Reverse proxy with Apache

Hello,

Jitsi uses ports 80 and 443/tcp by default for its web server.

However, these ports are already used by my web server for websites.

How can I configure my web server (Apache) as a reverse proxy so that Jitsi also works properly?

Jitsi (VM1) and webserver (VM2) are 2 different servers behind the same public IP address.
However, both have their own private IPs.

Could someone please send me the exact Apache configuration? :slight_smile:

Sadly I have never succeeded in having two separate physical servers for port 443 traffic as it uses encrypted packets. I understand there are ways, but I don’t know how well they work, and I believe it can cause latency issues. (others with greater knowledge than what I have will hopefully tell you how to achieve this).

Are you able to host your web server and your jitsi server on the same physical server? I did this and it works well.

Another easier method is to have two internet facing IP addresses (as I am sure you are aware). One internet facing IP address for your web server and another internet facing IP address for the jitsi server. This works very well.

As long as this is only a few milliseconds (ms), it is not so bad.

I could do that. If there is no other way.

I have been running a separate server (VM) for each service for load balancing so I can move each service to a different server.

Does Jitsi work with Apache? Important websites are hosted there and the existing vHosts must not be deleted!

For IPv4, I have only one IP address. IPv4 is NATed to the respective server. Here, port 80 and 443 are already used by the web server.

For IPv6, I have several IP addresses. But Jitsi should also be accessible for people without IPv6 :wink:

With IPv6, I can make Jitsi accessible from port 80 and 443.

But not from IPv4. So I thought of a “reverse proxy” :stuck_out_tongue:

Yes, Jitsi works well with Apache2.

I learned that LetsEncrypt required port 80.

I also had to ensure LetsEncrypt’s well-known could access my server:

    AliasMatch /.well-known/acme-challenge/(.*)$ /usr/share/jitsi-meet/.well-known/acme-challenge/$1
    <Directory /usr/share/jitsi-meet/.well-known/acme-challenge>
      AllowOverride None
      Require all granted
    </Directory>

That is clear.

Does this have to be in the vHosts? What does this script do exactly? I have not had to add this to the web server or Jitsi yet.

But, as far as I know, doesn’t Jitsi automatically install nginx during the installation? Doesn’t that interfere with Apache?

My web server is running Debian 10 (where Jitsi will be installed in the future). I have noticed that Jitsi runs more stable on Ubuntu. Is this a problem?

I would still prefer Jitsi to stay where it already is and just forward “meet.example.com” to Jitsi.

Would be better for me :wink:

I use Debian 10 for my Jitsi server and I have never had any stability issues.

Self-Hosting Guide - Debian/Ubuntu server · Jitsi Meet Handbook

Note: The installer will check if Nginx or Apache are present (in that order) and configure a virtual host within the web server it finds to serve Jitsi Meet.

As for LetsEncrypt’s well-known, it might have been something to do with my particular install? Hard to tell, without doing several test installs.

If you succeed in setting up a “reverse proxy”, please let me know how. I understand others have done this, I just never succeeded. Maybe the best is to have the Jitsi server be the server which has ports 80 and 443, then reverse proxy normal web traffic to your web server? That way latency issues which affect audio/video sync should not be an issue?

Audio and video do not go through the reverse proxy, but directly to the bridge using UDP; the HTTP traffic is for web content and signalling only.

Would this help?

DEBAMAX — Debian expertise — Blog — Installing Jitsi behind a reverse proxy
A new VirtualHost was defined on the apache2 service running as reverse proxy. The important parts are quoted below:

damencho, is there any information on how to configure a reverse proxy for jitsi ? Either using nginx and/or apache2.

I guess that this means there are no latency issues when using reverse proxy?

Yes.

damencho, thanks for that. After a quick read, it may be beyond my current skill level to follow all that. I will revisit it later and study it in further detail.

I have now entered this into the vHosts:

<VirtualHost *:80>
    ServerName meet.example.com
    RedirectMatch permanent ^(?!/\.well-known/acme-challenge/).* https://meet.example.com/
</VirtualHost>

<VirtualHost *:443>
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    ProxyPass        / https://10.0.0.18/
    ProxyPassReverse / https://10.0.0.18/
</VirtualHost>

Unfortunately, I cannot then connect to Jitsi. The message “Connection error” appears.

Of course I have exchanged the IPs mentioned there for mine :wink:

@RootGER you are missing the websockets locations and passing them the upgrade headers … check the link I posted above. Not sure how that is done with apache … maybe these can help:
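As an added example (not code from this thread or from the Jitsi project), here is one way to express the missing WebSocket handling in Apache 2.4. It proxies meet.example.com to a Jitsi Meet host at 10.0.0.18 and tunnels the two WebSocket paths Jitsi Meet uses, /xmpp-websocket (XMPP signalling) and /colibri-ws/ (bridge channel), before the catch-all rule. The certificate paths, the CA bundle path and the assumption that the proxy's /etc/hosts maps meet.example.com to 10.0.0.18 (so the backend certificate can be verified instead of turning SSLProxyVerify off) are mine, not something the thread states.

```apache
# Added example, not from the thread or the Jitsi project. Assumptions:
#  - the Jitsi Meet host is 10.0.0.18 and serves meet.example.com with its own
#    (Let's Encrypt) certificate
#  - /etc/hosts on this proxy contains "10.0.0.18 meet.example.com", so backend URLs
#    can use the real hostname and mod_ssl can verify the peer name and send SNI
#  - modules enabled: a2enmod ssl proxy proxy_http proxy_wstunnel headers
# Certificate paths below are placeholders for this proxy's own certificate.

<VirtualHost *:80>
    ServerName meet.example.com

    # Hand ACME HTTP-01 challenges through to the Jitsi host so it can renew its own
    # certificate (its nginx serves /.well-known/acme-challenge/ on port 80).
    # Everything else is redirected to HTTPS; the negative lookahead keeps the
    # challenge path out of the redirect so the two rules do not overlap.
    ProxyPass        /.well-known/acme-challenge/ http://meet.example.com/.well-known/acme-challenge/
    ProxyPassReverse /.well-known/acme-challenge/ http://meet.example.com/.well-known/acme-challenge/
    RedirectMatch permanent ^(?!/\.well-known/acme-challenge/).* https://meet.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName meet.example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/meet.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/meet.example.com/privkey.pem

    # TLS to the backend with verification kept on. "SSLProxyVerify none" would let
    # any host that can answer as 10.0.0.18 on the LAN terminate the meeting traffic.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    ProxyRequests Off
    # Send the original Host header so Jitsi and Prosody see meet.example.com
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # WebSocket paths must come before the "/" rule or they are proxied as plain HTTP
    # and the upgrade never happens ("Connection error" in the client).
    ProxyPass        /xmpp-websocket wss://meet.example.com/xmpp-websocket
    ProxyPassReverse /xmpp-websocket wss://meet.example.com/xmpp-websocket
    ProxyPass        /colibri-ws/    wss://meet.example.com/colibri-ws/
    ProxyPassReverse /colibri-ws/    wss://meet.example.com/colibri-ws/

    # Static web content, config.js and BOSH (/http-bind) over ordinary HTTPS proxying
    ProxyPass        / https://meet.example.com/
    ProxyPassReverse / https://meet.example.com/
</VirtualHost>
```

Run `apachectl configtest` before reloading; a missing proxy_wstunnel module shows up there as an unknown scheme for the wss:// targets. Media still does not pass through this vhost: UDP 10000 to the bridge has to be forwarded to the Jitsi host directly, as noted elsewhere in the thread.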

Thanks for the URLs!

Unfortunately, I still can’t get any further. I still get “connection error” in Jitsi.

With this link (jitsi-meet/jitsi-meet.example-apache at 32a9c94dee7145aec8894c750c829a2f33a8af53 · jitsi/jitsi-meet · GitHub), I have now copied the highlighted part (from line 41 to 51) into my vHosts on the web server.
Everything before line 41 makes no sense, I think, because Jitsi is hosted externally and not on the same server…
Or have I made a mistake in my thinking?

I have replaced “localhost” with the Jitsi IPv4 (10.0.0.18).

Then I activated all Apache modules or they were already active.

With this link (Self-Hosting Guide - Docker · Jitsi Meet Handbook) I could not really “translate” this to Apache…

Do I seriously have to switch from Apache to nginx now, just because the “reverse proxy” is described in more detail in nginx? :frowning:

When I run into a challenge proceeding in a particular direction, while also trying to overcome the current challenge, I try thinking of and finding alternate solutions; maybe you could find another way to solve your challenge.

When I had this issue, my 3rd and final solution was to get more public IP addresses, my first solution was to use port 8443, my second solution was to host Jitsi on my web server.

Another way I could have solved the issue so that I could have both my web server and my Jitsi server on different servers but on the same network, was to set up a reverse proxy for my web server in the jitsi server’s nginx config (since nginx seems better at reverse proxying). Then send all web traffic to the jitsi server and have the jitsi server redirect traffic back to my original web server.

Or alternatively, set up a separate nginx proxy server (i.e. a 3rd server) which directs traffic to either the web server or the Jitsi server. From my reading about reverse proxies, this is supposed to add another level of security to your IT environment, an extra bonus. I have yet to implement/test this, maybe one day if I get free time to investigate further.

Do you have time to do a bit of reading?

https://www.nginx.com/resources/glossary/reverse-proxy-server/
https://www.cloudflare.com/en-gb/learning/cdn/glossary/reverse-proxy/
https://www.paladion.net/blogs/security-reverse-proxy/
https://www.nginx.com/resources/glossary/reverse-proxy-vs-load-balancer/
How to Configure a Nginx HTTPs Reverse Proxy on Ubuntu Bionic - Scaleway

Thank you for all the reading material!

I have now gone through everything and know a bit more about reverse proxies.

I have now created my own server and installed “Nginx Proxy Manager” there.

It intercepts all requests on port 80/TCP and 443/TCP and forwards them to the web server or Jitsi, depending on the domain.

With this software I can now call up the frontend of Jitsi, but communication via video or audio is not possible.

So far, the routing looks like this:

80, 443/TCP to ReverseProxy (Nginx Proxy Manager)
from the ReverseProxy to the web server or Jitsi.

10000/UDP goes directly to Jitsi.

Now I can call Jitsi, but no video or audio transmission works.

I have Websockets active in NPM.

(screenshot: Nginx Proxy Manager)

1 = screen transmission
2 = Visitor

Visitor sees and hears no transmission.

Is port forwarding for UDP 10000 working, or are you saying that the bridge machine has a public address?

I strongly assume that 10000/UDP is functional. I have set it in the host (router) so that port 10000/UDP is routed directly to Jitsi.

I have to connect my servers via NAT due to only 1 IP address.

Here is my iptables NAT config:

root@dedi1 ~ # iptables-save
# Generated by iptables-save v1.8.2 on Fri May  7 19:55:00 2021
*raw
:PREROUTING ACCEPT 
:OUTPUT ACCEPT
COMMIT
# Completed on Fri May  7 19:55:00 2021
# Generated by iptables-save v1.8.2 on Fri May  7 19:55:00 2021
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT


-A PREROUTING -i enp2s0 -p udp -m udp --dport 10000 -j DNAT --to-destination 10.0.0.18:10000 #Jitsi
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 4443 -j DNAT --to-destination 10.0.0.18:4443 #Jitsi
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 4022 -j DNAT --to-destination 10.0.0.18:4022 #Jitsi
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.10:443 #ReverseProxy
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.10:80 #ReverseProxy
-A POSTROUTING -s 10.0.0.0/24 -o enp2s0 -j MASQUERADE
COMMIT

I cannot solve the problem.

What else can I do? :pensive: