Unable to connect to Jitsi - Help

I am unable to connect to my Jitsi install and am trying to troubleshoot to find the problem. Possible issues could be permissions-related, the ACME challenge, or an Nginx misconfiguration.

Starting with Nginx, I see the following in /var/log/nginx/error.log:

2021/02/23 08:56:08 [error] 32168#32168: *366 connect() failed (111: Connection refused) while connecting to upstream, client: 109.253.136.89, server: 0.0.0.0:443, upstream: "127.0.0.1:4444", bytes from/to client:0/0, bytes from/to upstream:0/0
2021/02/23 08:56:08 [error] 32168#32168: *368 connect() failed (111: Connection refused) while connecting to upstream, client: 109.253.136.89, server: 0.0.0.0:443, upstream: "127.0.0.1:4444", bytes from/to client:0/0, bytes from/to upstream:0/0
2021/02/23 08:56:09 [error] 32168#32168: *370 connect() failed (111: Connection refused) while connecting to upstream, client: 109.253.136.89, server: 0.0.0.0:443, upstream: "127.0.0.1:4444", bytes from/to client:0/0, bytes from/to upstream:0/0
2021/02/23 08:56:09 [error] 32168#32168: *372 connect() failed (111: Connection refused) while connecting to upstream, client: 109.253.136.89, server: 0.0.0.0:443, upstream: "127.0.0.1:4444", bytes from/to client:0/0, bytes from/to upstream:0/0
2021/02/23 08:56:14 [error] 32168#32168: *374 connect() failed (111: Connection refused) while connecting to upstream, client: 109.253.136.89, server: 0.0.0.0:443, upstream: "127.0.0.1:4444", bytes from/to client:0/0, bytes from/to upstream:0/0
2021/02/23 08:56:14 [error] 32168#32168: *376 connect() failed (111: Connection refused) while connecting to upstream, client: 109.253.136.89, server: 0.0.0.0:443, upstream: "127.0.0.1:4444", bytes from/to client:0/0, bytes from/to upstream:0/0
2021/02/23 08:56:44 [error] 32168#32168: *378 connect() failed (111: Connection refused) while connecting to upstream, client: 109.253.136.89, server: 0.0.0.0:443, upstream: "127.0.0.1:4444", bytes from/to client:0/0, bytes from/to upstream:0/0
2021/02/23 08:56:44 [error] 32168#32168: *380 connect() failed (111: Connection refused) while connecting to upstream, client: 109.253.136.89, server: 0.0.0.0:443, upstream: "127.0.0.1:4444", bytes from/to client:0/0, bytes from/to upstream:0/0
2021/02/23 09:14:45 [error] 32168#32168: *382 connect() failed (111: Connection refused) while connecting to upstream, client: 61.219.11.153, server: 0.0.0.0:443, upstream: "127.0.0.1:5349", bytes from/to client:0/0, bytes from/to upstream:0/0
2021/02/23 09:20:00 [error] 32168#32168: *384 connect() failed (111: Connection refused) while connecting to upstream, client: 192.241.224.185, server: 0.0.0.0:443, upstream: "127.0.0.1:5349", bytes from/to client:0/0, bytes from/to upstream:0/0

‘ps auxf | grep nginx’ output:

root      4039  0.0  0.0   6076   820 pts/0    S+   09:43   0:00  |       \_ grep nginx
root     32166  0.0  0.8 109080  8944 ?        Ss   Feb22   0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 32168  0.0  0.6  78616  6520 ?        S    Feb22   0:00  \_ nginx: worker process

‘netstat -plnt’ output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5269            0.0.0.0:*               LISTEN      3183/lua5.2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2764/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      767/exim4
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      2844/sshd: root@pts
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      32166/nginx: master
tcp        0      0 143.132.11.23:4445      0.0.0.0:*               LISTEN      507/turnserver
tcp        0      0 127.0.0.1:4445          0.0.0.0:*               LISTEN      507/turnserver
tcp        0      0 143.132.11.23:4445      0.0.0.0:*               LISTEN      507/turnserver
tcp        0      0 127.0.0.1:4445          0.0.0.0:*               LISTEN      507/turnserver
tcp        0      0 0.0.0.0:5280            0.0.0.0:*               LISTEN      3183/lua5.2
tcp        0      0 127.0.0.1:5347          0.0.0.0:*               LISTEN      3183/lua5.2
tcp        0      0 0.0.0.0:5222            0.0.0.0:*               LISTEN      3183/lua5.2
tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      2993/java
tcp6       0      0 :::5269                 :::*                    LISTEN      3183/lua5.2
tcp6       0      0 :::22                   :::*                    LISTEN      2764/sshd
tcp6       0      0 :::8888                 :::*                    LISTEN      3095/java
tcp6       0      0 ::1:25                  :::*                    LISTEN      767/exim4
tcp6       0      0 ::1:6010                :::*                    LISTEN      2844/sshd: root@pts
tcp6       0      0 :::443                  :::*                    LISTEN      32166/nginx: master
tcp6       0      0 ::1:4445                :::*                    LISTEN      507/turnserver
tcp6       0      0 ::1:4445                :::*                    LISTEN      507/turnserver
tcp6       0      0 :::5280                 :::*                    LISTEN      3183/lua5.2
tcp6       0      0 :::9090                 :::*                    LISTEN      2993/java
tcp6       0      0 ::1:5347                :::*                    LISTEN      3183/lua5.2
tcp6       0      0 :::5222                 :::*                    LISTEN      3183/lua5.2

‘ufw status’ output:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
10000:20000/udp            ALLOW       Anywhere
80,443/tcp                 ALLOW       Anywhere
5000,10000/udp             ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
10000:20000/udp (v6)       ALLOW       Anywhere (v6)
80,443/tcp (v6)            ALLOW       Anywhere (v6)
5000,10000/udp (v6)        ALLOW       Anywhere (v6)

My Jitsi configuration:

server_names_hash_bucket_size 64;

server {
    listen 80;
    listen [::]:80;
    server_name example.domain;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root         /usr/share/jitsi-meet;
    }

    location = /.well-known/acme-challenge/ {
        return 404;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.domain;

    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_certificate /etc/letsencrypt/rsa/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/rsa/key.pem;

    root /usr/share/jitsi-meet;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;
    error_page 404 /static/404.html;

    gzip on;
    gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
    gzip_vary on;
    gzip_proxied no-cache no-store private expired auth;
    gzip_min_length 512;

    location = /config.js {
        alias /etc/jitsi/meet/example.domain-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    # ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;

        # cache all versioned files
        if ($arg_v) {
            expires 1y;
        }
    }

    # BOSH
    location = /http-bind {
        proxy_pass       http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # xmpp websockets
    location = /xmpp-websocket {
        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        tcp_nodelay on;
    }

    # colibri (JVB) websockets for jvb1
    location ~ ^/colibri-ws/default-id/(.*) {
        proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        tcp_nodelay on;
    }

    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }

    location ~ ^/([^/?&:'"]+)/config.js$
    {
        set $subdomain "$1.";
        set $subdir "$1/";

        alias /etc/jitsi/meet/example.domain-config.js;
    }

    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }

    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /http-bind;
    }

    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /xmpp-websocket;
    }
}

I’m at a loss as to what’s wrong and would appreciate any help.

Thanks.

It looks like nginx is forwarding calls to a backend on port 4444. Netstat shows you don’t have anything running on 4444.

Were you by any chance following this – Setting up TURN · Jitsi Meet Handbook? If you do indeed want to use Nginx to front both Jitsi meet and coturn, then you need to change your jitsi nginx site config to listen to 4444 instead of 443.
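
The check the reply performs by eye, as an added example that is not part of the original thread: it collects the upstreams nginx reports as refused in error.log and looks for a matching listener in `netstat -plnt` output. The sample log and netstat text are constructed and abridged (client addresses are placeholders), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input, abridged from the kind of output quoted in the question.
ERROR_LOG = """\
2021/02/23 08:56:08 [error] 32168#32168: *366 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.7, server: 0.0.0.0:443, upstream: "127.0.0.1:4444", bytes from/to client:0/0, bytes from/to upstream:0/0
2021/02/23 08:56:09 [error] 32168#32168: *370 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.7, server: 0.0.0.0:443, upstream: "127.0.0.1:4444", bytes from/to client:0/0, bytes from/to upstream:0/0
2021/02/23 09:14:45 [error] 32168#32168: *382 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.9, server: 0.0.0.0:443, upstream: "127.0.0.1:5349", bytes from/to client:0/0, bytes from/to upstream:0/0
"""
NETSTAT = """\
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      32166/nginx: master
tcp        0      0 127.0.0.1:4445          0.0.0.0:*               LISTEN      507/turnserver
tcp        0      0 0.0.0.0:5280            0.0.0.0:*               LISTEN      3183/lua5.2
tcp6       0      0 :::9090                 :::*                    LISTEN      2993/java
"""

REFUSED = re.compile(r'\(111: Connection refused\).*?upstream: "([^"]+):(\d+)"')

def refused_upstreams(log_text):
    """Count refused connections per (host, port) upstream in an nginx error log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REFUSED.search(line)
        if m:
            counts[(m.group(1), int(m.group(2)))] += 1
    return counts

def listeners(netstat_text):
    """Map each listening TCP port to the set of (bind address, PID/program)."""
    result = {}
    for line in netstat_text.splitlines():
        f = line.split(None, 6)
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue  # header lines, UDP, non-listening sockets
        addr, _, port = f[3].rpartition(":")
        result.setdefault(int(port), set()).add((addr, f[6].strip()))
    return result

def dead_upstreams(log_text, netstat_text):
    """Return {(host, port): refused_count} for upstreams nothing is listening on."""
    listening = listeners(netstat_text)
    dead = {}
    for (host, port), n in refused_upstreams(log_text).items():
        bound = {addr for addr, _ in listening.get(port, ())}
        # A wildcard bind also serves the host; '::' only if the socket is dual-stack.
        if not bound & {host, "0.0.0.0", "::"}:
            dead[(host, port)] = n
    return dead

if __name__ == "__main__":
    for (host, port), n in sorted(dead_upstreams(ERROR_LOG, NETSTAT).items()):
        print(f"{host}:{port} refused {n}x and has no listener")
```

On this sample both 4444 and 5349 are reported, since the only turnserver listener shown is on 4445.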