WSS Error Behind Apache HTTPD Reverse Proxy

lmat · May 3, 2022, 2:58pm

I’m trying to set up jitsi on my server, https://meet.brightlight.today/FoolsDropIn. I see the following in the console

WebSocket connection to ‘wss://meet.brightlight.today/xmpp-websocket?room=foolsdropin’ failed:

The four jitsi docker containers are running behind an Apache HTTPD reverse proxy. The HTTPD configuration looks like this:

<VirtualHost *:443>
    ServerName meet.brightlight.today
    ProxyPass "/" "http://jitsi-web/"
    ProxyPreserveHost On
    SSLEngine on
    SSLCertificateFile "/certs/brightlight.today/fullchain.cer"
    SSLCertificateKeyFile "/certs/brightlight.today/brightlight.today.key"
    <Location "/xmpp-websocket/">
        ProxyPass "ws://jitsi-jvb:4443/xmpp-websocket"
    </Location>
    <Location "/colibri-ws/">
        ProxyPass "ws://jitsi-jvb:4443/colibri-ws/"
    </Location>
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*)/ ws://jitsi-jvb:4443/$1 [P,L]
</VirtualHost>

That should be forwarding any WSS requests to WS:jitsi-jvb:4443 I think. The HTTPD error log shows

Connection refused: AH00957: WS: attempt to connect to 10.0.90.67:4443 (*) failed
AH02452: failed to make connection to backend: jitsi-jvb

I was following instructions I found here and there to put this together, but several things might be wrong. First, I’m forwarding to WS:… rather than WSS: because SSL termination is done at the reverse proxy, so jvb shouldn’t be doing any SSL communication, right? Port 4443 sure seems like a port that should be https/wss…

Further, when I ss -antl; I see listening on :9090 and :8080, no :4443. The reason I thought it should be listening on port 4443 is because in my environment configuration I have JVB_TCP_PORT=4443 and JVB_TCP_MAPPED_PORT=4443.

Are there any other debugging procedures I should be aware of?

saghul · May 3, 2022, 3:06pm

THis option is gone, are you running an old version of the containers?

lmat · May 3, 2022, 3:08pm

This option is gone, are you running an old version of the containers?

Thank you for the pointer. I just upgraded the containers from version stable-5142 to version stable-7210-2. That would explain why it seem that the container isn’t picking up the configuration!

lmat · May 3, 2022, 6:56pm

After updating the four docker images, the only other changes I made are:

Publish the jvb container on port 8080 rather than 4443
Add ProxyPass "/xmpp-websocket" "ws://jitsi-web:80/xmpp-websocket" and ProxyPass "/colibri-ws" "ws://jitsi-web:80/colibri-ws/" to the httpd VirtualHost definition

Based on what @saghul is saying, port 8080 in jvb container is no longer customizable. The handbook makes it look like it is still customizable: Self-Hosting Guide - Docker | Jitsi Meet under JVB_TCP_PORT.

Regarding ProxyPass, I was trying to follow instructions here: Self-Hosting Guide - Docker | Jitsi Meet where it says ProxyPass "wss://localhost:8443/xmpp-websocket". I thought localhost was the jvb server, so I was ProxyPassing to the jvb server.

I just ran a test call with a friend and it appears to work fine now. Thank you!