mumble-voip / mumble

Mumble is an open-source, low-latency, high quality voice chat software.
https://www.mumble.info

How to deploy mumble inside docker and behind a nginx reverse proxy? #5743

Closed JobberRT closed 2 years ago

JobberRT commented 2 years ago

The issue

My situation is that I deploy mumble inside a docker container, mount the TLS key and cert (for mumble and for nginx) to the container, and expose its 64738 port to the host's 10004. Then I use nginx as a reverse proxy for it; nginx's mumble.XXX.com reverse-proxies to localhost:10004. But after a few attempts, I still can't figure out how to achieve this.

My network to mumble is good and I don't need that kind of low latency or performance that UDP brings, TCP is enough for me.

Here's why I do or need this

Here's my problem:

  1. (I believe this is normal and expected, not a problem, but I just wonder if there's any resolution.) I have to set the host in murmur.ini or mumble-server.ini to 0.0.0.0 to make it start. If I set it to mumble.XXX.com, since its DNS points to my host's public IP and mumble-server is in the container, it shows the error address XXX.XXX.XXX.XXX:64738 not reachable.
  2. I mount the TLS key and cert file to the container, and mumble reads it successfully and starts successfully. But the client can't connect and shows the error "this server is using an older encryption standard". I will put my log, the container's openssl version, and nginx's ssl_protocols below.
  3. (Don't know if this is a problem) I can't set the port of mumble to 64738 and expose it to the host's 10004 (see logs), since mumble doesn't know it's in a container, and it will look up mumble.XXX.com for the IP (which is my host's public IP) and use the port 64738 in the config file to connect. And because on the host only localhost:10004 will be used by nginx, it shows "Connection failed, please make sure your server is publicly reachable."

Any idea that can help me deploy my mumble-server inside the container with an nginx reverse proxy to it, and have TLS enabled at the same time?

Mumble version

Server: 1.5.0 (from log) Client: 1.4.230

Mumble component

Both

OS

Linux, Windows

Additional information

Mumble's log

Failed to set initial capabilities
<X>2022-07-14 15:26:32.063 SSL: OpenSSL version is 'OpenSSL 3.0.2 15 Mar 2022'
<W>2022-07-14 15:26:32.063 Initializing settings from /mumble/mumble_server.ini (basepath /mumble)
<W>2022-07-14 15:26:32.063 Binding to address 0.0.0.0
<C>2022-07-14 15:26:32.068 MetaParams: Adding 2 intermediate certificates from certificate file.
<W>2022-07-14 15:26:32.069 MetaParams: TLS cipher preference is "************"
<C>2022-07-14 15:26:32.070 WARNING: You are running murmurd as root, without setting a uname in the ini file. This might be a security risk.
<W>2022-07-14 15:26:32.070 Resource limits were 0 0
<C>2022-07-14 15:26:32.070 Failed to set priority limits.
<C>2022-07-14 15:26:32.070 Failed to set final capabilities
<W>2022-07-14 15:26:32.306 ServerDB: Opened SQLite database /mumble/mumble_server.sqlite
<W>2022-07-14 15:26:32.306 ServerDB: Using SQLite's default rollback journal.
<W>2022-07-14 15:26:33.407 Performed initial PBKDF2 benchmark. Will use 16000 iterations as default
<W>2022-07-14 15:26:33.407 Generating new tables...
<W>2022-07-14 15:26:33.423 Murmur 1.5.0 (1.5.0) running on Linux: Ubuntu 22.04 LTS [x64]: Booting servers
<W>2022-07-14 15:26:33.456 1 => Password for 'SuperUser' set to '********'
<W>2022-07-14 15:26:33.485 1 => Server listening on 0.0.0.0:64738
<W>2022-07-14 15:26:33.493 1 => Failed to set IPV6_RECVPKTINFO for 0.0.0.0:64738
<W>2022-07-14 15:26:33.501 1 => Registering zeroconf service...
<W>2022-07-14 15:26:33.501 Zeroconf: Third-party API reports error -65537, service registration probably failed
<W>2022-07-14 15:28:58.499 1 => Registration: Attempting to connect to ***.***.***.***:64738...
Connection failed, please make sure your server is publicly reachable.

<W>2022-07-14 15:29:20.727 1 => <0:(-1)> New connection: 192.168.1.1:47868
<W>2022-07-14 15:29:20.737 1 => <0:(-1)> Connection closed: Error during SSL handshake: error:0A00009C:SSL routines::http request [13]

Nginx's config: ssl_protocols TLSv1.2 TLSv1.3;

vitoyucepi commented 2 years ago

@JobberRT your problem is that you are using http to connect from nginx to mumble-server. I think it will help more if you provide minimal configs for nginx and mumble.

Nevertheless there are some options.

  1. Ignore nginx and expose mumble ports in docker.
  2. Use nginx module stream without SSL termination.
  3. Try to use module stream and terminate SSL encryption.
  4. SSL termination in nginx and then reencryption to mumble-server.

Check these docs: https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/. Though I'm not sure if the required functions are present in the open source version.
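
Option 2 from the list above written out as an nginx configuration; this is an added illustration, not something posted by anyone in the thread. It assumes nginx was built with the stream module (`--with-stream`), listens on Mumble's default port 64738, and that the container's TCP port is published on 127.0.0.1:10004 as in the original report. The commented-out `http` block is a constructed sketch of the kind of setup that produces the `http request` handshake error in the log.

```nginx
# Added example. Assumed values: listen port 64738, backend 127.0.0.1:10004.

# Fails: an http{} server speaks HTTP to the backend, and mumble-server
# expects a TLS ClientHello on that socket, so the handshake is rejected
# with "error:0A00009C:SSL routines::http request".
#
# http {
#     server {
#         listen 443 ssl;
#         server_name mumble.XXX.com;
#         location / { proxy_pass http://localhost:10004; }
#     }
# }

# Works: stream{} sits at the top level of nginx.conf, next to http{},
# and forwards raw TCP without touching the TLS session.
stream {
    upstream mumble_tcp {
        server 127.0.0.1:10004;      # container's published TCP port
    }

    server {
        listen 64738;                # no "ssl" parameter: TLS is not terminated here
        proxy_pass mumble_tcp;       # bytes are relayed unchanged to mumble-server
        proxy_connect_timeout 5s;
        proxy_timeout 10m;           # close the session after 10 minutes of silence
    }
}
```

With passthrough, clients validate the certificate mounted into the container, nginx's `ssl_protocols` setting no longer applies to this traffic, and mumble-server logs and bans by nginx's address rather than the real client address. Only TCP is relayed here, matching the stated requirement that TCP is enough.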

JobberRT commented 2 years ago

@vitoyucepi Yes, I'm trying to use http to mumble cause I think http is also a TCP package.

BTW, I just gave up, I expose the port to the public, and everything works~ Thanks for helping!

vitoyucepi commented 2 years ago

@JobberRT you could also publish both tcp and udp ports using docker.

For some reason I've never tried to strip ssl in nginx for mumble, because I've found a way to properly rotate LE certs in docker container without restarting mumble process.