Please take your time.
I'm going to describe my setup briefly.
Initial data:
The external NAT has address external_nat_ip.
All external ports are closed except 443.
From inside, only HTTP connections to ports 80, 8080, 443 and 22 are allowed.
OpenMeetings runs in Docker; I use docker-compose with the following
docker-compose.yml:
version: '3.7'
services:
  openmeetings:
    image: apache/openmeetings:min-5.0.0-M3
    ports:
      - "5080:5080"
      - "5443:5443"
    volumes:
      - ~/openmeetings/omdata:/opt/omdata
      - ~/openmeetings/logs:/opt/openmeetings/logs
    environment:
      # Kurento control socket, reached over the compose network by service name
      - OM_KURENTO_WS_URL=ws://kurento:8888/kurento
      # TURN settings handed to browsers; without an explicit port, clients
      # use the TURN default 3478 (RFC 7065)
      - TURN_USER=kurento
      - TURN_PASS=kurento
      - TURN_URL=external_nat_ip?transport=tcp
      # MySQL on the host, reached via the docker0 bridge address
      - OM_DB_TYPE=mysql
      - OM_DB_HOST=172.17.0.1
      - OM_DB_PORT=3306
      - OM_DB_USER=om_user
      - OM_DB_PASS=om_passwd
      - OM_DB_NAME=openmeetings
    depends_on:
      - kurento
      - coturn
    restart: unless-stopped
  kurento:
    image: kurento/kurento-media-server
    ports:
      - "8888:8888"
    environment:
      # TURN used by the media server itself, in user:password@host[:port] form
      - KMS_TURN_URL=kurento:kurento@external_nat_ip?transport=tcp
    restart: unless-stopped
  coturn:
    image: kurento/coturn-auth
    ports:
      # TCP only (Docker's default); TURN over UDP would need "3478:3478/udp"
      - "3478:3478"
    environment:
      - LISTENING_PORT=3478
      - REALM=kurento.org
      - USER=kurento
      - PASSWORD=kurento
    restart: unless-stopped
I use sslh https://github.com/yrutschle/sslh to connect to different
services behind the NAT with the following configuration:
verbose: true;
timeout: 18000;

# Single listener: everything arrives on 443 and is demultiplexed by probing
# the client's first bytes
listen:
(
    { host: "internal_nat_ip"; port: "443"; }
);

protocols:
(
    # ssh: client banner "SSH-..." (builtin probe)
    { name: "ssh"; service: "ssh"; host: "localhost"; port: "22";
      probe: "builtin"; },
    # openvpn over TCP (builtin probe)
    { name: "openvpn"; host: "localhost"; port: "1194"; probe: "builtin"; },
    # nginx: TLS ClientHello goes to the 2443 listener
    { name: "ssl"; host: "localhost"; port: "2443"; probe: "builtin";
      log_level: 0; },
    # coturn: match the STUN magic cookie 0x2112A442 (RFC 5389) and hand the
    # TCP connection to TURN on 3478
    { name: "regex"; host: "localhost"; port: "3478";
      regex_patterns: [ "\x21\x12\xa4\x42" ]; }
);

# Preserve the client's source address on forwarded connections
transparent: true;
And the nginx configuration (there are other services; I left only
openmeetings and kurento (do I really need to expose the kurento websocket
outside the NAT?)):
server {
    listen 2443 ssl http2;
    listen [::]:2443 ssl http2;
    server_name localhost;
    autoindex on;
    root /srv/http/;
    index index.php index.html index.htm;
    # ssl_certificate /etc/httpd/conf/server.crt;
    # ssl_certificate_key /etc/httpd/conf/server.key;
    include conf/001-certbot.conf;
    # ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated and disabled in current browsers;
    # offer TLSv1.2 and TLSv1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    # ssl_prefer_server_ciphers on;
    proxy_headers_hash_max_size 512;
    proxy_headers_hash_bucket_size 128;

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        include fastcgi.conf;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # User directories, e.g. http://example.com/~user/ :
    location ~ ^/~(.+?)(/.*)?$ {
        alias /home/$1/public_html$2;
        index index.html index.htm;
        autoindex on;
        auth_pam "Restricted Zone";
        auth_pam_service_name "nginx";
    }

