[SOLVED] Looking for help with Apache Reverse proxy for Docker deployment

Thanks,

That gives me some ideas but given that I am using Docker compose I do not know how to go about mapping those folders. @saghul in my github ticket said that proxying 8000 (28000 in my case) is good enough to make it work, but I do not see such success here.

I am also wanting to proxy it to run under the domain sub path instead of the root of the domain as in https://DOMAIN/jitsi

I should also mention that my server is behind NAT. Do I need port forwarding beside 443 being handled by Apache?

thanks

Have you followed this? https://github.com/jitsi/docker-jitsi-meet#running-on-a-lan-environment

Well sure, it works inside the local network. I set DOCKER_HOST_ADDRESS=LOCALLANIP which is what I put in the reverse proxy, that is in my first entry in this topic

You need to put the public IP there instead. I realize the docs are a bit lacking in this regard, I’ll try to improve them.

Interesting, I will give it a try. Would putting a domain name work too, or has to be an IP?

Also do I need to forward or open any ports on my router/firewall given that I am behind NAT, and I am not sure how it will communicate all through reverse proxy?

Well, that did not work either. I still get you have been disconnected and rejoin now window :frowning:

You need an IP there, and you must forward port 10000 UDP.

Thanks, that did not work out either :frowning: Puzzling

Please see my current .env and the image below

Port range forwarding.

Screenshot_2019-06-20_14-41-39

.env
https://paste.debian.net/hidden/e6f7f09d/

Apache Reverse Proxy

        #Jitsi
        ProxyPass /jitsi http://LOCALLANIP:28000
        ProxyPassReverse /jitsi http://LOCALLANIP:28000

Generated config.js
https://paste.debian.net/hidden/f67ff0a9/

You set the JVB port to 27000 but also configured Jigasi to use that same port. Note that you only need 1 port for the JVB, not a range.

It does not work :frowning: Ready to cry for sure

I went ahead and created a new .env and deleted the config folder. Please see new settings and forwards

.env (everything is default except the http port, the public ip, config folder)
https://paste.debian.net/hidden/003368b1/

Screenshot_2019-06-20_16-41-55

        netstat -na|grep -i 10000
        udp        0      0 0.0.0.0:10000           0.0.0.0:*

I also tried to catch the log when the client tries to join the room, not sure if it helps

https://paste.debian.net/hidden/e87a23cb/

an error from the log
        java.nio.file.FileSystemException: /config: Operation not permitted

https://paste.debian.net/hidden/0b798c6a/

I would like to point out that this is a perfectly working server with many docker apps, reverse proxies and properly working ssl with apache. So I really doubt that it is an issue with the server itself, just not sure where the glitch is here :frowning:

edit:
I also went ahead and enabled the internal HTTPS of the docker and accessed it using https://MYDOMAIN:28443 (forwarded the port). Naturally the certs are self-signed but it works, which tells me that forwarding UDP 10000 works. If so I am thinking that this is an issue with SSL termination and reverse proxying setting.

Can anyone take a look at my reverse proxy settings above and tell me if it can be improved?

Ok, at least we made progress! Testing with the built-in self-signed cert shows that things are working at the networking level, which is the hard part when you are behind NAT. Now, let’s do this: send us the logs from the JS console, jicofo and the jvb when you try to join a room and fail.

Thanks, here is the JS console

https://bin.privacytools.io/?bcd268ae8ddbf0f2#cu8nzMPmBYjv4CV+P+C46FLzHs27ecz2OVMRcUjr7xg=

It seems like http-bind address can’t be found? Bear in mind I am trying to proxy it under MYDOMAIN/jitsi

Yep, it’s 404-ing right there. We have had problems with subdirectories in the past. I highly recommend you use a subdomain for this.

Well sure, just that anyone who knows about the subdomain will know a jitsi meet is running there. I will see what I can do.

Btw don’t we need TURN for jitsi-meet? I am no expert in these issues but all the calling apps I use need a TURN server, just wondering if there is a way to set this up. If not will Jitsi-meet work in all network conditions?

thanks for your help

You can enable authentication. JWT is a good option.

Not really, since in this case all traffic will traverse the JVB anyway. You do need STUN, but the Google STUN server is pre-configured. TURN helps in 1 case: for 1-to-1 calls, as you don’t need 90% of what the JVB does for you, but it will still work fine.


Thanks for the speedy reply. Any good resources for JWT with how to make it work with the docker setup? I am really not familiar with all this stuff.

Check out the dev branch, it contains 2 new authentication mechanisms: LDAP and JWT: https://github.com/jitsi/docker-jitsi-meet/tree/dev#authentication

Cool, it is just as easy as setting an app password? Or do I need to run another backend for JWT?

Sorry to bug you so much, you have been very helpful already.

You can use the shared password approach, yeah. You’ll need a library / service to generate the tokens. https://jwt.io/ is a good start for all things JWT.
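The shared-secret token approach described above, as an added example that is not part of the original thread or of the Jitsi project's code: a standard-library HS256 mint and verify pair showing what the verifying side has to enforce (pinned algorithm, constant-time signature comparison, expiry, room binding). The secret, claim values and the claim names `iss`, `aud`, `sub` and `room` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(secret, claims, ttl=300, now=None):
    """Sign claims with HS256; a short ttl limits how long a leaked link works."""
    now = int(time.time() if now is None else now)
    parts = [{"alg": "HS256", "typ": "JWT"}, dict(claims, exp=now + ttl)]
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify(secret, token, room, now=None):
    """Return (claims, None) if valid for this room, else (None, reason)."""
    now = int(time.time() if now is None else now)
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return None, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed"
    # Pin the algorithm: never let the token choose "none" or another scheme.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    if claims.get("room") != room:
        return None, "wrong room"
    return claims, None

# Constructed values; claim names (iss/aud/sub/room) are assumed, not from the thread.
SECRET = b"constructed-shared-secret"
CLAIMS = {"iss": "example_app_id", "aud": "jitsi", "sub": "meet.example.org",
          "room": "standup"}
```
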

Cheers!


For the record, if anyone else ends up in a similar situation: a basic reverse proxy like I gave above works fine if you deploy it under a subdomain.

Here are the full proxy lines for Apache

        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https"
        ProxyPass / http://127.0.0.1:8000/
        ProxyPassReverse / http://127.0.0.1:8000/
      
        ProxyPass /http-bind http://localhost:8000/http-bind/
        ProxyPassReverse /http-bind http://localhost:8000/http-bind/

I also tested internal Prosody password protection, that works too.
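A way to check which rule actually serves a request in the proxy lines posted in this thread, as an added example that is not part of the original posts. It is a simplified model that assumes Apache's documented behaviour that ProxyPass rules are checked in configuration order and the first match wins; the two configs are copied from the thread as sample input, and the function names are hypothetical.

```python
# Added example: simplified model of mod_proxy rule selection (assumption:
# rules are tried in file order and the first path-prefix match wins).
POSTED_CONF = """
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
ProxyPass /http-bind http://localhost:8000/http-bind/
ProxyPassReverse /http-bind http://localhost:8000/http-bind/
"""
SUBPATH_CONF = """
ProxyPass /jitsi http://LOCALLANIP:28000
ProxyPassReverse /jitsi http://LOCALLANIP:28000
"""

def parse_proxypass(conf):
    """Return [(path, backend)] for plain ProxyPass lines, in file order."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "proxypass":
            rules.append((parts[1], parts[2]))
    return rules

def matches(path, url_path):
    """Prefix match that only ends on a path-segment boundary."""
    if not url_path.startswith(path):
        return False
    rest = url_path[len(path):]
    return path.endswith("/") or rest == "" or rest.startswith("/")

def route(rules, url_path):
    """Return (matching rule path, backend URL), or (None, None) if unproxied."""
    for path, backend in rules:
        if matches(path, url_path):
            return path, backend + url_path[len(path):]
    return None, None

def lint(rules):
    """Flag rules that can never match and path/backend slash mismatches."""
    findings = []
    for i, (path, backend) in enumerate(rules):
        if path.endswith("/") != backend.endswith("/"):
            findings.append(f"{path}: trailing slash differs from backend")
        shadow = next((p for p, _ in rules[:i] if matches(p, path)), None)
        if shadow is not None:
            findings.append(f"{path}: shadowed by earlier rule '{shadow}'")
    return findings

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("subpath", SUBPATH_CONF)):
        rules = parse_proxypass(conf)
        print(name, route(rules, "/http-bind"), lint(rules))
```

In this model the `/http-bind` lines of the final config are never consulted because `/` already matches every request, and the earlier `/jitsi`-only config leaves a request for `/http-bind` at the domain root unproxied.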