VIDEO GUIDE ** How to Setup Jitsi in Docker with a Reverse Proxy **



2 hours ago, r8z0r1 said:

Hi I always follow your guides and usually all goes well, just can get this one to work. Various issues, however the main one to start is an nginx 502 bad gateway, I'm using duckdns with the url meetnantwich.duckdns.org. Any help would be appreciated?

Please, don't just keep quoting people asking the same question. It's a Saturday and might take some time to get an answer. Did you reboot your server? Can you post some logs from your jitsi containers to help narrow down what the issue could be?


Popular Posts

How to install the Jitsi stack and run through a reverse proxy. This guide uses docker compose and portainer.      

I'm no pro, but here's how I'm doing updates. You will need docker-compose, so get it as is shown in the video or via nerd tools   1) Get and replace (appdata/jitsi/github/docker-jitsi-meet)

Try prosodyctl deluser username


7 hours ago, r8z0r1 said:

Did you get this working? I am having similar issues with nginx bad gateway 502 when trying to use duckdns.

Not yet.

 

Will try to describe what I have tried so far. I can ping my meet.subdomain.duckdns.org from my mobile or my lan. But when I look at my router NAT rules for letsencrypt, both for tcp port 80 and udp port 443, no traffic is coming in. Neither on NAT rule for Jitsi on port 10000.

My letsencrypt log is ok.

In portainer if I look at docker-jitsi-meet published ports, I can access Jitsi welcome page for starting a meeting in: 8443:443 and 8000:80. In :443 I need to type in my browser https://ip_unraidserver:8443. Then I can start a meeting (test10). But if I type in my mobile meet.subdomain.duckdns.org I can't reach that meeting. When I am in the created meeting (at home), I can obtain a link for this meeting to share it, but it is: ip_unraidserver:8443/test10

 

Edited by luca2
Link to post
19 hours ago, adambeck7 said:

Please, don't just keep quoting people asking the same question. It's a Saturday and might take some time to get an answer. Did you reboot your server? Can you post some logs from your jitsi containers to help narrow down what the issue could be?

It's ok, I don't want your help with that sort of attitude, pretty much what I thought this forum would be like.

Link to post
On 5/9/2020 at 10:20 PM, luca2 said:

Not yet.

 

Will try to describe what I have tried so far. I can ping my meet.subdomain.duckdns.org from my mobile or my lan. But when I look at my router NAT rules for letsencrypt, both for tcp port 80 and udp port 443, no traffic is coming in. Neither on NAT rule for Jitsi on port 10000.

My letsencrypt log is ok.

In portainer if I look at docker-jitsi-meet published ports, I can access Jitsi welcome page for starting a meeting in: 8443:443 and 8000:80. In :443 I need to type in my browser https://ip_unraidserver:8443. Then I can start a meeting (test10). But if I type in my mobile meet.subdomain.duckdns.org I can't reach that meeting. When I am in the created meeting (at home), I can obtain a link for this meeting to share it, but it is: ip_unraidserver:8443/test10

 

OK, the issue I had was due to the video from Spaceinvader One and the associated text file renaming the docker containers in Portainer the wrong way around. It looks like meet.jitsi and xmpp.meet.jitsi are transversed. Swap them around, restart all 4 containers and then restart letsencrypt, and about 2 mins later all started working.

Link to post
19 hours ago, r8z0r1 said:

OK, the issue I had was due to the video from Spaceinvader One and the associated text file renaming the docker containers in Portainer the wrong way around. It looks like meet.jitsi and xmpp.meet.jitsi are transversed. Swap them around, restart all 4 containers and then restart letsencrypt, and about 2 mins later all started working.

Yep, I already discovered that, but it is still not working.

Just to confirm, how does Jitsi recognize that the original wan packet sent to 443 goes through letsencrypt's docker to 1443 and then to 443 in jitsi docker? As seen below, I do not see a connection between port 1443 and the active ports portainer shows me for meet.jitsi / video.meet.jitsi:

         wan           letsencrypt          meet.jitsi          /   video.meet.jitsi

----> tcp 443 ----->       1443   ------->   8443:443 8000:80   /   10000:10000 4443:4443

Shouldn't I change here 443 with 1443:

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

 

Edited by luca2
add last line
Link to post

Does anyone have any steps for adding jitsi with Nginx Proxy Manager?  

 

NEVERMIND, I figured it out.  I'll do my best to write it below for what I did.  

 

I added two new CNAME records to my DNS entries on Godaddy, jitsi and xmpp.

 

In nginx proxy manager, I added two proxy hosts.  The first was for the URL I wanted to use to access the server.  The IP is the LAN address of your unRAID server.  Port 8000 because I wasn't using the default port from when we edited the .env file.

w76TVj8.png

 

The second proxy host was what I found my issue to be.  Below is the entry for the second host and then why I made it and had to change one line in a config file.

dO8krOD.png

 

It is forwarding port 5280 with the reverse proxy to the other docker container xmpp.meet.jitsi. In portainer, I looked at the log of the meet.jitsi container and it was telling me

Quote

nginx: [emerg] host not found in upstream "xmpp.meet.jitsi" in /config/nginx/meet.conf:35

I found meet.conf and changed the entry on line 35 to

proxy_pass http://xmpp.MYDOMAINNAME.com:5280/http-bind;

I restarted the jitsi containers and after that, everything worked as expected. IF, and I stress IF, this isn't the right way to do it, please help me and anyone else out with the proper way, but so far, all is good. Now to do more testing.

I however now have issues with video working so it's not a fix.

Edited by johnomaz
Link to post

Hi again,

Have been really busy trying to setup Jitsi. I realised the first thing I had to do is learn about host, subdomain, A record, Ddns, Cname, ...

So finally I deleted everything and started from scratch. I also bought a domain and have been setting it up. Now I can ping my unraid from the wan and I get the right IP. Also, Letsencrypt is finally working again.

I managed to connect to my jitsi docker from a laptop in the wan by typing http://meet.mydomain.com.

But when I try https://meet.mydomain.com it is not working. I checked that I can connect to any https web with my browser. Also that my NAT rule is active for unraid_ip ports 443(wan)>1443(lan). But if I use a web portal to check for open ports, I get "Port 443 is closed".

I looked at the logs and found in Portainer this:

2020/05/19 19:37:00 http error: Invalid JWT token (err=Invalid JWT token) (code=401)

Any idea what is causing this?

 

Link to post
Hi again,
Have been really busy trying to setup Jitsi. I realised the first thing I had to do is learn about host, subdomain, A record, Ddns, Cname, ...
So finally I deleted everything and started from scratch. I also bought a domain and have been setting it up. Now I can ping my unraid from the wan and I get the right IP. Also, Letsencrypt is finally working again.
I managed to connect to my jitsi docker from a laptop in the wan by typing http://meet.mydomain.com.
But when I try https://meet.mydomain.com it is not working. I checked that I can connect to any https web with my browser. Also that my NAT rule is active for unraid_ip ports 443(wan)>1443(lan). But if I use a web portal to check for open ports, I get "Port 443 is closed".
I looked at the logs and found in Portainer this:
2020/05/19 19:37:00 http error: Invalid JWT token (err=Invalid JWT token) (code=401)

Any idea what is causing this?
 

Solved: natted 443 was set to udp and not tcp.

Sent from my HMA-L29 using Tapatalk

Link to post

4 questions.

 

1. How do you remove a user

2. Is the previous post for updates the recommended method for updates (then re-setup authentication)?

3. Having problems when 3rd person joins we lose video to person who joined second. I'm running on a G4900, is it a CPU limitation? (I have an i3-9100 on order). Seems to be a related issue but not sure how it relates to our install method: https://community.jitsi.org/t/not-working-for-more-than-2-people-in-the-room/18821/115

4. Is the below "limited" message correct/normal for Portainer?

 

Thanks

Screen Shot 2020-05-30 at 11.38.17 AM.png

Edited by Flyinace2000
Added #4 and a picture
Link to post
9 hours ago, Flyinace2000 said:

4 questions.

 

1. How do you remove a user

2. Is the previous post for updates the recommended method for updates (then re-setup authentication)?

3. Having problems when 3rd person joins we lose video to person who joined second. I'm running on a G4900, is it a CPU limitation? (I have an i3-9100 on order). Seems to be a related issue but not sure how it relates to our install method: https://community.jitsi.org/t/not-working-for-more-than-2-people-in-the-room/18821/115

4. Is the below "limited" message correct/normal for Portainer?

 

Thanks

Screen Shot 2020-05-30 at 11.38.17 AM.png

Did some digging

 

1. and 2 still would like input from the community.

#3 - My router UDP forward didn't save the first time.  Added that back in to forward 10000 to 10000 to my UnRaid server and I was able to get 4 clients into a meeting.  The little G4900 is feeling it though, CPU load doesn't drop below 50% will sit around 80 to 90 for stretches. 

#4 matches the video so the "Limited" is as expected

Link to post

And I’m back to not being able to have meetings with greater than three participants outside my network. If I join on my desktop and iPad (both on my network 10.0.1.0/24) I can have a third person join outside (from my iPhone on LTE). But if I try to have a call with my dad (outside network), my iPad, and my iPhone (on LTE) we lose audio/video. Same happens if my dad tries to join from his phone and desktop.

Any ideas? Should I pony up the $20 for SpaceInvaderOne direct support? 🙂

Link to post
On 6/5/2020 at 3:51 PM, Flyinace2000 said:

And I’m back to not being able to have meetings with greater than three participants outside my network. If I join on my desktop and iPad (both on my network 10.0.1.0/24) I can have a third person join outside (from my iPhone on LTE). But if I try to have a call with my dad (outside network), my iPad, and my iPhone (on LTE) we lose audio/video. Same happens if my dad tries to join from his phone and desktop.

Any ideas? Should I pony up the $20 for SpaceInvaderOne direct support? 🙂

 

I was having the same issue until I found a script here which I modified to work with SpaceInvader's tutorial and UnRaid. It required me to install bind and lmdb from the Nerd Tools plugin so that 'host' is installed. It sets and updates your public IP inside the sip-communicator.properties file. I have this as a user script running hourly. 

 

#!/bin/bash

# Domain that points to your public IP
DNSNAME="meet.changethistoyourdomain.com"

# JVB properties file that holds the advertised public address
CONF="/mnt/user/appdata/jitsi/jitsi-meet-cfg/jvb/sip-communicator.properties"

# Get the current public IP from the Internet (first A record only)
IPint=$(host -tA "$DNSNAME" 8.8.8.8 | grep "has address" | head -n 1 | cut -d " " -f4)

# Stop if the lookup failed, so an empty or malformed value is never written
if ! [[ "$IPint" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]
then
        echo "Could not resolve $DNSNAME, leaving config unchanged" >&2
        exit 1
fi

# Get the IP currently configured in Jitsi
IPjitsi=$(grep 'NAT_HARVESTER_PUBLIC_ADDRESS' "$CONF" | grep -oE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

if [ "$IPjitsi" = "$IPint" ]
then
        echo "IP has not been changed!"
        exit 0
fi

# Clear the old entry
sed -i '/NAT_HARVESTER_PUBLIC_ADDRESS/d' "$CONF"

# Write the new IP
echo "org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=$IPint" >> "$CONF"

# Restart jicofo
docker restart focus.meet.jitsi
# Restart video bridge
docker restart video.meet.jitsi

 

Link to post

two questions on this:

 

1) The setup guide includes the required terminal line to add a registered user. Can someone provide the necessary modification to remove a registered user?

 

2) I've seen several posts in other threads where people have lost the Published Ports configuration for jvb and web containers in Portainer (currently also experiencing this issue.) Can the steps be provided to add them back?

 

Many thanks

Link to post
13 hours ago, jonathanm said:

Try

prosodyctl deluser username

root@5f8f2764cd31:/# prosodyctl deluser username


**************************
Prosody was unable to find the configuration file.
We looked for: /etc/prosody/prosody.cfg.lua
A sample config file is included in the Prosody download called prosody.cfg.lua.dist
Copy or rename it to prosody.cfg.lua and edit as necessary.
More help on configuring Prosody can be found at https://prosody.im/doc/configure
Good luck!
**************************

root@5f8f2764cd31:/# 

 

Link to post
1 minute ago, Flyinace2000 said:

Prosody was unable to find the configuration file.

Right, you need to use the command the same way you do to register users, just substitute deluser instead of register

prosodyctl --config /config/prosody.cfg.lua deluser <fill in the user you want to delete here>

 

You can't just type prosodyctl deluser username

Link to post

Right, sorry. So I've tried that command and it's asking for the JID?

 

root@5f8f2764cd31:/# prosodyctl --config /config/prosody.cfg.lua deluser username
Failed to understand JID, please supply the JID to the user account you want to delete
Usage: /usr/bin/prosodyctl deluser user@host
root@5f8f2764cd31:/# 

 

Link to post
1 minute ago, Flyinace2000 said:

Right, sorry. So I've tried that command and it's asking for the JID?

 


root@5f8f2764cd31:/# prosodyctl --config /config/prosody.cfg.lua deluser username
Failed to understand JID, please supply the JID to the user account you want to delete
Usage: /usr/bin/prosodyctl deluser user@host
root@5f8f2764cd31:/# 

 

Unless you have a user called "username", you need to

3 minutes ago, jonathanm said:

<fill in the user you want to delete here>

 

Link to post
2 hours ago, Flyinace2000 said:

Got it

need to use deluser <username>@meet.jitsi


prosodyctl --config /config/prosody.cfg.lua deluser username@meet.jitsi

 

this worked for me. I was able to blow away the user I didn't want.

 

I'm now having the "something went wrong" error that I've seen posted elsewhere. And I'm getting this even after wiping the entire configuration (uninstalling everything including Portainer and letsencrypt and starting over.) I can get to the subdomain on my server, create a meeting name, click connect, allow my camera and mic, then endless loops of "something went wrong" without being asked for credentials.

I am using DNS verification with a wildcard, but I still have the ports forwarded on my router for now: 80-to-180, 443-to-1443, 4443, and 10000 all pointing at my Unraid reserved LAN IP. My plan was to start closing them down and rely on DNS verification once I got everything working. Not there yet :)

I've subbed out actual IP addresses with logical names below. "myunraidlanip" and "mydesktopip" are what they sound like

The issue I had earlier where Portainer lost the ports magically went away after a reboot. They were always showing in the Docker containers, but they weren't showing in Portainer. Clicking on them now: "8000:80" under meet.jitsi pulls up the meeting creation screen. Clicking "8443:443" yields a "400 Bad Request. The plain HTTP request was sent to the HTTPS port." Clicking either the "10000:10000" or "4443:4443" under the jvb ports yields "Unable to connect. Firefox can't establish a connection to the server at myunraidlanip:4443"

 

In the logs:

letsencrypt - is running with no errors

 

Portainer error: http error: Invalid JWT token (err=Invalid JWT token) (code=401)

 

focus.meet.jitsi error: Jicofo 2020-06-13 13:28:13.407 SEVERE: [368] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.log() Failed to connect/login: SASLError using SCRAM-SHA-1: not-authorized

 

meet.jitsi log (e.g. not an error): mydesktoplanip - - [13/Jun/2020:13:23:27 -0400] "GET /images/watermark.png HTTP/1.1" 200 33340 "http://myunraidlanip:8000/css/all.css?v=4127" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0"

 

video.meet.jitsi log (e.g. not an error): Jun 13, 2020 1:33:33 PM org.jitsi.utils.logging2.LoggerImpl log INFO: Performed a successful health check in PT0.003S. Sticky failure: false

 

xmpp.meet.jitsi error: focus.meet.jitsi:component info Component authentication failed for focus.meet.jitsi
mod_component info Disconnecting component, <stream:error> is: <stream:error><not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>Given token does not match calculated token</text></stream:error>
jcp5614e797b580 info component disconnected: focus.meet.jitsi (stream error)

 

This is all after a clean restart.

 

Any help is appreciated.

 

Edited by jem
rather than doubleposting...
Link to post
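The "Given token does not match calculated token" line in the post above is the XEP-0114 component handshake failing: the component and the XMPP server each hash the stream ID with their own copy of a shared secret, and the server rejects the stream when the results differ. The following is an added example, not code from the thread or from the Jitsi or Prosody projects; the function names, stream IDs and secrets are constructed for illustration.

```shell
#!/bin/sh
# Added example: XEP-0114 component handshake plus a triage of the two
# authentication failures quoted in the post above.
# All stream IDs and secrets used here are constructed sample values.

# XEP-0114: the component sends hex(SHA-1(stream_id || shared_secret)).
component_token() {  # args: stream_id secret
    printf '%s%s' "$1" "$2" | sha1sum | cut -d ' ' -f 1
}

# The server recomputes the token with its own copy of the secret and
# closes the stream with <not-authorized/> when the two values differ.
server_verdict() {  # args: stream_id server_secret token_from_component
    if [ "$(component_token "$1" "$2")" = "$3" ]; then
        echo "accepted"
    else
        echo "not-authorized: Given token does not match calculated token"
    fi
}

# Map a log line to the kind of shared credential that disagrees.
triage_line() {  # arg: one log line
    case "$1" in
        *"Given token does not match calculated token"*|*"Component authentication failed"*)
            echo "component-secret-mismatch" ;;
        *"SASLError using SCRAM-SHA-1: not-authorized"*)
            echo "user-password-mismatch" ;;
        *)
            echo "unclassified" ;;
    esac
}

# Demo with constructed values: the server holds a newer secret while the
# component still builds its token from the old one.
stale_token=$(component_token "3f2a9c" "old-secret")
server_verdict "3f2a9c" "new-secret" "$stale_token"
triage_line "Failed to connect/login: SASLError using SCRAM-SHA-1: not-authorized"
```

Both results point at two containers holding different copies of a shared credential, so the values each container was started with are the thing to compare.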