[SOLVED] Looking for help with Apache Reverse proxy for Docker deployment

Hi

I installed it using the Docker compose method, I set the internal IP in the .env, I changed the exposed http port to 28000 since 8000 is already parked.

I can get this to work in my local network, so I went ahead and proxied using Apache reverse proxy. The Apache server and the Jitsi Meet are running on the same server.

I can get to the initial Jitsi screen with room creation. The issue starts when I join the room, it constantly retries for a connection.

Here is my line, maybe I am missing something

Apache Reverse Proxy

  #Jitsi
        ProxyPass /jitsi/ http://LOCALLANIP:28000/
        ProxyPassReverse /jitsi/ http://LOCALLANIP:28000/


partial log

libri.ColibriStatsExtension@7c3fa85f
jvb_1      | JVB 2019-06-19 21:06:38.141 INFO: [20] org.jitsi.videobridge.Videobridge.log() CAT=stat create_conf,conf_id=7dbad96055f87593 conf_name=null,logging=false,conf_count=1,ch_count=0,v_streams=0
jvb_1      | JVB 2019-06-19 21:06:38.164 INFO: [20] org.jitsi.videobridge.health.Health.log() Performed a successful health check in 23ms. Sticky failure: false
web_1      | 192.168.128.1 - - [19/Jun/2019:21:06:39 +0200] "GET /RandomVegetablesSwimIndifferently HTTP/1.1" 200 11116 "https://DOMAIN.xyz/jitsi/RandomVegetablesSwimIndifferently" "Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0"
jvb_1      | JVB 2019-06-19 21:06:40.394 INFO: [16] org.jitsi.xmpp.mucclient.MucClientManager.log() Setting a presence extension: net.java.sip.communicator.impl.protocol.jabber.extensions.colibri.ColibriStatsExtension@37d18659
jvb_1      | JVB 2019-06-19 21:06:45.395 INFO: [16] org.jitsi.xmpp.mucclient.MucClientManager.log() Setting a presence extension: net.java.sip.communicator.impl.protocol.jabber.extensions.colibri.ColibriStatsExtension@3400d218
jvb_1      | JVB 2019-06-19 21:06:45.808 INFO: [19] org.jitsi.videobridge.VideobridgeExpireThread.log() Running expire()
jvb_1      | JVB 2019-06-19 21:06:48.164 INFO: [20] org.jitsi.videobridge.Videobridge.log() CAT=stat create_conf,conf_id=30407611db7e570e conf_name=null,logging=false,conf_count=1,ch_count=0,v_streams=0
jvb_1      | JVB 2019-06-19 21:06:48.187 INFO: [20] org.jitsi.videobridge.health.Health.log() Performed a successful health check in 23ms. Sticky failure: false
jvb_1      | JVB 2019-06-19 21:06:50.395 INFO: [16] org.jitsi.xmpp.mucclient.MucClientManager.log() Setting a presence extension: net.java.sip.communicator.impl.protocol.jabber.extensions.colibri.ColibriStatsExtension@5f6a29a6
web_1      | 192.168.128.1 - - [19/Jun/2019:21:06:53 +0200] "GET / HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0; Waterfox) Gecko/20100101 Firefox/56.2.5"
jvb_1      | JVB 2019-06-19 21:06:55.396 INFO: [16] org.jitsi.xmpp.mucclient.MucClientManager.log() Setting a presence extension: net.java.sip.communicator.impl.protocol.jabber.extensions.colibri.ColibriStatsExtension@5e961f44
jvb_1      | JVB 2019-06-19 21:06:58.187 INFO: [20] org.jitsi.videobridge.Videobridge.log() CAT=stat create_conf,conf_id=d1e39bf909656aac conf_name=null,logging=false,conf_count=1,ch_count=0,v_streams=0
jvb_1      | JVB 2019-06-19 21:06:58.227 INFO: [20] org.jitsi.videobridge.health.Health.log() Performed a successful health check in 40ms. Sticky failure: false
web_1      | 192.168.128.1 - - [19/Jun/2019:21:06:59 +0200] "GET /RandomVegetablesSwimIndifferently HTTP/1.1" 200 11116 "https://DOMAIN.xyz/jitsi/RandomVegetablesSwimIndifferently" "Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0"
jvb_1      | JVB 2019-06-19 21:07:00.396 INFO: [16] org.jitsi.xmpp.mucclient.MucClientManager.log() Setting a presence extension: net.java.sip.communicator.impl.protocol.jabber.extensions.colibri.ColibriStatsExtension@654eb981
jvb_1      | JVB 2019-06-19 21:07:05.397 INFO: [16] org.jitsi.xmpp.mucclient.MucClientManager.log() Setting a presence extension: net.java.sip.communicator.impl.protocol.jabber.extensions.co


Check this https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet/jitsi-meet.example-apache#L49

Thanks,

That gives me some ideas but given that I am using Docker compose I do not know how to go about mapping those folders. @saghul in my github ticket said that proxying 8000 (28000 in my case) is good enough to make it work, but I do not see such success here.

I am also wanting to proxy it to run under the domain sub path instead of the root of the domain as in https://DOMAIN/jitsi

I should also mention that my server is behind NAT. Do I need port forwarding besides 443 being handled by Apache?

thanks

have you followed this? https://github.com/jitsi/docker-jitsi-meet#running-on-a-lan-environment

Well sure, it works inside the local network. I set DOCKER_HOST_ADDRESS=LOCALLANIP which is what I put in the reverse proxy, that is in my first entry in this topic

You need to put the public IP there instead. I realize the docs are a bit lacking in this regard, I’ll try to improve them.

Interesting, I will give it a try. Would putting a domain name work too, or has to be an IP?

Also, do I need to forward or open any ports on my router/firewall given that I am behind NAT, and I am not sure how it will communicate all through reverse proxy?

Well, that did not work either. I still get you have been disconnected and rejoin now window :frowning:

You need an IP there, and you must forward port 10000 UDP.

Thanks, that did not work out either :frowning: Puzzling

Please see my current .env and the image below

Port range forwarding.

Screenshot_2019-06-20_14-41-39

.env
https://paste.debian.net/hidden/e6f7f09d/

Apache Reverse Proxy
#Jitsi
ProxyPass /jitsi http://LOCALLANIP:28000
ProxyPassReverse /jitsi http://LOCALLANIP:28000

Generated config.js
https://paste.debian.net/hidden/f67ff0a9/

You set the JVB port to 27000 but also configured Jigasi to use that same port. Note that you only need 1 port for the JVB, not a range.

It does not work :frowning: Ready to cry for sure

I went ahead and created a new .env and deleted the config folder. Please see new settings and forwards

.env (everything is default except the http port, the public IP, config folder)
https://paste.debian.net/hidden/003368b1/

Screenshot_2019-06-20_16-41-55

netstat -na|grep -i 10000
udp        0      0 0.0.0.0:10000           0.0.0.0:* 

I also tried to catch the log when the client tries to join the room, not sure if it helps

https://paste.debian.net/hidden/e87a23cb/

an error from the log
java.nio.file.FileSystemException: /config: Operation not permitted

https://paste.debian.net/hidden/0b798c6a/

I would like to point out that this is a perfectly working server with many docker apps, reverse proxies and properly working ssl with apache. So I really doubt that it is an issue with the server itself, just not sure where the glitch is here :frowning:

edit:
I also went ahead and enabled the internal HTTPS of the docker and accessed it using https://MYDOMAIN:28443 (forwarded the port). Naturally the certs are self-signed but it works, which tells me that forwarding UDP 10000 works. If so, I am thinking that this is an issue with SSL termination and reverse proxying setting.

Can anyone take a look at my reverse proxy settings above and tell me if it can be improved?

Ok, at least we made progress! Testing with the built-in self-signed cert shows that things are working at the networking level, which is the hard part when you are behind NAT. Now, let’s do this: send us the logs from the JS console, jicofo and the jvb when you try to join a room and fail.

Thanks here is the Js console

https://bin.privacytools.io/?bcd268ae8ddbf0f2#cu8nzMPmBYjv4CV+P+C46FLzHs27ecz2OVMRcUjr7xg=

It seems like http-bind address can't be found? Bear in mind I am trying to proxy it under MYDOMAIN/jitsi

Yep, it’s 404-ing right there. We have had problems with subdirectories in the past. I highly recommend you use a subdomain for this.
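The subdomain approach recommended above, sketched as an Apache TLS-terminating virtual host next to the sub-path rules from the thread. This is an added example, not configuration posted by anyone in the thread: `meet.DOMAIN.xyz` and the certificate paths are placeholders, `LOCALLANIP:28000` is the web container's HTTP port as given in the thread, and it assumes `mod_ssl`, `mod_proxy`, `mod_proxy_http` and `mod_headers` are enabled.

```apache
# Added example. meet.DOMAIN.xyz and the certificate paths are placeholders.

# Before (from the thread): only /jitsi is handed to the container. Any
# request the client makes outside /jitsi is answered by Apache itself,
# which is consistent with the http-bind 404 seen in the JS console.
#   ProxyPass        /jitsi http://LOCALLANIP:28000
#   ProxyPassReverse /jitsi http://LOCALLANIP:28000

# After: a dedicated name whose whole URL space belongs to Jitsi Meet.
<VirtualHost *:443>
    ServerName meet.DOMAIN.xyz

    # TLS terminates here; the hop to the container is plain HTTP on the LAN.
    SSLEngine on
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    # Pass the public Host header and the original scheme to the backend.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # Forward every path, so http-bind reaches the web container too.
    ProxyPass        / http://LOCALLANIP:28000/
    ProxyPassReverse / http://LOCALLANIP:28000/
</VirtualHost>

# Media does not pass through Apache: UDP 10000 must still be forwarded
# to the JVB at the router, as stated earlier in the thread.
```

With TLS terminated at Apache, the container's own HTTP and HTTPS ports (28000 and 28443 in the thread) no longer need to be forwarded at the router; only 443/TCP and 10000/UDP do.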

Well sure, just that anyone who knows about the subdomain will know a jitsi meet is running there. I will see what I can do.

Btw don’t we need TURN for jitsi-meet? I am no expert in these issues but all the calling apps I use need a TURN server, just wondering if there is a way to set this up. If not, will Jitsi-meet work in all network conditions?

thanks for your help

You can enable authentication. JWT is a good option.

Not really, since in this case all traffic will traverse the JVB anyway. You do need STUN, but the Google STUN server is pre-configured. TURN helps in 1 case: for 1-to-1 calls, as you don’t need 90% of what the JVB does for you, but it will still work fine.

Thanks for the speedy reply. Any good resources for JWT with how to make it work with the docker setup? I am really not familiar with all this stuff.

Check out the dev branch, it contains 2 new authentication mechanisms: LDAP and JWT: https://github.com/jitsi/docker-jitsi-meet/tree/dev#authentication

Cool, it is just as easy as setting an app password? Or do I need to run another backend for JWT?

Sorry to bug you so much, you have been very helpful already.