Reaching from Behind HTTPS Proxy - Audio and Video Not Working

Hello.
I have been on this job for over one month, and I need your help.
We have a proxy server for our company. The proxy server can transmit HTTP/S traffic and WebSocket.

And we have a Jitsi server. We can connect to the Jitsi server only over TCP 443; we tested it with a firewalled server (let's say client1) which has all ports blocked except 80 and 443. We could have a meeting with this server configuration (client1 - Jitsi server - another client) (STUN/TURN is disabled, all traffic is going through the Jitsi server) (we are sure there wasn't any packet other than TCP 443; we tested with Wireshark).
And I even disabled WebSockets in the configs, and it worked.

But when it comes to working WITH THE PROXY, we can't have a meeting (we can connect to the meeting room, people can see each other in the participant list and they can message, but they can't see or hear each other).
I disabled WebSockets for this configuration as well.

What might be the problem?
What I really ask is, which protocols does Jitsi use while having a conference over TCP?
If I can know this, I can maybe implement/add the protocol on the proxy.

This means that clients cannot connect to JVB directly or over the TURN server

Which protocol is needed to connect to JVB? For example maybe BOSH?

UDP.

To be able to use TCP you need a TURN server, and clients need to be able to establish a direct http connection to it.

I actually don't know how this is happening, but the Jitsi installer lets us have a connection over http. We just tested it yesterday and everything is working without a problem.

jitsi/meet/example.com-config.js

var config = {
    hosts: {
        domain: 'example.com',
        muc: 'conference.<!--# echo var="subdomain" default="" -->example.com'
    },
    bosh: '//example.com/http-bind',
    clientNode: 'http://jitsi.org/jitsimeet',
    testing: {
        p2pTestMode: false
    },
    enableNoAudioDetection: true,
    enableNoisyMicDetection: true,
    channelLastN: -1,
    enableWelcomePage: true,
    p2p: {
        enabled: false,
        stunServers: [
        ]
    },
    analytics: {
    },
    deploymentInfo: {
    },
    makeJsonParserHappy: 'even if last key had a trailing comma'
};

jitsi/jicofo/config

JICOFO_HOST=localhost
JICOFO_HOSTNAME=example.com
JICOFO_AUTH_DOMAIN=auth.example.com
JICOFO_AUTH_USER=focus
JICOFO_AUTH_PASSWORD=SomePasswordHere
JICOFO_MAX_MEMORY=3072m
JICOFO_OPTS=""
JAVA_SYS_PROPS="-Dconfig.file=/etc/jitsi/jicofo/jicofo.conf -Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jicofo -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi -Djava.util.logging.config.file=/etc/jitsi/jicofo/logging.properties"

jitsi/jicofo/jicofo.conf

jicofo {
    xmpp: {
        client: {
            client-proxy: focus.example.com
        }
    }
}

jitsi/jicofo/sip-communicator.properties

org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.example.com

jitsi/videobridge/config

JVB_HOSTNAME=example.com
JVB_HOST=
JVB_PORT=5347
JVB_SECRET=SomeSecret
VIDEOBRIDGE_MAX_MEMORY=3072m
JVB_OPTS="--apis=rest,"
JAVA_SYS_PROPS="-Dconfig.file=/etc/jitsi/videobridge/jvb.conf -Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=videobridge -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi -Djava.util.logging.config.file=/etc/jitsi/videobridge/logging.properties"

jitsi/videobridge/jvb.conf

videobridge {
    http-servers {
        public {
            port = 9090
        }
    }
    websockets {
        enabled = true
        domain = "example.com:443"
        tls = true
    }
}

jitsi/videobridge/sip-communicator.properties

org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
org.jitsi.videobridge.ENABLE_STATISTICS=true
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost
org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.example.com
org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb
org.jitsi.videobridge.xmpp.user.shard.PASSWORD=SomeSecret
org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.example.com
org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=34c77682-3182-4f42-8940-1108595e7de1
org.jitsi.videobridge.rest.private.jetty.port=8080
org.jitsi.videobridge.rest.private.jetty.host=127.0.0.1
org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT=10000

nginx/sites-available/example.com

server_names_hash_bucket_size 64;

types {
    application/wasm     wasm;
}

server {
    listen 80;
    listen [::]:80;
    server_name example.com turn.example.com;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root         /usr/share/jitsi-meet;
    }

    location = /.well-known/acme-challenge/ {
        return 404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 4444 ssl;
    listen [::]:4444 ssl;
    server_name example.com turn.example.com;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_certificate /etc/jitsi/meet/example.com.crt;
    ssl_certificate_key /etc/jitsi/meet/example.com.key;

    root /usr/share/jitsi-meet;

    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;
    error_page 404 /static/404.html;

    gzip on;
    gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
    gzip_vary on;
    gzip_proxied no-cache no-store private expired auth;
    gzip_min_length 512;

    location = /config.js {
        alias /etc/jitsi/meet/example.com-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$ {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;
        if ($arg_v) {
            expires 1y;
        }
    }

    location = /http-bind {
        proxy_pass       http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    location = /xmpp-websocket {
        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        tcp_nodelay on;
    }

    location ~ ^/colibri-ws/default-id/(.*) {
        proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        tcp_nodelay on;
    }

    location ~ ^/colibri-ws/([0-9.]*)/(.*) {
        proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        tcp_nodelay on;
    }

    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }

    location ~ ^/([^/?&:'"]+)/config.js$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        alias /etc/jitsi/meet/example.com-config.js;
    }

    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }

    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";
        rewrite ^/(.*)$ /http-bind;
    }

    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";
        rewrite ^/(.*)$ /xmpp-websocket;
    }
}

Currently running programs:

jicofo.service - loaded active running LSB: - Jitsi conference Focus
jitsi-videobridge2.service - loaded active running - Jitsi Videobridge
coturn.service - loaded active running - coTURN STUN/TURN Server
nginx.service - loaded active running - A high performance web server and a reverse proxy server
prosody.service - loaded active running - Prosody XMPP Server

When I stop coturn, the conferences end. So, I guess the installer uses coTURN too, which means it has a TURN server which enables communicating over HTTP. Here is the installer: installers/jitsi-base-installer at main · jitsi-contrib/installers · GitHub

What can be the problem with the proxy? And how does the TURN server communicate over TCP 443? Which protocol does it use?

Does your proxy differentiate web and TURN traffic according to domain names?

I don't think so; what should be done at this point?
We hadn't considered TURN traffic until Jitsi. We are just an HTTP/S proxy, and we support WebSockets. How do we differentiate TURN traffic, and what do we do after differentiating it? Thanks a lot.

Here is an example of how you can differentiate TURN traffic based on DNS with nginx:

You need to forward the stream to the TURN server; you cannot proxy it.

I tried the web page, and I lost the ability to talk over TCP 443.

I have already given a domain name for turn, which is turn.example.com. (I used your installer @emrah )
And I found a conf file under /usr/local/share/nginx/modules-available/jitsi-meet.conf
The file includes these:

# this is jitsi-meet nginx module configuration customized by jitsi installer.
# this forwards all turn traffic to the coturn port
# and the rest to the nginx virtualhost port.
# you need a second FQDN for the turn server.
stream {
    upstream web {
        server 127.0.0.1:4444;
    }
    upstream turn {
        server 11.22.33.44:5349;
    }
    map $ssl_preread_server_name $upstream {
        turn.example.com         turn;
        default                 web;
    }
    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;
        proxy_pass $upstream;
        # Increase buffer to serve video
        proxy_buffer_size 10m;
    }
}

I guess this handles the situation. (If it doesn't, please let me know.)
We can talk over TCP 443, but we can't talk over the proxy server.
I blocked every port except 443 and 80, and we could have a conversation.

Same file exists in /etc/nginx/modules-enabled/99-jitsi-meet-custom.conf

You also need to make sure your web server config listens on 4444.

Have you followed Setting up TURN · Jitsi Meet Handbook? All this is described there.

Yes, I have shared the configurations for the web server under one of the answers:

I have been on this issue for more than a month; I really need your help. Thanks.

Your proxy should bind the TURN traffic to coturn without completing the HTTPS handshaking.

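The split the last reply describes, as an added example that is not from the thread or from the Jitsi project: a minimal Python peek at the TLS ClientHello, the same idea nginx's ssl_preread uses, that picks the upstream from the server_name before any handshake is completed. The host names are the thread's; the upstream addresses and the ClientHello builder are constructed for the demo.

```python
import struct

# Constructed example values: TLS on 443 for turn.example.com is passed through raw
# to coturn; everything else goes to the nginx web vhost (port 4444 in the thread).
UPSTREAMS = {"turn.example.com": ("127.0.0.1", 5349)}
DEFAULT_UPSTREAM = ("127.0.0.1", 4444)

def extract_sni(data):
    """Return the server_name from a TLS ClientHello, or None if absent/not TLS."""
    if len(data) < 5 or data[0] != 0x16:            # record type 0x16 = handshake
        return None
    try:
        body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if len(body) < 4 or body[0] != 0x01:        # handshake type 1 = ClientHello
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                # skip client_version + random
        pos += 1 + hello[pos]                       # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                       # compression_methods
        if pos + 2 > len(hello):
            return None                             # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == 0:   # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", hello[pos + 3:pos + 5])[0]
                return hello[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):              # truncated or malformed hello
        return None
    return None

def choose_upstream(first_bytes):
    """Pick the backend from the SNI alone; the proxy never finishes the handshake."""
    return UPSTREAMS.get(extract_sni(first_bytes), DEFAULT_UPSTREAM)

def build_client_hello(server_name=None):
    """Constructed minimal ClientHello (no real key exchange) to exercise the peek."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    if server_name is not None:
        name = server_name.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

An HTTP/S proxy that terminates TLS instead has to present its own certificate and finish the handshake, which is why the TURN path over 443 breaks behind it.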