Success: Docker behind Apache reverse proxy with HTTPS and LDAP auth

I would like to share the setup of Dockerized Jitsi (ver. 8044, which is the default now) behind Apache proxy (with encryption being handled by the proxy rather than the container) and LDAP auth. As it was a lot of trial-and-error, I post it here with the hope it will be useful for someone. There are various snippets all over the place, some handling protocol upgrade requests and so on — I did not find any of this necessary, or not anymore.

If someone can see any obvious errors, please let me know. I’ve only been testing with 3 users (Firefox, Chrome, Phone) so far, but did not see any functional issues. The connection always uses VP8 for some reason, but that is okay for me.

The firewall must open 4443/tcp (for RTC/tcp) and 10000/udp (for RTC/udp), plus the obvious 80 (HTTP) and 443 (HTTPS).

Changes in .env:

PUBLIC_URL=https://meet.domain.tld
ENABLE_LETSENCRYPT=0
DISABLE_HTTPS=1         # handled by proxy
ENABLE_AUTH=1
AUTH_TYPE=ldap
# LDAP server is running on the host, unencrypted and not accessible via public IP
# not sure if there is way to get its address (host.docker.internal does not work)
LDAP_URL=ldap://172.18.0.1
LDAP_BASE=cn=users,ou=groups,dc=domain,dc=tld
LDAP_FILTER=(uid=%u)
LDAP_USE_TLS=0
#

Apache2 site original configuration (before certbot) was just this:

<VirtualHost *:80>
    ServerName meet.domain.tld
    DocumentRoot /var/www/meet.domain.tld
</VirtualHost>

After running certbot run --apache -d meet.domain.tld (IIRC), certbot creates a new Apache2 config for the SSL host and adds a few rewrites to the unencrypted config. This sets up SSL between clients and Apache; the channel between Apache and Jitsi (in docker) will run unencrypted.

<VirtualHost *:443>
    ServerName meet.domain.tld
    # this needs to be added manually
    ProxyPass / http://localhost:8000/
    ProxyPassReverse / http://localhost:8000/
    # only used when the backend itself speaks https; unused with the http:// backend above
    SSLProxyEngine on
    # from the handbook, but using unencrypted websocket (ws:, not wss:) and corresponding port 8000
    # ws:// targets need mod_proxy_wstunnel loaded (a2enmod proxy proxy_http proxy_wstunnel)
    <Location "/xmpp-websocket">
        ProxyPass "ws://localhost:8000/xmpp-websocket"
    </Location>
    <Location "/colibri-ws/">
        ProxyPass "ws://localhost:8000/colibri-ws/"
    </Location>
    # added by CertBot
    SSLCertificateFile /etc/letsencrypt/live/meet.domain.tld/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/meet.domain.tld/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

To run the container as a system service (after reboot and such), create /etc/systemd/system/jitsi.service containing:

[Unit]
Description=Jitsi server
Requires=docker.service
After=docker.service

[Service]
Type=simple
RemainAfterExit=False
Restart=always
RestartSec=3
WorkingDirectory=/root/jitsi/docker-jitsi-meet-stable-8044
ExecStart=/usr/bin/docker-compose up

[Install]
WantedBy=multi-user.target

and then run systemctl daemon-reload and systemctl enable --now jitsi. You can see the log live via journalctl -f -u jitsi (optionally pipe through | ccze -A for colors).
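Two things worth checking once the above is running, as an added example (not part of the original post or of docker-jitsi-meet): that the container's plain-HTTP port is not reachable from outside, and that the websocket upgrade really travels through Apache to the container. Docker publishes ports on all interfaces unless the publish spec names an address, and it manages its own iptables chains, so the firewall rules for 80/443/4443/10000 say nothing about whether port 8000 is reachable directly, bypassing TLS. The script assumes the site name meet.domain.tld, that docker-compose.yml publishes the web container as `${HTTP_PORT}:80` with HTTP_PORT=8000 (the upstream default), and that it runs on the host running both Apache and docker; the compose network name passed to `host_gateway_ip` is also an assumption, check `docker network ls`.

```shell
#!/bin/sh
# Post-install checks for the Apache -> docker-jitsi-meet setup above.
# Added example, not code from the original post or from docker-jitsi-meet.
# Assumptions: site is meet.domain.tld, the web container is published as
# '${HTTP_PORT}:80' with HTTP_PORT=8000, and this runs on the Apache/docker host.

# Read `ss -ltn` output on stdin and print every requested port that is bound
# to a wildcard address (0.0.0.0, * or [::]). A docker-published port bound that
# way is reachable from outside without passing Apache, i.e. without TLS, and
# docker's own iptables rules are consulted before the host's INPUT chain.
exposed_wildcard_ports() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # "[::]:8000" -> "8000"
            addr = $4; sub(/:[0-9]+$/, "", addr)  # "[::]:8000" -> "[::]"
            if ((port in wanted) && (addr == "0.0.0.0" || addr == "*" || addr == "[::]"))
                print port
        }'
}

# Read an HTTP response head on stdin; succeed only for "101 Switching
# Protocols" carrying "Upgrade: websocket". Anything else (200 with the index
# page, 4xx/5xx from Prosody or Apache) means the upgrade was not proxied.
is_ws_upgrade() {
    awk '{ sub(/\r$/, "") }
         NR == 1 && $2 == "101" { s = 1 }
         tolower($1) == "upgrade:" && tolower($2) == "websocket" { u = 1 }
         END { exit !(s && u) }'
}

# Send a minimal WebSocket handshake for /xmpp-websocket through the TLS front
# end and print only the response head. The sleep keeps stdin (and so the TLS
# connection) open long enough for the answer to arrive.
probe_xmpp_ws_head() {
    host=$1
    { printf 'GET /xmpp-websocket HTTP/1.1\r\n'
      printf 'Host: %s\r\nOrigin: https://%s\r\n' "$host" "$host"
      printf 'Connection: Upgrade\r\nUpgrade: websocket\r\n'
      printf 'Sec-WebSocket-Version: 13\r\nSec-WebSocket-Protocol: xmpp\r\n'
      printf 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n'
      sleep 3; } |
      openssl s_client -quiet -servername "$host" -connect "$host:443" 2>/dev/null |
      awk '{ print } /^\r?$/ { exit }'
}

# Gateway address of the compose network: the address a container must use to
# reach a service (here the LDAP server) on the host. The network name is an
# assumption; check `docker network ls`.
host_gateway_ip() {
    docker network inspect -f '{{range .IPAM.Config}}{{.Gateway}}{{end}}' "$1"
}

main() {
    host=${1:-meet.domain.tld}
    exposed=$(ss -ltn | exposed_wildcard_ports 8000 8443)
    if [ -n "$exposed" ]; then
        echo "WARN: container ports reachable on all interfaces, bypassing Apache: $exposed"
        echo "      set HTTP_PORT=127.0.0.1:8000 (and HTTPS_PORT=127.0.0.1:8443) in .env"
    else
        echo "OK: no container HTTP port exposed on a wildcard address"
    fi
    if probe_xmpp_ws_head "$host" | is_ws_upgrade; then
        echo "OK: /xmpp-websocket upgrade proxied through https://$host"
    else
        echo "FAIL: /xmpp-websocket did not upgrade; check mod_proxy_wstunnel and the ws:// ProxyPass"
    fi
    if [ -n "${2-}" ]; then
        echo "host address as seen from the container: $(host_gateway_ip "$2")"
    fi
}

# usage: sh check_jitsi_proxy.sh --live meet.domain.tld [compose-network-name]
case "${1-}" in --live) shift; main "$@" ;; esac
```

If the first check warns, the fix is on the docker side, not in Apache: a publish spec of `127.0.0.1:8000:80` keeps the container port on loopback so only the proxy can reach it, which is also what makes "DISABLE_HTTPS=1, handled by proxy" hold in practice.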
