Nginx stream with coturn: all https traffic logs as coming from 127.0.0.1

we’re almost there :slight_smile:

So 60-jitsi-meet.conf implements a stream to peek in the ssl packet to identify if it is a TURN thing or regular https traffic. If the former, forward to port 4445; if the latter, forward to port 4444. Port 4444 then is also handled by nginx in the regular sitename.conf, just like always. As I understand that is the way the config is intended when doing a clean package install, and it seems to be fully functional.

The downside of this, as it seems, is that all web-traffic now seems to be coming from 127.0.0.1 because it has already passed the nginx proxy part first. It is not possible to use proxy_set_header because that cannot work in a stream section (which makes sense if you think about it).

How do you guys keep stats sane? Is there a fix I missed?

Thanks!

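For readers who do not have the package's file in front of them, here is an added illustration (not the thread's own config, and not a copy of the jitsi-meet package's 60-jitsi-meet.conf) of the peek-and-route layout described above. The ALPN-based map is my assumption of how the split is decided; the PROXY protocol lines go beyond what the thread describes and show how a stream proxy can hand the original client address to the http server so its access log no longer records 127.0.0.1.

```nginx
# Added example: TLS ClientHello peek in a stream block, then routing to
# the web vhost (4444) or coturn (4445). Port numbers are from the thread.
stream {
    upstream web  { server 127.0.0.1:4444; }
    upstream turn { server 127.0.0.1:4445; }

    # Assumption: HTTP clients advertise h2 or http/1.x via ALPN, TURN
    # clients do not, so anything else goes to coturn. Requires nginx >= 1.13.10.
    map $ssl_preread_alpn_protocols $upstream {
        ~\bh2\b      web;
        ~\bhttp/1\.  web;
        default      turn;
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;          # read the ClientHello without terminating TLS
        proxy_pass $upstream;
        # Beyond the thread: prepend a PROXY protocol header carrying the
        # real client address to whatever 127.0.0.1 backend receives it.
        proxy_protocol on;
    }
}

http {
    server {
        # The vhost must expect the PROXY header on this port, otherwise
        # the TLS handshake fails because the first bytes are not TLS.
        listen 4444 ssl proxy_protocol;
        server_name meet.example.org;          # placeholder hostname

        # Only trust the PROXY header from the local stream proxy; after
        # this, $remote_addr in access_log is the original client, not 127.0.0.1.
        set_real_ip_from 127.0.0.1;
        real_ip_header proxy_protocol;

        access_log /var/log/nginx/meet.access.log;
        # ... the rest of sitename.conf (ssl_certificate, locations) unchanged
    }
}
```

coturn on 4445 would see the same PROXY header unless it is told to expect it, so the turn upstream either needs a separate stream server without `proxy_protocol on` or a coturn build that understands the PROXY protocol; check before enabling it globally.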

Hi @florianoverkamp, it seems there is an issue with the module config. I have a massive issue today, as the module config interferes with my sites-available config and blocks NGINX from starting.
I had to make a workaround to start NGINX, as the main website needed to be up again. However, Jitsi doesn't work anymore.

EDIT: If you have a hint how to get a workaround, I am more than happy to hear about it :wink: I am not really familiar with nginx and modules.

Good catch, I hope there is a fix for that in that configuration, but I don’t know of one, sorry.

I’m currently looking into SSLH this might be a better solution for directing traffic to nginx or CoTURN.

Before I dive into this rabbit hole, did anyone try this route?

I tried SSLH and came with the same results. Apparently it should be able to support transparent SSL proxying mode, but I didn't manage to get it to work. So I have given up on the TCP routing of SSL traffic method.

I’m going to revert the nginx config back to the old style and let it listen to 443 and open another port on the firewall (port 4445) to allow direct access to the turnserver. After that I only need to change the Jitsi meet config (etc/jitsi/meet/HOSTNAME-config.js) to change the port of the STUN server.

Then I will have my proper access logs with client IPs :slight_smile:

You also need to change prosody config.

Hi @Nemo, hi @damencho, after figuring out this issue (it took a night, as I didn’t find this thread back then) I just turned off STUN and P2P in jitsi-meet’s config and moved the nginx config back to the port 443.

AFAIK it worked fine and in my particular use case (classroom of nearly 30 people) it shouldn’t make much difference (or maybe I’m missing something?), but actually it would be nice to have such optimization.

What changes to the prosody’s config did you need?