Port confusion in multi host setup

I am trying to set up a little Jitsi cluster on two machines. But it seems the two machines cannot yet talk to each other. As soon as a second person joins the meeting we are getting the “something is wrong” error, flip-flopping between the two people.

Here is a quick run down of the install:

machine #1 (jms): 
  - jicofo
  - prosody
  - nginx

machine #2 (jvb):
  - jvb

Host OS is Debian Buster. Packages on machine #1 are

  - prosody
  - jicofo
  - jitsi-meet-web
  - jitsi-meet-prosody
  - jitsi-meet-web-config

and on machine #2

  - jitsi-videobridge2

I’ve installed Java 8 as the JRE.

I’ve checked many articles and the docs but the ports mentioned do not exactly match what I am seeing on the machines.

jms # netstat -ntulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:5222            0.0.0.0:*               LISTEN      26917/lua5.2        
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5942/nginx: master  
tcp        0      0 0.0.0.0:5269            0.0.0.0:*               LISTEN      26917/lua5.2        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      10138/sshd          
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5942/nginx: master  
tcp        0      0 0.0.0.0:5280            0.0.0.0:*               LISTEN      26917/lua5.2        
tcp        0      0 127.0.0.1:5347          0.0.0.0:*               LISTEN      26917/lua5.2        
tcp6       0      0 :::5222                 :::*                    LISTEN      26917/lua5.2        
tcp6       0      0 :::5269                 :::*                    LISTEN      26917/lua5.2        
tcp6       0      0 :::22                   :::*                    LISTEN      10138/sshd          
tcp6       0      0 :::8888                 :::*                    LISTEN      25276/java          
tcp6       0      0 :::5280                 :::*                    LISTEN      26917/lua5.2        
tcp6       0      0 ::1:5347                :::*                    LISTEN      26917/lua5.2 

jvb # netstat -ntulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      10021/sshd          
tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      28545/java          
tcp6       0      0 :::22                   :::*                    LISTEN      10021/sshd          
tcp6       0      0 :::9090                 :::*                    LISTEN      28545/java          
udp        0      0 0.0.0.0:68              0.0.0.0:*                           763/dhclient        
udp        0      0 0.0.0.0:68              0.0.0.0:*                           512/dhclient        
udp        0      0 127.0.0.1:323           0.0.0.0:*                           9769/chronyd        
udp6       0      0 ::1:323                 :::*                                9769/chronyd     

On the JMS I opened ports 80, 443 and 5222, but I am wondering about 5269, 5280 and 5347, which listen just on localhost. I am also wondering if it is OK to have 5222 open to the world or whether it should/needs to be shared only on a LAN.

On the JVB it feels totally off from the docs. A local port 8080, 9090 open to the world, and no Jitsi-related UDP at all? I’ve opened 443, 4443 and UDP 10000, but I am not sure for what.

In the JVB logs I can see that it does not find the XMPP server yet.

2020-10-18 14:39:35.027 WARNING: [17] [hostname=localhost id=shard] MucClient.lambda$getConnectAndLoginCallable$7#673: [MucClient id=shard hostname=localhost] error connecting
org.jivesoftware.smack.SmackException$ConnectionException: The following addresses failed: 'localhost:5222' failed because: localhost/127.0.0.1 exception: java.net.ConnectException: Connection refused (Connection refused)

Now the JVB config does not even mention port 5222, and what I thought could be relevant looks like this:

JVB_HOSTNAME=jitsi.foo.com
JVB_HOST=
JVB_PORT=5347

videobridge {
    http-servers {
        public {
            port = 9090
        }
    }
    websockets {
        enabled = true
        domain = "jitsi.foo.com:443"
        tls = true
    }
}

org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=jitsi.foo.com
org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.jitsi.foo.com

My first guess is that the JVB also needs a nginx that proxy passes to 9090?
But that does not seem to be in line with the docs at all.

Does anyone have pointers on checking a multi host setup?

These are all you need on JMS

TCP/5222 should be accessible by JVB (and by Jibri if you have one…). Not needed for clients.

Only UDP/10000 for JVB…

Easy way to create a Jitsi cluster based on Debian Buster

But from a security standpoint it would be OKish to have it exposed? I guess that would also allow adding JVBs from other networks without an overlay network.

But why isn’t there a listener on 10000?
And what are the ports 8080 and 9000 for?

Wow - I’ll dig and see if I can pick up some things there. Thanks!

I don’t know the internal mechanism, but since this is the standard XMPP port and needs authentication, it should be secure to open it publicly. A newly created JVB instance has a random IP in an auto-scaling scenario, therefore this port is open publicly in most use cases.

Probably the videobridge service doesn’t run or there is a config issue.

systemctl status jitsi-videobridge2.service

ps aux | grep jvb

TCP/8080 is the COLIBRI port, the REST API for JVB.
TCP/9090 is newly added (I think on the latest stable) and I have no idea.

I had XMPP issues. Seems like it’s only listening on 10000 when there is a connection to the XMPP server. So that clears things up.

But that isn’t really used?

It would be so nice if there was a page in the docs describing all the ports. At least I didn’t find one.

Thanks for the help!

It’s useful for the server admin, not required for server operation.
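The port checks the replies above describe (TCP/5222 on the JMS reachable by the JVB, UDP/10000 appearing on the JVB only once it has logged in over XMPP, TCP/8080 being the admin-only COLIBRI REST API) turned into a small audit, as an added shell example that is not from this thread or the Jitsi project; the netstat lines and the log line it parses are constructed to mirror the original post.

```shell
# Added example, not from the thread: audit "netstat -ntulp" output against the
# port exposure described in the replies, and extract the XMPP target from the JVB log.

# bound_addr <netstat output> <tcp|udp> <port>: print each local address the
# port is listening on (one per line, e.g. 0.0.0.0, 127.0.0.1, ::, ::1).
bound_addr() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        index($1, proto) == 1 {                 # tcp also matches tcp6, udp matches udp6
            n = split($4, a, ":")
            if (a[n] == port) { sub(":" port "$", "", $4); print $4 }
        }'
}

# Succeed if the port is bound on something other than loopback, i.e. other
# hosts can reach it (firewall permitting).
bound_nonloopback() {
    bound_addr "$1" "$2" "$3" | grep -qvx -e 127.0.0.1 -e ::1
}

# JMS (prosody host): the JVB on the other machine must be able to reach TCP/5222.
audit_jms() {
    bound_nonloopback "$1" tcp 5222 && return 0
    echo "tcp/5222 not reachable from other hosts: remote JVB cannot log in"; return 1
}

# JVB host: UDP/10000 must be bound (it only is once the XMPP login succeeded);
# TCP/8080 (COLIBRI REST API, admin-only) should stay on loopback.
audit_jvb() {
    rc=0
    if [ -z "$(bound_addr "$1" udp 10000)" ]; then
        echo "udp/10000 not bound: JVB has no XMPP connection to the JMS yet"; rc=1
    fi
    if bound_nonloopback "$1" tcp 8080; then
        echo "tcp/8080 bound beyond loopback: REST API exposed to other hosts"; rc=1
    fi
    return $rc
}

# xmpp_failed_target <JVB log>: host:port from Smack's "addresses failed" line.
# "localhost:5222" on a separate JVB machine means it is not pointing at the JMS.
xmpp_failed_target() {
    printf '%s\n' "$1" | sed -n "s/.*The following addresses failed: '\([^']*\)'.*/\1/p" | head -n 1
}

# Constructed samples: the JVB as posted (no UDP/10000 yet) and its log line.
JVB_BROKEN='tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      28545/java
tcp6       0      0 :::9090                 :::*                    LISTEN      28545/java'
JVB_LOG="SmackException\$ConnectionException: The following addresses failed: 'localhost:5222' failed because: localhost/127.0.0.1 exception: Connection refused"
audit_jvb "$JVB_BROKEN" || echo "JVB tried XMPP at: $(xmpp_failed_target "$JVB_LOG")"
```

Run it with the real `netstat -ntulp` output captured into a variable on each host; the JMS check only confirms the socket is bound, so the firewall rule for 5222 still has to be verified separately.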