Jitsi Docker behind Reverse apache RP #2012

Open
Chico0008 opened this issue Feb 6, 2025 · 27 comments

@Chico0008

Chico0008 commented Feb 6, 2025

Hi, still new here

I managed to make my jitsi conf work with ldap authentication.
works ok for testing on http://serverip:8443

now i want to make jitsi available via our reverse proxy.

our reverse proxy is an apache2 server
here's my conf for now, but i can't make it work.

<Virtualhost *:*>
        ServerName jitsi.domain.net
        ProxyPreserveHost on
        ProxyPass / https://10.0.0.201:8443/
        ProxyPassReverse / https://10.0.0.201:8443/
       <IfModule mod_proxy.c>
            <IfModule mod_proxy_wstunnel.c>
                  ProxyTimeout 900
                  ProxyPass /xmpp-websocket ws://10.0.0.201:8000/xmpp-websocket
                  ProxyPass /colibri-ws/ ws://10.0.0.201:8000/colibri-ws/
                  ProxyPass / http://10.0.0.201:8000/
                  ProxyPassReverse / http://10.0.0.201:8000/
            </IfModule>
      </IfModule>
</VirtualHost>

10.0.0.201 is the server where the docker is hosted
jitsi.domain.net point to the reverse proxy server
on the docker i set PUBLIC_URL to jitsi.domain.net
if on chrome i go to http://jitsi.domain.net i have an internal server error (500)
going to https://jitsi.domain.net gives me an unavailable web site ERR_CONNECTION_REFUSED

@saghul
Member

saghul commented Feb 6, 2025

@Chico0008
Author

This is what i followed.
required apache module are enabled.

@saghul
Member

saghul commented Feb 6, 2025

Make sure you proxy to the HTTP port, not the HTTPS one.

@Chico0008
Author

OK
So here's my apache conf to reverse proxy

<Virtualhost *:*>
        ServerName jitsi.viry.net
        ProxyPreserveHost on
        <IfModule mod_proxy.c>
            <IfModule mod_proxy_wstunnel.c>
                ProxyTimeout 900
                ProxyPass /xmpp-websocket ws://10.0.0.201:8000/xmpp-websocket
                ProxyPass /colibri-ws/ ws://10.0.0.201:8000/colibri-ws/
                ProxyPass / http://10.0.0.201:8000/
                ProxyPassReverse / http://10.0.0.201:8000/
            </IfModule>
        </IfModule>
</VirtualHost>

Here's the result if i connect with google chrome

Image

@saghul
Member

saghul commented Feb 6, 2025

You need to access your URL using HTTPS. But when you proxy, proxy to the HTTP endpoint.

@Chico0008
Author

i'm not sure what you mean.
if i access with https://jitsi.domain.net i have an unavailable web site, with error ERR_CONNECTION_REFUSED.

so what do i need to do on my apache conf, or docker conf (.env or docker-compose file) ?

@saghul
Member

saghul commented Feb 6, 2025

> if i access with https://jitsi.domain.net i have an unavailable web site, with error ERR_CONNECTION_REFUSED.

That suggests you have a problem in your apache config. Sorry I'm not very familiar with apache RP to know what's wrong there.

@Chico0008
Author

Apache gets no error when connecting to https://jitsi.domain.net
nothing in browser console

@saghul
Member

saghul commented Feb 6, 2025

> <Virtualhost *:*>

Shouldn't this be <Virtualhost *:443> perhaps?

@Chico0008
Author

already tried, changes nothing

@saghul
Member

saghul commented Feb 7, 2025

Sorry, I don't know enough Apache config to help you. By the look of it, the problem seems to be there. Perhaps check the logs and serve a static page at your desired domain first, then once that works introduce the proxy to the Docker setup.

@Chico0008
Author

going to the docker without RP works
i can go to https://10.0.0.201:8443, jitsi works fine

but going to https://jitsi.domain.net (to go through RP) won't work.

if an apache expert could help to set the conf, and maybe if there is something to do in jitsi docker .env or conf ?

I have other docker on 10.0.0.201 working through RP with just proxypass and proxypassreverse

@Chrysocyon1

Chrysocyon1 commented Feb 10, 2025

Hi,

I had a similar problem, the fix in my case was to remove :${HTTPS_PORT} at the PUBLIC_URL in .env .
Maybe it will be useful for you.

server-with-apache-and-docker-jitsi-with-nginx

@Chico0008
Author

Chico0008 commented Feb 10, 2025

tried removing, but still nope :(

my RP is a server recovering connection to jitsi.domain.net
my jitsi docker is on another server

PUBLIC URL must be docker server ip ? or the dns used to reach it ?
tried https://10.0.0.201 (docker server) or https://jitsi.domain.net

both didn't work.

@saghul
Member

saghul commented Feb 10, 2025

Can you please draw a little diagram of how your stuff is connected?

@Chico0008
Author

Chico0008 commented Feb 11, 2025

[Client] --> using https://jitsi.domain.net --> [Reverse Proxy/10.0.0.100] ----> [Docker Server/10.0.0.201]

In my lan i can reach jitsi via https://10.0.0.201:8443, but the goal is to go via RP, because later my RP will be exposed to internet , but not the docker server.
(we have a public certificate for our public IP/DNS)
On docker server i have multiple containers (Stirling PDF, Handbrake) and i can reach them through reverse proxy.

@saghul
Member

saghul commented Feb 11, 2025

Alright in this configuration your PUBLIC_URL should be set to https://jitsi.domain.net and the RP should proxy to 10.0.0.201.

You also need to set JVB_ADVERTISE_IPS to the public IP of the host where the JVB is running and make sure port 10000 is open.

You can check the access logs in the web container. If you don't see any requests coming in, it means the problem is in the RP.

@Chico0008
Author

on docker server, jitsi .env file for docker compose
PUBLIC_URL=https://jitsi.domain.net
JVB_ADVERTISE_IPS=10.0.0.201

On Reverse proxy server
proxypass and proxypassreverse / https://10.0.0.201:8443/

this is what i did, but https://viry.domain.net gives me a ERR_CONNECTION_REFUSED

Image

@saghul
Member

saghul commented Feb 11, 2025

Don't proxy over https, I mentioned before you do it over http to port 8000.

@aaronkvanmeerten
Member

This is proxying to the SSL port on nginx. You want to proxy to the non-SSL port on the nginx.

@Chico0008
Author

Chico0008 commented Feb 11, 2025

@saghul
on port 8000
so http://jitsi.domain.net i got this

Image

@aaronkvanmeerten
My RP is apache2, not Nginx

@aaronkvanmeerten
Member

But you are proxying to an nginx container (docker server) listening on both 443 and 8080 and bound to your host on 8443 and 8000 respectively, serving the web content and proxying to the other components.
So that's the nginx I mean.

It looks like you have it working now, and your next step is to look at supported browsers. Does this same browser work on meet.jit.si?

@saghul
Member

saghul commented Feb 11, 2025

I think he might be accessing it via http. Which explains that page.

@Chico0008
Author

Chico0008 commented Feb 12, 2025

the same browser works on meet.jit.si

Recap again (in case)
on .env for jitsi docker

HTTP_PORT=8000
HTTPS_PORT=8443
PUBLIC_URL=https://jitsi.domain.net
JVB_ADVERTISE_IPS=10.0.0.201

if i check docker running, exposed ports are 8000 (routed to 80 inside docker) and 8443 (routed to 443 inside docker)
if i follow the logic, my RP apache2 conf should be this

<Virtualhost *:80>
        ServerName jitsi.domain.net
        ProxyPreserveHost on
        ErrorLog ${APACHE_LOG_DIR}/rp_jitsi_error.log
        CustomLog ${APACHE_LOG_DIR}/rp_jitsi_access.log combined

        <IfModule mod_proxy.c>
            <IfModule mod_proxy_wstunnel.c>
                ProxyTimeout 900
                ProxyPass /xmpp-websocket ws://10.0.0.201:8000/xmpp-websocket
                ProxyPass /colibri-ws/ ws://10.0.0.201:8000/colibri-ws/
                ProxyPass / http://10.0.0.201:8000/
                ProxyPassReverse / http://10.0.0.201:8000/
            </IfModule>
        </IfModule>
</VirtualHost>
<VirtualHost *:443>
        ServerName jitsi.domain.net
        ProxyPreserveHost on
        ErrorLog ${APACHE_LOG_DIR}/rp_jitsi_error.log
        CustomLog ${APACHE_LOG_DIR}/rp_jitsi_access.log combined
        ProxyPass / https://10.0.0.201:8443/
        proxypassReverse / https://10.0.0.201:8443/
</VirtualHost>

with this, i can go to http://jitsi.domain.net, i get the page telling unsupported browser
going to https://jitsi.domain.net gives err_connection_refused

tried changing the RP proxy https part with no port (just https://jitsi.domain.net/), still no good.

@Chico0008
Author

Sooooo after multiple tries
seems i needed a certificate, hopefully i had my wildcard validated with my ADCS inside my network.

But still not perfect
i can access Jitsi meet page to create a conference room, but when i want to join a room, i'm being disconnected

Jitsi docker .env file

HTTP_PORT=8000
HTTPS_PORT=8443
PUBLIC_URL=https://10.0.0.201:${HTTPS_PORT}
JVB_ADVERTISE_IPS=10.0.0.201

jitsi docker compose file
i added my certificate files
under web: volumes:

- /etc/ssl/wildcard.domain.net.key:/config/keys/cert.key
- /etc/ssl/wildcard.domain.net.cer:/config/keys/cert.crt

my apache2 conf

<Virtualhost *:80>
        ServerName jitsi.viry.net
        ProxyPreserveHost on
        ErrorLog ${APACHE_LOG_DIR}/rp_jitsi_error.log
        CustomLog ${APACHE_LOG_DIR}/rp_jitsi_access.log combined

        <IfModule mod_proxy.c>
            <IfModule mod_proxy_wstunnel.c>
                ProxyTimeout 900
                ProxyPass /xmpp-websocket ws://10.0.0.201:8000/xmpp-websocket
                ProxyPass /colibri-ws/ ws://10.0.0.201:8000/colibri-ws/
                ProxyPass / http://10.0.0.201:8000/
                ProxyPassReverse / http://10.0.0.201:8000/
            </IfModule>
        </IfModule>
</VirtualHost>
<VirtualHost *:443>
        ServerName jitsi.viry.net

        SSLProxyEngine on
        SSLCertificateFile      /etc/ssl/wildcard.domain.net.cer
        SSLCertificateKeyFile   /etc/ssl/wildcard.domain.net.key

        ProxyPreserveHost on
        ErrorLog ${APACHE_LOG_DIR}/rp_jitsi_error.log
        CustomLog ${APACHE_LOG_DIR}/rp_jitsi_access.log combined
        ProxyPass / https://10.0.0.201:8443/
        proxypassReverse / https://10.0.0.201:8443/
</VirtualHost>

When connecting to a room, i have an error : you've been disconnected, check your network.
i can try again, but still stuck on being disconnected.

@aaronkvanmeerten
Member

Generally your PUBLIC_URL should match the URL users consume your service, so like PUBLIC_URL=https://jitsi.viry.net

Check out: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker/ for more guidance on how configuration variables should be set.

According to the docs mod_proxy_wstunnel is deprecated and instead mod_proxy_http should be used:
https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#protoupgrade

So it appears you should switch to mod_proxy_http and then add the "upgrade" statement after the two websocket URLs

@Chico0008
Author

Alright
just changed
ProxyPass / https://10.0.0.201:8443/
to : ProxyPass / https://10.0.0.201:8443/ upgrade=websocket

seems to work now.
i'll make some tests with my coworkers to check if it's all ok.
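
Added example, not posted by any participant and not the project's own configuration: the maintainers' advice in this thread (HTTPS at the proxy, proxying to the web container's HTTP port 8000, websocket upgrade through mod_proxy_http) collected into one Apache vhost pair. It assumes Apache 2.4.47 or later with mod_ssl, mod_proxy and mod_proxy_http enabled, and reuses the addresses and certificate paths posted above.

```apache
# Matching .env on the Docker host, as advised in the thread:
#   PUBLIC_URL=https://jitsi.domain.net   (the URL users type, no backend port)
#   HTTP_PORT=8000
# JVB media on port 10000 does not pass through Apache; it is reached
# directly at the address set in JVB_ADVERTISE_IPS.

<VirtualHost *:80>
    ServerName jitsi.domain.net
    # Plain HTTP only redirects; the thread shows that loading the app
    # over http:// ends on the "unsupported browser" page.
    Redirect permanent / https://jitsi.domain.net/
</VirtualHost>

<VirtualHost *:443>
    ServerName jitsi.domain.net

    # TLS terminates here, so this vhost needs SSLEngine and the certificate.
    # SSLProxyEngine is not needed because the backend hop below is http://.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/wildcard.domain.net.cer
    SSLCertificateKeyFile /etc/ssl/wildcard.domain.net.key

    ErrorLog  ${APACHE_LOG_DIR}/rp_jitsi_error.log
    CustomLog ${APACHE_LOG_DIR}/rp_jitsi_access.log combined

    ProxyPreserveHost On
    ProxyTimeout 900

    # Most specific paths first. upgrade=websocket lets mod_proxy_http
    # tunnel the Upgrade request, replacing the ws:// lines that relied
    # on the deprecated mod_proxy_wstunnel.
    ProxyPass /xmpp-websocket http://10.0.0.201:8000/xmpp-websocket upgrade=websocket
    ProxyPass /colibri-ws/    http://10.0.0.201:8000/colibri-ws/    upgrade=websocket

    # Everything else goes to the web container's non-SSL port.
    ProxyPass        / http://10.0.0.201:8000/
    ProxyPassReverse / http://10.0.0.201:8000/
</VirtualHost>
```

With this layout the hop from the proxy to 10.0.0.201:8000 is unencrypted, so that port is best firewalled to accept connections only from the reverse proxy (10.0.0.100 in the diagram above). Run `apachectl configtest` before reloading to catch a missing module or certificate path.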
