bigbluebutton / docker

Docker files for BigBlueButton
GNU Lesser General Public License v3.0

Websocket 1002 connection issue - no audio - own STUN/TURN-server #185

Open RuudschMaHinda opened 2 years ago

RuudschMaHinda commented 2 years ago

I am using my own TURN server (coturn) on an already existing Nextcloud installation. Whenever I click on the microphone, I get the WebSocket connection issue number 1002.

In the .env file I added the TURN server and the secret as they are configured for Talk (a Nextcloud app).

# HTTPS Proxy
# fully automated Lets Encrypt certificates
#ENABLE_HTTPS_PROXY=true

# coturn (a TURN Server)
# requires either the above HTTPS Proxy to be enabled
# or TLS certificates to be mounted to container
#ENABLE_COTURN=true
#COTURN_TLS_CERT_PATH=
#COTURN_TLS_KEY_PATH=

# Greenlight Frontend
# https://docs.bigbluebutton.org/greenlight/gl-overview.html
#ENABLE_GREENLIGHT=true

# STUN SERVER
# stun.freeswitch.org
STUN_IP=[PUBLIC IP OF MY SERVER]
STUN_PORT=3478

# TURN SERVER
# uncomment and adjust following two lines to add an external TURN server
TURN_SERVER=turn:signal.mydomain.de:5349?transport=udp,turn:signal.mydomain.de:5349?transport=tcp
TURN_SECRET=[long string of numbers and letters != SHARED_SECRET for BBB-connection - is secret for TURN server]

Am I just missing a semicolon at the end, maybe? I haven't tried that yet. Though I am growing weary of deleting all containers and images and compiling everything again and again just to make certain everything is fresh.

generate-compose has been run after every change before docker-compose up -d. It does work without Greenlight as intended; I had the same issue with Greenlight enabled. Webcam works as well.

I did not have that issue when I had BBB installed on a separate server
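The TURN_SECRET in the .env above is the one value BigBlueButton and coturn have to agree on byte for byte, so a worked example of what both sides do with it is the quickest way to check a setup like this. This is an added example, not code from this issue or from the bbb-docker project. Both ends use the TURN REST API credential scheme that coturn implements behind use-auth-secret / static-auth-secret: the BigBlueButton side mints a username of the form <unix-expiry>:<user> and a password that is the base64 HMAC-SHA1 of that username under the shared secret; coturn recomputes the HMAC and rejects anything expired or mismatching. Every secret, user name, timestamp and URL below is constructed for the example; the parse of the comma-separated TURN_SERVER value mirrors the .env line on this page.

```python
# Added example (not from the issue or bbb-docker): TURN REST API credentials
# as exchanged between a BigBlueButton-style client side and a coturn-style
# server side that share TURN_SECRET / static-auth-secret. All values constructed.
import base64
import hashlib
import hmac
import time
from typing import Optional


def turn_password(secret: str, username: str) -> str:
    """base64(HMAC-SHA1(secret, username)): the TURN REST API password."""
    mac = hmac.new(secret.encode("utf-8"), username.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def make_turn_credential(secret: str, user: str, ttl: int,
                         now: Optional[int] = None) -> tuple:
    """Client side: (username, credential) handed to the browser for ICE."""
    now = int(time.time()) if now is None else now
    username = f"{now + ttl}:{user}"          # "<unix-expiry>:<user>"
    return username, turn_password(secret, username)


def verify_turn_credential(secret: str, username: str, password: str, now: int) -> bool:
    """Server side (same rules coturn applies, re-implemented here for the demo)."""
    expiry, sep, _ = username.partition(":")
    if not sep or not expiry.isdigit():
        return False                          # not in "<expiry>:<user>" form
    if int(expiry) < now:
        return False                          # credential expired
    # constant-time compare of the recomputed HMAC against the presented password
    return hmac.compare_digest(turn_password(secret, username), password)


def parse_turn_server_env(value: str) -> list:
    """Split a TURN_SERVER .env value ("turn:h:5349?transport=udp,turn:h:5349?transport=tcp")."""
    return [u.strip() for u in value.split(",") if u.strip()]


def ice_servers(turn_server_env: str, stun_ip: str, stun_port: int,
                username: str, credential: str) -> list:
    """RTCPeerConnection-style iceServers list a client builds from the .env values."""
    return [
        {"urls": f"stun:{stun_ip}:{stun_port}"},
        {"urls": parse_turn_server_env(turn_server_env),
         "username": username, "credential": credential},
    ]


if __name__ == "__main__":
    secret = "constructed-turn-secret"        # must equal coturn's static-auth-secret exactly
    now = 1_641_364_084                       # constructed timestamp
    user, pw = make_turn_credential(secret, "bbb", ttl=86400, now=now)
    print(ice_servers("turn:signal.example:5349?transport=udp,"
                      "turn:signal.example:5349?transport=tcp",
                      "203.0.113.10", 3478, user, pw))
    print(verify_turn_credential(secret, user, pw, now))              # matching secret
    print(verify_turn_credential(secret + " ", user, pw, now))        # trailing whitespace in one copy
    print(verify_turn_credential(secret, user, pw, now + 86401))      # expired
```

The second and third checks are the ones that bite in practice: a secret pasted with a trailing space or newline on one side, or clocks that disagree by more than the credential lifetime, both produce a TURN 401 that the browser only surfaces as a failed ICE connection.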

RuudschMaHinda commented 2 years ago

I finally found something to work with in my nginx error log:

2022/01/05 06:28:04 [crit] 64345#64345: *12 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 167.94.*.*, server: 0.0.0.0:7443
2022/01/05 06:28:17 [error] 64345#64345: *45 open() "/etc/nginx/html/ws" failed (2: No such file or directory), client: 202.61.*.* [PUBLIC IP], server: signal.mydomain.de, request: "GET /ws?sessionToken=randomlettersandnumbers HTTP/1.1", host: "10.7.7.1:7443"

The offending configuration is here in my signal.mydomain.de.conf:

upstream signaling {
  server 127.0.0.1:8080;
}
server {
  listen [::]:7443 ssl http2;
  server_name signal.mydomain.de;
  ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
  ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;
  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA>
  ssl_ecdh_curve X448:secp521r1:secp384r1;
  ssl_prefer_server_ciphers on;
  ssl_stapling on;
  ssl_stapling_verify on;
  location /standalone-signaling/ {
    proxy_pass http://signaling/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
  location /standalone-signaling/spreed {
    proxy_pass http://signaling/spreed;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

Sooo... how to get the ws-token through here? If I add the following reverse proxy:

location /ws {
  proxy_pass http://127.0.0.1:5349;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "Upgrade";
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

I now only get this error: recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 202.61.*.*[PUBLIC IP], server: signal.mydomain.de, request: "GET /ws?sessionToken=lettersandnumbers HTTP/1.1", upstream: "http://127.0.0.1:5349/ws?sessionToken=samelettersandnumbers", host: "10.7.7.1:7443"

This is my bbb.mydomain.de.conf:

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name bbb.mydomain.de;

  ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
  ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;
  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
  ssl_ecdh_curve X448:secp521r1:secp384r1;
  ssl_prefer_server_ciphers on;
  ssl_stapling on;
  ssl_stapling_verify on;

  access_log  /var/log/nginx/bbb.mydomain.de.access.log;
  error_log /var/log/nginx/bbb.mydomain.de.error.log;

  location / {
    proxy_http_version 1.1;
    proxy_pass http://127.0.0.1:48087;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
   # proxy_set_header Connection $connection_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_cache_bypass $http_upgrade;
  }
}
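Two things in the nginx logs and configs above are worth a worked reference. First, the "open() /etc/nginx/html/ws failed" line was logged with host "10.7.7.1:7443": nginx picks a server block by the Host header, and a request whose Host matches no server_name on that port lands in the default server for the port, which here had no /ws location and so looked for a static file. Second, a WebSocket reverse proxy is normally written with the upgrade map from the nginx documentation (the $connection_upgrade variable that is commented out in the bbb.mydomain.de.conf above) rather than an unconditional Connection "Upgrade", and with read/send timeouts above nginx's 60-second default so an idle socket is not cut. The block below is an added example of that pattern, not the issue author's configuration and not bbb-docker's own. It assumes the HTML5 client and its /ws endpoint are served by the same HTTP upstream on 127.0.0.1:48087 that / is already proxied to on this page; a TURN listener such as coturn on 5349 speaks STUN/TURN, not HTTP, so it is not a candidate upstream for an HTTP proxy_pass. The certificate paths are copied from the page; the timeout values are the example's own choice.

```nginx
# Added example (not the issue author's config, not bbb-docker's):
# WebSocket-aware reverse proxy for the BigBlueButton HTML5 client.

# http {} context (for example /etc/nginx/conf.d/upgrade-map.conf):
# forward "Connection: upgrade" only when the client actually asked to upgrade,
# and "Connection: close" for ordinary HTTP requests.
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name bbb.mydomain.de;          # requests for other Host values fall into the default server

  ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
  ssl_protocols TLSv1.3 TLSv1.2;

  access_log /var/log/nginx/bbb.mydomain.de.access.log;
  error_log  /var/log/nginx/bbb.mydomain.de.error.log;

  # Assumption of this example: the same HTTP upstream serves the client
  # and its /ws endpoint, so one location covers both.
  location / {
    proxy_pass http://127.0.0.1:48087;
    proxy_http_version 1.1;             # required for the Upgrade handshake
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_cache_bypass $http_upgrade;

    # nginx closes a proxied connection that is silent for proxy_read_timeout
    # (default 60s); a signalling WebSocket can be idle far longer than that.
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;
  }
}
```

To confirm which server block a request actually hits, run nginx -T to dump the effective configuration and check that the Host your client sends (here the browser sends bbb.mydomain.de, but the logged request carried 10.7.7.1:7443) matches a server_name on that listen port; the 1002 error in the client is not diagnosable from the browser alone, the nginx error log line with the "host:" field is what tells you where the upgrade request was routed.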