Jitsi Meet Docker - Use 443 TCP Only in case of corporate firewalls

Use the public IP for the turn service. The loopback is blocked because of the following line:

denied-peer-ip=127.0.0.0-127.255.255.255

Hi, thanks for your reply. Wouldn’t it be better (and safer) to just delete:

denied-peer-ip=127.0.0.0-127.255.255.255

and keep it this way, so that every connection remains in the internal network, since jitsi and coturn are on the same machine? Would it work?

All internal services become accessible from the outside through TURN

Ok, I’ve tried commenting the line:

denied-peer-ip=10.0.0.0-10.255.255.255

and putting the internal IP in the nginx turn module conf, and everything works so far in TURN mode.

I then tried with the public IP, but the problems appear again: no audio nor video with more than 2 participants. And I’m sure that the required TCP and UDP ports are forwarded from the outside.

Any suggestions?

Some extra rules are needed on the firewall/router. The firewall should correctly handle the internal requests when the destination is its public IP.

Try this from jitsi:

curl https://public_ip/

Ok, I’ve tried it. If I do that from the Jitsi VM, the curl just gets stuck:

root@jitsi:/tmp# curl https://public_ip/
curl: (7) Failed to connect to ... port 443: Connection refused

Also tried telnetting public_ip 443 from jitsi’s VM: it doesn’t work.

If I do that from my local MobaXterm terminal on my PC:

[myPC] ➤ curl https://public_ip/
curl: (77) error setting certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none

This means that the router cannot handle the internal requests.

Instead of deleting this, you can add the following lines to the TURN config:

listening-ip=INTERNAL-IP
allowed-peer-ip=INTERNAL-IP
no-udp

Thanks very much for the help. Which way do you think would be safer/better? Adding these rules on coturn or properly setting my company’s firewall?

Setting firewall rules is better. The denied-peer-ip lines prevent access to the internal IP blocks through the TURN service.
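To make the trade-off discussed in the last few posts concrete, here is a small Python model of coturn's peer ACL (an added example, not code from the thread or from coturn itself). It assumes, as coturn documents, that an allowed-peer-ip match takes precedence over denied-peer-ip; the config fragments and the 10.0.0.5 stand-in for INTERNAL-IP are constructed.

```python
import ipaddress

# Constructed coturn config fragments (not the thread author's real files).
CONF_WITH_DENY = """
listening-port=443
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
"""
# What "just delete the denied-peer-ip lines" leaves behind.
CONF_DENY_REMOVED = "listening-port=443\n"
# The suggested alternative: keep the deny range, allow one internal host.
# 10.0.0.5 is a constructed stand-in for INTERNAL-IP.
CONF_ALLOW_ONE_HOST = """
listening-ip=10.0.0.5
allowed-peer-ip=10.0.0.5
denied-peer-ip=10.0.0.0-10.255.255.255
no-udp
"""

def parse_range(spec):
    """coturn accepts a single address or an inclusive 'first-last' range."""
    parts = [ipaddress.ip_address(p.strip()) for p in spec.split("-", 1)]
    return parts[0], parts[-1]

def parse_peer_acl(conf_text):
    """Collect allowed-peer-ip / denied-peer-ip ranges, skipping comments."""
    allowed, denied = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key == "allowed-peer-ip":
            allowed.append(parse_range(value))
        elif key == "denied-peer-ip":
            denied.append(parse_range(value))
    return allowed, denied

def in_range(ip, rng):
    return rng[0].version == ip.version and rng[0] <= ip <= rng[1]

def peer_allowed(conf_text, peer):
    """Would coturn relay to `peer`? An allowed-peer-ip match wins first,
    then any denied-peer-ip match blocks; otherwise the peer is reachable."""
    ip = ipaddress.ip_address(peer)
    allowed, denied = parse_peer_acl(conf_text)
    if any(in_range(ip, r) for r in allowed):
        return True
    return not any(in_range(ip, r) for r in denied)
```

With the deny lines removed, loopback and the whole 10/8 block become reachable through the relay; with allowed-peer-ip limited to the one host, only that host is, which is why keeping the deny ranges and fixing the firewall is the safer route.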

Thanks very much emrah. I will ask the firewall team to properly set up the rules.

One more question: my company is pushing towards Docker deploys of Jitsi, which we have been using for a while; they work amazingly and are a lot more hassle-free than the standard deployment.

Is there a way to set up the dockerized installation of Jitsi to use 443 TCP only as well, just as we did with the manual install?

No idea for the Docker case.