Videobridge behind nginx proxy (443 => 4443 because 4443 port is closed)


#1

Hello !

I have some instances of Jitsi Meet behind a firewall which blocks all ports except 443/TCP.

Using nginx, I managed to proxify Jitsi meet, http-bind (ejabberd), admin (ejabberd) and onlyoffice using path routing.

But I never solved the main issue on our instances : videobridge needs a separate port to run (10000/UDP or 4443/TCP or another).

I tried the following settings :
org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=443
org.jitsi.videobridge.TCP_HARVESTER_PORT=4443

It seems to work, in that my browser tries to contact 443 to connect with Jitsi meet, but I have absolutely no idea how to identify and redirect the request to videobridge (if it’s possible).

Thanks a lot for your help !! :slight_smile:


#2

If you want to do it with nginx you need to configure multiplexing in nginx so it can recognize HTTP traffic and proxy it to prosody or serve the web, and forward the rest, which is the media, to jvb. I was recently reading about that and this could be possible with the latest nginx, but it was never tested.
Another option is to have jvb on a different machine with a different public IP address and have it bind to port 443, or you can have it on the same nginx machine but with a second public address, where nginx binds to the first public address on port 443 and jvb binds to the second public address on port 443.
And a third option is to deploy a TURN server (coturn, which we currently use for meet.jit.si), which needs to be configured in prosody and which will be used for relay using its TCP port 443.
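
The multiplexing described as the first option in the post above, sketched as an nginx `stream` configuration. This is an added example, not part of the original thread and not the Jitsi project's own configuration, and like the approach itself it is untested against jvb here. It assumes nginx built with the stream and ssl_preread modules (the `$ssl_preread_alpn_protocols` variable needs nginx 1.13.10 or later), that browsers advertise `h2` or `http/1.1` in ALPN while media connections to the bridge do not, and that the existing HTTPS server block is moved to the hypothetical internal address 127.0.0.1:8443.

```nginx
# Top-level context of nginx.conf (beside http {}, not inside it).
stream {
    # Choose a backend from the ALPN list in the TLS ClientHello.
    # Assumption: browsers fetching the web app, http-bind or admin pages
    # offer h2 or http/1.1; media connections for the bridge do not.
    map $ssl_preread_alpn_protocols $backend {
        ~\bh2\b          web;
        ~\bhttp/1\.      web;
        default          jvb;   # no HTTP ALPN, or not a TLS ClientHello at all
    }

    upstream web {
        # Hypothetical internal port: the existing "listen 443 ssl" server
        # block in http {} has to move here, because stream now owns :443.
        server 127.0.0.1:8443;
    }

    upstream jvb {
        # org.jitsi.videobridge.TCP_HARVESTER_PORT from the first post.
        server 127.0.0.1:4443;
    }

    server {
        listen 443;          # plain TCP: TLS is not terminated at this layer
        ssl_preread on;      # peek at the ClientHello without consuming it
        proxy_pass $backend;
        proxy_connect_timeout 5s;
    }
}
```

With this layout both backends see every connection as coming from 127.0.0.1, so access logs and IP-based rules on the web vhost no longer see the client address. The `default` branch hands anything that is not recognisably HTTPS to the bridge port, so that port is exposed to all traffic reaching 443.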


#3

Thanks for your propositions !

It appears that I can’t do multiplexing with the latest stable nginx version available in my OS :sob:

The other options are unfortunately also inconceivable as I can’t ask my customers for more resources…

Is there any configuration available to ask the media stream to use a path in its requests (server.exemple.org:443/videostream for example)?

Also, can I have somewhere (client or server side) a trace of the video stream requests for debugging purposes? They don’t appear in the network section of the browser console.


#4

You are looking for chrome://webrtc-internals.

So the media is not using the HTTP protocol, so there is no path; it just uses address and port to connect. So this is not possible.

So if you cannot allocate a new public IP address or cannot deploy a TURN server, then the only option is to drop nginx and use the jetty inside jvb. So jvb will be serving web and will be doing the multiplexing. This is the default deployment option if you do not have apache or nginx installed and java8 is available on the machine.


#5

Yep that’s logical, sorry for the question -_-’ !

Ok I will try to use jetty (https://github.com/jitsi/jitsi-videobridge/blob/master/doc/http.md).

Maybe I can try to use jetty as a multiplexer and redirect non-media traffic to nginx by asking nginx to listen on an internal port?


#6

You will need to modify the code of jvb to proxy those requests as it just serves the content now.


#7

Ouch…

Okay I’ll keep you informed of my progress.


#8

Damn… I tried to use port 80 for jvb as my customers may also have this port open but… http://lists.jitsi.org/pipermail/users/2016-November/011923.html

Confirmed, this port (and only this port) doesn’t work with JVB.

Unlucky ! :smiley: