4443. You will also need to set the following property to make the bridge announce candidates with the desired port (443).
org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=443

This has the advantage that you don't have to specify the IP addresses beforehand, and that the bridge can run as non-root since it doesn't have to bind to 443.

Regards,
Boris
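
The second option in the reply above, as an added example that is not part of the original thread: it prints the NAT rule for the external redirect and checks that sip-communicator.properties agrees with it. It assumes iptables does the redirect (the reply only says "externally"); the function names and the address 203.0.113.10 are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). 203.0.113.10 is a constructed
# documentation address standing in for the second public IP on eth0:0.

# Print the NAT rule that sends <public_port> on <ip> to <bridge_port>.
# It matches on destination address: eth0:0 is an alias of eth0, so packets
# for both IPs arrive on eth0 and an interface match cannot separate them.
redirect_rule() {
    ip=$1 public_port=$2 bridge_port=$3
    case $ip in
        *[!0-9.]*|'') echo "bad IPv4 address: $ip" >&2; return 1 ;;
    esac
    for p in "$public_port" "$bridge_port"; do
        case $p in *[!0-9]*|'') echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$ip" "$public_port" "$bridge_port"
}

# Read one key from a Java-style properties file (last assignment wins).
prop() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | tail -n 1 | tr -d '[:space:]'
}

# The announced port must be the public one; if the listen port is pinned,
# it must be the port the redirect targets, not the privileged public port.
check_bridge_props() {
    file=$1 public_port=$2 bridge_port=$3
    mapped=$(prop 'org\.jitsi\.videobridge\.TCP_HARVESTER_MAPPED_PORT' "$file")
    listen=$(prop 'org\.jitsi\.videobridge\.TCP_HARVESTER_PORT' "$file")
    [ "$mapped" = "$public_port" ] || {
        echo "TCP_HARVESTER_MAPPED_PORT is '$mapped', want $public_port"; return 1; }
    if [ -n "$listen" ] && [ "$listen" != "$bridge_port" ]; then
        echo "TCP_HARVESTER_PORT is $listen, but the redirect targets $bridge_port"
        return 1
    fi
    echo ok
}

# Print the rule for review instead of applying it.
redirect_rule 203.0.113.10 443 4443
```

Only the printed iptables command needs root; the bridge itself keeps listening on 4443 and can stay unprivileged.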

···

On 20/02/15 22:37, Peter Villeneuve wrote:


#3

Thanks Boris.
I used your 2nd option and now I can get around those pesky corporate
firewalls.

Cheers,
Peter

···

On Fri, Feb 20, 2015 at 9:57 PM, Boris Grozev <boris@jitsi.org> wrote:
