jitsi / jitsi-meet

Jitsi Meet - Secure, Simple and Scalable Video Conferences that you use as a standalone app or embed in your web application.
https://jitsi.org/meet
Apache License 2.0
22.95k stars 6.69k forks

nginx broken after fresh installation (existing services present) #5567

Closed natrius closed 3 years ago

natrius commented 4 years ago

Description

Having an existing Ubuntu 18.04 server install with some other services (Nextcloud, Matrix, Hauk) serving and working fine, after installing Jitsi I'm not able to restart nginx anymore and all my other services are unreachable with errors. Even after deleting the files from /etc/nginx/sites-available/ and /etc/nginx/sites-enabled/ nginx won't restart anymore. So it seems like the installation is completely messing with my existing nginx config.

I found this https://github.com/jitsi/jitsi-meet/issues/5487 issue and it seems related, if not the same. I'm not quite willing to replicate again because that would mean making my services inaccessible again. From what I can retrieve from my previous searches, this error was present: nginx[7683]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)

I tried various installation-tutorials, some suggesting installing openjdk-8-jre-headless for example: https://community.jitsi.org/t/installation-on-ubuntu-18-04-4-not-working/22773/3 The first one was https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md but there was the same problem present. Tried some other tutorials as well.

I tried to just use sudo letsencrypt --nginx as well so it creates a letsencrypt-cert for me without changing anything else, but that's not working as well because of the nginx error.

Current behavior

nginx cannot be restarted, errors, other services unreachable, even after deleting sites-available and sites-enabled

Expected Behavior

working nginx. Just jitsi not working if there is a problem.

Steps to reproduce

Have services present, install Jitsi.

Environment details

Ubuntu Server 18.04, Nextcloud, Collabora, Matrix - Synapse, Hauk

nhumrich commented 4 years ago

I ran into this as well. I was not able to fix it. Instead I used Debian instead of Ubuntu, and that issue went away.

licaon-kter commented 4 years ago

@natrius you need to provide the config...nginx...other multiplexer etc

fwolfst commented 4 years ago

Did you delete the nginx jitsi module conf file like written in https://github.com/jitsi/jitsi-meet/issues/5596 ? Or updated to current version?

tsvetomir commented 4 years ago

Try moving /etc/nginx/modules-enabled/60-jitsi-meet.conf to /etc/nginx/modules-available/ and restarting nginx. This module contains a server config that listens on 443.

Maybe related to this section of the docs:

If you are already running Nginx on port 443 on the same machine you better skip the turnserver configuration as it will conflict with your current port 443, so use the command apt install --no-install-recommends jitsi-meet.

subversion23 commented 4 years ago

Had the same issue. Some jvb component tried to listen on port 443 and blocked nginx from using it. This causes the error. I added in /etc/jitsi/videobridge/sip-communicator.properties:

org.jitsi.videobridge.TCP_HARVESTER_PORT=88
org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=4443

so it uses some unused ports (they are behind a firewall anyway), and restarted all Jitsi services and nginx. It worked.

If this doesn't work for you, look at netstat -tulpn and find out what process is listening on port 443.

sellth commented 4 years ago

Try moving /etc/nginx/modules-enabled/60-jitsi-meet.conf to /etc/nginx/modules-available/ and restarting nginx. This module contains a server config that listens on 443.

This config file is the main culprit, but your solution will break the Jitsi web service. Instead one should try sudo apt purge jitsi-meet-turnserver for now. Alternative workaround if you do not want to miss the turn server: Change the port in all other server blocks from 443 to 4444. (not tested)

Edit: Can we somehow make the turn server conf coexist happily with other services on 443?

natrius commented 4 years ago

So, Jitsi should go and detect if there is something listening already on Port 443 and ask if you would like to change the port to some alternative port ("Jitsi detected the application xxx is already running on Port 443. Would you like to change the port to 4444 for Jitsi?" or something like that)? That would be a good solution and it would still be an easy installation.

sellth commented 4 years ago

Actually it's not that simple. The NGINX module installed by the jitsi-turnserver package listens for ALPN protocols declared by the accessing party, then directs HTTP traffic to port 4444 and all other traffic to port 4445. This means that clients which don't support ALPN or don't use it are always directed to port 4445, i.e. the turn server.

I found this a problem with the Nextcloud Desktop client and the SSL Labs ssltest website. I'm not an expert here, but can we not specifically listen for TURN traffic and default all other traffic towards 4444?

damencho commented 4 years ago

We opened a bug on Chrome tracker for this, as they do not specify ALPN on the turn tcp connection, not sure when that will be fixed. We also need to test this with the rest of the browsers, but as this was a stopper we dropped that approach.

sellth commented 4 years ago

In a probably very naive approach I changed /etc/nginx/modules-enabled/60-jitsi-meet.conf to also consider the server name.

map $ssl_preread_server_name:$ssl_preread_alpn_protocols $upstream {
    ~my.domain.tld:\bh2\b         web;
    ~my.domain.tld:\bhttp/1\.     web;
    ~my.domain.tld:.*             turn;
    default                       web;
}

So far this seems to be working, any reason why it might break? Even in a multi-domain setup stun and turn servers are advertised using the primary domain, right?
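The routing decisions discussed in the comments above (ALPN-only versus the SNI-aware map), modelled in Python as an added example that is not part of the thread or of the Jitsi packages. It assumes nginx `map` picks the first matching regex in file order; the ALPN_ONLY table is reconstructed from the description in the thread, and the STRICT table, the sample hostnames and the ALPN lists are constructed for illustration.

```python
import re

def nginx_map(rules, default, value):
    """Model nginx `map` with regex entries: the first regex that matches,
    in file order, decides; otherwise the `default` entry is used."""
    for pattern, result in rules:
        if re.search(pattern, value):  # nginx map regexes are unanchored too
            return result
    return default

# ALPN-only routing as described in the thread (reconstructed from that
# description, not copied from the package): HTTP ALPN -> web, rest -> turn.
ALPN_ONLY = ([(r"\bh2\b", "web"), (r"\bhttp/1\.", "web")], "turn")

# The map posted above, keyed on "$ssl_preread_server_name:$ssl_preread_alpn_protocols".
SNI_AWARE = ([(r"my.domain.tld:\bh2\b", "web"),
              (r"my.domain.tld:\bhttp/1\.", "web"),
              (r"my.domain.tld:.*", "turn")], "web")

# Tightened variant (an assumption of this example): anchored, dots escaped,
# HTTP ALPN ids accepted at any position in the comma-separated list.
STRICT = ([(r"^my\.domain\.tld:(.*,)?(h2|http/1\.[01])(,|$)", "web"),
           (r"^my\.domain\.tld:", "turn")], "web")

def route(table, sni, alpn, with_sni=True):
    rules, default = table
    value = f"{sni}:{alpn}" if with_sni else alpn
    return nginx_map(rules, default, value)

# Constructed ClientHello samples: (label, SNI, ALPN list as one string).
SAMPLES = [
    ("browser to Jitsi",           "my.domain.tld",       "h2,http/1.1"),
    ("TURN/TLS without ALPN",      "my.domain.tld",       ""),
    ("other vhost, no ALPN",       "cloud.example.org",   ""),
    ("Jitsi, h2 not listed first", "my.domain.tld",       "spdy/3.1,h2,http/1.1"),
    ("subdomain vhost, no ALPN",   "cloud.my.domain.tld", ""),
]

def decisions():
    """Return {label: (alpn_only, sni_aware, strict)} for every sample."""
    return {label: (route(ALPN_ONLY, sni, alpn, with_sni=False),
                    route(SNI_AWARE, sni, alpn),
                    route(STRICT, sni, alpn))
            for label, sni, alpn in SAMPLES}

if __name__ == "__main__":
    for label, r in decisions().items():
        print(f"{label:28} alpn_only={r[0]:5} sni_aware={r[1]:5} strict={r[2]}")
```

The last two samples are where the posted map can surprise: an ALPN list that does not start with h2 or http/1.x, or any hostname that merely contains my.domain.tld, falls through to the turn upstream.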

damencho commented 4 years ago

Yes, it is using the primary domain. But in the latest packages turn is not configured when a site listening on 443 is available, to stop breaking people's deployments. This will work for people that want to do a manual install and not break the rest of the website. Maybe this just needs to be documented.

phillipbroberts commented 4 years ago

Can this get documented? I am not sure what is being updated and have been trying to get this to work on Debian 10. Did you update the existing map or add this to the ssl section?

jarbus commented 4 years ago

I'm trying to set up jitsi but am still getting this issue. Has this been fixed in the current version on apt? All fixes mentioned in this thread have failed to work thus far.

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

cobordism commented 3 years ago

I've been struggling with this for days before finally finding this thread/issue!

After adding a specific IP address to /etc/nginx/modules-enabled/60-jitsi-meet.conf, I could at least run another webserver on port 443 on my other IP address. However, since I cannot add a server_name directive in 60-jitsi-meet.conf, it still prevents me from hosting separate https services on the jitsi IP but using a different domain name.

I am still confused about the following: How do I need to change the jitsi configuration so that it listens on port 443 only on a specific IP and answers only to a specific server_name?