Closed Lithimlin closed 2 years ago
In versions after 5142 there is a major change to using web sockets. I don't know if this is relevant to your case.
There is some information in #992 and #850 - I am still trying to figure out how to make it work with traefik (v1). It looks like so far nobody has shared a working traefik setup with the new web socket Jitsi.
As a workaround you could try to set `ENABLE_XMPP_WEBSOCKET=0`, but this will degrade the user experience.
I've started setting this all up a while after 5142. I'd stumbled across #850 but deemed it not relevant as it is relatively old and somewhat outdated, as you said. Furthermore, the example for traefik v2 is relatively recent even if it is not officially maintained. You're right in that there does not seem to be a single working traefik solution out there. I tried to disable the XMPP websocket. However, this did not help.
I'm not sure why this was closed but I'm sure there is another comment with the reasoning inbound.
@Lithimlin I'm using docker swarm for the jitsi setup and traefik v2 for letsencrypt. Below is the snippet of config under the web service and the complete `stack-traefik.yml` file.

```yaml
labels:
  - "traefik.enable=true"
  - "traefik.docker.network=proxy"
  - "traefik.http.routers.jitsi-secure.entrypoints=websecure"
  - "traefik.http.routers.jitsi-secure.rule=Host(`mydomain.com`)"
  ## Middleware
  - "traefik.http.routers.jitsi-secure.middlewares=security-headers@file"
  ## LetsEncrypt
  - "traefik.http.routers.jitsi-secure.tls=true"
  - "traefik.http.routers.jitsi-secure.tls.certresolver=letsencrypt"
  - "traefik.http.routers.jitsi-secure.tls.domains[0].main=mydomain.com"
  - "traefik.http.routers.jitsi-secure.tls.options=myoptions@file"
  ## Service
  - "traefik.http.routers.jitsi-secure.service=jitsi" # here service name is jitsi
  - "traefik.http.services.jitsi.loadbalancer.server.port=80"
  - "traefik.http.services.jitsi.loadbalancer.passhostheader=true"
```
`stack-traefik.yml`:

```yaml
version: '3.8'
services:
  traefik:
    image: "traefik:v2.3.2"
    hostname: "traefik"
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 5
      #placement:
      #  constraints:
      #    - node.hostname == demo2
      labels:
        - "traefik.enable=false"
        - "traefik.docker.network=proxy"
        - "traefik.http.routers.api.rule=Host(`traefik.mydomain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
        - "traefik.http.routers.api.service=api@internal"
        ## Middlewares
        #- "traefik.http.middlewares.auth.basicauth.users=user:pass"
        - "traefik.http.routers.api.middlewares=security-headers@file,auth"
        # enable https for api/dashboard
        - "traefik.http.routers.api.tls.certresolver=letsencrypt"
        - "traefik.http.routers.api.entrypoints=websecure"
        - "traefik.http.routers.api.tls.domains[0].main=traefik.mydomain.com"
        # tls options from file
        - "traefik.http.routers.api.tls.options=myoptions@file"
        # dummy port
        - "traefik.http.services.dummyservice.loadbalancer.server.port=1111" # In swarm mode, traefik requires a dummy Port
    command:
      - --api=true
      - --api.dashboard=true
      - --providers.file.filename=/etc/traefik/traefik-proxy-config.toml # Using file for reading the dynamic config
      - --providers.file.watch=true
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --log.level=Info
      - --accesslog=false
      - --entryPoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entryPoints.websecure.address=:443
      #- --certificatesResolvers.letsencrypt.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesResolvers.letsencrypt.acme.tlsChallenge=true
      - --certificatesresolvers.letsencrypt.acme.email=your_email@gmail.com
      - --certificatesResolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./letsencrypt:/letsencrypt"
      - "./traefik-proxy-config.toml:/etc/traefik/traefik-proxy-config.toml:ro"
    networks:
      proxy:
networks:
  proxy:
    external: true
    name: proxy
```
`traefik-proxy-config.toml`:

```toml
#################
#### MIDDLEWARES
#################
[http.middlewares]
  [http.middlewares.security-headers.headers]
    accessControlAllowMethods = ["GET", "OPTIONS", "PUT"]
    #accessControlAllowOrigin = "origin-list-or-null"
    accessControlMaxAge = 100
    addVaryHeader = true
    #frameDeny = true
    sslRedirect = true
    browserXssFilter = true
    contentTypeNosniff = true
    #
    stsIncludeSubdomains = true
    stsPreload = true
    stsSeconds = 31536000

#####################
#### CUSTOM TLS CERT
#####################
[tls]
  [tls.options]
    [tls.options.myoptions]
      minVersion = "VersionTLS12"
      curvePreferences = ["CurveP521", "CurveP384"]
      sniStrict = true
      cipherSuites = [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", # tls1.2
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        #"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", # 128 bit
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", # tls1.2
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_FALLBACK_SCSV", # Client is doing version fallback. See RFC 7507.
        "TLS_AES_256_GCM_SHA384", # tls1.3
        "TLS_CHACHA20_POLY1305_SHA256" # tls1.3
      ]
```
@prayagsingh That looked promising but unfortunately didn't help either. I can't really see any big differences which should keep jitsi from working or being assigned a route by traefik.
Since you included it though I'll also share that extra config file for traefik:
```yaml
tls:
  options:
    default:
      sniStrict: true
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
http:
  routers:
    webhook:
      entryPoints:
        - "websecure"
      rule: "Host(`hook.my.domain.tld`)"
      service: webhook-websecure
      tls: true
  services:
    webhook-websecure:
      loadBalancer:
        servers:
          - url: "http://hook.my.domain.tld:1324"
```
@saghul Was this issue closed because it is not related to jitsi directly? A short explanation would be nice.
I closed it because I thought those issues had the answer. Note the Traefik setup is not supported.
@Lithimlin What do you have in the browser JavaScript console?
As expected I am having errors about `Websocket closed unexpectedly`, and the traefik log has `websocket: bad handshake with resp: 403 403 Forbidden`.
If I understand the above traefik examples right there should be nothing specific needed for the websocket. It should just pass through traefik same as other non-websocket traffic.
I'm aware that there is no officially supported traefik setup. However, I don't see why it should not be possible to put jitsi behind a traefik reverse proxy.
I've compared the logs from jitsi's traefik and workadventure's traefik output and I can't see how they differ. The only difference is that the workadventure containers get their routes added while the jitsi ones don't.
```
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="No default certificate, generating one" tlsStoreName=default
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Adding certificate for domain(s) my.domain.tld,*.my.domain.tld"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" serviceName=front middlewareName=pipelining middlewareType=Pipelining routerName=front@docker entryPointName=web
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" entryPointName=web serviceName=front routerName=front@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.6:80" routerName=front@docker entryPointName=web serviceName=front serverName=0
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.6:80 now UP"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware front" routerName=front@docker entryPointName=web middlewareName=tracing middlewareType=TracingForwarder
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" routerName=jitsiweb@docker serviceName=jitsiweb middlewareName=pipelining middlewareType=Pipelining entryPointName=web
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" serviceName=jitsiweb entryPointName=web routerName=jitsiweb@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.3:80" serviceName=jitsiweb serverName=0 entryPointName=web routerName=jitsiweb@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.3:80 now UP"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware jitsiweb" entryPointName=web routerName=jitsiweb@docker middlewareName=tracing middlewareType=TracingForwarder
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" middlewareType=Pipelining routerName=pusher@docker entryPointName=web serviceName=pusher middlewareName=pipelining
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" routerName=pusher@docker entryPointName=web serviceName=pusher
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.7:8080" serviceName=pusher serverName=0 routerName=pusher@docker entryPointName=web
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.7:8080 now UP"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware pusher" middlewareType=TracingForwarder middlewareName=tracing entryPointName=web routerName=pusher@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining entryPointName=web routerName=back@docker serviceName=back
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" serviceName=back entryPointName=web routerName=back@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.8:8080" serverName=0 entryPointName=web routerName=back@docker serviceName=back
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.8:8080 now UP"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware back" middlewareType=TracingForwarder routerName=back@docker entryPointName=web middlewareName=tracing
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware noop@internal" routerName=web-to-websecure@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=web
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme entryPointName=web
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Setting up redirection to https 443" routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme entryPointName=web
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Adding tracing to middleware" routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal entryPointName=web
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" routerName=maps@docker serviceName=maps middlewareName=pipelining middlewareType=Pipelining entryPointName=web
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" routerName=maps@docker serviceName=maps entryPointName=web
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.5:80" entryPointName=web routerName=maps@docker serviceName=maps serverName=0
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.5:80 now UP"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware maps" entryPointName=web routerName=maps@docker middlewareType=TracingForwarder middlewareName=tracing
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=web
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" serviceName=jitsiweb middlewareName=pipelining middlewareType=Pipelining routerName=jitsiweb-ssl@docker entryPointName=websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" routerName=jitsiweb-ssl@docker entryPointName=websecure serviceName=jitsiweb
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.3:80" routerName=jitsiweb-ssl@docker entryPointName=websecure serviceName=jitsiweb serverName=0
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.3:80 now UP"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware jitsiweb" routerName=jitsiweb-ssl@docker entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" routerName=pusher-ssl@docker serviceName=pusher middlewareName=pipelining middlewareType=Pipelining entryPointName=websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" serviceName=pusher entryPointName=websecure routerName=pusher-ssl@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.7:8080" serviceName=pusher serverName=0 entryPointName=websecure routerName=pusher-ssl@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.7:8080 now UP"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware pusher" routerName=pusher-ssl@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining routerName=front-ssl@docker serviceName=front entryPointName=websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" serviceName=front entryPointName=websecure routerName=front-ssl@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.6:80" serviceName=front serverName=0 entryPointName=websecure routerName=front-ssl@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.6:80 now UP"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware front" routerName=front-ssl@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" routerName=wbo-ssl@docker middlewareName=pipelining middlewareType=Pipelining serviceName=wbo entryPointName=websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" routerName=wbo-ssl@docker serviceName=wbo entryPointName=websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.9:8080" entryPointName=websecure routerName=wbo-ssl@docker serviceName=wbo serverName=0
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.9:8080 now UP"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware wbo" middlewareType=TracingForwarder entryPointName=websecure routerName=wbo-ssl@docker middlewareName=tracing
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" serviceName=maps entryPointName=websecure middlewareName=pipelining middlewareType=Pipelining routerName=maps-ssl@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=maps-ssl@docker serviceName=maps
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.5:80" routerName=maps-ssl@docker serviceName=maps entryPointName=websecure serverName=0
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.5:80 now UP"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware maps" routerName=maps-ssl@docker middlewareType=TracingForwarder middlewareName=tracing entryPointName=websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" serviceName=back middlewareName=pipelining middlewareType=Pipelining entryPointName=websecure routerName=back-ssl@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=back-ssl@docker serviceName=back
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.8:8080" serverName=0 entryPointName=websecure routerName=back-ssl@docker serviceName=back
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.8:8080 now UP"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware back" middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure routerName=back-ssl@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" entryPointName=websecure routerName=webhook@file middlewareName=pipelining middlewareType=Pipelining serviceName=webhook-websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=webhook@file serviceName=webhook-websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://hook.adventure.emergencity.de:1324" serverName=0 entryPointName=websecure routerName=webhook@file serviceName=webhook-websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="child http://hook.adventure.emergencity.de:1324 now UP"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware webhook-websecure" middlewareType=TracingForwarder entryPointName=websecure routerName=webhook@file middlewareName=tracing
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining routerName=hedgedoc-ssl@docker entryPointName=websecure serviceName=hedgedoc
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" entryPointName=websecure serviceName=hedgedoc routerName=hedgedoc-ssl@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.10:3000" routerName=hedgedoc-ssl@docker entryPointName=websecure serviceName=hedgedoc serverName=0
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.10:3000 now UP"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware hedgedoc" middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure routerName=hedgedoc-ssl@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=websecure routerName=traefik@docker middlewareName=tracing middlewareType=TracingForwarder
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" middlewareType=BasicAuth entryPointName=websecure routerName=traefik@docker middlewareName=traefik-auth@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Adding tracing to middleware" middlewareName=traefik-auth@docker entryPointName=websecure routerName=traefik@docker
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=websecure middlewareName=traefik-internal-recovery
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Adding route for admin.my.domain.tld with TLS options default" entryPointName=websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Adding route for pusher.my.domain.tld with TLS options default" entryPointName=websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Adding route for my.domain.tld with TLS options default" entryPointName=websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Adding route for api.my.domain.tld with TLS options default" entryPointName=websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Adding route for hook.adventure.emergencity.de with TLS options default" entryPointName=websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Adding route for maps.my.domain.tld with TLS options default" entryPointName=websecure
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="Looking for provided certificate(s) to validate [\"my.domain.tld\" \"*.my.domain.tld\"]..." providerName=dnsresolver.acme
reverse-proxy_1 | time="2021-08-24T12:15:15Z" level=debug msg="No ACME certificate generation required for domains [\"my.domain.tld\" \"*.my.domain.tld\"]." providerName=dnsresolver.acme
```
> @Lithimlin What do you have in the browser JavaScript console?

@bluikko For jitsi's browser output it's just a 404 on the domain `meet.my.domain.tld`. I don't even get any connection to it.
> If I understand the above traefik examples right there should be nothing specific needed for the websocket. It should just pass through traefik same as other non-websocket traffic.

That's also the way I understand it but I'm not even getting a route from traefik that lets me connect to jitsi.
> a 404 on the domain `meet.my.domain.tld`. I don't even get any connection to it.

That sounds like a much more simple problem, your traefik labels/configuration must have something wrong.
> That sounds like a much more simple problem, your traefik labels/configuration must have something wrong.

That's what I'm thinking as well but I can't find the error for the life of me.
I'm using the same labels and config as for my workadventure containers, which work fine, but for some reason jitsi does not get a correct route.
> That sounds like a much more simple problem, your traefik labels/configuration must have something wrong.
> That's what I'm thinking as well but I can't find the error for the life of me.

You don't need the `traefik.enable=true`?
I don't, since I'm disabling containers I don't need traefik for instead of enabling those that need it. The number of containers that need it is much greater as of now. I can try changing that around but I doubt it'll change anything.
Yeah, as expected, that didn't change anything
Updated my initial post to reflect the changes made
I could confirm that my redirect from http://meet.my.domain.tld to https://meet.my.domain.tld works. However, after that I get that 404.
I also can't find the sent request anywhere in any logs, neither from traefik nor from prosody or the web container.
> I could confirm that my redirect from http://meet.my.domain.tld to https://meet.my.domain.tld works. However, after that I get that 404. I also can't find the sent request anywhere in any logs, neither from traefik nor from prosody or the web container.

Can you please check if https is disabled on jitsi-web?
> Can you please check if https is disabled on jitsi-web?

It was enabled, as well as the http redirect inside the `.env` file, but disabling either or both did not change anything.
> Can you please check if https is disabled on jitsi-web?

I thought about this again and realized that I do actually want to have the jitsi-web service handle the certificates. I specifically created a script to convert Traefik's `acme.json` into the cert and key files and then copy them to the web service's volume.
However, the workadventure services also don't handle their own certificates but have Traefik handle it instead.
> I thought about this again and realized that I do actually want to have the jitsi-web service handle the certificates.

Then why are you using Traefik with jitsi? Jitsi by itself can handle the SSL cert for you.
Because Traefik occupies ports 80 and 443 already and needs those ports in order for the challenge to work. However, when I change jitsi's ports to 8080 and 8443, I get the same 404 error and still no usable output from the logs.
Apart from that, I also don't understand why jitsi isn't working even when I disable https.
@Lithimlin Can you please check whether `curl your_domain.com/config.js` is working or not?
> @Lithimlin Can you please check whether `curl your_domain.com/config.js` is working or not?

@prayagsingh This also results in a 404.
> This also results in a 404.

The request is going via Traefik?
Please disable Traefik for now and simply spin up the jitsi setup. Exec into the VM and try `curl https://localhost:8443/config.js`; if this is working then the problem is with Traefik routing.
> The request is going via Traefik?

Traefik was disabled for jitsi but still turned on. When turning off traefik completely, I get a `curl: (7) Failed to connect to my_domain.com port 80 after 24 ms: Connection refused`. This is with jitsi running on 8080 and 8443 and using `curl my_domain.com/config.js`.
When using `curl https://my_domain.com/config.js`, I get the same thing on port 443. When using `curl my_domain.com:8443/config.js`, I get a timeout after about two minutes.
> Please disable Traefik for now and simply spin up the jitsi setup. Exec into the VM and try `curl https://localhost:8443/config.js`; if this is working then the problem is with Traefik routing.

When doing this I get an SSL error because the certificate does not match the name `localhost`.
> When doing this I get an SSL error because the certificate does not match the name `localhost`.

Use the `-k` flag with curl.
> Traefik was disabled for jitsi but still turned on

This looks like a problem with Traefik. Try a different version.
> Use the `-k` flag with curl.

Yup, works now. Just to make sure though: should jitsi be available from the outside as of now (with traefik turned off and jitsi on ports 8080 and 8443)?
> This looks like a problem with Traefik. Try a different version.

I can certainly try out a few older versions and see if that changes anything.
> This looks like a problem with Traefik. Try a different version.
> I can certainly try out a few older versions and see if that changes anything.

I've now tried with Traefik 2.3 to 2.5 and sadly no luck with any of the versions. On a side note: this is what I see in the dashboard. Not sure if that is any indication as to what might be going wrong. I'll probably move to the traefik forums though and see if I can find a fix for this there. I'll let you know if I have a working config.
> Should jitsi be available from the outside as of now (with traefik turned off and jitsi on ports 8080 and 8443)?

You won't be able to get an SSL certificate using LetsEncrypt if using these ports.
> You won't be able to get an SSL certificate using LetsEncrypt if using these ports.

I am aware of that but I also don't need an extra SSL certificate from LE because I use a DNS challenge and then copy the certificates to the web container's volume.
Or do you mean that the SSL certificate I have won't work? Because it does work for the workadventure containers.
> Or do you mean that the SSL certificate I have won't work?

I meant that LE won't be able to pass the tls challenge because of the different ports.
> I use a DNS challenge and then copy the certificates to the web container's volume.

Wildcard cert?
I never tried an SSL cert with a port other than 443, hence I do not know whether it will work or not.
> Wildcard cert?

yes.
> I never tried an SSL cert with a port other than 443, hence I do not know whether it will work or not.

With Traefik, I won't even be providing ports so I assume Traefik will handle the forwarding then. It does work. Somehow. I'm not 100% certain about the inner workings of Traefik though.
Hello,
I am using swarm with traefik (traefik:v2.2) and jitsi (stable-6173). The webpage is working but I am always getting a websocket error in the chrome debug tool:

```
strophe.umd.js:5463 WebSocket connection to 'wss://meet.example.com/xmpp-websocket?room=test' failed:
_connect @ strophe.umd.js:5463
Logger.js:154 2021-09-19T09:59:44.805Z [JitsiMeetJS.js] <Object.getGlobalOnErrorHandler>: UnhandledError: Strophe: Websocket error [object Event] Script: null Line: null Column: null StackTrace: Error: Strophe: Websocket error [object Event]
    at Object.s.Strophe.log (https://meet.example.com/libs/lib-jitsi-meet.min.js?v=5211:17:16531)
    at Object.error (https://meet.example.com/libs/lib-jitsi-meet.min.js?v=5211:1:24368)
    at N.Websocket._onError (https://meet.example.com/libs/lib-jitsi-meet.min.js?v=5211:1:63842)
```

When I set `ENABLE_XMPP_WEBSOCKET=0` then it is working. Now the question is... how to handle this websocket error and run the webpage with websocket.
Thank you
Unfortunately I couldn't get it to work with traefik
Hello, I have moved to swarm without traefik and I always have the same problem with WebSocket. When I set `ENABLE_XMPP_WEBSOCKET=0` then it is working well. So WebSocket is a general problem with or without traefik.
Same here, not sure what would be the way forward or maybe we just can't update Jitsi anymore.
You can disable WebSockets altogether (check the handbook for how, and note there are 2 parts, XMPP and data channels).
I don't know about traefik, so I can't help you there alas. "Standard" setups work just fine.
> Same here, not sure what would be the way forward or maybe we just can't update Jitsi anymore.
I'm using swarm with Traefik and it's working fine. I'll try to push all the files to jitsi-contrib in the next couple of weeks (probably 1st week of October).
My working Traefik config is below, using the `stable-7001` release.
Mods to `docker-compose.yml`:

```yaml
version: '3'
services:
  # Frontend
  web:
    image: jitsi/web:latest
    restart: ${RESTART_POLICY}
    # ports:
    #   - '${HTTP_PORT}:80'
    #   - '${HTTPS_PORT}:443'
    ...
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.jitsi-web.entrypoints=websecure"
      - "traefik.http.routers.jitsi-web.rule=Host(`$XMPP_DOMAIN`)"
      ## Middlewares
      - "traefik.http.routers.jitsi-web.middlewares=chain-jitsi-auth@file"
      ## HTTP Services
      - "traefik.http.services.jitsi-web.loadbalancer.server.port=80"
  # XMPP server
  prosody:
    image: jitsi/prosody:latest
    ...
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.jitsi-prosody-ws.entrypoints=websecure"
      - "traefik.http.routers.jitsi-prosody-ws.rule=Host(`$XMPP_DOMAIN`) && Path(`/xmpp-websocket`)"
      ## Middlewares
      - "traefik.http.routers.jitsi-prosody-ws.middlewares=chain-jitsi-auth@file"
      ## HTTP Services
      - "traefik.http.services.jitsi-prosody-ws.loadbalancer.server.port=5280"
  # Focus component
  jicofo:
    image: jitsi/jicofo:latest
    ...
  # Video bridge
  jvb:
    image: jitsi/jvb:latest
    ...
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.jitsi-colibri-ws.entrypoints=websecure"
      - "traefik.http.routers.jitsi-colibri-ws.rule=Host(`$XMPP_DOMAIN`) && PathPrefix(`/colibri-ws`)"
      ## Middlewares
      - "traefik.http.routers.jitsi-colibri-ws.middlewares=chain-jitsi-auth@file"
      ## HTTP Services
      - "traefik.http.services.jitsi-colibri-ws.loadbalancer.server.port=9090"
networks:
  meet.jitsi:
    external:
      name: traefik_proxy ## existing external network that Traefik is listening on
```
The `chain-jitsi-auth` middleware includes the following secure headers for Jitsi:

```yaml
http:
  middlewares:
    middlewares-secure-headers-jitsi:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: "allow-from https://example.com"
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: "same-origin"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
          server: ""
```
Also, I set `DOCKER_HOST_ADDRESS` to my public IPv4 address in the `.env` file.
Hope this helps someone out there.
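As an added example (not code from the jitsi-docker project or from this poster), the following Python script applies the checks this thread went through by hand to the Traefik labels in a compose file: it reports a container whose router labels Traefik will ignore because `traefik.enable=true` is missing while `exposedByDefault=false`, a router without a rule or entrypoint, a router whose service has no port label (which swarm mode cannot guess), and a host whose `/xmpp-websocket` and `/colibri-ws` paths have no router of their own, as the working config above gives them. The host `meet.example.com` and both compose fragments are constructed sample input.

```python
"""Lint the Traefik v2 labels of a Jitsi compose file (added example, not
jitsi-docker code). It automates the checks this thread did by hand: router
labels on a container that lacks traefik.enable=true while exposedByDefault
is false, routers without rule or entrypoint, routers whose service has no
loadbalancer.server.port label (swarm mode cannot guess it), and hosts whose
websocket paths have no router of their own."""
import re
from typing import Dict, List, Set

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")
PORT_RE = re.compile(r"^traefik\.http\.services\.([^.]+)\.loadbalancer\.server\.port$")
HOST_RE = re.compile(r"Host\(`([^`]+)`\)")
PATH_RE = re.compile(r"Path(?:Prefix)?\(`([^`]+)`\)")
# Paths the Jitsi client upgrades to WebSockets: prosody (XMPP) and jvb (colibri).
WS_PATHS = ("/xmpp-websocket", "/colibri-ws")


def parse_labels(labels) -> Dict[str, str]:
    """Compose accepts labels as a list of 'key=value' strings or as a mapping."""
    if isinstance(labels, dict):
        return {k: str(v) for k, v in labels.items()}
    return {k.strip(): v.strip() for k, _, v in (s.partition("=") for s in labels or [])}


def lint_compose(compose: dict, exposed_by_default: bool = False) -> List[str]:
    """Return human-readable findings; an empty list means the labels look sane."""
    problems: List[str] = []
    routers: Dict[str, Dict[str, str]] = {}   # router -> option -> value (+ _owner)
    ports: Dict[str, str] = {}                # service -> port label
    declared: Dict[str, List[str]] = {}       # container -> services it declares
    for cname, cdef in (compose.get("services") or {}).items():
        labels = parse_labels(cdef.get("labels"))
        enabled = labels.get("traefik.enable", str(exposed_by_default)).lower() == "true"
        if not enabled:
            if any(k.startswith("traefik.http.") for k in labels):
                problems.append(f"{cname}: has Traefik labels but traefik.enable is not true")
            continue  # Traefik ignores this container entirely
        declared[cname] = []
        for key, value in labels.items():
            if m := ROUTER_RE.match(key):
                routers.setdefault(m.group(1), {"_owner": cname})[m.group(2).lower()] = value
            elif m := PORT_RE.match(key):
                ports[m.group(1)] = value
                declared[cname].append(m.group(1))
    ws_covered: Dict[str, Set[str]] = {}      # host -> websocket paths with a router
    for name, r in routers.items():
        rule = r.get("rule", "")
        if not rule:
            problems.append(f"router {name}: no rule, so Traefik creates no route")
        if "entrypoints" not in r:
            problems.append(f"router {name}: no entrypoints, so it binds to all of them")
        svc = r.get("service")
        if svc is None and len(declared[r["_owner"]]) != 1:
            problems.append(f"router {name}: no service label and its container declares "
                            f"{len(declared[r['_owner']])} services (need exactly one)")
        elif svc is not None and "@" not in svc and svc not in ports:
            problems.append(f"router {name}: service '{svc}' has no loadbalancer.server.port")
        paths = PATH_RE.findall(rule)
        for host in HOST_RE.findall(rule):
            hit = {p for p in WS_PATHS if any(path.startswith(p) for path in paths)}
            ws_covered.setdefault(host, set()).update(hit)
    for host, covered in sorted(ws_covered.items()):
        for p in WS_PATHS:
            if p not in covered:
                problems.append(f"host {host}: no dedicated router for {p}; its websocket "
                                "upgrade goes to whichever router matches the bare Host")
    return problems


def compose_service(*labels: str) -> dict:
    return {"labels": list(labels)}


# Constructed sample mirroring the working labels posted above, host filled in.
WORKING = {"services": {
    "web": compose_service("traefik.enable=true",
                           "traefik.http.routers.jitsi-web.entrypoints=websecure",
                           "traefik.http.routers.jitsi-web.rule=Host(`meet.example.com`)",
                           "traefik.http.services.jitsi-web.loadbalancer.server.port=80"),
    "prosody": compose_service("traefik.enable=true",
                               "traefik.http.routers.jitsi-prosody-ws.entrypoints=websecure",
                               "traefik.http.routers.jitsi-prosody-ws.rule="
                               "Host(`meet.example.com`) && Path(`/xmpp-websocket`)",
                               "traefik.http.services.jitsi-prosody-ws.loadbalancer.server.port=5280"),
    "jvb": compose_service("traefik.enable=true",
                           "traefik.http.routers.jitsi-colibri-ws.entrypoints=websecure",
                           "traefik.http.routers.jitsi-colibri-ws.rule="
                           "Host(`meet.example.com`) && PathPrefix(`/colibri-ws`)",
                           "traefik.http.services.jitsi-colibri-ws.loadbalancer.server.port=9090"),
}}

# Constructed broken sample: web lacks traefik.enable, prosody points at a
# service that has no port label, and nothing routes the websocket paths.
BROKEN = {"services": {
    "web": compose_service("traefik.http.routers.jitsi-web.rule=Host(`meet.example.com`)",
                           "traefik.http.services.jitsi-web.loadbalancer.server.port=80"),
    "prosody": compose_service("traefik.enable=true",
                               "traefik.http.routers.jitsi-prosody-ws.entrypoints=websecure",
                               "traefik.http.routers.jitsi-prosody-ws.rule=Host(`meet.example.com`)",
                               "traefik.http.routers.jitsi-prosody-ws.service=jitsi"),
}}

if __name__ == "__main__":
    for label, compose in (("working", WORKING), ("broken", BROKEN)):
        print(label, lint_compose(compose) or ["ok"])
```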
I'm running jitsi together with workadventure on a single host. Because of this, I'm using traefik (v2.5) as a reverse proxy.
Workadventure works just fine with my setup. However, I can't get jitsi to work right. When looking at the traefik logs and the dashboard, I can see that the jitsi web container is recognized and its config is found. The appropriate services and routers are created and configured. Still, traefik does not add the route for the jitsi instance, resulting in a 404.
I'm using a modified version of the traefik v2 example in jitsi's compose file:
Jitsi uses this `.env` file:
Traefik is set up using the following compose file:
With these variables:
For comparison, here are the labels for one of the workadventure containers which works completely fine:
I get the following log output from traefik:
I'm not sure why `meet.` is the only DN which does not get its route added. When I pull up the workadventure stack, which has a very similar configuration for traefik, the routes get added correctly.