Problems with jitsi behind nginx reverse proxy (http-bind 502) non docker installation

I’ve set up Jitsi behind a separate Nginx reverse proxy looking like this:
NAT (all to RP except 10000 UDP, which is sent to Jitsi) → Nginx RP → Jitsi

All are separate machines and VMs, and none of the machines are cloud hosted; I have the physical machines.
and I’ve looked at a variety of posts on the subject including:

and on other websites:

and some dead end reddit threads.

but I still can’t get it to work; I get to the web end but I can’t start a room, I’m simply unable to progress from the welcome page. I suspect this is because I can’t get all the back-end web processes through the RP, but I’m not sure what I’ve configured incorrectly.

/etc/jitsi/videobridge/sip-communicator.properties looks like:


#org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
#org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
org.jitsi.videobridge.ENABLE_STATISTICS=true
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost
org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.Domain name
org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb
org.jitsi.videobridge.xmpp.user.shard.PASSWORD=e9EznRMP
org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.Domain name
org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=cdc7403b-8a29-47aa-9440-feab7a6048ba
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=>>192.168.1.166<<
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=>>PUBLICIP<<

I’ve commented out the top two lines as suggested in other posts.

The RP Nginx config: nginx jitsi RP config - Pastebin.com

The Jitsi Nginx has remained the default.
I did do as this post suggests (Jitsi meet in DMZ behind NAT and Nginx reverse proxy - #11 by Noreu) and commented out the SSL configs in the Jitsi Nginx config, but it caused syntax errors so I decided not to.

I’ll post logs as requested. Most have no record of contact, but the main one of note is the /var/log/nginx/access.log on the RP, which says “POST /http-bind?room=test HTTP/1.1” 502 559 “https:///test”, which I believe to mean that http-bind returns a 502 and 559 error.

The Jitsi-side firewall allows all ports as requested in the docs: Self-Hosting Guide - Debian/Ubuntu server | Jitsi Meet

In the end, having Jitsi behind an RP is pretty common in most if not all work environments, and the fact that I can’t find much on it is surprising with how much of a no-brainer this should be. I just want to be able to host multiple services on my network, and if I have to give up on an Nginx RP and move to a different program I will (HAProxy seems like it might work). I’m also maybe overlooking something simple, as most problems usually end up being, but I greatly appreciate any help you can offer.

Check your prosody logs, do you see any errors there?

What do you see when you open it in the browser like this: Prosody BOSH endpoint

prosody log

Aug 26 00:00:01 avmoderation.domain name:tls info Certificates reloaded
Aug 26 00:00:01 focus.domain name:tls info Certificates reloaded
Aug 26 11:06:41 mod_bosh info New BOSH session, assigned it sid ‘1c1ec06a-596c-4f4c-a6d7-aa01ffead982’
Aug 26 11:06:41 bosh1c1ec06a-596c-4f4c-a6d7-aa01ffead982 info Authenticated as f1er4un6lxbjnswy0–5o3fg@domain name
Aug 26 11:06:44 bosh1c1ec06a-596c-4f4c-a6d7-aa01ffead982 info BOSH client disconnected: session close
Aug 26 11:06:44 speakerstats.domain name:speakerstats_component warn A module has been configured that triggers external events.
Aug 26 11:06:44 speakerstats.domain name:speakerstats_component warn Implement this lib to trigger external events.

The log’s not helpful in this case, as I changed the NAT forwarding to ignore the RP and go straight to the server so it would be up during active hours, and there are no logs from the time it was routed through the RP.

In short, it’s empty, no connections.

I didn’t expect so quick a reply, but the server is in the up state at the moment, and I’ll try rerouting and testing the Prosody BOSH endpoint when I can next put it in a down state, which is tomorrow morning (UK).

Hello, I put /http-bind on the end of the domain as suggested to test the BOSH endpoint and it says 502 Bad Gateway.

@thomas_wood Can you share your nginx configs? (Never mind, I see them now)

Also, I’m curious why you are doing it this way.

You said:

Maybe if you explained more about your setup it would help us understand better.

From the RP… (Or on the same 192… LAN) what does curl http://192.168.1.166:5280/http-bind return?

It should return something that says It works! ...

I’ve got the physical hardware, so I want to be able to host multiple services behind my router, specifically:
Jitsi, Nextcloud, Mattermost, and MySQL databases connecting to external devices. But I’ve not had any problem with those programs and this isn’t the forum for them anyway. I was using nginx for them, but I might end up swapping to a different solution (maybe HAProxy) if I can’t get Jitsi to play nice with nginx.

Sorry, I should have been more clear.

Today I set it up through the RP again and it replied to a /http-bind test with a 502. This led me to conclude that there’s some type of fault with my Nginx config. An ‘nginx -t’ test says there are no syntax errors.
I’m not sure what’s wrong with my nginx config.

192.168.1.166 is the internal IP of my Jitsi server and is on the same LAN as the RP, just behind it.
curl http://192.168.1.166:5280/http-bind from the RP says: Failed to connect to 192.168.1.166 port 5280: Connection refused

Because I’m not getting errors on the Jitsi side, I believe it’s a problem with my nginx config and I’m not sure what it is.
Maybe I’m missing a plug-in on the RP side? I’m not sure what plug-ins were added to nginx on the Jitsi side, as it was auto-installed and configured by the Jitsi installer.

thanks for the help

That’s bad. I assume your RP is 192.168.1.xxx? If so your jitsi server is not listening? Or otherwise unreachable…

What do you get from the jitsi server (ssh to 192.168.1.166) if you run:

curl http://127.0.0.1:5280/http-bind

The Jitsi server works fine if I send the NAT forwarding to it directly.
This is the response to: curl http://127.0.0.1:5280/http-bind

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>404 Not Found</title>
<style>
body{margin-top:14%;text-align:center;background-color:#f8f8f8;font-family:sans-serif}
h1{font-size:xx-large}
p{font-size:x-large}
p.warning>span{font-size:large;background-color:yellow}
p.extra{font-size:large;font-family:courier}
@media(prefers-color-scheme:dark){
body{background-color:#161616;color:#eee}
p.warning>span{background-color:inherit;color:yellow}
}
</style>
</head>
<body>
<h1> 404 Not Found</h1>
<p>Whatever you were looking for is not here. Keep looking.</p>

<p class="extra">Unknown host: 127.0.0.1</p>
</body>
</html>

It works when just putting /http-bind at the end of the domain name to test the BOSH endpoint.
Since it’s fine when not through the RP, I assume the above reply is fine.

The above reply is not fine. It should give you a It Works! page, as seen here:

https://meet.jit.si/http-bind

Keep in mind that’s correctly reverse proxied from port 443 to 5280 on Jitsi’s infrastructure.

When I put domain-name/http-bind into a browser I get the “It works” page. When I type the command
curl http://127.0.0.1:5280/http-bind into the Jitsi server’s Ubuntu terminal it gives me the quoted lines above. Also, it’s working fine when not put through the RP.

The localhost thing is normal, you have bosh activated for that domain only in virtualhosts in prosody.
So the RP is different machine which forwards to the nginx running on the jitsi-meet machine?

yes that’s right.
NAT forwarding router → nginx RP on a Raspberry Pi → VM running Ubuntu 20.04 with a non-Docker install of Jitsi.

Hum. So for a request you get 502 on RP do you see that request on the jitsi-meet nginx in access.log?

No, I double-checked today’s log too.

All of this has led me to believe that it’s some error in how I’ve set up the RP’s Nginx.

Yep. You have two matching of http-bind for example … You need to better order them … I’m not so familiar with nginx matching … but yeah seems a problem in that nginx. Maybe you can find some examples from a community member by searching in the docker issue tracker open & closed ticket, I remember seeing one …
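
How nginx chooses between several location blocks that all match /http-bind, as an added example that is not part of the thread. The config below is constructed for illustration (it is not the poster's Pastebin config, and meet.example.org is a placeholder); the helper names are hypothetical, and only flat location blocks with proxy_pass as their first directive are parsed.

```python
import re

# Constructed reverse-proxy config, NOT the poster's Pastebin file. The upstream
# IP is the Jitsi server from the thread; meet.example.org is a placeholder.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name meet.example.org;
    location ~ ^/(http-bind|xmpp-websocket) {
        proxy_pass http://192.168.1.166:5280;
    }
    location /http-bind {
        proxy_pass https://192.168.1.166;
        proxy_set_header Host $host;
    }
    location / {
        proxy_pass https://192.168.1.166;
        proxy_set_header Host $host;
    }
}
"""

LOCATION_RE = re.compile(
    r"location\s+(?:(=|\^~|~\*|~)\s+)?(\S+)\s*\{\s*proxy_pass\s+([^;]+);")

def parse_locations(conf):
    """Return (modifier, pattern, upstream) per location block, in file order."""
    return [(m, p, u.strip()) for m, p, u in LOCATION_RE.findall(conf)]

def select_location(locations, uri):
    """Pick the location nginx would use for a request path (no query string)."""
    best = None
    for loc in locations:
        mod, pat, _ = loc
        if mod == "=" and uri == pat:
            return loc                      # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc                  # remember the longest prefix match
    if best and best[0] == "^~":
        return best                         # ^~ skips the regex pass
    for loc in locations:
        mod, pat, _ = loc
        if mod in ("~", "~*") and re.search(pat, uri, re.I if mod == "~*" else 0):
            return loc                      # first matching regex wins
    return best

def upstream_for(conf, uri):
    chosen = select_location(parse_locations(conf), uri)
    return chosen[2] if chosen else None
```

With this constructed config, /http-bind is sent to the regex block (port 5280, which refused connections from the RP in the thread) even though a dedicated prefix block exists and `nginx -t` passes. Writing the prefix block as `location ^~ /http-bind` or `location = /http-bind` gives it priority over the regex.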