    # Deny static files
    location ~ ^/(README|LICENSE|ChangeLog|DCO)$ {
        deny all;
    }

    # Deny .md files
    location ~ ^/(.+\.md)$ {
        deny all;
    }

    # Deny setup directories
    location ~ ^/(doc|sql|setup)/ {
        deny all;
    }

    # OpenMeetings UI and its WebSocket, from the container's published port 5080
    location /openmeetings {
        proxy_pass http://localhost:5080/openmeetings;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Referer 'https://$host/openmeetings/';
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Kurento's JSON-RPC control WebSocket. KMS has no authentication of its
    # own, so whoever can reach this location can drive the media server;
    # only the OpenMeetings container needs it.
    location /kurento {
        # prevents 502 bad gateway error
        proxy_buffers 8 32k;
        proxy_buffer_size 64k;
        # forward to the Kurento container's published port 8888
        proxy_pass http://127.0.0.1:8888/kurento;
        # proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header Host $http_host;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header X-NginX-Proxy true;
        # enables WS support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 999999999;
    }

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
}
On Mon, Mar 16, 2020 at 1:39 PM Maxim Solodovnik <[email protected]> wrote:
>
> Hello Yarema,
>
> sorry for keeping silence
> I'll try to investigate this config later this week
> Too much day-time job right now :(
>
> Please share your further findings here if any :)
>
> On Mon, 16 Mar 2020 at 09:04, YUP <[email protected]> wrote:
> >
> > Maxim,
> > I also managed to install coturn on an external server which listens
> > on port 443. Kurento connects to this port (via TURN_URL,
> > TURN_USER, TURN_PASS); I can see it in the logs. I see in the logs that
> > openmeetings connects to kurento. But I don't understand why my whole
> > construction is not working as needed. I still can't make the settings
> > test, record and play a sample; two users can't see each other's videos
> > from their cameras.
> > Where should I look to find the solution?
> >
> > On Sun, Mar 15, 2020 at 7:23 PM YUP <[email protected]> wrote:
> > >
> > > I was able to connect to the kurento websocket which is proxied by
> > > nginx; the solution was very simple: put wss instead of https.
> > > Probably for some reason openmeetings needs to have ws or wss in the
> > > input url:
> > > - OM_KURENTO_WS_URL=wss://external_server_ip_address/kurento
> > > But it did not solve the issue with recording audio/video in the test
> > > and between different users.
> > >
> > > On Sun, Mar 15, 2020 at 10:16 AM YUP <[email protected]> wrote:
> > > >
> > > > No, it is not the reason, checked.
> > > >
> > > > On Sun, Mar 15, 2020 at 10:10 AM YUP <[email protected]> wrote:
> > > > >
> > > > > The server has a self-signed certificate, can it be the reason?
> > > > >
> > > > > On Sun, Mar 15, 2020 at 9:38 AM YUP <[email protected]> wrote:
> > > > > >
> > > > > > Just to inform you, I made the kurento websocket proxied in nginx
> > > > > > and I can connect to it:
> > > > > > $ wscat -n --connect https://external_server_ip_address/kurento
> > > > > > (node:24082) [DEP0123] DeprecationWarning: Setting the TLS ServerName
> > > > > > to an IP address is not permitted by RFC 6066. This will be ignored in
> > > > > > a future version.
> > > > > > Connected (press CTRL+C to quit)
> > > > > > >
> > > > > >
> > > > > > I set
> > > > > > - OM_KURENTO_WS_URL=https://external_server_ip_address/kurento
> > > > > > but got
> > > > > > o.a.o.c.r.KurentoHandler:124 [pool-1-thread-1] - Fail to create
> > > > > > Kurento client, will re-try in 10000 ms
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Sun, Mar 15, 2020 at 8:56 AM YUP <[email protected]> wrote:
> > > > > > >
> > > > > > > Can we just proxy the kurento websocket? Something like this:
> > > > > > > https://gist.github.com/steve-ng/ed6de1fa702ef70bd6ce ?
> > > > > > >
> > > > > > > On Sun, Mar 15, 2020 at 8:41 AM Maxim Solodovnik
> > > > > > > <[email protected]> wrote:
> > > > > > > >
> > > > > > > > It seems I misread your previous email "all ports except 443,
> > > > > > > > 80, 8080 and 22."
> > > > > > > > I'm afraid you need more open ports ...
> > > > > > > >
> > > > > > > > I'm not sure, but I would investigate whether KMS/TURN URLs can
