jitsi / docker-jitsi-meet

Jitsi Meet on Docker
https://hub.docker.com/u/jitsi/
Apache License 2.0

Jitsi web not receiving route behind traefik #1113

Closed Lithimlin closed 2 years ago

Lithimlin commented 3 years ago

I'm running jitsi together with workadventure on a single host. Because of this, I'm using traefik (v2.5) as a reverse proxy.

Workadventure works just fine with my setup. However, I can't get jitsi to work right. When looking at the traefik logs and the dashboard, I can see that the jitsi web container is recognized and its config is found. The appropriate services and routers are created and configured. Still, traefik does not add the route for the jitsi instance, resulting in a 404.

I'm using a modified version of the traefik v2 example in jitsi's compose file:

version: '3.5'

services:
    # Frontend
    web:
        image: jitsi/web:stable-6173
        restart: ${RESTART_POLICY}
        # traefik handles the ports?
        #ports:
        #    - '${HTTP_PORT}:80'
        #    - '${HTTPS_PORT}:443'
        volumes:
            - ${CONFIG}/web:/config:Z
            - ${CONFIG}/web/letsencrypt:/etc/letsencrypt:Z
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
        environment:
            - [...(nothing changed here)...]
        labels:
            - "traefik.enable=true"
            - "traefik.docker.network=traefik.net"
            - "traefik.http.routers.jitsiweb.rule=Host(`${HOSTNAME}`)"
            - "traefik.http.routers.jitsiweb.entryPoints=web"
            - "traefik.http.services.jitsiweb.loadbalancer.server.port=80"
            - "traefik.http.services.jitsiweb.loadbalancer.passhostheader=true"
            - "traefik.http.routers.jitsiweb-ssl.service=jitsiweb"
            - "traefik.http.routers.jitsiweb-ssl.rule=Host(`${HOSTNAME}`)"
            - "traefik.http.routers.jitsiweb-ssl.entryPoints=websecure"
            - "treafik.http.routers.jitsiweb-ssl.tls=true"
        networks:
            traefik.net:
            meet.jitsi:
                aliases:
                    - ${XMPP_DOMAIN}

    # XMPP server
    prosody:
        image: jitsi/prosody:stable-6173
        restart: ${RESTART_POLICY}
        #[...]
        networks:
            meet.jitsi:
                aliases:
                    - ${XMPP_SERVER}

    # Focus component
    jicofo:
        image: jitsi/jicofo:stable-6173
        restart: ${RESTART_POLICY}
        #[...]
        networks:
            meet.jitsi:

    # Video bridge
    jvb:
        image: jitsi/jvb:stable-6173
        restart: ${RESTART_POLICY}
        ports:
            - '${JVB_PORT}:${JVB_PORT}/udp'
            - '${JVB_TCP_MAPPED_PORT}:${JVB_TCP_PORT}'
        #[...]
        #labels:
        #    - "traefik.enable=true"
        #    - "traefik.udp.routers.jvb.entryPoints=video"
        #    - "traefik.udp.routers.jvb.service=jvb"
        #    - "traefik.udp.services.jvb.loadbalancer.server.port=10000"
        networks:
            traefik.net:
            meet.jitsi:
                aliases:
                    - jvb.meet.jitsi

# Custom network so all services can communicate using a FQDN
networks:
    meet.jitsi:
    traefik.net:
        external: true

Jitsi uses this .env file:

#[...(security section omitted)...]
#
# Basic configuration options
#

# Directory where all configuration will be stored
CONFIG=/opt/jitsi-meet-cfg

# Exposed HTTP port
HTTP_PORT=8080

# Exposed HTTPS port
HTTPS_PORT=8443

# System time zone
TZ=Europe/Berlin

# Hostname for traefik
HOSTNAME=meet.my.domain.tld

# Public URL for the web service (required)
PUBLIC_URL=https://meet.my.domain.tld

# IP address of the Docker host
DOCKER_HOST_ADDRESS=10.10.10.10

ENABLE_XMPP_WEBSOCKET=0 # as suggested below
#[...(rest not relevant or not changed)...]

Traefik is set up using the following compose file:

version: "3.5"

services:
  reverse-proxy:
    image: traefik:latest
    command:
      - --log.level=${LOG_LEVEL}
      #- --api.insecure=true
      - --api.dashboard=true
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=traefik.net
      - --providers.file.directory=/configs/
      - --entryPoints.web.address=:${HTTP_PORT}
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entryPoints.websecure.address=:${HTTPS_PORT}
      #- --entryPoints.video.address=:10000/udp
      - --certificatesresolvers.dnsresolver.acme.email=${ACME_EMAIL}
      - --certificatesresolvers.dnsresolver.acme.storage=/acme.json
      # Let's Encrypt's staging server
      # uncomment during testing to avoid rate limiting
      #- --certificatesresolvers.dnsresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      # DNS challenge
      - --certificatesresolvers.dnsresolver.acme.dnsChallenge.provider=rfc2136
    ports:
      - ${HTTP_PORT}:80
      - ${HTTPS_PORT}:443
      # The Web UI (enabled by --api.insecure=true)
      #- "8080:8080"
    environment:
      - LEGO_EXPERIMENTAL_CNAME_SUPPORT
      - RFC2136_TSIG_KEY
      - RFC2136_TSIG_SECRET
      - RFC2136_TSIG_ALGORITHM
      - RFC2136_NAMESERVER
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DATA_DIR}/letsencrypt/acme.json:/acme.json
      - ${DATA_DIR}/traefik.yaml:/configs/traefik_tls.yaml
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.traefik.loadbalancer.server.port=888"
      - "traefik.http.routers.traefik.rule=Host(`${ADMIN_HOST}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=dnsresolver"
      - "traefik.http.routers.traefik.tls.domains[0].main=${DOMAIN}"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.${DOMAIN}"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=<credentials>."
    networks:
      traefik.net:
    restart: unless-stopped

networks:
  traefik.net:

With these variables:

#
# Basic configuration
#

DOMAIN=my.domain.tld
HTTP_PORT=80
HTTPS_PORT=443

DATA_DIR=/opt/traefik-data

ADMIN_HOST=admin.my.domain.tld

LOG_LEVEL=DEBUG

For comparison, here are the labels for one of the workadventure containers which works completely fine:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.front.rule=Host(`${FRONT_HOST}`)"
  - "traefik.http.routers.front.entryPoints=web"
  - "traefik.http.services.front.loadbalancer.server.port=80"
  - "traefik.http.routers.front-ssl.rule=Host(`${FRONT_HOST}`)"
  - "traefik.http.routers.front-ssl.entryPoints=websecure"
  - "traefik.http.routers.front-ssl.service=front"
  - "traefik.http.routers.front-ssl.tls=true"

I get the following log output from traefik:

# Config received from docker:
reverse-proxy_1  | time="2021-08-23T14:38:32Z" level=debug msg="Provider event received {Status:start ID:f22b7005a78f01bf1f0e2d6a057a9793566e18f4c75bdb417e4e8a6817953be7 From:jitsi/web:stable-6173 Type:container Action:start Actor:{ID:f22b7005a78f01bf1f0e2d6a057a9793566e18f4c75bdb417e4e8a6817953be7 Attributes:map[com.docker.compose.config-hash:be4ae0d6ace0211c24b773057dd327a520bd9b8710489503a28f996cce7c1c9e com.docker.compose.container-number:1 com.docker.compose.oneoff:False com.docker.compose.project:docker-jitsi-meet-stable-6173 com.docker.compose.service:web com.docker.compose.version:1.21.0 image:jitsi/web:stable-6173 name:docker-jitsi-meet-stable-6173_web_1 traefik.http.routers.jitsiweb-ssl.entryPoints:websecure traefik.http.routers.jitsiweb-ssl.rule:Host(`meet.my.domain.tld`) traefik.http.routers.jitsiweb-ssl.service:jitsiweb traefik.http.routers.jitsiweb.entryPoints:web traefik.http.routers.jitsiweb.rule:Host(`meet.my.domain.tld`) traefik.http.services.jitsiweb.loadbalancer.server.port:80 treafik.http.routers.jitsiweb-ssl.tls:true]} Scope:local Time:1629729512 TimeNano:1629729512594350361}" providerName=docker
reverse-proxy_1  | time="2021-08-23T14:38:32Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"jitsiweb\":{\"entryPoints\":[\"web\"],\"service\":\"jitsiweb\",\"rule\":\"Host(`meet.my.domain.tld`)\"},\"jitsiweb-ssl\":{\"entryPoints\":[\"websecure\"],\"service\":\"jitsiweb\",\"rule\":\"Host(`meet.my.domain.tld`)\"},\"traefik\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"traefik-auth\"],\"service\":\"api@internal\",\"rule\":\"Host(`admin.my.domain.tld`)\",\"tls\":{\"certResolver\":\"dnsresolver\",\"domains\":[{\"main\":\"my.domain.tld\",\"sans\":[\"*.my.domain.tld\"]}]}}},\"services\":{\"jitsiweb\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.21.0.3:80\"}],\"passHostHeader\":true}},\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.21.0.2:888\"}],\"passHostHeader\":true}}},\"middlewares\":{\"traefik-auth\":{\"basicAuth\":{\"users\":[\"<credentials>\"]}}}},\"tcp\":{},\"udp\":{\"routers\":{\"jvb\":{\"entryPoints\":[\"video\"],\"service\":\"jvb\"}},\"services\":{\"jvb\":{\"loadBalancer\":{\"servers\":[{\"address\":\"172.21.0.4:10000\"}]}}}}}" providerName=docker
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="No default certificate, generating one" tlsStoreName=default
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Adding certificate for domain(s) my.domain.tld,*.my.domain.tld"
# Creation of jitsi-relevant middleware and routers
# First for jitsiweb-ssl service over websecure
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating middleware" serviceName=jitsiweb entryPointName=websecure routerName=jitsiweb-ssl@docker middlewareName=pipelining middlewareType=Pipelining
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=jitsiweb-ssl@docker serviceName=jitsiweb
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating server 0 http://172.21.0.3:80" serviceName=jitsiweb serverName=0 entryPointName=websecure routerName=jitsiweb-ssl@docker
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="child http://172.21.0.3:80 now UP"
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Added outgoing tracing middleware jitsiweb" routerName=jitsiweb-ssl@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=websecure middlewareName=traefik-internal-recovery
# Then for jitsiweb over web
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating middleware" entryPointName=web routerName=jitsiweb@docker serviceName=jitsiweb middlewareName=pipelining middlewareType=Pipelining
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating load-balancer" serviceName=jitsiweb entryPointName=web routerName=jitsiweb@docker
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating server 0 http://172.21.0.3:80" routerName=jitsiweb@docker serverName=0 serviceName=jitsiweb entryPointName=web
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="child http://172.21.0.3:80 now UP"
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Added outgoing tracing middleware jitsiweb" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=jitsiweb@docker
# Adding middleware for redirects
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Added outgoing tracing middleware noop@internal" routerName=web-to-websecure@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=web
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating middleware" routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme entryPointName=web
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Setting up redirection to https 443" middlewareType=RedirectScheme entryPointName=web routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Adding tracing to middleware" middlewareName=redirect-web-to-websecure@internal entryPointName=web routerName=web-to-websecure@internal
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
# Stuff for traefik dashboard
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=websecure routerName=traefik@docker middlewareName=tracing middlewareType=TracingForwarder
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating middleware" middlewareName=traefik-auth@docker middlewareType=BasicAuth routerName=traefik@docker entryPointName=websecure
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Adding tracing to middleware" entryPointName=websecure routerName=traefik@docker middlewareName=traefik-auth@docker
# A webhook defined in an extra traefik config file (see comments below)
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating middleware" entryPointName=websecure routerName=webhook@file serviceName=webhook-websecure middlewareName=pipelining middlewareType=Pipelining
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating load-balancer" serviceName=webhook-websecure entryPointName=websecure routerName=webhook@file
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating server 0 http://hook.adventure.emergencity.de:1324" serviceName=webhook-websecure entryPointName=websecure serverName=0 routerName=webhook@file
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="child http://hook.some.domain.tld:1324 now UP"
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Added outgoing tracing middleware webhook-websecure" entryPointName=websecure routerName=webhook@file middlewareType=TracingForwarder middlewareName=tracing
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
# Routes added for "hook." and "admin.", but not for "meet.":
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Adding route for hook.my.domain.tld with TLS options default" entryPointName=websecure
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Adding route for admin.my.domain.tld with TLS options default" entryPointName=websecure
# jvb's UDP entrypoint
reverse-proxy_1  | time="2021-08-23T14:38:33Z" level=debug msg="Creating UDP server 0 at 172.21.0.4:10000" serviceName=jvb entryPointName=video routerName=jvb@docker serverName=0

I'm not sure why meet. is the only DN which does not get its route added. When I pull up the workadventure stack, which has a very similar configuration for traefik, the routes get added correctly.
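The debug output quoted in this report already contains the clue: the raw container attributes list a label `treafik.http.routers.jitsiweb-ssl.tls:true`, while the parsed configuration on the next line shows `jitsiweb-ssl` on `websecure` with no `tls` key, and the "Adding route for ... with TLS options" lines are logged for routers that carry a TLS section. A label whose prefix is not exactly `traefik.` is not a Traefik label, so Traefik drops it without any warning. The Python checker below is an added example (not code from this issue, from docker-jitsi-meet or from Traefik): it builds the dynamic configuration that a set of compose labels describes, applies the same checks to the configuration Traefik prints in its `Configuration received from provider docker` debug line, and flags labels whose prefix is a near miss of `traefik`. The sample labels and the sample log line are constructed after the ones in the report.

```python
"""Cross-check Traefik v2 Docker labels against the dynamic configuration
Traefik reports at debug level. Added example for this thread, not code from
docker-jitsi-meet or Traefik; sample labels and log line are constructed."""
import difflib
import json
import re

ROUTER_RE = re.compile(r"^traefik\.(http|tcp|udp)\.routers\.([^.]+)\.(.+)$", re.I)
SERVICE_RE = re.compile(r"^traefik\.(http|tcp|udp)\.services\.([^.]+)\.", re.I)
CONFIG_MSG = 'msg="Configuration received from provider docker: '


def config_from_labels(labels):
    """Build a dict shaped like Traefik's dynamic config from compose labels.
    Returns (config, findings). A label whose first segment is not 'traefik'
    is not a Traefik label and is dropped silently; near misses are reported."""
    config, findings = {}, []
    for raw in labels:
        key, _, value = raw.partition("=")
        prefix = key.split(".", 1)[0].lower()
        if prefix != "traefik":
            if difflib.SequenceMatcher(None, prefix, "traefik").ratio() >= 0.8:
                findings.append(f"label ignored, misspelled prefix {prefix!r}: {key}")
            continue
        m = ROUTER_RE.match(key)
        if m:
            proto, name, opt = m.group(1).lower(), m.group(2), m.group(3).lower()
            router = config.setdefault(proto, {}).setdefault("routers", {}).setdefault(name, {})
            if opt == "tls":                    # "...tls=true" turns TLS on
                router.setdefault("tls", {})
            elif opt.startswith("tls."):        # e.g. tls.certresolver=...
                router.setdefault("tls", {})[opt[4:]] = value
            elif opt == "entrypoints":          # label keys are case-insensitive
                router["entryPoints"] = [e.strip() for e in value.split(",")]
            else:
                router[opt] = value
            continue
        m = SERVICE_RE.match(key)
        if m:
            proto, name = m.group(1).lower(), m.group(2)
            config.setdefault(proto, {}).setdefault("services", {}).setdefault(name, {})
    return config, findings


def config_from_log(log_text):
    """Return the dynamic config JSON Traefik logs after parsing the labels."""
    for line in log_text.splitlines():
        start = line.find(CONFIG_MSG)
        if start == -1:
            continue
        body = line[start + len(CONFIG_MSG):]
        end = body.rfind('" providerName=')
        # logrus wraps msg in double quotes and escapes the inner ones
        return json.loads(body[:end].replace('\\"', '"'))
    raise ValueError("no 'Configuration received from provider docker' line found")


def check_routers(config, tls_entrypoints=("websecure",)):
    """Flag routers pointing at an undefined service, and HTTP routers on a
    TLS entrypoint that have no tls section (those get no TLS route)."""
    findings = []
    for proto in ("http", "tcp", "udp"):
        routers = config.get(proto, {}).get("routers", {})
        services = config.get(proto, {}).get("services", {})
        for name, router in sorted(routers.items()):
            svc = router.get("service", name)             # defaults to router name
            if "@" not in svc and svc not in services:    # x@internal, x@file are external
                findings.append(f"{proto} router {name}: service {svc!r} is not defined")
            on_tls = set(router.get("entryPoints", [])) & set(tls_entrypoints)
            if proto == "http" and on_tls and "tls" not in router:
                findings.append(f"http router {name}: on {sorted(on_tls)} but has no tls section")
    return findings


# Constructed after the jitsi web labels in the report, misspelled prefix included.
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.docker.network=traefik.net",
    "traefik.http.routers.jitsiweb.rule=Host(`meet.my.domain.tld`)",
    "traefik.http.routers.jitsiweb.entryPoints=web",
    "traefik.http.services.jitsiweb.loadbalancer.server.port=80",
    "traefik.http.routers.jitsiweb-ssl.service=jitsiweb",
    "traefik.http.routers.jitsiweb-ssl.rule=Host(`meet.my.domain.tld`)",
    "traefik.http.routers.jitsiweb-ssl.entryPoints=websecure",
    "treafik.http.routers.jitsiweb-ssl.tls=true",
]

# Constructed log line in the shape of the "Configuration received" line in the
# report: the misspelled label never arrives, so jitsiweb-ssl has no "tls" key.
_EFFECTIVE = {"http": {"routers": {
    "jitsiweb": {"entryPoints": ["web"], "service": "jitsiweb", "rule": "Host(`meet.my.domain.tld`)"},
    "jitsiweb-ssl": {"entryPoints": ["websecure"], "service": "jitsiweb", "rule": "Host(`meet.my.domain.tld`)"}},
    "services": {"jitsiweb": {"loadBalancer": {"servers": [{"url": "http://172.21.0.3:80"}]}}}}}
SAMPLE_LOG = ('reverse-proxy_1  | time="2021-08-23T14:38:32Z" level=debug ' + CONFIG_MSG
              + json.dumps(_EFFECTIVE).replace('"', '\\"') + '" providerName=docker\n')

if __name__ == "__main__":
    cfg, found = config_from_labels(SAMPLE_LABELS)
    print(*(found + check_routers(cfg) + check_routers(config_from_log(SAMPLE_LOG))), sep="\n")
```

Running both checks side by side is the point: a finding that the label pass reports as "label ignored" and the log pass reports as a router without a TLS section is the same mistake seen from both ends. `check_routers` treats `websecure` as the only TLS entrypoint by default; pass your own tuple when the entrypoint is named differently.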

bluikko commented 3 years ago

In versions after 5142 there is a major change to using web sockets. I don't know if this is relevant to your case. There is some information in #992 and #850 - I am still trying to figure out how to make it work with traefik (v1). It looks like so far nobody has shared a working traefik setup with the new web socket Jitsi. As a workaround you could try to set ENABLE_XMPP_WEBSOCKET=0 but this will degrade the user experience.

Lithimlin commented 3 years ago

I've started setting this all up a while after 5142. I'd stumbled across #850 but deemed it not relevant as it is relatively old and somewhat outdated as you said. Furthermore, the example for traefik v2 is relatively recent even if it is not officially maintained. You're right in that there does not seem to be a single working traefik solution out there. I tried to disable the XMPP websocket. However, this did not help.

Lithimlin commented 3 years ago

I'm not sure why this was closed but I'm sure there is another comment with the reasoning inbound.

prayagsingh commented 3 years ago

@Lithimlin I'm using docker swarm for the jitsi setup and traefik v2 for letsencrypt. Below is the snippet of config under the web service and the complete stack-traefik.yml file.

labels:
  - "traefik.enable=true"
  - "traefik.docker.network=proxy"
  - "traefik.http.routers.jitsi-secure.entrypoints=websecure"
  - "traefik.http.routers.jitsi-secure.rule=Host(`mydomain.com`)"
  ## Middleware
  - "traefik.http.routers.jitsi-secure.middlewares=security-headers@file"
  ## LetsEncrypt
  - "traefik.http.routers.jitsi-secure.tls=true"
  - "traefik.http.routers.jitsi-secure.tls.certresolver=letsencrypt"
  - "traefik.http.routers.jitsi-secure.tls.domains[0].main=mydomain.com"
  - "traefik.http.routers.jitsi-secure.tls.options=myoptions@file"
  ## Service
  - "traefik.http.routers.jitsi-secure.service=jitsi" # here the service name is jitsi
  - "traefik.http.services.jitsi.loadbalancer.server.port=80"
  - "traefik.http.services.jitsi.loadbalancer.passhostheader=true"

stack-traefik.yml

version: '3.8'

services:

  traefik:
    image: "traefik:v2.3.2"
    hostname: "traefik"
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 5
      #placement:
      #  constraints:
       #   - node.hostname == demo2
      labels:
        - "traefik.enable=false"
        - "traefik.docker.network=proxy"
        - "traefik.http.routers.api.rule=Host(`traefik.mydomain.com`)  && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
        - "traefik.http.routers.api.service=api@internal"
        ## Middlewares
        #- "traefik.http.middlewares.auth.basicauth.users=user:pass"
        - "traefik.http.routers.api.middlewares=security-headers@file,auth"
        # enable https for api/dashboard
        - "traefik.http.routers.api.tls.certresolver=letsencrypt"
        - "traefik.http.routers.api.entrypoints=websecure"
        - "traefik.http.routers.api.tls.domains[0].main=traefik.mydomain.com"
        # tls options from file
        - "traefik.http.routers.api.tls.options=myoptions@file"
        # dummy port
        - "traefik.http.services.dummyservice.loadbalancer.server.port=1111" # In swarm mode, traefik requires a dummy Port

    command:
      - --api=true
      - --api.dashboard=true
      - --providers.file.filename=/etc/traefik/traefik-proxy-config.toml # Using file for reading the dynamic config
      - --providers.file.watch=true
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --log.level=Info
      - --accesslog=false
      - --entryPoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entryPoints.websecure.address=:443
      #- --certificatesResolvers.letsencrypt.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesResolvers.letsencrypt.acme.tlsChallenge=true
      - --certificatesresolvers.letsencrypt.acme.email=your_email@gmail.com
      - --certificatesResolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
    ports:
      - target: 80
        published: 80
        mode: host

      - target: 443
        published: 443
        mode: host

    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./letsencrypt:/letsencrypt"
      - "./traefik-proxy-config.toml:/etc/traefik/traefik-proxy-config.toml:ro"
    networks:
      proxy:

networks:
  proxy:
    external: true
    name: proxy

traefik-proxy-config.toml

#################
#### MIDDLEWARES
#################
[http.middlewares]
  [http.middlewares.security-headers.headers]
    accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
    #accessControlAllowOrigin = "origin-list-or-null"
    accessControlMaxAge = 100
    addVaryHeader = true
    #frameDeny = true
    sslRedirect = true
    browserXssFilter = true
    contentTypeNosniff = true
    #
    stsIncludeSubdomains = true
    stsPreload = true
    stsSeconds = 31536000

#####################
#### CUSTOM TLS CERT
#####################

[tls]
  [tls.options]
    [tls.options.myoptions]
      minVersion = "VersionTLS12"
      curvePreferences = ["CurveP521", "CurveP384"]
      sniStrict = true

      cipherSuites = [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", # tls1.2
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        #"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", # 128 bit
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", # tls1.2
        "TLS_FALLBACK_SCSV", # Client is doing version fallback. See RFC 7507.
        "TLS_AES_256_GCM_SHA384",  # tls1.3
        "TLS_CHACHA20_POLY1305_SHA256" # tls1.3
      ]

Lithimlin commented 3 years ago

@prayagsingh That looked promising but unfortunately didn't help either. I can't really see any big differences which should keep jitsi from working or being assigned a route by traefik.

Since you included it though I'll also share that extra config file for traefik:

tls:
  options:
    default:
      sniStrict: true
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

http:
  routers:
    webhook:
      entryPoints:
        - "websecure"
      rule: "Host(`hook.my.domain.tld`)"
      service: webhook-websecure
      tls: true
  services:
    webhook-websecure:
      loadBalancer:
        servers:
          - url: "http://hook.my.domain.tld:1324"

@saghul Was this issue closed because it is not related to jitsi directly? A short explanation would be nice.

saghul commented 3 years ago

I closed it because I thought those issues had the answer. Note the Traefik setup is not supported.

bluikko commented 3 years ago

@Lithimlin What do you have in the browser JavaScript console?

As expected I am having errors about "Websocket closed unexpectedly" - and the traefik log has "websocket: bad handshake with resp: 403 403 Forbidden".

If I understand the above traefik examples right there should be nothing specific needed for the websocket. It should just pass through traefik same as other non-websocket traffic.

Lithimlin commented 3 years ago

I'm aware that there is no officially supported traefik setup. However, I don't see why it should not be possible to put jitsi behind a traefik reverse proxy.

I've compared the logs from jitsi's traefik and workadventure's traefik output and I can't see how they differ. The only difference is that the workadventure containers get their routes added while the jitsi ones don't.

reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="No default certificate, generating one" tlsStoreName=default
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Adding certificate for domain(s) my.domain.tld,*.my.domain.tld"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" serviceName=front middlewareName=pipelining middlewareType=Pipelining routerName=front@docker entryPointName=web
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" entryPointName=web serviceName=front routerName=front@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.6:80" routerName=front@docker entryPointName=web serviceName=front serverName=0
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.6:80 now UP"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware front" routerName=front@docker entryPointName=web middlewareName=tracing middlewareType=TracingForwarder
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" routerName=jitsiweb@docker serviceName=jitsiweb middlewareName=pipelining middlewareType=Pipelining entryPointName=web
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" serviceName=jitsiweb entryPointName=web routerName=jitsiweb@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.3:80" serviceName=jitsiweb serverName=0 entryPointName=web routerName=jitsiweb@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.3:80 now UP"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware jitsiweb" entryPointName=web routerName=jitsiweb@docker middlewareName=tracing middlewareType=TracingForwarder
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" middlewareType=Pipelining routerName=pusher@docker entryPointName=web serviceName=pusher middlewareName=pipelining
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" routerName=pusher@docker entryPointName=web serviceName=pusher
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.7:8080" serviceName=pusher serverName=0 routerName=pusher@docker entryPointName=web
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.7:8080 now UP"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware pusher" middlewareType=TracingForwarder middlewareName=tracing entryPointName=web routerName=pusher@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining entryPointName=web routerName=back@docker serviceName=back
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" serviceName=back entryPointName=web routerName=back@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.8:8080" serverName=0 entryPointName=web routerName=back@docker serviceName=back
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.8:8080 now UP"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware back" middlewareType=TracingForwarder routerName=back@docker entryPointName=web middlewareName=tracing
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware noop@internal" routerName=web-to-websecure@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=web
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme entryPointName=web
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Setting up redirection to https 443" routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme entryPointName=web
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Adding tracing to middleware" routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal entryPointName=web
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" routerName=maps@docker serviceName=maps middlewareName=pipelining middlewareType=Pipelining entryPointName=web
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" routerName=maps@docker serviceName=maps entryPointName=web
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.5:80" entryPointName=web routerName=maps@docker serviceName=maps serverName=0
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.5:80 now UP"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware maps" entryPointName=web routerName=maps@docker middlewareType=TracingForwarder middlewareName=tracing
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=web
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" serviceName=jitsiweb middlewareName=pipelining middlewareType=Pipelining routerName=jitsiweb-ssl@docker entryPointName=websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" routerName=jitsiweb-ssl@docker entryPointName=websecure serviceName=jitsiweb
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.3:80" routerName=jitsiweb-ssl@docker entryPointName=websecure serviceName=jitsiweb serverName=0
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.3:80 now UP"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware jitsiweb" routerName=jitsiweb-ssl@docker entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" routerName=pusher-ssl@docker serviceName=pusher middlewareName=pipelining middlewareType=Pipelining entryPointName=websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" serviceName=pusher entryPointName=websecure routerName=pusher-ssl@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.7:8080" serviceName=pusher serverName=0 entryPointName=websecure routerName=pusher-ssl@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.7:8080 now UP"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware pusher" routerName=pusher-ssl@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining routerName=front-ssl@docker serviceName=front entryPointName=websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" serviceName=front entryPointName=websecure routerName=front-ssl@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.6:80" serviceName=front serverName=0 entryPointName=websecure routerName=front-ssl@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.6:80 now UP"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware front" routerName=front-ssl@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" routerName=wbo-ssl@docker middlewareName=pipelining middlewareType=Pipelining serviceName=wbo entryPointName=websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" routerName=wbo-ssl@docker serviceName=wbo entryPointName=websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.9:8080" entryPointName=websecure routerName=wbo-ssl@docker serviceName=wbo serverName=0
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.9:8080 now UP"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware wbo" middlewareType=TracingForwarder entryPointName=websecure routerName=wbo-ssl@docker middlewareName=tracing
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" serviceName=maps entryPointName=websecure middlewareName=pipelining middlewareType=Pipelining routerName=maps-ssl@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=maps-ssl@docker serviceName=maps
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.5:80" routerName=maps-ssl@docker serviceName=maps entryPointName=websecure serverName=0
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.5:80 now UP"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware maps" routerName=maps-ssl@docker middlewareType=TracingForwarder middlewareName=tracing entryPointName=websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" serviceName=back middlewareName=pipelining middlewareType=Pipelining entryPointName=websecure routerName=back-ssl@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=back-ssl@docker serviceName=back
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.8:8080" serverName=0 entryPointName=websecure routerName=back-ssl@docker serviceName=back
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.8:8080 now UP"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware back" middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure routerName=back-ssl@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" entryPointName=websecure routerName=webhook@file middlewareName=pipelining middlewareType=Pipelining serviceName=webhook-websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=webhook@file serviceName=webhook-websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://hook.adventure.emergencity.de:1324" serverName=0 entryPointName=websecure routerName=webhook@file serviceName=webhook-websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="child http://hook.adventure.emergencity.de:1324 now UP"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware webhook-websecure" middlewareType=TracingForwarder entryPointName=websecure routerName=webhook@file middlewareName=tracing
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining routerName=hedgedoc-ssl@docker entryPointName=websecure serviceName=hedgedoc
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating load-balancer" entryPointName=websecure serviceName=hedgedoc routerName=hedgedoc-ssl@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating server 0 http://172.21.0.10:3000" routerName=hedgedoc-ssl@docker entryPointName=websecure serviceName=hedgedoc serverName=0
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="child http://172.21.0.10:3000 now UP"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Propagating new UP status"
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware hedgedoc" middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure routerName=hedgedoc-ssl@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=websecure routerName=traefik@docker middlewareName=tracing middlewareType=TracingForwarder
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" middlewareType=BasicAuth entryPointName=websecure routerName=traefik@docker middlewareName=traefik-auth@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Adding tracing to middleware" middlewareName=traefik-auth@docker entryPointName=websecure routerName=traefik@docker
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=websecure middlewareName=traefik-internal-recovery
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Adding route for admin.my.domain.tld with TLS options default" entryPointName=websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Adding route for pusher.my.domain.tld with TLS options default" entryPointName=websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Adding route for my.domain.tld with TLS options default" entryPointName=websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Adding route for api.my.domain.tld with TLS options default" entryPointName=websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Adding route for hook.adventure.emergencity.de with TLS options default" entryPointName=websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Adding route for maps.my.domain.tld with TLS options default" entryPointName=websecure
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="Looking for provided certificate(s) to validate [\"my.domain.tld\" \"*.my.domain.tld\"]..." providerName=dnsresolver.acme
reverse-proxy_1  | time="2021-08-24T12:15:15Z" level=debug msg="No ACME certificate generation required for domains [\"my.domain.tld\" \"*.my.domain.tld\"]." providerName=dnsresolver.acme
Lithimlin commented 3 years ago

@Lithimlin What do you have in the browser JavaScript console?

@bluikko For jitsi's browser output it's just a 404 on the domain meet.my.domain.tld. I don't even get any connection to it.

Lithimlin commented 3 years ago

If I understand the above traefik examples right there should be nothing specific needed for the websocket. It should just pass through traefik same as other non-websocket traffic.

That's also the way I understand it but I'm not even getting a route from traefik that lets me connect to jitsi.

bluikko commented 3 years ago

a 404 on the domain meet.my.domain.tld. I don't even get any connection to it.

That sounds like a much more simple problem, your traefik labels/configuration must have something wrong.

Lithimlin commented 3 years ago

That sounds like a much more simple problem, your traefik labels/configuration must have something wrong.

That's what I'm thinking as well but I can't find the error for the life of me.

I'm using the same labels and config as for my workadventure containers which work fine for those but for some reason, jitsi does not get a correct route.

bluikko commented 3 years ago

That sounds like a much more simple problem, your traefik labels/configuration must have something wrong.

That's what I'm thinking as well but I can't find the error for the life of me.

You don't need the traefik.enable=true?

Lithimlin commented 3 years ago

I don't since I'm disabling containers I don't need traefik for instead of enabling those that need it. The number of containers that need it is much greater as of now. I can try changing that around but doubt it'll change anything.

Lithimlin commented 3 years ago

Yeah, as expected, that didn't change anything.

Lithimlin commented 3 years ago

Updated my initial post to reflect the changes made.

Lithimlin commented 3 years ago

I could confirm that my redirect from http://meet.my.domain.tld to https://meet.my.domain.tld works. However, after that I get that 404. I also can't find the sent request anywhere in any logs, neither from traefik nor from prosody or the web container.

prayagsingh commented 3 years ago

I could confirm that my redirect from http://meet.my.domain.tld to https://meet.my.domain.tld works. However, after that I get that 404. I also can't find the sent request anywhere in any logs, neither from traefik nor from prosody or the web container.

Can you please check if https is disabled on jitsi-web?

Lithimlin commented 3 years ago

Can you please check if https is disabled on jitsi-web?

It was enabled, as well as the http redirect inside the .env file, but disabling either or both did not change anything.

Lithimlin commented 3 years ago

Can you please check if https is disabled on jitsi-web?

I thought about this again and realized that I do actually want to have the jitsi-web service handle the certificates. I specifically created a script to convert Traefik's acme.json into the cert and key files and then copies them to the web service's volume. However, the workadventure services also don't handle their own certificates but have Traefik handle it instead.

prayagsingh commented 3 years ago

I thought about this again and realized that I do actually want to have the jitsi-web service handle the certificates.

Then why are you using Traefik with jitsi? Jitsi by itself can handle the SSL cert for you.

Lithimlin commented 3 years ago

Because Traefik occupies ports 80 and 443 already and needs those ports in order for the challenge to work. However, when I change jitsi's ports to 8080 and 8443, I get the same 404 error and still no usable output from the logs.

Apart from that, I also don't understand why jitsi isn't working even when I disable https.

prayagsingh commented 3 years ago

@Lithimlin Can you please check whether curl your_domain.com/config.js is working or not?

Lithimlin commented 3 years ago

@Lithimlin Can you please check whether curl your_domain.com/config.js is working or not?

@prayagsingh This also results in a 404.

prayagsingh commented 3 years ago

This also results in a 404.

The request is going via Traefik? Please disable Traefik for now and simply spin up the jitsi setup. Exec into the VM and try curl https://localhost:8443/config.js; if this is working, then the problem is with Traefik routing.

Lithimlin commented 3 years ago

The request is going via Traefik?

Traefik was disabled for jitsi but still turned on. When turning off traefik completely, I get a curl: (7) Failed to connect to my_domain.com port 80 after 24 ms: Connection refused. This is with jitsi running on 8080 and 8443 and using curl my_domain.com/config.js. When using curl https://my_domain.com/config.js, I get the same thing on port 443. When using curl my_domain.com:8443/config.js, I get a timeout after about two minutes.

Please disable Traefik for now and simply spin up the jitsi setup. Exec into the VM and try curl https://localhost:8443/config.js; if this is working, then the problem is with Traefik routing.

When doing this I get an SSL error because the certificate does not match the name localhost.

prayagsingh commented 3 years ago

When doing this I get an SSL error because the certificate does not match the name localhost

Use -k flag with curl.

prayagsingh commented 3 years ago

Traefik was disabled for jitsi but still turned on

This looks like a problem with Traefik. Try different version.

Lithimlin commented 3 years ago

Use -k flag with curl.

Yup, works now. Just to make sure though: should jitsi be available from the outside as of now (with traefik turned off and jitsi on ports 8080 and 8443)?

This looks like a problem with Traefik. Try different version.

I can certainly try out a few older versions and see if that changes anything.

Lithimlin commented 3 years ago

This looks like a problem with Traefik. Try different version.

I can certainly try out a few older versions and see if that changes anything.

I've now tried with Traefik 2.3 to 2.5 and sadly no luck with any of the versions. On a side note: this is what I see in the dashboard. Not sure if that is any indication as to what might be going wrong. I'll probably move to the traefik forums though and see if I can find a fix for this there. I'll let you know if I have a working config.

prayagsingh commented 3 years ago

Should jitsi be available from the outside as of now (with traefik turned off and jitsi on ports 8080 and 8443)?

You won't be able to get an SSL certificate using LetsEncrypt if using these ports.

Lithimlin commented 3 years ago

You won't be able to get an SSL certificate using LetsEncrypt if using these ports.

I am aware of that but I also don't need an extra SSL certificate from LE because I use a DNS challenge and then copy the certificates to the web container's volume.

Or do you mean that the SSL certificate I have won't work? Because it does work for the workadventure containers.

prayagsingh commented 3 years ago

Or do you mean that the SSL certificate I have won't work?

I meant that LE won't be able to pass the tls challenge because of the different ports.

I use a DNS challenge and then copy the certificates to the web container's volume.

Wildcard cert?

I never tried an SSL cert with a port other than 443, hence I do not know whether it will work or not.

Lithimlin commented 3 years ago

Wildcard cert?

Yes.

I never tried an SSL cert with a port other than 443, hence I do not know whether it will work or not.

With Traefik, I won't even be providing ports so I assume Traefik will handle the forwarding then. It does work. Somehow. I'm not 100% certain about the inner workings of Traefik though.

matodrobec commented 3 years ago

Hello,

I am using swarm with traefik (traefik:v2.2) and jitsi (stable-6173). The webpage is working but I am always getting a websocket error in the Chrome debug tool:

strophe.umd.js:5463 WebSocket connection to 'wss://meet.example.com/xmpp-websocket?room=test' failed: 
_connect @ strophe.umd.js:5463
Logger.js:154 2021-09-19T09:59:44.805Z [JitsiMeetJS.js] <Object.getGlobalOnErrorHandler>:  UnhandledError: Strophe: Websocket error [object Event] Script: null Line: null Column: null StackTrace:  Error: Strophe: Websocket error [object Event]
    at Object.s.Strophe.log (https://meet.example.com/libs/lib-jitsi-meet.min.js?v=5211:17:16531)
    at Object.error (https://meet.example.com/libs/lib-jitsi-meet.min.js?v=5211:1:24368)
    at N.Websocket._onError (https://meet.example.com/libs/lib-jitsi-meet.min.js?v=5211:1:63842)

When I set ENABLE_XMPP_WEBSOCKET=0 then it is working. Now the question is... how to handle this websocket error and run the webpage with websockets.

Thank you

Lithimlin commented 3 years ago

Unfortunately I couldn't get it to work with traefik.

matodrobec commented 3 years ago

Hello, I have moved to swarm without traefik and I still have the same problem with WebSocket. When I set ENABLE_XMPP_WEBSOCKET=0 then it is working well. So WebSocket is a general problem with or without traefik.

bluikko commented 3 years ago

Same here, not sure what would be the way forward or maybe we just can't update Jitsi anymore.

saghul commented 3 years ago

You can disable WebSockets altogether (check the handbook for how, and note there are 2 parts, XMPP and data channels).

I don't know about traefik, so I can't help you there alas. "Standard" setups work just fine.

prayagsingh commented 3 years ago

Same here, not sure what would be the way forward or maybe we just can't update Jitsi anymore.

I'm using swarm with Traefik and it's working fine. I'll try to push all the files to jitsi-contrib in the next couple of weeks (probably the 1st week of October).

fmoledina commented 2 years ago

My working Traefik config is below using the stable-7001 release.

Mods to docker-compose.yml:

version: '3'

services:
    # Frontend
    web:
        image: jitsi/web:latest
        restart: ${RESTART_POLICY}
        # ports:
        #     - '${HTTP_PORT}:80'
        #     - '${HTTPS_PORT}:443'
        ...
        labels:
            - "traefik.enable=true"
            ## HTTP Routers
            - "traefik.http.routers.jitsi-web.entrypoints=websecure"
            - "traefik.http.routers.jitsi-web.rule=Host(`$XMPP_DOMAIN`)"
            ## Middlewares
            - "traefik.http.routers.jitsi-web.middlewares=chain-jitsi-auth@file"
            ## HTTP Services
            - "traefik.http.services.jitsi-web.loadbalancer.server.port=80"

    # XMPP server
    prosody:
        image: jitsi/prosody:latest
        ...
        labels:
            - "traefik.enable=true"
            ## HTTP Routers
            - "traefik.http.routers.jitsi-prosody-ws.entrypoints=websecure"
            - "traefik.http.routers.jitsi-prosody-ws.rule=Host(`$XMPP_DOMAIN`) && Path(`/xmpp-websocket`)"
            ## Middlewares
            - "traefik.http.routers.jitsi-prosody-ws.middlewares=chain-jitsi-auth@file"
            ## HTTP Services
            - "traefik.http.services.jitsi-prosody-ws.loadbalancer.server.port=5280"

    # Focus component
    jicofo:
        image: jitsi/jicofo:latest
        ...

    # Video bridge
    jvb:
        image: jitsi/jvb:latest
        ...
        labels:
            - "traefik.enable=true"
            ## HTTP Routers
            - "traefik.http.routers.jitsi-colibri-ws.entrypoints=websecure"
            - "traefik.http.routers.jitsi-colibri-ws.rule=Host(`$XMPP_DOMAIN`) && PathPrefix(`/colibri-ws`)"
            ## Middlewares
            - "traefik.http.routers.jitsi-colibri-ws.middlewares=chain-jitsi-auth@file"
            ## HTTP Services
            - "traefik.http.services.jitsi-colibri-ws.loadbalancer.server.port=9090"

networks:
    meet.jitsi:
        external:
            name: traefik_proxy  ## existing external network that Traefik is listening on

The chain-jitsi-auth middleware includes the following secure headers for Jitsi:

http:
  middlewares:
    middlewares-secure-headers-jitsi:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: "allow-from https://example.com"
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: "same-origin"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          server: ""

Also, I set DOCKER_HOST_ADDRESS to my public IPv4 address in the .env file.

Hope this helps someone out there.
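The thread only discovered its routing gaps by reading Traefik's debug log for the "Adding route for ..." lines. As an added example (not part of the jitsi/docker-jitsi-meet project or any config posted here), the script below lints Traefik v2 docker labels offline the way the docker provider reads them: is the container enabled at all, does every router carry an entrypoint and a Host() matcher, does its service name a backend port, and in which order Traefik will evaluate the web, /xmpp-websocket and /colibri-ws routers. The labels are the ones from the config above with `$XMPP_DOMAIN` replaced by the constructed value meet.example.com; the "broken" service and all function names are constructed for the demonstration.

```python
import re

# Host(`...`) matcher as written in Traefik v2 rules
HOST_RE = re.compile(r"Host\(`([^`]+)`\)")


def parse_labels(labels):
    """Nest dotted label keys: 'traefik.http.routers.r.rule=X' becomes
    {'traefik': {'http': {'routers': {'r': {'rule': 'X'}}}}}."""
    tree = {}
    for label in labels:
        key, sep, value = label.partition("=")  # split at the first '=' only
        if not sep:
            raise ValueError(f"label without '=': {label!r}")
        node = tree
        parts = key.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return tree


def lint_labels(name, labels, exposed_by_default=True):
    """Findings for one compose service's labels. exposed_by_default mirrors
    the docker provider's exposedByDefault setting (Traefik's default is true)."""
    findings = []
    traefik = parse_labels(labels).get("traefik", {})
    enabled = traefik.get("enable", "true" if exposed_by_default else "false")
    if enabled.lower() != "true":
        findings.append(f"{name}: ignored by Traefik (traefik.enable={enabled})")
        return findings
    http = traefik.get("http", {})
    routers, services = http.get("routers", {}), http.get("services", {})
    if not routers:
        findings.append(f"{name}: enabled but declares no http router")
    for rname, router in routers.items():
        rule = router.get("rule", "")
        if not HOST_RE.search(rule):
            findings.append(f"{name}: router {rname} has no Host() matcher (rule={rule!r})")
        if "entrypoints" not in router:
            findings.append(f"{name}: router {rname} sets no entrypoints")
        sname = router.get("service", rname)  # router falls back to a service of its own name
        port = services.get(sname, {}).get("loadbalancer", {}).get("server", {}).get("port")
        if port is None:
            findings.append(f"{name}: router {rname} -> service {sname} has no loadbalancer.server.port")
    return findings


def routed_hosts(services):
    """Hostnames that should show up as 'Adding route for <host>' in Traefik's debug log."""
    hosts = set()
    for labels in services.values():
        routers = parse_labels(labels).get("traefik", {}).get("http", {}).get("routers", {})
        for router in routers.values():
            hosts.update(HOST_RE.findall(router.get("rule", "")))
    return hosts


def router_order(services):
    """Router names in evaluation order: explicit priority, else rule length,
    highest first (Traefik v2 default), so Host && Path beats a bare Host."""
    entries = []
    for labels in services.values():
        routers = parse_labels(labels).get("traefik", {}).get("http", {}).get("routers", {})
        for rname, router in routers.items():
            entries.append((int(router.get("priority", len(router.get("rule", "")))), rname))
    return [rname for _, rname in sorted(entries, key=lambda e: -e[0])]


XMPP_DOMAIN = "meet.example.com"  # constructed stand-in for $XMPP_DOMAIN

WORKING = {  # labels from the working config above, with the domain expanded
    "web": ["traefik.enable=true",
            "traefik.http.routers.jitsi-web.entrypoints=websecure",
            f"traefik.http.routers.jitsi-web.rule=Host(`{XMPP_DOMAIN}`)",
            "traefik.http.routers.jitsi-web.middlewares=chain-jitsi-auth@file",
            "traefik.http.services.jitsi-web.loadbalancer.server.port=80"],
    "prosody": ["traefik.enable=true",
                "traefik.http.routers.jitsi-prosody-ws.entrypoints=websecure",
                f"traefik.http.routers.jitsi-prosody-ws.rule=Host(`{XMPP_DOMAIN}`) && Path(`/xmpp-websocket`)",
                "traefik.http.services.jitsi-prosody-ws.loadbalancer.server.port=5280"],
    "jvb": ["traefik.enable=true",
            "traefik.http.routers.jitsi-colibri-ws.entrypoints=websecure",
            f"traefik.http.routers.jitsi-colibri-ws.rule=Host(`{XMPP_DOMAIN}`) && PathPrefix(`/colibri-ws`)",
            "traefik.http.services.jitsi-colibri-ws.loadbalancer.server.port=9090"],
}

BROKEN = {  # constructed: router declared, but no enable label and no backend port
    "web": ["traefik.http.routers.jitsiweb.entrypoints=websecure",
            f"traefik.http.routers.jitsiweb.rule=Host(`{XMPP_DOMAIN}`)"],
}

if __name__ == "__main__":
    for name, labels in {**WORKING, "broken-web": BROKEN["web"]}.items():
        print(name, lint_labels(name, labels, exposed_by_default=False) or "ok")
    print("routes:", sorted(routed_hosts(WORKING)), "order:", router_order(WORKING))
```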