Maxim,
I made a mistake: in the nginx configuration section, the openmeetings port
should be 5443 instead of 5080, sorry for that.
I also forgot to mention that only TCP requests are allowed through our
firewall; UDP is prohibited, as far as I know.
Can you examine my configs and say what is wrong?

Regards,
Yarema

  location /openmeetings {
        # Reverse-proxies /openmeetings to the OpenMeetings container.
        # NOTE(review): the mail above says this port should be 5443, not
        # 5080 -- confirm which value the running config actually uses.
        proxy_pass http://localhost:5080/openmeetings;

        # Pass the original Host header through to the backend.
        proxy_set_header Host $host;
        # HTTP/1.1 plus Upgrade/Connection are what WebSocket proxying needs;
        # note Connection is forced to "upgrade" on every request hitting this
        # location, not only on requests that actually carry an Upgrade header.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client already sent, so the backend should trust only the last
        # (nginx-added) entry; X-Real-IP is the direct peer address.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Referer is overwritten with a fixed https URL built from $host.
        proxy_set_header Referer 'https://$host/openmeetings/';
        proxy_set_header X-Real-IP $remote_addr;
        }

On Mon, Mar 16, 2020 at 5:01 PM YUP <[email protected]> wrote:
>
> Please take your time.
> I am going to describe my setup briefly.
>
> Initial data:
> External nat has address external_nat_ip
> All external ports are closed except 443
> From inside, only http connections to ports 80, 8080, 443 and 22 are allowed
>
> Openmeetings runs in docker, I use docker-compose with the following
> docker-compose.yml:
>
> version: '3.7'
> services:
>   openmeetings:
>     image: apache/openmeetings:min-5.0.0-M3
>     # No host address given, so these ports are published on every host
>     # interface; only the host/NAT firewall keeps them off the outside.
>     # If only the local nginx needs them, "127.0.0.1:5080:5080" (etc.)
>     # limits the bind to loopback.
>     ports:
>       - "5080:5080"
>       - "5443:5443"
>     volumes:
>       - ~/openmeetings/omdata:/opt/omdata
>       - ~/openmeetings/logs:/opt/openmeetings/logs
>     environment:
>       # OM reaches KMS by compose service name inside the compose network;
>       # this link does not need KMS to be reachable from outside.
>       - OM_KURENTO_WS_URL=ws://kurento:8888/kurento
>       # Static TURN long-term credentials, identical to the coturn service
>       # below and to KMS_TURN_URL: plain text, shared by three services, so
>       # this compose file has to be treated as a secret (or move them to an
>       # env file that is not shared).
>       - TURN_USER=kurento
>       - TURN_PASS=kurento
>       # "external_nat_ip" is a placeholder (see the mail above). No port is
>       # given, so the TURN default (3478) presumably applies -- but the
>       # mail says only 443 is reachable from outside; confirm what port the
>       # browsers actually reach.
>       - TURN_URL=external_nat_ip?transport=tcp
>       - OM_DB_TYPE=mysql
>       # presumably the docker0 gateway, i.e. a MySQL on the host -- confirm
>       - OM_DB_HOST=172.17.0.1
>       - OM_DB_PORT=3306
>       - OM_DB_USER=om_user
>       - OM_DB_PASS=om_passwd
>       - OM_DB_NAME=openmeetings
>     depends_on:
>       - kurento
>       - coturn
>     restart: unless-stopped
>   kurento:
>     image: kurento/kurento-media-server
>     # Publishes the KMS control WebSocket (JSON-RPC) on every host interface.
>     # NOTE(review): KMS's control API has no built-in authentication (per
>     # Kurento's own docs -- verify for this image); OpenMeetings already
>     # reaches it through the compose network, so this mapping is presumably
>     # only needed for the nginx /kurento proxy -- if kept, bind it to
>     # 127.0.0.1.
>     ports:
>       - "8888:8888"
>     environment:
>       # user:password@host form; must match the coturn credentials below.
>       - KMS_TURN_URL=kurento:kurento@external_nat_ip?transport=tcp
>     restart: unless-stopped
>   coturn:
>     image: kurento/coturn-auth
>     ports:
>       - "3478:3478"
>     environment:
>       - LISTENING_PORT=3478
>       - REALM=kurento.org
>       # Static long-term credentials (same as TURN_USER/TURN_PASS above).
>       - USER=kurento
>       - PASSWORD=kurento
>     restart: unless-stopped
>
> I use sslh https://github.com/yrutschle/sslh to connect to different
> services behind the nat with the following configuration:
>
> verbose: true
> # Probe timeout; presumably in seconds, after which an unidentified
> # connection is handed to sslh's fallback protocol (the first in the list,
> # ssh, as far as the sslh docs go -- confirm). 18000 is very long; check
> # it was not meant as milliseconds.
> timeout: 18000;
> listen:
> (
>     { host: "internal_nat_ip"; port: "443"; }
> );
> # Probes are tried in list order against the first bytes the client sends.
> protocols:
> (
> # ssh:
>      { name: "ssh"; service: "ssh"; host: "localhost"; port: "22";
> probe: "builtin"; },
> # openvpn:
>      { name: "openvpn"; host: "localhost"; port: "1194"; probe: "builtin"; },
> # nginx:
>      # Anything that looks like a TLS ClientHello goes to nginx, so a
>      # TURN-over-TLS (turns:) client on 443 would also land here rather
