RESOLVED: New installation - ERR_EMPTY_RESPONSE

This is a new Jitsi installation on a Debian 10 virtual server. Web server is nginx and there are several domains already installed. Jitsi is set up on one of the existing domains as “meet.domain-name.net”. Firewall is set up as recommended in the documentation and the other web sites work fine. This is a default Jitsi installation (no tinkering with the config yet) with a self-signed certificate.

When attempting to connect from the outside, the ERR_EMPTY_RESPONSE error is received (Chromium browser.) The only error message in the nginx log is for favicon not found.

Curl run on the server returns the following:

<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>

Permissions for /usr/share/jitsi/meet are 755, owned by user and group root. Contents are all root ownership with owner read/write and everyone else read permission.

I’m a complete newbie with Jitsi, so any help with this will be greatly appreciated! (Probably the first of additional obstacles…)

We probably need to see the nginx conf file… also, are you accessing https (vs http).

Anything interesting in your nginx access.log or error.log ?

Do you see activity in that log when you try to access the site?

Thanks, the conf file, as well as the access and error logs, are below. Access is via https. (Though I’d like to have automatic redirect from http to https as I use on other sites.) As I said, this is still the default, out-of-the-box configuration immediately after installation. (Also, no harm in putting out the actual hostname, meet.pcs2000.net, will secure it when it’s working.)

nginx conf file:

server_names_hash_bucket_size 64;

server {
    listen 80;
    listen [::]:80;
    server_name meet.pcs2000.net;

    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root         /usr/share/jitsi-meet;
    }
    location = /.well-known/acme-challenge/ {
       return 404;
    }
    location / {
       return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name meet.pcs2000.net;

# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_certificate /etc/jitsi/meet/meet.pcs2000.net.crt;
    ssl_certificate_key /etc/jitsi/meet/meet.pcs2000.net.key;

    root /usr/share/jitsi-meet;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;
    error_page 404 /static/404.html;

    gzip on;
    gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
    gzip_vary on;
    gzip_proxied no-cache no-store private expired auth;
    gzip_min_length 512;

    location = /config.js {
        alias /etc/jitsi/meet/meet.pcs2000.net-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    #ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;

        # cache all versioned files
        if ($arg_v) {
          expires 1y;
        }
    }

    # BOSH
    location = /http-bind {
        proxy_pass      http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # xmpp websockets
    location = /xmpp-websocket {
        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        tcp_nodelay on;
    }

    # colibri (JVB) websockets for jvb1
    location ~ ^/colibri-ws/default-id/(.*) {
       proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       tcp_nodelay on;
    }

    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }

    location ~ ^/([^/?&:'"]+)/config.js$
    {
       set $subdomain "$1.";
       set $subdir "$1/";

       alias /etc/jitsi/meet/meet.pcs2000.net-config.js;
    }

    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }

    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /http-bind;
    }

    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /xmpp-websocket;
    }

}

Access log:

199.229.249.116 - - [15/Oct/2020:08:46:20 -0400] "GET /favicon.ico HTTP/1.1" 404 564 "http://meet.pcs2000.net/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.143 Safari/537.36"

Error log:

2020/10/15 08:46:20 [error] 1503#1503: *658 open() "/var/www/meet.pcs2000.net/public/favicon.ico" failed (2: No such file or directory), client: 199.229.249.116, server: meet.pcs2000.net, request: "GET /favicon.ico HTTP/1.1", host: "meet.pcs2000.net", referrer: "http://meet.pcs2000.net/"

The path in the error log and the root path in config didn’t match

Good call, I hadn’t noticed that! Not sure where that’s coming from, it’s not in the config.

However, I finally figured out that the problem was the “listen” entries in the default configuration for IPV6. I’m currently not using that protocol and it’s disabled via kernel option at boot time. (I know, I should learn it and enable it and will do so at some point in the future.) Commenting out the IPV6 lines in the Jitsi config now allows the main page to come up. It’s working to the extent that I can see myself on the screen and get an indicator that the microphone is working.

For now I’m going to shut down the Jitsi server until I secure it with a password. :wink: