TCP only networking fails in docker-compose installation

I’ve installed Jitsi using https://github.com/jitsi/docker-jitsi-meet
I’m using Nginx as a reverse proxy; Nginx handles the SSL certificate configuration. Port 443 is proxied to port 8000, which is the HTTP port of jitsi/web. When I allow traffic to ports 80, 443, 4443 and 10000 (UDP), everything works fine. For certain reasons, I’m trying to secure the connection with SSL certificates, even the JVB packets. My first instinct was disabling UDP. If I can do this first step, I can put 4443 behind an SSL-required Nginx proxy.

Looking at docker-jitsi-meet, I enabled JVB_TCP_HARVESTER properly. JVB_TCP_PORT is 4443. I configured DOCKER_HOST_ADDRESS correctly, which affects NAT_HARVESTER_PUBLIC_ADDRESS while starting JVB.

To test TCP-only connections, I blocked port 10000 traffic in my firewall (i.e. AWS EC2 security groups). From my local machine, I opened two different sessions. I saw the following entries in the JVB logs:

jvb_1      | INFO: Pair failed: 172.18.0.4:10000/udp/host -> 192.168.1.20:60251/udp/host (stream-2b468a25.RTP)
jvb_1      | Apr 14, 2020 11:56:15 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Pair failed: 172.18.0.4:10000/udp/host -> 10.0.3.2:55436/udp/host (stream-2b468a25.RTP)
jvb_1      | Apr 14, 2020 11:56:15 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Pair failed: 172.18.0.4:4443/tcp/host -> 192.168.1.20:9/tcp/host (stream-2b468a25.RTP)
jvb_1      | Apr 14, 2020 11:56:15 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Pair failed: 172.18.0.4:4443/tcp/host -> 10.0.3.2:9/tcp/host (stream-2b468a25.RTP)
jvb_1      | Apr 14, 2020 11:56:15 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Pair failed: 172.18.0.4:10000/udp/host -> 192.168.1.20:60251/udp/host (stream-2b468a25.RTP)
jvb_1      | Apr 14, 2020 11:56:15 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Pair failed: 172.18.0.4:10000/udp/host -> 10.0.3.2:55436/udp/host (stream-2b468a25.RTP)
...
jvb_1      | INFO: new Pair added: 172.18.0.4:4443/tcp/host -> 192.168.1.20:9/tcp/host (stream-96d17c1a.RTP). Local ufrag 7a4br1e5t46ug2
jvb_1      | Apr 14, 2020 11:56:15 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: new Pair added: 172.18.0.4:4443/tcp/host -> 10.0.3.2:9/tcp/host (stream-96d17c1a.RTP). Local ufrag 7a4br1e5t46ug2
jvb_1      | Apr 14, 2020 11:56:15 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Pair failed: 172.18.0.4:10000/udp/host -> 192.168.1.20:58491/udp/host (stream-96d17c1a.RTP)
jvb_1      | Apr 14, 2020 11:56:15 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Pair failed: 172.18.0.4:10000/udp/host -> 10.0.3.2:53968/udp/host (stream-96d17c1a.RTP)
jvb_1      | Apr 14, 2020 11:56:15 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Pair failed: 172.18.0.4:4443/tcp/host -> 192.168.1.20:9/tcp/host (stream-96d17c1a.RTP)
jvb_1      | Apr 14, 2020 11:56:15 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Pair failed: 172.18.0.4:4443/tcp/host -> 10.0.3.2:9/tcp/host (stream-96d17c1a.RTP)

JVB fails pairing but since this is a one-to-one call, both sides can hear & see each other.

When I add the third participant, I see the following logs:

jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Gathering candidates for component stream-351286d3.RTP. Local ufrag 4cbjr1e5t4a9e4
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Ignoring empty DtlsFingerprint extension: <transport xmlns='urn:xmpp:jingle:transports:ice-udp:1'><fingerprint xmlns='urn:xmpp:jingle:apps:dtls:0' required='false'/></transport>
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: The remote side is acting as DTLS server, we'll act as client
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Add remote candidate for stream-351286d3.RTP: 192.168.1.20:59898/udp/host
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Starting the agent with remote candidates.
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Start ICE connectivity establishment. Local ufrag 4cbjr1e5t4a9e4
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Init checklist for stream stream-351286d3
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: ICE state changed from Waiting to Running. Local ufrag 4cbjr1e5t4a9e4
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: ICE state changed old=Waiting new=Running
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Start connectivity checks. Local ufrag 4cbjr1e5t4a9e4
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Update remote candidate for stream-351286d3.RTP: 192.168.1.20:59898/udp
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Not adding duplicate remote candidate: 192.168.1.20:59898/udp
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Update remote candidate for stream-351286d3.RTP: 192.168.1.20:59898/udp
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Not adding duplicate remote candidate: 192.168.1.20:59898/udp
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Update remote candidate for stream-351286d3.RTP: 10.0.3.2:64774/udp
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Update remote candidate for stream-351286d3.RTP: 192.168.1.20:9/tcp
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Update remote candidate for stream-351286d3.RTP: 10.0.3.2:9/tcp
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: new Pair added: 172.18.0.4:4443/tcp/host -> 192.168.1.20:9/tcp/host (stream-351286d3.RTP). Local ufrag 4cbjr1e5t4a9e4
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: new Pair added: 172.18.0.4:4443/tcp/host -> 10.0.3.2:9/tcp/host (stream-351286d3.RTP). Local ufrag 4cbjr1e5t4a9e4
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: new Pair added: 172.18.0.4:10000/udp/host -> 10.0.3.2:64774/udp/host (stream-351286d3.RTP). Local ufrag 4cbjr1e5t4a9e4
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: new Pair added: 157.175.33.109:10000/udp/srflx -> 10.0.3.2:64774/udp/host (stream-351286d3.RTP). Local ufrag 4cbjr1e5t4a9e4
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Update remote candidate for stream-351286d3.RTP: 192.168.1.20:59898/udp
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Not adding duplicate remote candidate: 192.168.1.20:59898/udp
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Update remote candidate for stream-351286d3.RTP: 192.168.1.20:59898/udp
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Not adding duplicate remote candidate: 192.168.1.20:59898/udp
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Update remote candidate for stream-351286d3.RTP: 10.0.3.2:64774/udp
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Not adding duplicate remote candidate: 10.0.3.2:64774/udp
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Pair failed: 172.18.0.4:10000/udp/host -> 192.168.1.20:59898/udp/host (stream-351286d3.RTP)
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Pair failed: 172.18.0.4:10000/udp/host -> 10.0.3.2:64774/udp/host (stream-351286d3.RTP)
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Pair failed: 172.18.0.4:4443/tcp/host -> 192.168.1.20:9/tcp/host (stream-351286d3.RTP)
jvb_1      | Apr 14, 2020 11:58:04 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: Pair failed: 172.18.0.4:4443/tcp/host -> 10.0.3.2:9/tcp/host (stream-351286d3.RTP)
jvb_1      | Apr 14, 2020 11:58:07 PM org.jitsi.utils.logging2.LoggerImpl log
jvb_1      | INFO: create_conf, id=e36cd23092e39f1c gid=null logging=false
jvb_1      | Apr 14, 2020 11:58:07 PM org.jitsi.utils.logging2.LoggerImpl log

After this point, each participant loses others’ video & sound.

My questions are:

  1. Theoretically, what should I do to enable TCP pairing on the JVB side?
  2. After this step, I’m planning to bind the JVB container’s port 4443 to host port 5443, and the host’s port 4443 to Nginx with SSL, proxying it to 5443. So, in the end, it will look like: nginx-ssl-proxy(4443) -> host(5443) -> docker-container(4443). This is the only way I can think of, since JVB broadcasts its port as 4443, the client tries to connect to 4443, and I can use SSL to encrypt messages coming to this port. Does this approach make sense? Does encrypting messages going to JVB make sense? Or is there another, much easier way that I’m missing?

Thanks.
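As an added diagnostic (not code from the post, from Jitsi or from ice4j), the script below parses the `new Pair added` / `Pair failed` lines quoted above and reports, per ICE stream, whether every candidate pair failed and which TCP remotes are port-9 active candidates (RFC 6544: the remote side has to open the TCP connection to JVB's 4443, so a connectivity check from JVB's side cannot reach them). The stream-96d17c1a lines are copied from the post; the stream-0000aaaa lines are constructed to show a stream that keeps a working UDP pair.

```python
import re
from collections import defaultdict

# Matches the two ICE pair events quoted in the post (ice4j log format).
PAIR_RE = re.compile(
    r"(?P<event>new Pair added|Pair failed): "
    r"(?P<lip>[\d.]+):(?P<lport>\d+)/(?P<proto>tcp|udp)/\w+ -> "
    r"(?P<rip>[\d.]+):(?P<rport>\d+)/(?:tcp|udp)/\w+ "
    r"\((?P<stream>stream-[0-9a-f]+)\.\w+\)"
)

# Constructed sample: stream-96d17c1a lines are copied from the post; the
# stream-0000aaaa lines are made up to show a stream keeping a UDP pair.
SAMPLE_LOG = """\
jvb_1      | INFO: new Pair added: 172.18.0.4:4443/tcp/host -> 192.168.1.20:9/tcp/host (stream-96d17c1a.RTP). Local ufrag 7a4br1e5t46ug2
jvb_1      | INFO: new Pair added: 172.18.0.4:4443/tcp/host -> 10.0.3.2:9/tcp/host (stream-96d17c1a.RTP). Local ufrag 7a4br1e5t46ug2
jvb_1      | INFO: Pair failed: 172.18.0.4:10000/udp/host -> 192.168.1.20:58491/udp/host (stream-96d17c1a.RTP)
jvb_1      | INFO: Pair failed: 172.18.0.4:10000/udp/host -> 10.0.3.2:53968/udp/host (stream-96d17c1a.RTP)
jvb_1      | INFO: Pair failed: 172.18.0.4:4443/tcp/host -> 192.168.1.20:9/tcp/host (stream-96d17c1a.RTP)
jvb_1      | INFO: Pair failed: 172.18.0.4:4443/tcp/host -> 10.0.3.2:9/tcp/host (stream-96d17c1a.RTP)
jvb_1      | INFO: new Pair added: 172.18.0.4:10000/udp/host -> 10.0.3.2:64774/udp/host (stream-0000aaaa.RTP). Local ufrag x
jvb_1      | INFO: new Pair added: 172.18.0.4:4443/tcp/host -> 10.0.3.2:9/tcp/host (stream-0000aaaa.RTP). Local ufrag x
jvb_1      | INFO: Pair failed: 172.18.0.4:4443/tcp/host -> 10.0.3.2:9/tcp/host (stream-0000aaaa.RTP)
"""

def parse_pairs(log_text):
    """Return {stream: {(proto, local, remote): 'added' | 'failed'}}."""
    streams = defaultdict(dict)
    for line in log_text.splitlines():
        m = PAIR_RE.search(line)
        if not m:
            continue
        key = (m["proto"], f"{m['lip']}:{m['lport']}", f"{m['rip']}:{m['rport']}")
        pairs = streams[m["stream"]]
        if pairs.get(key) != "failed":  # a failure is final; a later 'added' never clears it
            pairs[key] = "failed" if m["event"] == "Pair failed" else "added"
    return dict(streams)

def summarize(streams):
    """Per stream: did every pair fail, and which TCP remotes use port 9 (RFC 6544
    active candidate: the remote must connect to our 4443, JVB cannot reach it)."""
    report = {}
    for stream, pairs in streams.items():
        by_proto = defaultdict(lambda: {"added": 0, "failed": 0})
        for (proto, _local, _remote), state in pairs.items():
            by_proto[proto][state] += 1
        report[stream] = {"all_failed": bool(pairs) and all(s == "failed" for s in pairs.values()),
                          "tcp_active_remotes": [r for (p, _l, r) in pairs if p == "tcp" and r.endswith(":9")],
                          "by_proto": dict(by_proto)}
    return report
```

Run it over a full `docker-compose logs jvb` capture to see at a glance which streams lost every pair after the third participant joined.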