(Solved) Loss of functionalities after upgrade (TURN not working anymore)

Hi,

I have a Jitsi server installed on Ubuntu 18.04.
On it I set up:
Jicofo
Jibri
Jigasi

These are the versions of the software installed:

jitsi-meet 2.0.5142-1
jitsi-meet-prosody 1.0.4466-1 (prosodyctl indicates 0.10.0)
jitsi-meet-turnserver 1.0.4466-1
jitsi-meet-web 1.0.4466-1
jitsi-meet-web-config 1.0.4466-1
jitsi-videobridge2 2.1-376-g9f12bfe2-1

It worked for months without any issue.
I recently did a dist-upgrade of my server (October - not a release upgrade).

During this upgrade I chose not to update the config files, to avoid losing hours of configuration.

Even so, some things had changed.
First I had an error in the nginx conf that prevented the web server from starting.

Once corrected, I got back the main functionalities of the product. Jicofo and Jigasi were OK (few), but the Jibri part does not work anymore.

Even if it's a problem, I know that I'll be able to correct it by myself.
But the real problem is the TURN server, which is not working correctly anymore. I mean that without using UDP port 10000 or being in P2P, a lot of my users can't use Jitsi anymore.

They can see their own camera and the thumbnails of other users, but they can't interact with others, nor see or hear them.

A Wireshark capture shows clearly that they try to access the meeting using port 10000 without any success.

I looked into /etc/prosody/conf.avail/jitsi.mydomain.com.cfg.lua and it seems OK:

turncredentials = {
  { type = "stun", host = "jitsi.mydomain.com", port = "4446" },
  { type = "turn", host = "jitsi.mydomain.com", port = "4446", transport = "udp" },
  { type = "turns", host = "jitsi.mydomain.com", port = "443", transport = "tcp" }
};

and also into /etc/jitsi/meet/jitsi.mydomain.com-config.js, where useStunTurn is still set to true for standard and P2P connections.

I'm a total noob with TURN servers and I'll take any help that would help me in this case.
So I don't really know what to check to find out what's going wrong.
Tell me what you need in order to provide help.

Many thanks in advance.

Proc.

What has changed:

Note that websockets are not really related to TURN; it's a different problem. AFAIK it's not mandatory yet.

Hi,

OK, thanks, I'll take a look at it.
Strange, as I read a lot of topics saying a TURN server is the solution to avoid issues caused by a firewall blocking port 10000.

The last version has not eliminated TURN use; it has changed the way it's done.

Unfortunately it had no effect. People with port 10000 blocked are still not able to reach a meeting with 2 people or more.

I can provide any log that could help in this debug. Just tell me what’s needed.

These are my config files (domain name changed on purpose).

Turnserver:

# jitsi-meet coturn config. Do not modify this line
use-auth-secret
keep-address-family
static-auth-secret=some secret (changed on purpose, same as in prosody domain config)
realm=jitsi.mydomain.com
cert=/etc/coturn/certs/jitsi.mydomain.com.fullchain.pem
pkey=/etc/coturn/certs/jitsi.mydomain.com.privkey.pem

no-tcp
listening-port=4446
tls-listening-port=5349
external-ip=;; connection timed out; no servers could be reached

syslog
# jitsi-meet coturn relay disable config. Do not modify this line
no-multicast-peers
no-cli
no-loopback-peers
no-tcp-relay
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255

Nginx /etc/nginx/sites-available/jitsi.mydomain.com.conf:

server_names_hash_bucket_size 64;

server {
    listen 80;
    #listen [::]:80;
    server_name jitsi.mydomain.com;

    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root         /usr/share/jitsi-meet;
    }
    location = /.well-known/acme-challenge/ {
       return 404;
    }
    location / {
       return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl http2;
    #listen [::]:4444 ssl http2;
    server_name jitsi.mydomain.com;
    rewrite ^/(.*)/$ /$1 permanent;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

    add_header Strict-Transport-Security "max-age=31536000";

    ssl_certificate /etc/letsencrypt/live/jitsi.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jitsi.mydomain.com/privkey.pem;

    root /usr/share/jitsi-meet;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htmi index.php;
    error_page 404 /static/404.html;

    gzip on;
    gzip_types text/plain text/css application/javascript application/json;
    gzip_vary on;

    location /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    location ~ \.php$ {
         include snippets/fastcgi-php.conf;
                 fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
    }

    location = /config.js {
        alias /etc/jitsi/meet/jitsi.mydomain.com-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    #ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;
    }

    # BOSH
    location = /http-bind {
        proxy_pass      http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # xmpp websockets
    location = /xmpp-websocket {
        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        tcp_nodelay on;
    }

  # colibri (JVB) websockets for jvb1
  location ~ ^/colibri-ws/default-id/(.*) {
     proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
     tcp_nodelay on;
  }

    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }

    location ~ ^/([^/?&:'"]+)/config.js$
    {
       set $subdomain "$1.";
       set $subdir "$1/";

       alias /etc/jitsi/meet/jitsi.mydomain.com-config.js;
    }

    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }

    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /http-bind;
    }

    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /xmpp-websocket;
    }
}

/etc/prosody/conf.avail/jitsi.mydomain.com.cfg.lua

 plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "jitsi.mydomain.com";

turncredentials_secret = "some secret";

turncredentials = {
  { type = "stun", host = "jitsi.mydomain.com", port = "4446" },
  { type = "turn", host = "jitsi.mydomain.com", port = "4446", transport = "udp" },
  { type = "turns", host = "rjitsi.mydomain.com", port = "5349", transport = "tcp" }
};
...

/etc/jitsi/meet/jitsi.mydomain.com-config.js contains:

    openBridgeChannel: 'websocket',

/etc/jitsi/videobridge/jvb.conf (already set like this):

videobridge {
    http-servers {
        public {
            port = 9090
        }
    }
    websockets {
        enabled = true
        domain = "jitsi.mydomain.com:443"
        tls = true
    }
}

Many thanks in advance for any help.

Proc.

The default fix is to give access through port 5349, and that does not advance the problem much for people having port 10000/udp blocked, since they also have port 5349/tcp blocked. I presume that's where your issue is.

The way to handle it is to have another DNS entry for the TURN server, serve TURN over 443, and switch between TURN and Jitsi based on the domain name (another server entry in nginx).
It's basically the same solution as before, but based on standard https instead of ALPN.
This has already been posted to death on this forum.
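The domain-name switch described in this reply, written out as an added example that is not from the thread or from the jitsi-meet packages: an nginx stream block that routes incoming TLS on port 443 by SNI, without decrypting it. It assumes a second DNS record turn.jitsi.mydomain.com pointing at the same host, that the https server block in sites-available has been changed to listen on 4444 instead of 443, and that the block lives at top level (for example in a file under /etc/nginx/modules-enabled/), not inside http{}.

```nginx
# Added example: SNI-based split of port 443 between the Jitsi web app
# and coturn. Needs ngx_stream_ssl_preread_module (nginx >= 1.11.5).
stream {
    # The SNI name sent in the TLS ClientHello selects the backend.
    # Nothing is decrypted here, so coturn keeps doing its own TLS.
    map $ssl_preread_server_name $upstream {
        turn.jitsi.mydomain.com turn;   # TURNS clients (assumed DNS name)
        default                 web;    # everything else: web, BOSH, websockets
    }

    # The https server block from sites-available now listens on 4444 (assumed).
    upstream web  { server 127.0.0.1:4444; }
    # coturn's tls-listening-port from the posted turnserver config.
    upstream turn { server 127.0.0.1:5349; }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;          # read SNI without terminating TLS
        proxy_pass $upstream;
        proxy_buffer_size 10m;   # large ClientHello/TURN frames pass through
    }
}

# Matching prosody entry (Lua, goes in the turncredentials table of the
# domain config; clients are then told to use TURNS on 443 of the new name):
#   { type = "turns", host = "turn.jitsi.mydomain.com", port = "443", transport = "tcp" }
#
# The certificate coturn presents (cert=/pkey= in the turnserver config)
# must also cover turn.jitsi.mydomain.com, otherwise browsers reject the TLS
# handshake and fall back to the blocked UDP path.
```

Check the result with `nginx -t` and `ss -tlnp` (only nginx should own 443, coturn stays on 5349); the denied-peer-ip list in the posted coturn config keeps applying to relayed traffic. Separately, the external-ip line in the posted turnserver config holds the error text of a failed DNS lookup rather than an address, and coturn expects an IP address there.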

OK. What's strange is that this was working previously without doing anything, so I supposed it should have been the same for the next releases.

So, as you guessed, using 5349 instead of 10000 is just moving the issue, but it remains entirely.
To be honest, I did not clearly understand the solution you proposed.

I'm a total noob with TURN servers and more comfortable with Apache config than nginx, so that does not help me much.
I'll try to find topics about this, as you said it has already been posted a lot before.

Thanks

Something else strange.

UDP port 10000 is still used, and blocking it blocks Jitsi access even if port 5349 is not blocked on either the client side or the server side.

Solution here:

It was indeed a TURN server issue.

I thought at first it was dedicated to P2P, but it works for all.

Thanks GPatel-fr, you led me to the solution.

Thanks to you!!!