[jitsi-dev] Video using port 443 instead 4443


#1

Hi

I have a problem in my environment because I have wired and wifi networks, where
the wifi has port 4443 blocked. So my question is how I can configure my
server to run only on 80 and 443.

As it is a Debian box using Jitsi's repository, it was basically apt-get
install. In my env, I use nginx, so port 80 is redirected to 443, and I
have no idea how to use video through the same port under the same URL. Is
it possible? It isn't clear to me (yet).

I know the page tcp.html[1], but it isn't easy to understand what I need to do in
the nginx conf and in the jitsi confs.

[1]https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Some help?

Thanks in advance.

Regards,
Claudio Ferreira


#2

Video over TCP does not use HTTP, so you cannot share the same port with nginx. You could either configure jitsi-videobridge (which can multiplex video and HTTP) as your HTTP server and remove nginx, or you could make it use another port (e.g. 4444).

Regards,
Boris

···

On 12/09/2017 21:16, Claudio Ferreira wrote:



#3

Hi

Thank you, Boris, for your explanation.

I did a test on meet.jit.si with 2 browsers, each one with a cam (I have 2
cams to test jitsi), in the same room. I believe that on jit.si it is the same
thing. I asked another person to enter the same room there on jit.si, and
he and I can't see each other.

When I tried another WebRTC site, like appear.in, it works fine between us.

So, I believe it is a good idea to focus on this solution.

On the other hand, you said that it is possible to use it without nginx (or apache, I
believe). Where can I get more info about this configuration?

Once more, thank you.

Regards,
Claudio Ferreira

···

2017-09-12 16:45 GMT-03:00 Boris Grozev <boris@jitsi.org>:



#4

UDP port 10000 needs to be open for the Jitsi Meet WebRTC traffic.

If that port is blocked at either end, the video/audio won't get passed
through and you won't be able to see or hear each other.

···

On Thu, 2017-09-14 at 18:59 -0300, Claudio Ferreira wrote:



#5

> Hi
>
> Thank you, Boris, by your explanation.
>
> I did a test in meet.jit.si with 2 browsers, each one with a cam (I have 2 cams to test jitsi) in the same room. I believe that in jit.si is the same thing. I asked to other person to enter in a same room there in jit.si, and I and he can't see one to other.

I assume that by "jit.si" you mean "meet.jit.si" (jit.si is another service). If so, this is unexpected, but we can't find out why it happened without further details -- the logs from the javascript console would help.

> When I tried in other webRTC site, like appear.in, works fine one to other.
>
> So, I believe that is a good idea to focus to this solution.
>
> In other hand, you said that is possible use without nginx (or apache, I believe). Where can I get more info about this configuration?

See these two docs:
https://github.com/jitsi/jitsi-videobridge/blob/master/doc/http.md
https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md

Regards,
Boris

···

On 15/09/2017 00:59, Claudio Ferreira wrote:


#6

Sorry for the off-topic discussion: I think exposing a UDP port to public may incur UDP flood network attack.

Is "channel-bundle and rtcp-mux for TCP candidates" the only way out?

Regards!

Eric Ding

···

On 2017-09-15 06:13:12, Ian Beardslee wrote:


#7

I don't understand what your concern is. WebRTC has been designed for UDP, and is most often used with UDP. It uses consent checks to prevent traffic being sent to destinations that don't want it.

You can just block UDP on your installation, and if it is configured correctly it will fall back to TCP. But your quality will suffer.

Regards,
Boris

···

On 15/09/2017 10:54, globaltrotter wrote:

Sorry for the off topic discussion : I think exposing a UDP port to public may incur UDP flood network attack.

Is "channel-bundle and rtcp-mux for TCP candidates" the only way out ?
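
Added example (not part of the thread and not Jitsi code): a small model of the UDP-to-TCP fallback discussed above, showing which advertised candidate a client can actually reach under a given network policy. The candidate lines, the 203.0.113.10 address, the `egress` policy object (a wifi that allows only TCP 80/443) and all function names are constructed assumptions.

```javascript
// Constructed sample candidates (documentation IP); not captured from a real bridge.
const SAMPLE_CANDIDATES = [
  "a=candidate:1 1 udp 2130706431 203.0.113.10 10000 typ host generation 0",
  "a=candidate:2 1 tcp 2113939711 203.0.113.10 4443 typ host tcptype passive generation 0",
];

// Parse the leading fields of an ICE candidate attribute; null if malformed.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null;
  return { transport: m[1].toLowerCase(), priority: Number(m[2]),
           address: m[3], port: Number(m[4]), type: m[5] };
}

// egress is a hypothetical model of the client network:
// { udp: boolean, tcpPorts: Set<number> | "any" }
function reachable(cand, egress) {
  if (cand.transport === "udp") return egress.udp;
  if (cand.transport === "tcp") {
    return egress.tcpPorts === "any" || egress.tcpPorts.has(cand.port);
  }
  return false; // unknown transport: treat as unusable
}

// Highest-priority candidate the client can reach, or null (no media path).
// Simplification: real ICE ranks candidate pairs, not single candidates.
function selectCandidate(lines, egress) {
  const usable = lines.map(parseCandidate).filter((c) => c && reachable(c, egress));
  usable.sort((a, b) => b.priority - a.priority);
  return usable.length ? usable[0] : null;
}

// Same candidate list with the bridge's TCP port changed (e.g. 443 or 4444).
function withTcpPort(lines, port) {
  const re = /^(a=candidate:\S+ \d+ tcp \d+ \S+ )\d+/i;
  return lines.map((l) => l.replace(re, (_, head) => head + port));
}

const wired = { udp: true, tcpPorts: "any" };
const wifi = { udp: false, tcpPorts: new Set([80, 443]) }; // assumed policy
for (const [name, cands] of [["default 4443", SAMPLE_CANDIDATES],
    ["TCP on 4444", withTcpPort(SAMPLE_CANDIDATES, 4444)],
    ["TCP on 443", withTcpPort(SAMPLE_CANDIDATES, 443)]]) {
  const w = selectCandidate(cands, wifi);
  console.log(name, "-> wifi:", w ? `${w.transport}/${w.port}` : "no media path");
}
```

Under the assumed wifi policy, only a TCP candidate on 443 leaves a media path; moving the TCP port to 4444 helps only on networks that allow that port.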


#8

My concern is about the incoming rubbish UDP packets (UDP flood attack) rushing to the UDP port of JVB.

Will it collapse JVB?

There is no OVH in our country and the service charge of anti-network-attack is very high. Does any of you have experience on network security issues when you implement JITSI-MEET at a public server?

Regards!

Eric Ding

···

On 2017-09-15 23:14:52, Boris Grozev wrote: