Traefik and docker install

I have been trying to install Jitsi using Traefik to handle the certificate and routing, but it is returning a bad-gateway message for some reason.

The .env file is set with DISABLE_HTTPS=1 and only the web container is set to be picked up by traefik.

Anyone have any idea on how I can debug this?

version: '3'

services:
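    # Frontend: the only service Traefik routes to (see the labels below).
    web:
        image: jitsi/web
        # NOTE(review): these mappings publish the container on the host and
        # bypass Traefik. With DISABLE_HTTPS=1 the HTTP_PORT mapping serves
        # plain HTTP to anyone who can reach the host; once routing through
        # Traefik works, `expose:` (or no mapping at all) is sufficient.
        ports:
            - '${HTTP_PORT}:80'
            - '${HTTPS_PORT}:443'
        volumes:
            - ${CONFIG}/web:/config
            - ${CONFIG}/web/letsencrypt:/etc/letsencrypt
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
        # Bare names are passed through from the environment / .env file of
        # the docker-compose process. The JIBRI_*_PASSWORD entries are
        # credentials, so keep that .env file out of version control.
        # NOTE(review): ENABLE_LETSENCRYPT / ENABLE_HTTP_REDIRECT presumably
        # should stay unset while Traefik terminates TLS - confirm in .env.
        environment:
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - ENABLE_LETSENCRYPT
            - ENABLE_HTTP_REDIRECT
            - ENABLE_TRANSCRIPTIONS
            - DISABLE_HTTPS
            - JICOFO_AUTH_USER
            - LETSENCRYPT_DOMAIN
            - LETSENCRYPT_EMAIL
            - PUBLIC_URL
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_BOSH_URL_BASE
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_RECORDER_DOMAIN
            - ETHERPAD_URL_BASE
            - TZ
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - ENABLE_RECORDING
        networks:
            traefik_proxy:
            meet.jitsi:
                aliases:
                    - ${XMPP_DOMAIN}
        labels:
            - "traefik.enable=true"
            # The container is attached to two networks; name the one Traefik
            # shares with it, otherwise Traefik may pick an address it cannot
            # reach (assumes Traefik itself is attached to traefik_proxy).
            - "traefik.docker.network=traefik_proxy"
            - "traefik.http.routers.meet.rule=Host(`meet.domain.tld`)"
            - "traefik.http.routers.meet.tls=true"
            - "traefik.http.routers.meet.service=meet"
            # Traefik connects to the container's own port over the Docker
            # network, not to a published host port. The container side of the
            # mappings above is 80 (HTTP) and 443, so the backend port is 80;
            # nothing in this file listens on 8000 inside the container.
            - "traefik.http.services.meet.loadbalancer.server.port=80"
            # NOTE(review): no router references the `meet` middleware, so none
            # of the headers below are sent. Attach it with the label
            # `traefik.http.routers.meet.middlewares=meet` once TLS works.
            # STSPreload + STSIncludeSubdomains with this STSSeconds value
            # commits the host and its subdomains to HTTPS for about ten years,
            # so enable it deliberately. accessControlAllowCredentials without
            # an allowed-origin list serves no purpose here; drop it unless
            # credentialed cross-origin requests are really required.
            - "traefik.http.middlewares.meet.headers.accessControlAllowCredentials=true"
            - "traefik.http.middlewares.meet.headers.browserXSSFilter=true"
            - "traefik.http.middlewares.meet.headers.contentTypeNosniff=true"
            - "traefik.http.middlewares.meet.headers.forceSTSHeader=true"
            - "traefik.http.middlewares.meet.headers.SSLHost=domain.tld"
            - "traefik.http.middlewares.meet.headers.SSLRedirect=true"
            - "traefik.http.middlewares.meet.headers.STSIncludeSubdomains=true"
            - "traefik.http.middlewares.meet.headers.STSPreload=true"
            - "traefik.http.middlewares.meet.headers.STSSeconds=315360000"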

    # XMPP server
    # Attached only to the meet.jitsi network and publishes no host ports.
    prosody:
        image: jitsi/prosody
        # `expose` makes these ports known to other containers only; nothing
        # is published on the host.
        expose:
            - '5222'
            - '5347'
            - '5280'
        volumes:
            - ${CONFIG}/prosody:/config
        # Bare names are passed through from the environment / .env file of the
        # docker-compose process. LDAP_BINDPW, JICOFO_COMPONENT_SECRET, the
        # *_PASSWORD entries and JWT_APP_SECRET are credentials: give each a
        # unique random value and keep the .env file out of version control.
        environment:
            - AUTH_TYPE
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - GLOBAL_MODULES
            - GLOBAL_CONFIG
            - LDAP_URL
            - LDAP_BASE
            - LDAP_BINDDN
            - LDAP_BINDPW
            - LDAP_FILTER
            - LDAP_AUTH_METHOD
            - LDAP_VERSION
            - LDAP_USE_TLS
            - LDAP_TLS_CIPHERS
            - LDAP_TLS_CHECK_PEER
            - LDAP_TLS_CACERT_FILE
            - LDAP_TLS_CACERT_DIR
            - LDAP_START_TLS
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_MODULES
            - XMPP_MUC_MODULES
            - XMPP_INTERNAL_MUC_MODULES
            - XMPP_RECORDER_DOMAIN
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JIGASI_XMPP_USER
            - JIGASI_XMPP_PASSWORD
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - JWT_APP_ID
            - JWT_APP_SECRET
            - JWT_ACCEPTED_ISSUERS
            - JWT_ACCEPTED_AUDIENCES
            - JWT_ASAP_KEYSERVER
            - JWT_ALLOW_EMPTY
            - JWT_AUTH_TYPE
            - JWT_TOKEN_AUTH_MODULE
            - LOG_LEVEL
            - TZ
        networks:
            meet.jitsi:
                # Other containers resolve the XMPP server under this name.
                aliases:
                    - ${XMPP_SERVER}
        labels:
            # Opt this container out of Traefik's Docker provider.
            - "traefik.enable=false"

    # Focus component
    # Internal service: only on the meet.jitsi network, no ports published.
    jicofo:
        image: jitsi/jicofo
        volumes:
            - ${CONFIG}/jicofo:/config
        # Values come from the environment / .env file of the docker-compose
        # process. JICOFO_COMPONENT_SECRET and JICOFO_AUTH_PASSWORD are
        # credentials shared with the prosody service.
        environment:
            - ENABLE_AUTH
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JICOFO_RESERVATION_REST_BASE_URL
            - JVB_BREWERY_MUC
            - JIGASI_BREWERY_MUC
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - TZ
        # Start order only; Compose does not wait for prosody to be ready.
        depends_on:
            - prosody
        networks:
            meet.jitsi:
        labels:
            # Opt this container out of Traefik's Docker provider.
            - "traefik.enable=false"

    # Video bridge
    # Media ports are published on the host directly; Traefik is not in the
    # media path (traefik.enable=false below), so the host firewall has to
    # allow JVB_PORT/udp and JVB_TCP_PORT.
    jvb:
        image: jitsi/jvb
        ports:
            - '${JVB_PORT}:${JVB_PORT}/udp'
            - '${JVB_TCP_PORT}:${JVB_TCP_PORT}'
        volumes:
            - ${CONFIG}/jvb:/config
        # Values come from the environment / .env file of the docker-compose
        # process. JVB_AUTH_PASSWORD is a credential shared with prosody.
        # NOTE(review): JVB_ENABLE_APIS presumably switches on the bridge's
        # HTTP APIs - leave it empty unless they are needed.
        environment:
            - DOCKER_HOST_ADDRESS
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JVB_BREWERY_MUC
            - JVB_PORT
            - JVB_TCP_HARVESTER_DISABLED
            - JVB_TCP_PORT
            - JVB_STUN_SERVERS
            - JVB_ENABLE_APIS
            - TZ
        # Start order only; Compose does not wait for prosody to be ready.
        depends_on:
            - prosody
        networks:
            meet.jitsi:
        labels:
            # Opt this container out of Traefik's Docker provider.
            - "traefik.enable=false"

# Custom network so all services can communicate using a FQDN
networks:
    # Pre-existing network that Compose attaches to but does not create;
    # presumably the one the Traefik container is connected to.
    traefik_proxy:
        external:
            name: traefik_proxy
    # Stack-internal network, created by Compose with default settings.
    meet.jitsi:

Hey! To me it looks like your port settings are a bit off.

My first idea would be to set your

  • ${HTTP_PORT} in the .env file to something like 8000 (default value)
  • change the ports setting - '${HTTP_PORT}:80' to 8000, too
  • and make sure to keep - "traefik.http.services.meet.loadbalancer.server.port=8000"

Currently your HOST:CONTAINER mapping in ports exposes the jitsi container app port as 80 to your host. In most setups that probably makes no sense. But here it also mismatches with the 8000 port you tell traefik to attach to later on.

Apart from that, I have a slightly different network setup in the docker-compose.yml. I didn’t add the traefik network as additional one, I just added the external naming reference to the existing meet.jitsi network definition in the bottom. But maybe that’s not a good approach, I don’t know.

@jakesmolka thank you for spotting that.

I think you are right about the ports, and the other problem is probably the way I configured the networks. I’m now going back and forth between a bad gateway and a gateway timeout.

It feels like trial and error at this point.

Hi there,

I am currently working on the same task, and got as far as having everything running, except for UDP connections for jitsi/jvb. It is tricky …

First of all you should change all the ports: settings to expose: since all the connections from/to the outside will be handled by traefik. I will post my (so far) working docker-compose files in the next post.

Cheers!

What I have found out so far, is that if I use docker-compose labels or the traefik_proxy network, it doesn’t work.

I got it working using the traefik.toml file in this way, but it’s not issuing a valid certificate:

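# Traefik v2 dynamic configuration (file provider) for the Jitsi web frontend.
[http]
  [http.routers]

    [http.routers.meet]
      entryPoints = ["https"]
      rule = "Host(`meet.domain.tld`)"
      service = "meet"
      # NOTE(review): the router has no `middlewares = ["meet"]` entry, so the
      # header middleware defined below is never applied to it.
      #
      # TLS is enabled without naming a certificate resolver, so Traefik has
      # nothing to request a certificate with and serves its default one.
      # Name the resolver from the static configuration inside the tls table:
      #   certResolver = "<your-resolver-name>"
      [http.routers.meet.tls]

  [http.services]
    [http.services.meet]
      # passHostHeader is an option of the load balancer, not of a server entry.
      [http.services.meet.loadBalancer]
        passHostHeader = true
        # Plain HTTP to the port published on the Docker host; this hop is not
        # encrypted, so keep it on a trusted network segment.
        [[http.services.meet.loadBalancer.servers]]
          url = "http://192.168.1.10:8000"

  [http.middlewares]
    [http.middlewares.meet]
      # All options of the headers middleware belong in the `headers` table;
      # placed directly under `meet` they are not valid middleware fields.
      [http.middlewares.meet.headers]
        browserXSSFilter = true
        contentTypeNosniff = true
        forceSTSHeader = true
        SSLHost = "domain.tld"
        SSLRedirect = true
        # Preload + includeSubdomains for about ten years: browsers will refuse
        # plain HTTP for the host and its subdomains for that long.
        STSIncludeSubdomains = true
        STSPreload = true
        STSSeconds = 315360000
        FrameDeny = true
        # CORS
        accessControlAllowMethods = ["GET", "OPTIONS", "PUT", "POST"]
        accessControlAllowOrigin = '*'
        accessControlAllowHeaders = ['DNT','User-Agent','X-Requested-With','If-Modified-Since','Cache-Control','Content-Type','Range']
        accessControlExposeHeaders = ["Content-Length","Content-Range"]
        # Browsers reject credentialed requests when the allowed origin is the
        # wildcard, so credentials stay off here. To allow them, replace '*'
        # with the exact origins that need access.
        accessControlAllowCredentials = false
        accessControlMaxAge = 100
        addVaryHeader = true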

Hi,

this works here (with the above-mentioned exception). You need to have entryPoints defined, depending on how you set up and run traefik. You can forget about the ipv6ula network if you do not use ipv6nat with traefik …

version: '3'


services:
    # Frontend
    # Reached only through Traefik: nothing is published on the host.
    web:
        image: jitsi/web
        labels:
          - "traefik.enable=true"
          # Network on which Traefik connects to this container.
          - "traefik.docker.network=ipv6ula"
          - "traefik.http.routers.jitsi.rule=Host(`jitsi.domain.tld`)"
          # Certificate is obtained by the Traefik resolver named `letsencrypt`,
          # which has to exist in Traefik's static configuration.
          - "traefik.http.routers.jitsi.tls.certresolver=letsencrypt"
          - "traefik.http.routers.jitsi.entrypoints=websecure"
          # NOTE(review): no loadbalancer.server.port label is set, so Traefik
          # chooses among the ports the container exposes; pin it to 80 if the
          # backend is picked wrongly.
        expose:
            - "80"
            # - '${HTTPS_PORT}:443'
        volumes:
            - ${CONFIG}/web:/config
            # - ${CONFIG}/web/letsencrypt:/etc/letsencrypt
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
        # Bare names are passed through from the environment / .env file of
        # the docker-compose process. The JIBRI_*_PASSWORD entries are
        # credentials, so keep that .env file out of version control.
        # NOTE(review): ENABLE_LETSENCRYPT and LETSENCRYPT_* are still passed
        # through although Traefik issues the certificate - presumably they
        # should be unset in .env.
        environment:
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - ENABLE_LETSENCRYPT
            - ENABLE_HTTP_REDIRECT
            - ENABLE_TRANSCRIPTIONS
            - DISABLE_HTTPS
            - JICOFO_AUTH_USER
            - LETSENCRYPT_DOMAIN
            - LETSENCRYPT_EMAIL
            - PUBLIC_URL
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_BOSH_URL_BASE
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_RECORDER_DOMAIN
            - ETHERPAD_URL_BASE
            - TZ
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - ENABLE_RECORDING
        networks:
            ipv6ula:
            meet.jitsi:
                aliases:
                    - ${XMPP_DOMAIN}

    # XMPP server
    # Attached only to the meet.jitsi network and publishes no host ports.
    prosody:
        image: jitsi/prosody
        # Ports made known to other containers only; not published on the host.
        expose:
            - '5222'
            - '5347'
            - '5280'
        volumes:
            - ${CONFIG}/prosody:/config
        # Values come from the environment / .env file of the docker-compose
        # process. LDAP_BINDPW, JICOFO_COMPONENT_SECRET, the *_PASSWORD entries
        # and JWT_APP_SECRET are credentials: use unique random values and keep
        # the .env file out of version control.
        environment:
            - AUTH_TYPE
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - GLOBAL_MODULES
            - GLOBAL_CONFIG
            - LDAP_URL
            - LDAP_BASE
            - LDAP_BINDDN
            - LDAP_BINDPW
            - LDAP_FILTER
            - LDAP_AUTH_METHOD
            - LDAP_VERSION
            - LDAP_USE_TLS
            - LDAP_TLS_CIPHERS
            - LDAP_TLS_CHECK_PEER
            - LDAP_TLS_CACERT_FILE
            - LDAP_TLS_CACERT_DIR
            - LDAP_START_TLS
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_MODULES
            - XMPP_MUC_MODULES
            - XMPP_INTERNAL_MUC_MODULES
            - XMPP_RECORDER_DOMAIN
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JIGASI_XMPP_USER
            - JIGASI_XMPP_PASSWORD
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - JWT_APP_ID
            - JWT_APP_SECRET
            - JWT_ACCEPTED_ISSUERS
            - JWT_ACCEPTED_AUDIENCES
            - JWT_ASAP_KEYSERVER
            - JWT_ALLOW_EMPTY
            - JWT_AUTH_TYPE
            - JWT_TOKEN_AUTH_MODULE
            - LOG_LEVEL
            - TZ
        networks:
            meet.jitsi:
                # Other containers resolve the XMPP server under this name.
                aliases:
                    - ${XMPP_SERVER}

    # Focus component
    # Internal service: only on the meet.jitsi network, no ports published.
    jicofo:
        image: jitsi/jicofo
        volumes:
            - ${CONFIG}/jicofo:/config
        # Values come from the environment / .env file of the docker-compose
        # process. JICOFO_COMPONENT_SECRET and JICOFO_AUTH_PASSWORD are
        # credentials shared with the prosody service.
        environment:
            - ENABLE_AUTH
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JICOFO_RESERVATION_REST_BASE_URL
            - JVB_BREWERY_MUC
            - JIGASI_BREWERY_MUC
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - TZ
        # Start order only; Compose does not wait for prosody to be ready.
        depends_on:
            - prosody
        networks:
            meet.jitsi:

    # Video bridge
    # Media (UDP) is routed through Traefik here instead of being published
    # on the host.
    jvb:
        image: jitsi/jvb
        labels:
          - "traefik.enable=true"
          # Network on which Traefik connects to this container.
          - "traefik.docker.network=ipv6ula"
          # The UDP entry point `jvb_udp` has to be defined in Traefik's static
          # configuration and opened in the host firewall.
          - "traefik.udp.routers.jvb.entrypoints=jvb_udp"
          - "traefik.udp.routers.jvb.service=jvb"
          - "traefik.udp.services.jvb.loadbalancer.server.port=${JVB_PORT}"
        # Made known to other containers only. No Traefik router is defined
        # for JVB_TCP_PORT, so the TCP fallback is not reachable from outside.
        expose:
            - '${JVB_PORT}/udp'
            - '${JVB_TCP_PORT}'
        volumes:
            - ${CONFIG}/jvb:/config
        # Values come from the environment / .env file of the docker-compose
        # process. JVB_AUTH_PASSWORD is a credential shared with prosody.
        # NOTE(review): JVB_ENABLE_APIS presumably switches on the bridge's
        # HTTP APIs - leave it empty unless they are needed.
        environment:
            - DOCKER_HOST_ADDRESS
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JVB_BREWERY_MUC
            - JVB_PORT
            - JVB_TCP_HARVESTER_DISABLED
            - JVB_TCP_PORT
            - JVB_STUN_SERVERS
            - JVB_ENABLE_APIS
            - TZ
        # Start order only; Compose does not wait for prosody to be ready.
        depends_on:
            - prosody
        networks:
            ipv6ula:
            meet.jitsi:

# Custom network so all services can communicate using a FQDN
networks:
    # Pre-existing network (not created by this file) that web and jvb share
    # with Traefik, per their traefik.docker.network labels.
    ipv6ula:
        external: true
    # Stack-internal network, created by Compose with default settings.
    meet.jitsi:

Hi Jogi, I am trying the same, used your docker-compose. I set up entrypoints like this:
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entryPoints.jvb_udp.address=:10000/udp
But I always get Gateway Timeout.
When I bind Jitsi to host port, I can reach Jitsi correctly.
I am very interested if you got a working setup.
R

Hello Jogi!

I have a problem with the jvb service with your compose config. I made the entry points for the jvb udp port. A conference with 2 people works, but when a third person joins, the jvb freezes.

If I use the jvb service without traefik it works as expected.

Should I add the jvb ports to my traefik docker compose config too?

Can you share the traefik docker compose file and the configuration file for traefik?

Thank you for your reply!
cd334

I have a working docker swarm - traefik yaml file. My setup is a docker swarm across multiple kvms in multiple data centers. Between the nodes I am using vpncloud for a mesh vpn. Portainer is used for management. I am using deploy constraints to put individual services on specific hosts in the swarm, this is not necessary except for the jvb service. A NFS server is utilized for config storage. The mount points in the config are my nfs shares. You can change them to fit your needs

NOTES

  • your.fqdn.com = the domain name you are using for your server or at least the public entry point for people to launch the jitsi interface.
  • your.fqdn.com is added to the end of the internal network domain that is specified in the jitsi docker-compose.yml. This is because jibri looks for the name of public entry point at the end of the internal domain so it can connect and record it. More below.
  • server1.fqdn.com, server2.fqdn.com, etc. = are some of my swarm nodes. You can choose to remove the deploy constraints. If used these are the hostnames reported by docker swarm for the nodes.
  • I am using more up to date docker images for the services. You can change them back to the ones specified in the canonical docker-compose.yml
  • Ports 10000 and 4443 have to be mapped from your host to your service exactly as specified in the jvb service. They cannot be routed through traefik at this time. This is why this service needs to be pinned to host at this time. You must make sure those ports are opened through your firewall.
  • You really need to know how to setup traefik (of which I am barely competent at) and a docker swarm to understand what is happening here. All of the .env has been moved into the environment sections. These need to be reviewed and edited to fit your deployment. I am performing ssl termination and ssl cert handling in traefik. That is why under the web services environment section DISABLE_HTTPS is set to 1.

JIBRI
Jibri must be installed via docker compose on the node you want to run it on. It cannot be part of the swarm because it needs access to the audio device. Docker swarms do not expose that hardware. You can connect to the overlay jitsi network but it must be present on the node you are deploying Jibri on. This means a service of this stack must be present on the node. You might need to add a dummy service to the stack so it will create this network on the node.

Jibri seems to eat a lot of memory. I have not been able to keep it up and running on a 4GB KVM. So good luck. I have found you can use OBS to do the same thing. I will post the Jibri config I use and the url that Jibri uses to capture the stream in a subsequent post. All Jibri is doing is running a chrome driver instance access the public entry point and using FFMPEG to stream or record the session.

DOCKER STACK YAML

version: '3.7'

services:
    # Frontend
    # Swarm service; TLS is terminated by Traefik (DISABLE_HTTPS: 1 below).
    web:
        # Third-party image without a tag, i.e. `latest`: pin a version or
        # digest you have reviewed.
        image: quadeare/jitsi-web
        # NOTE(review): `restart` is not honoured by `docker stack deploy`;
        # swarm uses deploy.restart_policy instead.
        restart: unless-stopped
        volumes:
            - jitsi-web:/config
        # Keys with an empty value are resolved from the environment of the
        # deploying shell.
        environment:
            ENABLE_AUTH:
            ENABLE_GUESTS:
            ENABLE_RECORDING: 1
            ENABLE_TRANSCRIPTIONS:
            ETHERPAD_URL_BASE:
            DISABLE_HTTPS: 1
            JICOFO_AUTH_USER: focus
            PUBLIC_URL: https://your.fqdn.com
            XMPP_DOMAIN: meet.your.fqdn.com
            XMPP_AUTH_DOMAIN: auth.meet.your.fqdn.com
            XMPP_BOSH_URL_BASE: http://xmpp.meet.your.fqdn.com:5280
            XMPP_GUEST_DOMAIN: guest.meet.your.fqdn.com
            XMPP_MUC_DOMAIN: muc.meet.your.fqdn.com
            XMPP_RECORDER_DOMAIN: recorder.meet.your.fqdn.com
            TZ: America/Chicago
            JIBRI_BREWERY_MUC: jibribrewery
            JIBRI_PENDING_TIMEOUT: 90
            JIBRI_XMPP_USER: jibri
            # `passw0rd` is a placeholder: replace every password in this file
            # with a unique random value before deploying, and keep the edited
            # file out of version control.
            JIBRI_XMPP_PASSWORD: passw0rd
            JIBRI_RECORDER_USER: recorder
            JIBRI_RECORDER_PASSWORD: passw0rd
        deploy:
          placement:
            # Node hostname as reported by docker swarm; replace with your own.
            constraints: [node.hostname == lax1.vosswerks.xyz]
          # In swarm mode Traefik reads labels from deploy.labels.
          labels:
            - "traefik.enable=true"
            # Plain-HTTP router: exists only to redirect to HTTPS.
            - "traefik.http.routers.jitsi.entrypoints=http"
            - "traefik.http.routers.jitsi.rule=Host(`your.fqdn.com`)"
            - "traefik.http.middlewares.jitsi-https-redirect.redirectscheme.scheme=https"
            - "traefik.http.routers.jitsi.middlewares=jitsi-https-redirect"
            # HTTPS router; certificate from the resolver named `cloudflare`.
            - "traefik.http.routers.jitsi-secure.entrypoints=https"
            - "traefik.http.routers.jitsi-secure.rule=Host(`your.fqdn.com`)"
            - "traefik.http.routers.jitsi-secure.tls=true"
            - "traefik.http.routers.jitsi-secure.tls.certresolver=cloudflare"
            - "traefik.http.routers.jitsi-secure.service=jitsi"
            # Container port of the web service (plain HTTP behind Traefik).
            - "traefik.http.services.jitsi.loadbalancer.server.port=80"
            # Network on which Traefik connects to this service.
            - "traefik.docker.network=proxy"
        networks:
          proxy:
          jitsi:
            aliases:
              - web.meet.your.fqdn.com

    # XMPP server
    # Attached only to the `jitsi` network; no ports are published.
    prosody:
        # Third-party image without a tag, i.e. `latest`: pin a version or
        # digest you have reviewed.
        image: quadeare/jitsi-prosody
        # The same volume is mounted at both paths.
        volumes:
            - prosody-config:/config
            - prosody-config:/etc/prosody
        deploy:
          placement:
            constraints: [node.hostname == server.fqdn.com]
        # Keys with an empty value are resolved from the environment of the
        # deploying shell.
        # `passw0rd` / `s3cr37` are placeholders: give every *_PASSWORD and
        # *_SECRET its own random value before deploying, use the same value
        # in the peer service that logs in with it, and keep the edited file
        # out of version control.
        environment:
            AUTH_TYPE:
            ENABLE_AUTH:
            GLOBAL_CONFIG:
            GLOBAL_MODULES:
            LDAP_AUTH_METHOD:
            LDAP_URL:
            LDAP_TLS_CACERT_FILE:
            LDAP_TLS_CACERT_DIR:
            LDAP_BINDPW:
            LDAP_FILTER:
            LDAP_TLS_CHECK_PEER:
            LDAP_START_TLS:
            LDAP_VERSION:
            JICOFO_COMPONENT_SECRET: s3cr37
            JICOFO_AUTH_USER: focus
            JICOFO_AUTH_PASSWORD: passw0rd
            JVB_AUTH_USER: jvb
            JVB_AUTH_PASSWORD: passw0rd
            PUBLIC_URL: https://your.fqdn.com
            XMPP_DOMAIN: meet.your.fqdn.com
            XMPP_AUTH_DOMAIN: auth.meet.your.fqdn.com
            XMPP_BOSH_URL_BASE: http://xmpp.meet.your.fqdn.com:5280
            XMPP_GUEST_DOMAIN: guest.meet.your.fqdn.com
            XMPP_MUC_DOMAIN: muc.meet.your.fqdn.com
            XMPP_INTERNAL_MUC_DOMAIN: internal-muc.meet.your.fqdn.com
            XMPP_RECORDER_DOMAIN: recorder.meet.your.fqdn.com
            XMPP_MODULES:
            XMPP_MUC_MODULES:
            XMPP_INTERNAL_MUC_MODULES:
            TZ: America/Chicago
            JIGASI_XMPP_USER: jigasi
            JIGASI_XMPP_PASSWORD: passw0rd
            JIBRI_BREWERY_MUC: jibribrewery
            JIBRI_PENDING_TIMEOUT: 90
            JIBRI_XMPP_USER: jibri
            JIBRI_XMPP_PASSWORD: passw0rd
            JIBRI_RECORDER_USER: recorder
            JIBRI_RECORDER_PASSWORD: passw0rd
            JWT_APP_ID: 
            # Placeholder text, not a usable secret.
            JWT_APP_SECRET: something long goes here
            JWT_ACCEPTED_ISSUERS:
            JWT_ALLOW_EMPTY:
            JWT_AUTH_TYPE:
            JWT_TOKEN_AUTH_MODULE:
            JWT_ACCEPTED_AUDIENCES:
            JWT_ASAP_KEYSERVER:
            LOG_LEVEL: info
        networks:
          jitsi:
             # Names under which the other services resolve this container.
             aliases:
               - meet.your.fqdn.com
               - xmpp.meet.your.fqdn.com
               - auth.meet.your.fqdn.com
               - guest.meet.your.fqdn.com
               - muc.meet.your.fqdn.com
               - internal-muc.meet.your.fqdn.com
               - focus.meet.your.fqdn.com

    # Focus component
    # Internal service: only on the `jitsi` network, no ports published.
    jicofo:
        # Third-party image without a tag, i.e. `latest`: pin a version or
        # digest you have reviewed.
        image: quadeare/jitsi-jicofo
        volumes:
            - jicofo-config:/config
        deploy:
          placement:
            constraints: [node.hostname == server2.fqdn.com]
        environment:
            ENABLE_AUTH:
            # Placeholder credentials: replace with unique random values that
            # match the ones given to the prosody service.
            JICOFO_COMPONENT_SECRET: s3cr37
            JICOFO_AUTH_USER: focus
            JICOFO_AUTH_PASSWORD: passw0rd
            JICOFO_RESERVATION_REST_BASE_URL:
            XMPP_DOMAIN: meet.your.fqdn.com
            XMPP_AUTH_DOMAIN: auth.meet.your.fqdn.com
            XMPP_INTERNAL_MUC_DOMAIN: internal-muc.meet.your.fqdn.com
            XMPP_SERVER: xmpp.meet.your.fqdn.com
            TZ: America/Chicago
            JIBRI_BREWERY_MUC: jibribrewery
            JIBRI_PENDING_TIMEOUT: 90
            JVB_BREWERY_MUC: jvbbrewery
            JIGASI_BREWERY_MUC: jigasibrewery
        # NOTE(review): `depends_on` is not honoured by `docker stack deploy`.
        depends_on:
            - prosody
        networks:
            jitsi:

    # Video bridge
    # Media ports are bound on the node itself (mode: host), not routed
    # through Traefik; the node's firewall has to allow both of them.
    jvb:
        # Third-party image on the `latest` tag: pin a version or digest you
        # have reviewed.
        image: quadeare/jitsi-jvb:latest
        ports:
          - target: 10000
            published: 10000
            mode: host
            protocol: udp
          - target: 4443
            published: 4443
            mode: host
            protocol: tcp
        volumes:
            - jvb-config:/config
        deploy:
          placement:
            # Pins the bridge to the node whose ports are opened.
            constraints: [node.hostname == server3.fqdn.com]
        environment:
            XMPP_INTERNAL_MUC_DOMAIN: internal-muc.meet.your.fqdn.com
            XMPP_AUTH_DOMAIN: auth.meet.your.fqdn.com
            XMPP_SERVER: xmpp.meet.your.fqdn.com
            TZ: America/Chicago
            JIBRI_BREWERY_MUC: jibribrewery
            JIBRI_PENDING_TIMEOUT: 90
            JVB_AUTH_USER: jvb
            # Placeholder: replace with a unique random value that matches
            # JVB_AUTH_PASSWORD in the prosody service.
            JVB_AUTH_PASSWORD: passw0rd
            JVB_BREWERY_MUC: jvbbrewery
            JVB_PORT: 10000
            JVB_TCP_HARVESTER_DISABLED: 0
            JVB_TCP_PORT: 4443
            JVB_STUN_SERVERS: stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302
            # NOTE(review): presumably enables the bridge's REST and COLIBRI
            # HTTP APIs. No port for them is published here, but the `jitsi`
            # network is attachable - confirm the APIs are needed.
            JVB_ENABLE_APIS: rest,colibri
        # NOTE(review): `depends_on` is not honoured by `docker stack deploy`.
        depends_on:
            - prosody
        networks:
            jitsi:
              aliases:
                - jvb.meet.your.fqdn.com
    # Placeholder service: per the author's notes, its only purpose is to make
    # swarm create the `jitsi` network on this node, so that a standalone
    # Jibri container there can attach to it.
    dummy:
        image: hello-world
        deploy:
            placement:
                constraints:
                    - node.hostname == server4.fqdn.com
        networks:
            jitsi:

# Custom network so all services can communicate using a FQDN
networks:
  # Pre-existing network shared with Traefik; not created by this stack.
  proxy:
    external: true
  jitsi:
    # Lets standalone containers (the Jibri compose file attaches this way)
    # join the network. Anything that can start a container on a swarm node
    # can then reach the XMPP services, so the placeholder passwords in this
    # file must be replaced.
    attachable: true
    

# Configuration volumes, each backed by an NFSv4 export on 10.0.1.3.
# NOTE(review): the mount options show no authentication or encryption, so
# access control presumably rests on the server's export rules; restrict the
# exports to the swarm nodes, since these directories hold service
# configuration and credentials.
volumes:
  jitsi-web:
    driver: local
    driver_opts:
      type: nfs
      o: nfsvers=4,addr=10.0.1.3,rw
      device: ":/mnt/nfsdata/jitsi"
  prosody-config:
    driver: local
    driver_opts:
      type: nfs
      o: nfsvers=4,addr=10.0.1.3,rw
      device: ":/mnt/nfsdata/prosody"
  jicofo-config:
    driver: local
    driver_opts:
      type: nfs
      o: nfsvers=4,addr=10.0.1.3,rw
      device: ":/mnt/nfsdata/jicofo"
  jvb-config:
    driver: local
    driver_opts:
      type: nfs
      o: nfsvers=4,addr=10.0.1.3,rw
      device: ":/mnt/nfsdata/jvb"

JIBRI CONFIG

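version: '3.7'

services:
  # Recorder. Run with docker-compose on a single node, outside the swarm
  # stack, and attached to the stack's overlay network (jitsi_jitsi below).
  jibri:
    image: jitsi/jibri
    volumes:
      - jibri-config:/config
      - /dev/shm:/dev/shm
    # SYS_ADMIN is a very broad capability: a compromise of this container is
    # close to a compromise of the node. NOTE(review): presumably needed by
    # the browser the recorder runs - confirm, and keep Jibri on a node that
    # hosts nothing else sensitive.
    cap_add:
      - SYS_ADMIN
      - NET_BIND_SERVICE
    # Host sound device handed to the container.
    devices:
      - /dev/snd:/dev/snd
    environment:
      XMPP_SERVER: xmpp.meet.your.fqdn.com
      XMPP_DOMAIN: your.fqdn.com
      XMPP_AUTH_DOMAIN: auth.meet.your.fqdn.com
      XMPP_BOSH_URL_BASE: http://xmpp.meet.your.fqdn.com:5280
      XMPP_GUEST_DOMAIN: guest.meet.your.fqdn.com
      XMPP_MUC_DOMAIN: muc.meet.your.fqdn.com
      XMPP_INTERNAL_MUC_DOMAIN: internal-muc.meet.your.fqdn.com
      XMPP_RECORDER_DOMAIN: recorder.meet.your.fqdn.com
      # TZ was listed twice with the same value; duplicate mapping keys are
      # invalid YAML, so only one entry is kept.
      TZ: America/Chicago
      JIBRI_BREWERY_MUC: jibribrewery
      JIBRI_PENDING_TIMEOUT: 90
      JIBRI_XMPP_USER: jibri
      # `passw0rd` is a placeholder: use the unique random values configured
      # for these accounts in the prosody service, and keep the edited file
      # out of version control.
      JIBRI_XMPP_PASSWORD: passw0rd
      JIBRI_RECORDER_USER: recorder
      JIBRI_RECORDER_PASSWORD: passw0rd
      # Quoted so the leading colon can never be read as YAML syntax.
      DISPLAY: ':0'
      JIBRI_RECORDING_DIR: /config/recordings
      JIBRI_FINALIZE_RECORDING_SCRIPT_PATH: /config/finalize.sh
      JIBRI_STRIP_DOMAIN_JID: muc.meet
      JIBRI_LOGS_DIR: /config/logs
    networks:
      jitsi_jitsi:

volumes:
  # NFS-backed; recordings and logs are written below /config.
  jibri-config:
    driver: local
    driver_opts:
      type: nfs
      o: nfsvers=4,addr=10.0.1.3,rw
      device: ":/mnt/nfsdata/jibri"
networks:
  # Overlay network created by the swarm stack; it has to exist on this node.
  jitsi_jitsi:
    external: true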

URL TO RECORD JITSI
https://your.fqdn.com/room-name-goes-here#config.iAmRecorder=true&config.externalConnectUrl=null&config.startWithAudioMuted=true&config.startWithVideoMuted=true&interfaceConfig.APP_NAME="Jibri"&config.analytics.disabled=true&config.p2p.enabled=false

You cannot use Traefik to proxy the 10000/udp and 4443/tcp ports. I tried it. It doesn’t work. You must use host networking for those ports.

I used @jogi’s config and took the Traefik labels and the host network config for the jvb bridge from @mattvoss. It works in Chrome-based browsers. I’m not quite happy with it because it bypasses Traefik… Traefik v2.2 supports UDP traffic. I guess there is a way to configure it right, but I don’t know how.

version: '3.7'

services:
    # Frontend
    # Reached only through Traefik: nothing is published on the host.
    web:
        image: jitsi/web
        labels:
            - "traefik.enable=true"
            # Plain-HTTP router: exists only to redirect to HTTPS.
            - "traefik.http.routers.jitsi.entrypoints=http"
            - "traefik.http.routers.jitsi.rule=Host(`meet.domain.tld`)"
            - "traefik.http.middlewares.jitsi-https-redirect.redirectscheme.scheme=https"
            - "traefik.http.routers.jitsi.middlewares=jitsi-https-redirect"
            # HTTPS router; certificate from the Traefik resolver named `http`.
            - "traefik.http.routers.jitsi-secure.entrypoints=https"
            - "traefik.http.routers.jitsi-secure.rule=Host(`meet.domain.tld`)"
            - "traefik.http.routers.jitsi-secure.tls=true"
            - "traefik.http.routers.jitsi-secure.tls.certresolver=http"
            - "traefik.http.routers.jitsi-secure.service=jitsi"
            # Container port of the web service (plain HTTP behind Traefik).
            - "traefik.http.services.jitsi.loadbalancer.server.port=80"
            # Network on which Traefik connects to this container.
            - "traefik.docker.network=proxy"
        expose:
            - 80
            # - '${HTTPS_PORT}:443'
        volumes:
            - ${CONFIG}/web:/config
            # - ${CONFIG}/web/letsencrypt:/etc/letsencrypt
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
        # Bare names are passed through from the environment / .env file of
        # the docker-compose process. The JIBRI_*_PASSWORD entries are
        # credentials, so keep that .env file out of version control.
        # NOTE(review): ENABLE_LETSENCRYPT and LETSENCRYPT_* are still passed
        # through although Traefik issues the certificate - presumably they
        # should be unset in .env.
        environment:
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - ENABLE_LETSENCRYPT
            - ENABLE_HTTP_REDIRECT
            - ENABLE_TRANSCRIPTIONS
            - DISABLE_HTTPS
            - JICOFO_AUTH_USER
            - LETSENCRYPT_DOMAIN
            - LETSENCRYPT_EMAIL
            - PUBLIC_URL
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_BOSH_URL_BASE
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_RECORDER_DOMAIN
            - ETHERPAD_URL_BASE
            - TZ
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - ENABLE_RECORDING
        networks:
            proxy:
            meet.jitsi:
                aliases:
                    - ${XMPP_DOMAIN}

    # XMPP server
    # Attached only to the meet.jitsi network and publishes no host ports.
    prosody:
        image: jitsi/prosody
        # Ports made known to other containers only; not published on the host.
        expose:
            - '5222'
            - '5347'
            - '5280'
        volumes:
            - ${CONFIG}/prosody:/config
        # Values come from the environment / .env file of the docker-compose
        # process. LDAP_BINDPW, JICOFO_COMPONENT_SECRET, the *_PASSWORD entries
        # and JWT_APP_SECRET are credentials: use unique random values and keep
        # the .env file out of version control.
        environment:
            - AUTH_TYPE
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - GLOBAL_MODULES
            - GLOBAL_CONFIG
            - LDAP_URL
            - LDAP_BASE
            - LDAP_BINDDN
            - LDAP_BINDPW
            - LDAP_FILTER
            - LDAP_AUTH_METHOD
            - LDAP_VERSION
            - LDAP_USE_TLS
            - LDAP_TLS_CIPHERS
            - LDAP_TLS_CHECK_PEER
            - LDAP_TLS_CACERT_FILE
            - LDAP_TLS_CACERT_DIR
            - LDAP_START_TLS
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_MODULES
            - XMPP_MUC_MODULES
            - XMPP_INTERNAL_MUC_MODULES
            - XMPP_RECORDER_DOMAIN
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JIGASI_XMPP_USER
            - JIGASI_XMPP_PASSWORD
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - JWT_APP_ID
            - JWT_APP_SECRET
            - JWT_ACCEPTED_ISSUERS
            - JWT_ACCEPTED_AUDIENCES
            - JWT_ASAP_KEYSERVER
            - JWT_ALLOW_EMPTY
            - JWT_AUTH_TYPE
            - JWT_TOKEN_AUTH_MODULE
            - LOG_LEVEL
            - TZ
        networks:
            meet.jitsi:
                # Other containers resolve the XMPP server under this name.
                aliases:
                    - ${XMPP_SERVER}

    # Focus component
    # Internal service: only on the meet.jitsi network, no ports published.
    jicofo:
        image: jitsi/jicofo
        volumes:
            - ${CONFIG}/jicofo:/config
        # Values come from the environment / .env file of the docker-compose
        # process. JICOFO_COMPONENT_SECRET and JICOFO_AUTH_PASSWORD are
        # credentials shared with the prosody service.
        environment:
            - ENABLE_AUTH
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JICOFO_RESERVATION_REST_BASE_URL
            - JVB_BREWERY_MUC
            - JIGASI_BREWERY_MUC
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - TZ
        # Start order only; Compose does not wait for prosody to be ready.
        depends_on:
            - prosody
        networks:
            meet.jitsi:

    # Video bridge
    # Media ports are published on the host directly, bypassing Traefik; the
    # host firewall has to allow 10000/udp and 4443/tcp.
    jvb:
        image: jitsi/jvb
        ports:
            - target: 10000
              published: 10000
              protocol: udp
            - target: 4443
              published: 4443
              protocol: tcp
        volumes:
            - ${CONFIG}/jvb:/config
        # Values come from the environment / .env file of the docker-compose
        # process. JVB_AUTH_PASSWORD is a credential shared with prosody.
        # NOTE(review): the published ports above are fixed while JVB_PORT and
        # JVB_TCP_PORT come from .env - presumably they have to agree.
        environment:
            - DOCKER_HOST_ADDRESS
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JVB_BREWERY_MUC
            - JVB_PORT
            - JVB_TCP_HARVESTER_DISABLED
            - JVB_TCP_PORT
            - JVB_STUN_SERVERS
            - JVB_ENABLE_APIS
            - TZ
        # Start order only; Compose does not wait for prosody to be ready.
        depends_on:
            - prosody
        networks:
            meet.jitsi:

# Custom network so all services can communicate using a FQDN
networks:
    # external: Compose does not create this network; it must already exist.
    # Services join it only by listing this exact key under their `networks:`.
    proxy:
        external: true
    # No options given: Compose creates this one with default settings.
    meet.jitsi:

Trust me I tried to proxy udp with Traefik 2.2 and it doesn’t work. I beat my head against the wall for a week before I realized that.


I beg to differ :smile:. After some thinking and tinkering and your comment on using a different image source I have a working config now. Still not entirely bug free but the path seems to be correct. The issue now is that connections break after 3 minutes. I’ll make a new post for this. Check out my configs that I will post at the end of this Thread.

Cheers,
j.

This is how I got jitsi working behind a traefik router. I left tcp fallback for jvb disabled for now. As mentioned above a connection works for about three (3) minutes, then it breaks. See here for the bug/error report.

traefik docker-compose.yml

version: "3"

services:

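  traefik:
    # Edge router: terminates TLS with Let's Encrypt certificates (HTTP-01
    # challenge on the web entry point) and builds its routes from the labels
    # of running containers.
    image: traefik:v2.2
    hostname: "traefik"
    container_name: "traefik"
    command:
      # Dashboard and API are enabled but not in insecure mode; they are only
      # reachable through the `api` router defined in the labels below.
      - --api=true
      - --api.dashboard=true
      - --providers.docker=true
      # Only containers labelled traefik.enable=true are routed.
      - --providers.docker.exposedbydefault=false
      - --log.level=INFO
      # Access logging is off; enable it if requests need to be auditable.
      - --accesslog=false
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --entryPoints.adminer.address=:8080
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.email=you@example.com
      - --certificatesResolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=web
      - --entryPoints.rtmp.address=:1935
      - --entryPoints.jvb_tcp.address=:4443
      - --entryPoints.jvb_udp.address=:10000/udp
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`docker.example.com`)"
      - "traefik.http.routers.api.service=api@internal"
      # The dashboard is protected by basic auth and also gets the HSTS header.
      - "traefik.http.routers.api.middlewares=auth,hsts"
      - "traefik.http.middlewares.auth.basicauth.usersfile=/basicauth/usersfile"

      # add hsts headers
      # Traefik v2 sets HSTS through a headers middleware. The
      # traefik.frontend.headers.* labels are v1 syntax that v2 does not read,
      # so they produced no header. Other routers get HSTS only if they list
      # hsts@docker in their own middlewares label.
      # includeSubdomains plus preload commit every subdomain to HTTPS for a
      # year; confirm that is intended before using it on a shared domain.
      - "traefik.http.middlewares.hsts.headers.stsSeconds=31536000"
      - "traefik.http.middlewares.hsts.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.hsts.headers.stsPreload=true"

      # global redirect http to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=httpsalways"

      # middleware redirect http to https
      - "traefik.http.middlewares.httpsalways.redirectscheme.scheme=https"

      # enable https for api/dashboard
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      - "traefik.http.routers.api.entrypoints=websecure"
    ports:
      # Each entry point is published on every host interface; drop the ones
      # that no router uses.
      - "80:80"
      - "443:443"
      - "8080:8080"
      - "1935:1935"
      - "4443:4443"
      - "10000:10000/udp"
    volumes:
      # Access to the Docker socket is equivalent to control of the Docker
      # daemon. The :ro flag only protects the socket file itself; it does not
      # restrict API calls made through it.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # acme.json (ACME account key and certificate private keys) is stored
      # here; keep the directory readable by the owner only.
      - "./letsencrypt:/letsencrypt"
      - "./basicauth:/basicauth:ro"
    networks:
      - ipv6ula
      - jitsi
    restart: unless-stopped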

  whoami:
    # Small test backend used to check that routing and certificates work.
    # NOTE(review): the image is expected to echo details of the request it
    # receives - verify, and remove the service once the setup is confirmed.
    # No tag is given, so `latest` is pulled.
    image: "containous/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whoami.entrypoints=websecure"
    networks:
      - ipv6ula
    restart: unless-stopped

  ipv6nat:
    # IPv6 NAT helper. This is the most privileged container in the file: it
    # shares the host network namespace, holds NET_ADMIN and SYS_MODULE, and
    # can read the Docker socket and the host's kernel modules directory.
    # NOTE(review): no tag is given, so `latest` is pulled; pin a tag or digest
    # you have reviewed before granting these privileges.
    image: "robbertkl/ipv6nat"
    container_name: "ipv6nat"
    hostname: "ipv6nat"
    entrypoint: "/docker-ipv6nat"
    command: "-cleanup -debug"
    network_mode: host
    cap_add:
      # NET_ADMIN: change the host's network configuration.
      # SYS_MODULE: load and unload kernel modules.
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      # :ro protects the socket file only; API calls through it still work.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /lib/modules:/lib/modules:ro
    restart: unless-stopped

# Both networks are external: Compose neither creates nor removes them, so
# they must exist before this stack is started.
networks:
  ipv6ula:
    external: true
  # Shared with the jitsi stack; Traefik reaches the jitsi containers over it.
  jitsi:
    external: true

jitsi docker-compose.yml

version: '3'


services:
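    # Frontend (web). Traefik terminates TLS and forwards to port 80 of this
    # container over the jitsi network, so that hop is plain HTTP.
    web:
        # NOTE(review): third-party image with no tag, so `latest` is pulled;
        # pin a tag or digest you have reviewed.
        image: quadeare/jitsi-web
        labels:
          - "traefik.enable=true"
          # Tells Traefik which network to reach this container on.
          - "traefik.docker.network=jitsi"
          # Placeholder host name (example.com is reserved for documentation);
          # replace it with the public name of the deployment.
          - "traefik.http.routers.jitsi.rule=Host(`host.example.com`)"
          - "traefik.http.routers.jitsi.tls.certresolver=letsencrypt"
          - "traefik.http.routers.jitsi.entrypoints=websecure"
        expose:
            # Not published on the host; reachable only on the jitsi network.
            - "80"
        volumes:
            - ${CONFIG}/web:/config
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
        environment:
            # Bare names are passed through from the shell or the .env file.
            # The JIBRI_* passwords are credentials.
            # NOTE(review): with TLS handled by Traefik, the container's own
            # HTTPS switches (DISABLE_HTTPS, ENABLE_LETSENCRYPT,
            # ENABLE_HTTP_REDIRECT) presumably have to be set to match in
            # .env - verify.
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - ENABLE_LETSENCRYPT
            - ENABLE_HTTP_REDIRECT
            - ENABLE_TRANSCRIPTIONS
            - DISABLE_HTTPS
            - JICOFO_AUTH_USER
            - LETSENCRYPT_DOMAIN
            - LETSENCRYPT_EMAIL
            - PUBLIC_URL
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_BOSH_URL_BASE
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_RECORDER_DOMAIN
            - ETHERPAD_URL_BASE
            - TZ
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - ENABLE_RECORDING
        networks:
            jitsi:
                aliases:
                    # Other containers on the network resolve the XMPP domain
                    # to this container.
                    - ${XMPP_DOMAIN}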

    # XMPP server (prosody). It holds the accounts and secrets the other
    # components authenticate with.
    prosody:
        # NOTE(review): third-party image with no tag, so `latest` is pulled;
        # pin a tag or digest you have reviewed.
        image: quadeare/jitsi-prosody
        expose:
            # expose does not publish to the host: these ports are reachable
            # only by containers attached to the jitsi network.
            - '5222'
            - '5347'
            - '5280'
        volumes:
            - ${CONFIG}/prosody:/config
        environment:
            # Bare names are passed through from the shell or the .env file.
            # Credentials in this list: LDAP_BINDPW, JICOFO_COMPONENT_SECRET,
            # JWT_APP_SECRET and every *_PASSWORD entry. Keep the file that
            # defines them out of version control and use unique values.
            # NOTE(review): when LDAP is used, the LDAP_TLS_* and
            # LDAP_START_TLS values presumably decide whether the bind password
            # is encrypted in transit and the server certificate is checked -
            # confirm them in .env. JWT_ALLOW_EMPTY presumably admits users
            # without a token - verify before enabling it.
            - AUTH_TYPE
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - GLOBAL_MODULES
            - GLOBAL_CONFIG
            - LDAP_URL
            - LDAP_BASE
            - LDAP_BINDDN
            - LDAP_BINDPW
            - LDAP_FILTER
            - LDAP_AUTH_METHOD
            - LDAP_VERSION
            - LDAP_USE_TLS
            - LDAP_TLS_CIPHERS
            - LDAP_TLS_CHECK_PEER
            - LDAP_TLS_CACERT_FILE
            - LDAP_TLS_CACERT_DIR
            - LDAP_START_TLS
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_MODULES
            - XMPP_MUC_MODULES
            - XMPP_INTERNAL_MUC_MODULES
            - XMPP_RECORDER_DOMAIN
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JIGASI_XMPP_USER
            - JIGASI_XMPP_PASSWORD
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - JWT_APP_ID
            - JWT_APP_SECRET
            - JWT_ACCEPTED_ISSUERS
            - JWT_ACCEPTED_AUDIENCES
            - JWT_ASAP_KEYSERVER
            - JWT_ALLOW_EMPTY
            - JWT_AUTH_TYPE
            - JWT_TOKEN_AUTH_MODULE
            - LOG_LEVEL
            - TZ
        networks:
            jitsi:
                aliases:
                    # Name under which the other services reach this container.
                    - ${XMPP_SERVER}

    # Focus component (jicofo). It publishes no host ports and is attached only
    # to the jitsi network.
    jicofo:
        # NOTE(review): third-party image with no tag, so `latest` is pulled;
        # pin a tag or digest you have reviewed.
        image: quadeare/jitsi-jicofo
        volumes:
            - ${CONFIG}/jicofo:/config
        environment:
            # Bare names are passed through from the shell or the .env file.
            # JICOFO_COMPONENT_SECRET and JICOFO_AUTH_PASSWORD are credentials.
            - ENABLE_AUTH
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JICOFO_RESERVATION_REST_BASE_URL
            - JVB_BREWERY_MUC
            - JIGASI_BREWERY_MUC
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - TZ
        depends_on:
            # Start order only; Compose does not wait for prosody to be ready.
            - prosody
        networks:
            jitsi:

    # Video bridge (jvb), here routed through Traefik's UDP entry point.
    # NOTE(review): later posts in this thread report that media through this
    # UDP router was unreliable and publish the port directly instead.
    jvb:
        # NOTE(review): third-party image with no tag, so `latest` is pulled;
        # pin a tag or digest you have reviewed.
        image: quadeare/jitsi-jvb
        labels:
          - "traefik.enable=true"
          - "traefik.docker.network=jitsi"
          - "traefik.udp.routers.jvb.entrypoints=jvb_udp"
          - "traefik.udp.routers.jvb.service=jvb"
          # JVB_PORT presumably has to equal the port of the jvb_udp entry
          # point, since clients connect to the port the bridge advertises -
          # verify.
          - "traefik.udp.services.jvb.loadbalancer.server.port=${JVB_PORT}"
        expose:
            # expose does not publish to the host. The TCP port is exposed, but
            # these labels define no Traefik TCP router for it.
            - '${JVB_PORT}/udp'
            - '${JVB_TCP_PORT}'
        volumes:
            - ${CONFIG}/jvb:/config
        environment:
            # Bare names are passed through from the shell or the .env file.
            # JVB_AUTH_PASSWORD is a credential.
            - DOCKER_HOST_ADDRESS
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JVB_BREWERY_MUC
            - JVB_PORT
            - JVB_TCP_HARVESTER_DISABLED
            - JVB_TCP_PORT
            - JVB_STUN_SERVERS
            - JVB_ENABLE_APIS
            - TZ
        depends_on:
            # Start order only; Compose does not wait for prosody to be ready.
            - prosody
        networks:
            jitsi:

# Custom network so all services can communicate using a FQDN.
# external: Compose neither creates nor removes it, so it must exist before
# this stack starts. It is shared with the Traefik stack, and any container
# attached to it can reach the ports the services here expose.
networks:
    jitsi:
        external: true

remarks

You need to create both networks in Docker beforehand (the compose files declare them as external) in order to make this work and also have other services behind traefik. If you are not interested in ipv6 you can delete the ipv6nat part entirely.

update

There were two errors in the above docker-compose.yml for jitsi. Both `traefik.docker.network=` labels were wrong and are fixed now.

thx for investigating this further. I tried your config. It didn’t work for more than 2 participants. It might be that only the udp route and service is configured for port 10000. but not the backup port 4443/tcp. I tried to fix this by adding route and service for 4443 but was unsuccessful.

Maybe you copy/pasted the above configuration(s)? Did you notice the error I described in my update some minutes ago? I just had another test session involving three participants connected through two different networks and had a conversation going for seven minutes until this bug? hit again.

Hi all,

I retract my previously stated opinion and agree with @mattvoss that currently udp routing through traefik does not work for jitsi. However, it’s quite easy to get things going. All you have to do is make some minor changes to docker-compose.yml for traefik and jitsi and you have a running server. The downside is that you are limited to one jvb for the time being.

Complete docker-compose.yml for traefik:


services:

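  traefik:
    # Edge router: terminates TLS with Let's Encrypt certificates (HTTP-01
    # challenge on the web entry point) and builds its routes from the labels
    # of running containers. Only HTTP(S) passes through it in this version.
    image: traefik:v2.2
    hostname: "traefik"
    container_name: "traefik"
    command:
      # Dashboard and API are enabled but not in insecure mode; they are only
      # reachable through the `api` router defined in the labels below.
      - --api=true
      - --api.dashboard=true
      - --providers.docker=true
      # Only containers labelled traefik.enable=true are routed.
      - --providers.docker.exposedbydefault=false
      - --log.level=INFO
      # Access logging is off; enable it if requests need to be auditable.
      - --accesslog=false
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.email=you@example.com
      - --certificatesResolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`docker.example.com`)"
      - "traefik.http.routers.api.service=api@internal"
      # The dashboard is protected by basic auth and also gets the HSTS header.
      - "traefik.http.routers.api.middlewares=auth,hsts"
      - "traefik.http.middlewares.auth.basicauth.usersfile=/basicauth/usersfile"

      # add hsts headers
      # Traefik v2 sets HSTS through a headers middleware. The
      # traefik.frontend.headers.* labels are v1 syntax that v2 does not read,
      # so they produced no header. Other routers get HSTS only if they list
      # hsts@docker in their own middlewares label.
      # includeSubdomains plus preload commit every subdomain to HTTPS for a
      # year; confirm that is intended before using it on a shared domain.
      - "traefik.http.middlewares.hsts.headers.stsSeconds=31536000"
      - "traefik.http.middlewares.hsts.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.hsts.headers.stsPreload=true"

      # global redirect http to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=httpsalways"

      # middleware redirect http to https
      - "traefik.http.middlewares.httpsalways.redirectscheme.scheme=https"

      # enable https for api/dashboard
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      - "traefik.http.routers.api.entrypoints=websecure"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Access to the Docker socket is equivalent to control of the Docker
      # daemon. The :ro flag only protects the socket file itself; it does not
      # restrict API calls made through it.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # acme.json (ACME account key and certificate private keys) is stored
      # here; keep the directory readable by the owner only.
      - "./letsencrypt:/letsencrypt"
      - "./basicauth:/basicauth:ro"
    networks:
      - jitsi
    restart: unless-stopped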

# external: Compose neither creates nor removes this network; create it first
# (for example with `docker network create jitsi`).
networks:
  jitsi:
    external: true

I also removed all the (maybe confusing) ipv6nat stuff from this config.
This is the docker-compose.yml for jitsi we are currently using. Basically just remove the entire labels section for the jvb container and change the expose section to ports, specifying the same port external and internal. Make sure port ${JVB_UDP_PORT} is not in use by traefik.

version: '3'


services:
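    # Frontend (web). Traefik terminates TLS and forwards to port 80 of this
    # container over the jitsi network, so that hop is plain HTTP.
    web:
        # NOTE(review): third-party image with no tag, so `latest` is pulled;
        # pin a tag or digest you have reviewed.
        image: quadeare/jitsi-web
        labels:
          - "traefik.enable=true"
          # Tells Traefik which network to reach this container on.
          - "traefik.docker.network=jitsi"
          # Placeholder host name (example.com is reserved for documentation);
          # replace it with the public name of the deployment.
          - "traefik.http.routers.jitsi.rule=Host(`host.example.com`)"
          - "traefik.http.routers.jitsi.tls.certresolver=letsencrypt"
          - "traefik.http.routers.jitsi.entrypoints=websecure"
        expose:
            # Not published on the host; reachable only on the jitsi network.
            - "80"
        volumes:
            - ${CONFIG}/web:/config
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
        environment:
            # Bare names are passed through from the shell or the .env file.
            # The JIBRI_* passwords are credentials.
            # NOTE(review): with TLS handled by Traefik, the container's own
            # HTTPS switches (DISABLE_HTTPS, ENABLE_LETSENCRYPT,
            # ENABLE_HTTP_REDIRECT) presumably have to be set to match in
            # .env - verify.
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - ENABLE_LETSENCRYPT
            - ENABLE_HTTP_REDIRECT
            - ENABLE_TRANSCRIPTIONS
            - DISABLE_HTTPS
            - JICOFO_AUTH_USER
            - LETSENCRYPT_DOMAIN
            - LETSENCRYPT_EMAIL
            - PUBLIC_URL
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_BOSH_URL_BASE
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_RECORDER_DOMAIN
            - ETHERPAD_URL_BASE
            - TZ
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - ENABLE_RECORDING
        networks:
            jitsi:
                aliases:
                    # Other containers on the network resolve the XMPP domain
                    # to this container.
                    - ${XMPP_DOMAIN}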

    # XMPP server (prosody). It holds the accounts and secrets the other
    # components authenticate with.
    prosody:
        # NOTE(review): third-party image with no tag, so `latest` is pulled;
        # pin a tag or digest you have reviewed.
        image: quadeare/jitsi-prosody
        expose:
            # expose does not publish to the host: these ports are reachable
            # only by containers attached to the jitsi network.
            - '5222'
            - '5347'
            - '5280'
        volumes:
            - ${CONFIG}/prosody:/config
        environment:
            # Bare names are passed through from the shell or the .env file.
            # Credentials in this list: LDAP_BINDPW, JICOFO_COMPONENT_SECRET,
            # JWT_APP_SECRET and every *_PASSWORD entry. Keep the file that
            # defines them out of version control and use unique values.
            # NOTE(review): when LDAP is used, the LDAP_TLS_* and
            # LDAP_START_TLS values presumably decide whether the bind password
            # is encrypted in transit and the server certificate is checked -
            # confirm them in .env. JWT_ALLOW_EMPTY presumably admits users
            # without a token - verify before enabling it.
            - AUTH_TYPE
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - GLOBAL_MODULES
            - GLOBAL_CONFIG
            - LDAP_URL
            - LDAP_BASE
            - LDAP_BINDDN
            - LDAP_BINDPW
            - LDAP_FILTER
            - LDAP_AUTH_METHOD
            - LDAP_VERSION
            - LDAP_USE_TLS
            - LDAP_TLS_CIPHERS
            - LDAP_TLS_CHECK_PEER
            - LDAP_TLS_CACERT_FILE
            - LDAP_TLS_CACERT_DIR
            - LDAP_START_TLS
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_MODULES
            - XMPP_MUC_MODULES
            - XMPP_INTERNAL_MUC_MODULES
            - XMPP_RECORDER_DOMAIN
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JIGASI_XMPP_USER
            - JIGASI_XMPP_PASSWORD
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - JWT_APP_ID
            - JWT_APP_SECRET
            - JWT_ACCEPTED_ISSUERS
            - JWT_ACCEPTED_AUDIENCES
            - JWT_ASAP_KEYSERVER
            - JWT_ALLOW_EMPTY
            - JWT_AUTH_TYPE
            - JWT_TOKEN_AUTH_MODULE
            - LOG_LEVEL
            - TZ
        networks:
            jitsi:
                aliases:
                    # Name under which the other services reach this container.
                    - ${XMPP_SERVER}

    # Focus component (jicofo). It publishes no host ports and is attached only
    # to the jitsi network.
    jicofo:
        # NOTE(review): third-party image with no tag, so `latest` is pulled;
        # pin a tag or digest you have reviewed.
        image: quadeare/jitsi-jicofo
        volumes:
            - ${CONFIG}/jicofo:/config
        environment:
            # Bare names are passed through from the shell or the .env file.
            # JICOFO_COMPONENT_SECRET and JICOFO_AUTH_PASSWORD are credentials.
            - ENABLE_AUTH
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JICOFO_RESERVATION_REST_BASE_URL
            - JVB_BREWERY_MUC
            - JIGASI_BREWERY_MUC
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - TZ
        depends_on:
            # Start order only; Compose does not wait for prosody to be ready.
            - prosody
        networks:
            jitsi:

    # Video bridge (jvb). Media bypasses Traefik here: the UDP port is
    # published directly on the host.
    jvb:
        # NOTE(review): third-party image with no tag, so `latest` is pulled;
        # pin a tag or digest you have reviewed.
        image: quadeare/jitsi-jvb
        ports:
            # Same port outside and inside, published on every host interface;
            # the host firewall has to admit it.
            - '${JVB_PORT}:${JVB_PORT}/udp'
        volumes:
            - ${CONFIG}/jvb:/config
        environment:
            # Bare names are passed through from the shell or the .env file.
            # JVB_AUTH_PASSWORD is a credential.
            - DOCKER_HOST_ADDRESS
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JVB_BREWERY_MUC
            - JVB_PORT
            - JVB_TCP_HARVESTER_DISABLED
            - JVB_TCP_PORT
            - JVB_STUN_SERVERS
            - JVB_ENABLE_APIS
            - TZ
        depends_on:
            # Start order only; Compose does not wait for prosody to be ready.
            - prosody
        networks:
            jitsi:

# Custom network so all services can communicate using a FQDN.
# external: Compose neither creates nor removes it, so it must exist before
# this stack starts. It is shared with the Traefik stack, and any container
# attached to it can reach the ports the services here expose.
networks:
    jitsi:
        external: true

Cheers,
j.

@jogi I quickly tried your latest example.

I swapped out the example.docker.com for localhost and host.example.com for jitsi.docker.localhost. I also copied over the example .env file from here: https://github.com/jitsi/docker-jitsi-meet/blob/master/env.example

I then ran docker-compose up with the Traefik server settings you provided and got:

ERROR: compose.cli.main.main: The Compose file './docker-compose.yml' is invalid because:
Unsupported config option for networks: 'jitsi'
Unsupported config option for services: 'traefik'

You need to add version: '3' at the top of your first paste in order to fix that error. I then removed most of the auth stuff.

I now just get:

404 page not found

on jitsi.docker.localhost

Are you able to get this example working on localhost?

traefik docker-compose.yml:

version: '3'


services:

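  traefik:
    # Local test variant: no certificate resolver, no basic auth, no HTTPS
    # redirect. The dashboard router below is therefore unauthenticated, so the
    # published ports are bound to the loopback address only.
    image: traefik:v2.2
    hostname: "traefik"
    container_name: "traefik"
    command:
      - --api=true
      - --api.dashboard=true
      - --providers.docker=true
      # Only containers labelled traefik.enable=true are routed.
      - --providers.docker.exposedbydefault=false
      - --log.level=INFO
      - --accesslog=false
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      # No certificate resolver is defined while these stay commented out;
      # routers that name `letsencrypt` as certresolver will be rejected.
      #- --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      #- --certificatesresolvers.letsencrypt.acme.email="blah@blah"
      #- --certificatesResolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      #- --certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=web
    labels:
      - "traefik.enable=true"
      # Dashboard/API router with no auth middleware and no entry point
      # restriction: it answers on every entry point for Host `localhost`.
      - "traefik.http.routers.api.rule=Host(`localhost`)"
      - "traefik.http.routers.api.service=api@internal"
      # - "traefik.http.routers.api.middlewares=auth"
      # - "traefik.http.middlewares.auth.basicauth.usersfile=/basicauth/usersfile"

      # add hsts headers
      # - "traefik.frontend.headers.STSSeconds=31536000"
      # - "traefik.frontend.headers.STSIncludeSubdomains=true"
      # - "traefik.frontend.headers.STSPreload=true"

      # global redirect http to https
      # - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      # - "traefik.http.routers.http-catchall.entrypoints=web"
      # - "traefik.http.routers.http-catchall.middlewares=httpsalways"

      # middleware redirect http to https
      # - "traefik.http.middlewares.httpsalways.redirectscheme.scheme=https"

      # enable https for api/dashboard
      # - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      # - "traefik.http.routers.api.entrypoints=websecure"
    ports:
      # Loopback only: without the auth middleware the dashboard must not be
      # reachable from other machines. Restore "80:80" / "443:443" together
      # with the auth and TLS labels for a public deployment.
      - "127.0.0.1:80:80"
      - "127.0.0.1:443:443"
    volumes:
      # Access to the Docker socket is equivalent to control of the Docker
      # daemon. The :ro flag only protects the socket file itself; it does not
      # restrict API calls made through it.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # - "${CONFIG}/letsencrypt:/letsencrypt"
      # - "${CONFIG}/basicauth:/basicauth:ro"
    networks:
      jitsi:
    restart: unless-stopped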

# external: Compose neither creates nor removes this network; create it first
# (for example with `docker network create jitsi`).
networks:
  jitsi:
    external: true

jitsi docker-compose.yml:

version: '3'


services:
    # Frontend (web), local test variant routed by Traefik under
    # jitsi.docker.localhost.
    web:
        # NOTE(review): third-party image with no tag, so `latest` is pulled;
        # pin a tag or digest you have reviewed.
        image: quadeare/jitsi-web
        labels:
          - "traefik.enable=true"
          - "traefik.docker.network=jitsi"
          - "traefik.http.routers.jitsi.rule=Host(`jitsi.docker.localhost`)"
          # NOTE(review): this router names the `letsencrypt` resolver, but the
          # Traefik file posted with it has the certificatesresolvers flags
          # commented out. The reply below shows Traefik logging "non-existent
          # resolver" for this router and the browser receiving a 404.
          - "traefik.http.routers.jitsi.tls.certresolver=letsencrypt"
          - "traefik.http.routers.jitsi.entrypoints=websecure"
        expose:
            # Not published on the host; reachable only on the jitsi network.
            - "80"
        volumes:
            # Relative paths: resolved against the directory of this file.
            - ./web:/config
            - ./transcripts:/usr/share/jitsi-meet/transcripts
        environment:
            # Bare names are passed through from the shell or the .env file.
            # The JIBRI_* passwords are credentials; replace any sample values
            # copied from an example .env before exposing the service.
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - ENABLE_LETSENCRYPT
            - ENABLE_HTTP_REDIRECT
            - ENABLE_TRANSCRIPTIONS
            - DISABLE_HTTPS
            - JICOFO_AUTH_USER
            - LETSENCRYPT_DOMAIN
            - LETSENCRYPT_EMAIL
            - PUBLIC_URL
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_BOSH_URL_BASE
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_RECORDER_DOMAIN
            - ETHERPAD_URL_BASE
            - TZ
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - ENABLE_RECORDING
        networks:
            jitsi:
                aliases:
                    # Other containers on the network resolve the XMPP domain
                    # to this container.
                    - ${XMPP_DOMAIN}

    # XMPP server (prosody). It holds the accounts and secrets the other
    # components authenticate with.
    prosody:
        # NOTE(review): third-party image with no tag, so `latest` is pulled;
        # pin a tag or digest you have reviewed.
        image: quadeare/jitsi-prosody
        expose:
            # expose does not publish to the host: these ports are reachable
            # only by containers attached to the jitsi network.
            - '5222'
            - '5347'
            - '5280'
        volumes:
            - ${CONFIG}/prosody:/config
        environment:
            # Bare names are passed through from the shell or the .env file.
            # Credentials in this list: LDAP_BINDPW, JICOFO_COMPONENT_SECRET,
            # JWT_APP_SECRET and every *_PASSWORD entry. Replace any sample
            # values copied from an example .env and keep the file out of
            # version control.
            # NOTE(review): when LDAP is used, the LDAP_TLS_* and
            # LDAP_START_TLS values presumably decide whether the bind password
            # is encrypted in transit and the server certificate is checked -
            # confirm them in .env. JWT_ALLOW_EMPTY presumably admits users
            # without a token - verify before enabling it.
            - AUTH_TYPE
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - GLOBAL_MODULES
            - GLOBAL_CONFIG
            - LDAP_URL
            - LDAP_BASE
            - LDAP_BINDDN
            - LDAP_BINDPW
            - LDAP_FILTER
            - LDAP_AUTH_METHOD
            - LDAP_VERSION
            - LDAP_USE_TLS
            - LDAP_TLS_CIPHERS
            - LDAP_TLS_CHECK_PEER
            - LDAP_TLS_CACERT_FILE
            - LDAP_TLS_CACERT_DIR
            - LDAP_START_TLS
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_MODULES
            - XMPP_MUC_MODULES
            - XMPP_INTERNAL_MUC_MODULES
            - XMPP_RECORDER_DOMAIN
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JIGASI_XMPP_USER
            - JIGASI_XMPP_PASSWORD
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - JWT_APP_ID
            - JWT_APP_SECRET
            - JWT_ACCEPTED_ISSUERS
            - JWT_ACCEPTED_AUDIENCES
            - JWT_ASAP_KEYSERVER
            - JWT_ALLOW_EMPTY
            - JWT_AUTH_TYPE
            - JWT_TOKEN_AUTH_MODULE
            - LOG_LEVEL
            - TZ
        networks:
            jitsi:
                aliases:
                    # Name under which the other services reach this container.
                    - ${XMPP_SERVER}

    # Focus component (jicofo). It publishes no host ports and is attached only
    # to the jitsi network.
    jicofo:
        # NOTE(review): third-party image with no tag, so `latest` is pulled;
        # pin a tag or digest you have reviewed.
        image: quadeare/jitsi-jicofo
        volumes:
            - ${CONFIG}/jicofo:/config
        environment:
            # Bare names are passed through from the shell or the .env file.
            # JICOFO_COMPONENT_SECRET and JICOFO_AUTH_PASSWORD are credentials.
            - ENABLE_AUTH
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JICOFO_RESERVATION_REST_BASE_URL
            - JVB_BREWERY_MUC
            - JIGASI_BREWERY_MUC
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - TZ
        depends_on:
            # Start order only; Compose does not wait for prosody to be ready.
            - prosody
        networks:
            jitsi:

    # Video bridge (jvb). Media bypasses Traefik here: the UDP port is
    # published directly on the host.
    jvb:
        # NOTE(review): third-party image with no tag, so `latest` is pulled;
        # pin a tag or digest you have reviewed.
        image: quadeare/jitsi-jvb
        ports:
            # Same port outside and inside, published on every host interface
            # even in a localhost test; prefix a host address to restrict it.
            - '${JVB_PORT}:${JVB_PORT}/udp'
        volumes:
            - ${CONFIG}/jvb:/config
        environment:
            # Bare names are passed through from the shell or the .env file.
            # JVB_AUTH_PASSWORD is a credential.
            - DOCKER_HOST_ADDRESS
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JVB_BREWERY_MUC
            - JVB_PORT
            - JVB_TCP_HARVESTER_DISABLED
            - JVB_TCP_PORT
            - JVB_STUN_SERVERS
            - JVB_ENABLE_APIS
            - TZ
        depends_on:
            # Start order only; Compose does not wait for prosody to be ready.
            - prosody
        networks:
            jitsi:

# Custom network so all services can communicate using a FQDN.
# external: Compose neither creates nor removes it, so it must exist before
# this stack starts. It is shared with the Traefik stack, and any container
# attached to it can reach the ports the services here expose.
networks:
    jitsi:
        external: true

Yes, I get this example working on localhost, with a slight modification. In your docker-compose.yml for traefik you disable letsencrypt but in your docker-compose.yml for jitsi you use it. Then traefik complains

traefik    | time="2020-04-05T09:30:03Z" level=error msg="the router jitsi@docker uses a non-existent resolver: letsencrypt"

and displays the 404 in your browser.
To get your setup working, remove the label referring to certresolver=letsencrypt and change the entrypoints=websecure to entrypoints=web. Voilà, a running jitsi on localhost! At least the webpage worked, didn’t try using it :wink:.

Cheers,
j.