Proxy jvb websocket & coturn

Hi,

I’m running a Jitsi instance and tried to configure WebSockets for the videobridge, but when proxying the request through nginx it fails with Chrome. Interestingly, it works with Firefox.

After a bit of debugging I found out that requests from Chrome to the wss:// address are forwarded to coturn.

I assume the map statement in /etc/nginx/modules-enabled/60-jitsi-meet.conf needs to be extended. When I set the default to web for testing, the request gets forwarded correctly.

map $ssl_preread_alpn_protocols $upstream {
    ~\bh2\b         web;
    ~\bhttp/1\.     web;
    default         turn;
}

Could you please advise which pattern to add to correctly forward the wss:// requests?

EDIT: Same also happens for /xmpp-websocket

OK, it looks like Chrome is not sending ALPN protocols in the WebSocket request but Firefox does.

First is Chrome, second is Firefox.

Any Ideas how to solve this?

I’m seeing the same thing… WebSockets fail when trying to multiplex.

I tried adding ~\bwss\b web; and although I got more info from the failed WebSocket connection, it didn’t resolve the issue.

So this probably catches the WebSocket, but as Chrome (and probably all other Blink-based browsers) doesn’t use ALPN in the initial HTTP/1.1 request, this will still hit turn instead of web.

Maybe it’s possible to add another map in front of $ssl_preread_alpn_protocols that matches against $uri (I don’t know if it is available inside the stream directive) or something else.

I did some tests and $uri is not available at this point of the connection. What seems to work is matching against $ssl_preread_server_name and using a different domain for the TURN server, like turn.example.net instead of meet.example.net. But this might be problematic if you use Let’s Encrypt with the http-01 challenge, as all traffic for that domain goes to the coturn instance. With dns-01 and wildcard certificates this shouldn’t be a problem.

map $ssl_preread_server_name $upstream {
  "turn.example.net" turn;
  default web;
}

I wonder if it makes sense to use proxy_protocol for the web traffic.

I don’t have any experience with the proxy protocol, but from the coturn docs it looks like it is supported. So it might be possible.

I’ve now configured our Jitsi installation to match against $ssl_preread_server_name and it is working fine. I just had to change one more thing, which is to set the upstream addresses to the external (IPv4) address of the server, as coturn was rejecting connections from localhost with 401 Unauthorized.

My 60-jitsi-meet.conf now looks like this:

stream {
    # nginx itself (the Jitsi Meet vhost) listens on 4444, coturn on 4445.
    # Both use the server's external IPv4 address rather than 127.0.0.1,
    # because coturn rejected connections coming from localhost with 401.
    upstream web {
        server <external-ip>:4444;
    }
    upstream turn {
        server <external-ip>:4445;
    }

    # Route on the SNI hostname of the ClientHello instead of ALPN:
    # only the dedicated TURN hostname goes to coturn, everything else
    # (including Chrome's ALPN-less WebSocket upgrades) goes to the web vhost.
    map $ssl_preread_server_name $upstream {
        "turn.<your-domain.net>" turn;
        default                  web;
    }

    server {
        listen 443;
        listen [::]:443;

        # Peek at the ClientHello without terminating TLS; the TLS session
        # is passed through untouched to the selected upstream.
        ssl_preread on;
        proxy_pass $upstream;
        proxy_buffer_size 10m;
    }
}

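As an added example (not from this thread and not Jitsi or nginx project code), the script below reproduces offline what the ssl_preread map sees for the three cases discussed above: a Chrome-style WebSocket upgrade that sends SNI but no ALPN, a Firefox/HTTP client that advertises http/1.1 or h2, and a TURN client connecting to the dedicated TURN hostname. It generates real ClientHello records with Python's ssl module memory BIOs (no network needed), parses out the server_name and ALPN extensions the way ssl_preread populates $ssl_preread_server_name and $ssl_preread_alpn_protocols, and applies both map variants from the thread. The hostnames meet.example.net and turn.example.net are the thread's placeholders; the turn_host parameter and the absence of any other extension handling are assumptions of this example.

```python
import re
import ssl
import struct


def client_hello_bytes(server_name, alpn=None):
    """Return the raw TLS ClientHello record a client would send.

    Uses a memory BIO so nothing touches the network; the handshake stops
    as soon as the client has written its first flight.  Passing alpn=None
    mimics Chrome's WebSocket upgrade, which sends no ALPN extension.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # we never get a certificate back
    ctx.verify_mode = ssl.CERT_NONE
    if alpn:
        ctx.set_alpn_protocols(alpn)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                            # ClientHello written, waiting for the server
    return outgoing.read()


def preread(record):
    """Extract (server_name, [alpn protocols]) from a ClientHello record.

    This is the same information nginx's ssl_preread exposes as
    $ssl_preread_server_name and $ssl_preread_alpn_protocols.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]

    pos = 2 + 32                                    # legacy_version + random
    pos += 1 + body[pos]                            # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                            # compression methods

    server_name, alpn = "", []
    if pos + 2 > len(body):
        return server_name, alpn                    # hello without extensions
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == 0:                              # server_name (SNI)
            p = 2                                   # skip ServerNameList length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                      # host_name
                    server_name = data[p:p + nlen].decode("ascii")
                p += nlen
        elif etype == 16:                           # application_layer_protocol_negotiation
            p = 2                                   # skip ProtocolNameList length
            while p < len(data):
                plen = data[p]
                p += 1
                alpn.append(data[p:p + plen].decode("ascii"))
                p += plen
    return server_name, alpn


def route_by_alpn(alpn):
    """The original 60-jitsi-meet.conf map keyed on $ssl_preread_alpn_protocols."""
    value = ",".join(alpn)                          # nginx joins the list with commas
    if re.search(r"\bh2\b", value) or re.search(r"\bhttp/1\.", value):
        return "web"
    return "turn"                                   # default: anything without ALPN


def route_by_sni(server_name, turn_host="turn.example.net"):
    """The replacement map keyed on $ssl_preread_server_name (turn_host is assumed)."""
    return "turn" if server_name == turn_host else "web"


def classify(server_name, alpn=None):
    """Build a ClientHello, preread it, and return (sni, alpn, alpn_route, sni_route)."""
    sni, protos = preread(client_hello_bytes(server_name, alpn))
    return sni, protos, route_by_alpn(protos), route_by_sni(sni)


if __name__ == "__main__":
    for label, host, alpn in [
        ("Chrome wss:// (no ALPN)", "meet.example.net", None),
        ("Firefox wss:// (http/1.1)", "meet.example.net", ["http/1.1"]),
        ("Browser page load (h2)", "meet.example.net", ["h2", "http/1.1"]),
        ("TURN client on turn host", "turn.example.net", None),
    ]:
        sni, protos, by_alpn, by_sni = classify(host, alpn)
        print(f"{label:28} sni={sni:18} alpn={protos or '-'!s:18} "
              f"alpn-map -> {by_alpn:4}  sni-map -> {by_sni}")
```

Run it as a script and the first row shows the failure from the top of the thread: the ALPN-less ClientHello matches neither regex and falls through to turn, while the SNI map sends it to web. The same preread() can be pointed at a pcap-extracted ClientHello from a real browser to confirm what it actually advertised before changing the nginx map.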

Thanks for sharing. We were thinking of removing the current multiplexing and leaving a doc with instructions on how to configure this the way you did it.

Hi, having made this change in nginx to send traffic for turn.mydomain.net to coturn, what other config changes do I need to make in Jitsi/Prosody to get it to use turn.mydomain.net?