Jitsi Meet Docker - Use 443 TCP Only in case of corporate firewalls

Install & Config
, ,
#21

Use the public IP for the turn service. The loopback is blocked because of the following line

denied-peer-ip=127.0.0.0-127.255.255.255
1 Like
#22

Hi thanks for your reply. Wouldn’t i be better (and safer) to just delete:

denied-peer-ip=127.0.0.0-127.255.255.255

and keeping it this way, so that every connection remains in the internal network, since jitsi and coturn are on the same machine? Would it work?

#23

All internal services become accessible from the outside through TURN

1 Like
#24

Ok, I’ve tried commenting the line:

denied-peer-ip=10.0.0.0-10.255.255.255

and putting in nginx turn module conf the internal IP and everything works so far in TURN mode.

I tried then with the public IP but the problems appear again, no audio nor video with more than 2 partecipants. And I’m sure that the required TCP and UDP ports are forwarded from the outside.

Any suggestions?

#25

It’s needed some extra rules on the firewall/router. The firewall should handle correctly the internal requests when the destination is its public IP.

Try this from jitsi

curl https://public_ip/
#26

Ok, I’ve tried it. If I do that from the Jitsi VM, the curl just gets stuck:

root@jitsi:/tmp# curl https://public_ip/
curl: (7) Failed to connect to ... port 443: Connection refused

Also tried telnetting public_ip 443 from jitsi’s VM: it doesn’t work.

If I do that from my local mobaxterm terminal on my pc:

[myPC] ➤ curl https://public_ip/
curl: (77) error setting certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none

#27

This means that the router can not handle the internal requests

#28

Instead of deleting this, you can add the following lines to the TURN config

listening-ip=INTERNAL-IP
allowed-peer-ip=INTERNAL-IP
no-udp
1 Like
#29

Thanks very much for the help. Which way do you think would be safer/better? Adding these rules on coturn or properly set my company’s firewall?

#30

The setting firewall rules is better. The denied-peer-ip lines prevent to access to the internal IP blocks through the TURN service.

1 Like
#31

Thanks very much emrah. I will ask the firewall team to properly setup the rules.

One more question: my company is pushing towards docker deploys of Jitsi, which we have been using for a while and they work amazingly and they’re a lot more hassle free than the standard deployment.

is there a way to setup the also dockerized installation of Jitsi to use 443 TCP only, just as we did with the manual install?

#32

No idea for the Docker case