Web request redirected to turn server on fresh Debian10 Installation #6353

Closed
ClundXIII opened this issue Apr 24, 2020 · 14 comments
Labels
packaging Issue related to packaging or build topics wontfix Issue won't be fixed

Comments

@ClundXIII

ClundXIII commented Apr 24, 2020

Description

After an upgrade my installation stopped working with a 502 error. I then did a fresh reinstall and observed the exact same behaviour. It seems like /etc/nginx/modules-enabled/60-jitsi-meet.conf does exactly the configured behaviour and redirects all traffic by default to the turnserver:

    upstream web {
        server 127.0.0.1:4444;
    }
    upstream turn {
        server 127.0.0.1:4445;
    }
    # since 1.13.10
    map $ssl_preread_alpn_protocols $upstream {
        ~\bh2\b         web;
        ~\bhttp/1\.     web;
        default         turn;
    }

The nginx error log (on the jitsi vm):

    2020/04/24 16:08:38 [error] 1066#1066: *75 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.101.111, server: 0.0.0.0:443, upstream: "127.0.0.1:4445", bytes from/to client:0/0, bytes from/to upstream:0/0

Current behavior

nginx redirects main page and room links to turn server

Expected Behavior

I would like to see the welcome page

Possible Solution

Fix the nginx config

Steps to reproduce

Do a fresh install on debian 10.3

Environment details

Debian 10.3 behind a NAT and web proxy.

client <-- [https] --> web proxy <--[https]--> jitsi vm

@ClundXIII ClundXIII changed the title Fresh Debian10 Installation fails with proxy error Web request redirected to turn server on fresh Debian10 Installation Apr 24, 2020
@dpoon
Contributor

dpoon commented Apr 26, 2020

The nginx configuration was recently changed in #5649, but that is likely not the cause of this problem. Rather, I would suspect that it improves on a situation introduced in commit b991f05 by @damencho (#4959), which added the coturn server sharing TCP port 443 using ALPN as a switch.

@dpoon
Contributor

dpoon commented Apr 26, 2020

What web proxy are you using, and is it capable of doing ALPN?

@ClundXIII
Author

Ahhh that explains a lot. Then I guess I just need additional config for my proxy?

What web proxy are you using, and is it capable of doing ALPN?

I am using nginx v 1.14.2-2+deb10u1

@ClundXIII
Author

ClundXIII commented Apr 26, 2020

This is my current nginx config:

        location / {
            #proxy_http_version 1.1;
            #proxy_set_header Upgrade $http_upgrade;
            #proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;

            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forward-Proto http;
            proxy_set_header X-Nginx-Proxy true;

            proxy_pass https://meet.<url>;
            proxy_ssl_verify off;
        }

@dpoon
Contributor

dpoon commented Apr 26, 2020

If jitsi-meet comes with an nginx reverse proxy, and you have your own nginx reverse proxy in front of that, then that seems a bit silly. Two suggested solutions:

  • get rid of your own proxy, or
  • keep your own proxy, but reconfigure it to proxy straight to either port 4444 or 4445 using ALPN-based switching, effectively bypassing jitsi-meet's proxy.

@ClundXIII
Author

ClundXIII commented Apr 27, 2020

My current setup just forwards some ports. Yes.

I cannot get rid of the first proxy, there is A LOT of stuff running on the machine. Multiple websites and services that share the same IP address. What configs do I need to change in order to keep the current solution working with port forwarding? Is there a dpkg-reconfigure that takes care of this?

Is there a way to do this with the dockerized version as well? Because I have a second jitsi server (that needs awt support) which runs via docker with different ports.

Alternatively I could get a new IP Address which I would prefer not to do.

@ClundXIII
Author

Any Update on this?

What configs do I need to change in order to keep the current solution working with port forwarding?

@Monty811

Monty811 commented May 4, 2020

Hi everyone, I have a similar issue while trying to set up config in AWS with an AWS application load balancer in front of Jitsi.
My problem there is that I am not able to do ALPN switching there directly as the rules for ALPN switching are not configurable (as far as I understand the docs).
I thought that somewhere within the Jitsi conf there could be the possibility to set another subdomain like turn.jitsi.example.com to route turn server requests based on the subdomain.
The above config within nginx seems to be smarter, but I am having problems achieving it when there is another proxy like an AWS LB in front of it.

@garrettboone

This thread helped. I was working with the ssllabs.com server test and could not get past a B grade because of this...and couldn't figure out why it was reporting such low ciphers being used. The nginx error.log was full of "recv() failed" messages. I changed to default web and am now getting an A+.

@ghost

ghost commented May 18, 2020

The default here seems to be wrong, a lot of HTTP clients don't supply the ALPN extension. This may be a possible fix although I haven't tested extensively yet (see RFC7743):

    map $ssl_preread_alpn_protocols $upstream {
        ~\bstun\.turn\b  turn;
        default          web;
    }

@damencho
Member

Chrome currently does not add ALPN to the turn TCP connection, we had opened an issue there.
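An added example, not code from the thread or from jitsi-meet: it parses the ALPN extension out of a TLS ClientHello the way `ssl_preread` exposes it in `$ssl_preread_alpn_protocols`, then routes it through the two `map` blocks posted above. The ClientHello bytes are constructed for the example, and Python's `re` stands in for nginx's regex engine.

```python
import re
import struct

# nginx `map` semantics: regexes are tried in order; `default` applies if none match.
ORIGINAL_MAP = ([(r"\bh2\b", "web"), (r"\bhttp/1\.", "web")], "turn")
PROPOSED_MAP = ([(r"\bstun\.turn\b", "turn")], "web")

def client_hello(alpn):
    """Build a minimal, constructed TLS ClientHello record (sample input only)."""
    ext = b""
    if alpn:
        names = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        body = struct.pack("!H", len(names)) + names
        ext = struct.pack("!HH", 16, len(body)) + body    # extension type 16 = ALPN
    hello = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
             + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def preread_alpn(record):
    """Return the comma-joined ALPN list, or "" when the client sent no ALPN."""
    pos = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                                # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
    pos += 1 + record[pos]                                # compression methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 16:
            names, p, stop = [], pos + 2, pos + ext_len
            while p < stop:
                names.append(record[p + 1:p + 1 + record[p]].decode())
                p += 1 + record[p]
            return ",".join(names)
        pos += ext_len
    return ""

def route(nginx_map, alpn_value):
    # First matching regex wins, otherwise the map's default upstream.
    rules, default = nginx_map
    return next((up for rx, up in rules if re.search(rx, alpn_value)), default)

def upstream_for(nginx_map, alpn):
    return route(nginx_map, preread_alpn(client_hello(alpn)))
```

Under either map a ClientHello without ALPN can only reach the `default` upstream, so the choice of default decides which of the two ALPN-less client classes mentioned in the thread (HTTP clients, Chrome's TURN-over-TCP connections) is misrouted.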

@damencho
Member

@saghul saghul added the packaging Issue related to packaging or build topics label May 26, 2020
@stale

stale bot commented Aug 24, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix Issue won't be fixed label Aug 24, 2020
@stale stale bot closed this as completed Aug 31, 2020
@Echolon Echolon removed the wontfix Issue won't be fixed label Aug 31, 2020
@Echolon Echolon reopened this Aug 31, 2020
@stale

stale bot commented Dec 4, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix Issue won't be fixed label Dec 4, 2020
@stale stale bot closed this as completed Dec 19, 2020