> > > > > > > > be set up with a context path, i.e.
> > > > > > > > yourserver:4278/turn, yourserver:8888/kms; in this case you can
> > > > > > > > proxy them ....
> > > > > > > >
> > > > > > > > On Sun, 15 Mar 2020 at 14:32, YUP <[email protected]> wrote:
> > > > > > > > >
> > > > > > > > > Nothing changes, only 443 is open to the world.
> > > > > > > > >
> > > > > > > > > On Sun, Mar 15, 2020 at 8:24 AM Maxim Solodovnik
> > > > > > > > > <[email protected]> wrote:
> > > > > > > > > >
> > > > > > > > > > Maybe you can set up KMS to use 8080?
> > > > > > > > > > TURN requires more open ports to handle "totally closed"
> > > > > > > > > > networks ...
> > > > > > > > > >
> > > > > > > > > > On Sun, 15 Mar 2020 at 14:18, YUP <[email protected]>
> > > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > It seems to me that I found what is happening. The firewall
> > > > > > > > > > > blocks all non-http requests out to all ports except 443, 80,
> > > > > > > > > > > 8080 and 22. That is why I don't have a connection to outside
> > > > > > > > > > > turn and stun servers. Is it possible to connect to those
> > > > > > > > > > > servers in such conditions? Tunnels?
> > > > > > > > > > >
> > > > > > > > > > > On Fri, Mar 13, 2020 at 1:09 AM YUP <[email protected]>
> > > > > > > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > Hello all,
> > > > > > > > > > > > Could someone help me with the configuration of my OM
> > > > > > > > > > > > setup? Any help will be greatly appreciated.
> > > > > > > > > > > > I have a server which is for several reasons behind
> > > > > > > > > > > > NAT; only port 443 is open. There is an sslh balancer,
> > > > > > > > > > > > which redirects external traffic to different targets:
> > > > > > > > > > > > nginx, openvpn, etc. Openmeetings 5.0.0-M3 minimal is
> > > > > > > > > > > > installed in a container behind an nginx proxy and works
> > > > > > > > > > > > well, except audio and video. When I perform the setup
> > > > > > > > > > > > check after logging in (video camera and microphone) I can
> > > > > > > > > > > > see myself in the camera and can also see the increasing
> > > > > > > > > > > > and decreasing green line, which indicates the microphone
> > > > > > > > > > > > level, but I can't save and replay the test recording. As
> > > > > > > > > > > > far as I understand the problem is in NAT, so I had to use
> > > > > > > > > > > > the kurento server with a TURN server. I did that by adding
> > > > > > > > > > > > the environment variables for the kurento server in the
> > > > > > > > > > > > docker container with the corresponding data for
> > > > > > > > > > > > turn.anyfirewall.com:
> > > > > > > > > > > >
> > > > > > > > > > > > - KMS_STUN_IP=130.211.143.110
> > > > > > > > > > > > - KMS_STUN_PORT=443
> > > > > > > > > > > > - KMS_TURN_URL=webrtc:webrtc@130.211.143.110:443?transport=tcp
> > > > > > > > > > > > and the same for the openmeetings docker container:
> > > > > > > > > > > >
> > > > > > > > > > > > - TURN_USER=webrtc
> > > > > > > > > > > > - TURN_PASS=webrtc
> > > > > > > > > > > > - TURN_URL=130.211.143.110:443?transport=tcp
> > > > > > > > > > > >
> > > > > > > > > > > > After restarting it allowed me immediately to perform the
> > > > > > > > > > > > network test (except ip ping), but it did not resolve the
> > > > > > > > > > > > issue with camera and microphone.
> > > > > > > > > > > > When I connect to the OM server with the help of a vpn (so
> > > > > > > > > > > > I and the OM server are in the same network) everything
> > > > > > > > > > > > works as needed. I can save and replay video, I can hear
> > > > > > > > > > > > myself, two OM users connected by vpn to the OM server can
> > > > > > > > > > > > talk to each other, etc. But using a vpn connection is not
> > > > > > > > > > > > an option...
> > > > > > > > > > > > I spent two days trying to find what I did wrong. I tried
> > > > > > > > > > > > other TURN and STUN servers, different types of
> > > > > > > > > > > > configurations and so on; nothing helped.
> > > > > > > > > > > >
> > > > > > > > > > > > Regards,
> > > > > > > > > > > > Yarema
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > WBR
> > > > > > > > > > Maxim aka solomax
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > WBR
> > > > > > > > Maxim aka solomax
>
>
>
> --
> WBR
> Maxim aka solomax