keithkhl
commented
1 week ago Many great open source solutions lack in support for custom installations, and I think BBB is no exception. The instruction given in the doc is awfully confusing. I was going to say it is wrong, but since I am not an expert, I will reserve that claim for now. Below is the proxy server installation insturctions.
From the above link, I can feel that it is written by an extremely highly experienced Nginx dev or a complete novice.
For starters, you can't have another URL in proxy pass without a defined server block, at lesat in my best of knowledge. But in below code lines for Nginx,
location /bbb-01/html5client/ { proxy_pass https://bbb-01.example.com/bbb-01/html5client/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; }
Either the author assumed that 'bbb-01.example.com' is pre-defined in the proxy server, or must have used it as an alias. I checked both cases.
Case 1: Predefined downstream server specific subdomain for BBB If you assumed predefined server block in the proxy server, what was the bbb-01.example.com's forwarding port to the downstream servers? Is it port 80 and 443? In the hard machine installation of BBB, I can see port 80 is redirected to port 81 and 82 in Nginx server blocks, but it also mentions HA proxy handles other ports. But, whichever the port that I forward from proxy to downstream, I get no connection error on 443. There must be 443 open and it redirects to port 81 or 82 on Nginx, but with below, I could not make it work.
server { listen 80; server_name bbb-01.example.com;
location / {
proxy_pass http://192.168.1.1:80;
include /etc/nginx/all_other_forward.conf;
} }
server { listen 443; server_name bbb-01.example.com;
include /etc/nginx/sss.conf; #For both privkey and cert
location / {
proxy_pass https://192.168.1.1:443;
include /etc/nginx/all_other_forward.conf;
} }
Case 2: Alias In this case, I just have to change the proxy_pass value to backend server's internal IPs and ports.
server { listen 80; listen 443 ssl; server_name bbb-proxy.example.com;
include /etc/nginx/sss.conf; #For both privkey and cert
location / {
proxy_pass http://192.168.1.1:80;
include /etc/nginx/all_other_forward.conf;
} }
The problem in this case is that, in the backend, all traffics to port 80 is forwarded to backend server's port 443 and later to 81 and 82, depending on the logic in 'HA proxy'. Here, since the SSL port (443) is also defined in proxy server, backend port 80's forward to 443 will bring the traffic back to proxy server. Then, proxy brings traffic to backend, and again and again. Redirection loop creates error in the end.
Why don't I exclude 'listen 443 SSL' in the proxy? Then, where should that traffic go? How should I response to that traffic? I also set to send proxy's 443 traffic directly to backend's 81 and/or 82, but it also did not work.
In either way, the recommended code does not make sense, at least to best of my knowledge.
I typically define upstream variables in the proxy server to point backend server's internal IPs and ports. This way, I can make sure that Nginx does the load balancing properly.
upstream example_backend { ip_hash; server 192.168.1.1:80 max_fails=3 fail_timeout=30s; server 192.168.1.2:80 max_fails=3 fail_timeout=30s; }
I am not saying that my version is right. It's just that the proposed version seems missing details while it does not take the load balanching into the consideration, in addition to the security issues that the author mentioned at the end of the document.
For services like this, you need a lot of ports. I get that. HA Proxy, yes, I can understand that. But the proposed solution for proxy server case does not make sense, or at least highly confusing.
I can make it work with Docker installations, but I really want to try this 3.0-dev version on my existing server, not on a clean machine.
srkn0
I try to install BBB v3.0 beta release on a hard machine / via a docker (v.2.7.3 for this)
I have proxy server that handles all SSL handshaking and pass the traffic to backend. Reading this doc(https://docs.bigbluebutton.org/administration/cluster-proxy/), I thought my set up is supported.
First, I tried to install BBB without SSL, so with -d option.
Though it is recommended to use different URL for each installations behind the proxy, I thought it is just an illustration purpose. I usually do this with backend stream block in Nginx. For this one, plz let me know if I really have to set diferent sub-domains for each BBB installation and keep the clean sub-domain at proxy server.
then, after the hard machine installation, I get connection failure for HTTP/2 (so HTTPS). I changed all nginx configurations in /etc/nginx/sites-enabled/bigbluebutton, but it did not work.
So, I gave up and run without -d and added back -e myemail@example.com in the installation command. It will do double SSL handshakes, so websites should be slower, but I can respect BBB style.
Now, even after that, I still cannot see the website.
What other configuration setting modification(s) is/are needed?
I have
for other required UDP ports, 16384 - 32768, I also added them to Router OS, but they all go to proxy server. Not sure what should be done. At least, I cannot load balance them in my Router OS. It has to be done at Nginx proxy, but have no clue for this.
In case relevant, I have two BBB servers at the backend, each with 30 cores 100 GB RAM, and I want them to share the traffic.
When it comes to video storage, I am going to use S3 compatible internal video/stream server.
I guess I just need to change a little big of setting, but can't figure out from the docs.