>      # than on coturn -- only plain STUN/TURN over TCP reaches the entry below.
>      { name: "ssl"; host: "localhost"; port: "2443"; probe: "builtin";
> log_level: 0;},
> # coturn:
>      # Matches the STUN magic cookie 0x2112A442 (RFC 5389), i.e. plain
>      # STUN/TURN over TCP as used by the ?transport=tcp URLs in the compose
>      # file.
>      { name: "regex"; host: "localhost"; port: "3478"; regex_patterns:
> [ "\x21\x12\xa4\x42" ]; }
> );
> # Connects to the backends with the original client source address; this
> # needs the routing/iptables setup from sslh's documentation on the host,
> # otherwise backend replies do not come back through sslh -- worth
> # re-checking if connections stall after the probe.
> transparent: true;
>
>
> And the nginx configuration (there are other services, I left only
> openmeetings and kurento (do I really need to have the kurento websocket
> outside the nat?))
>
>
> server {
>     # No address on listen = bound on every IPv4/IPv6 interface, so this
>     # vhost is reachable directly on 2443 by anything that can reach the
>     # host, not only through sslh on 443. If sslh (forwarding to
>     # localhost:2443) is the only intended client, `listen 127.0.0.1:2443
>     # ssl http2;` keeps it off the other interfaces.
>     listen       2443 ssl http2;
>     listen [::]:2443 ssl http2;
>     server_name  localhost;
>
>     # Server-level autoindex: any directory under the root without an index
>     # file gets a generated listing in every location that does not override
>     # it (the `deny all` locations below hide file contents, not file names
>     # in such listings). Intentional? -- confirm.
>     autoindex on;
>     root   /srv/http/;
>     index index.php index.html index.htm;
>
> #    ssl_certificate      /etc/httpd/conf/server.crt;
> #    ssl_certificate_key  /etc/httpd/conf/server.key;
>
>     # Certificate/key (and possibly other ssl_* settings) come from here.
>     include conf/001-certbot.conf;
>
> #    ssl on;
>     ssl_session_cache  builtin:1000  shared:SSL:10m;
>     # Only TLS 1.0 and 1.1 are enabled and TLS 1.2 is commented out. Both
>     # enabled versions are deprecated (RFC 8996) and current browsers are
>     # dropping them, so clients may fail the handshake before nginx ever
>     # sees a request. `ssl_protocols TLSv1.2 TLSv1.3;` is the usual choice
>     # (TLSv1.3 needs OpenSSL 1.1.1+). If 001-certbot.conf also sets
>     # ssl_protocols, nginx rejects the duplicate -- check which file governs.
>     ssl_protocols  TLSv1 TLSv1.1; #TLSv1.2;
> #    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
> #    ssl_prefer_server_ciphers on;
>
>
>      proxy_headers_hash_max_size 512;
>      proxy_headers_hash_bucket_size 128;
>
>     # PHP via php-fpm. Regex locations are tried in file order and the first
>     # match wins, so this one also captures e.g. /setup/x.php or /doc/x.php
>     # before the `deny all` locations further down are consulted; move those
>     # deny locations above this block if they are meant to cover .php paths.
>     # There is no `try_files $fastcgi_script_name =404;` guard before
>     # fastcgi_pass, so whether a request for a non-existent script is
>     # rejected depends on php-fpm's settings (security.limit_extensions,
>     # cgi.fix_pathinfo) -- confirm.
>     location ~ [^/]\.php(/|$) {
>         fastcgi_split_path_info  ^(.+\.php)(/.+)$;
>         fastcgi_index            index.php;
>         fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
>         include fastcgi.conf;
>         fastcgi_param   PATH_INFO       $fastcgi_path_info;
>         fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
>     }
>
> # User directories, e.g. http://example.com/~user/ :
>         # Guarded by PAM auth (needs ngx_http_auth_pam_module).
>         location ~ ^/~(.+?)(/.*)?$ {
>         alias     /home/$1/public_html$2;
>         index     index.html index.htm;
>         autoindex on;
>         auth_pam              "Restricted Zone";
>         auth_pam_service_name "nginx";
>     }
>
>       # Deny static files
>        location ~ ^/(README|LICENSE|ChangeLog|DCO)$ {
>           deny all;
>        }
>
>        # Deny .md files
>        location ~ ^/(.+\.md)$ {
>           deny all;
>        }
>
>        # Deny setup directories
>        location ~ ^/(doc|sql|setup)/ {
>           deny all;
>        }
>     # NOTE(review): this brace closes the server block, which leaves the
>     # /openmeetings and /kurento locations below outside any server
>     # (nginx refuses to load that). Presumably a paste error -- confirm the
>     # running config has this brace after the last location instead.
>     }
>
>   # Reverse proxy to the OpenMeetings container (see the compose port
>   # mappings). The follow-up mail at the top of this thread says the port
>   # should be 5443, not 5080.
>   location /openmeetings {
>         proxy_pass http://localhost:5080/openmeetings;
>
>         proxy_set_header Host $host;
>         # WebSocket support; Connection is forced to "upgrade" on every
>         # request to this location, not only on actual upgrade requests.
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>
>         # $proxy_add_x_forwarded_for appends to a client-supplied header, so
>         # the backend should trust only the last (nginx-added) entry.
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header Referer 'https://$host/openmeetings/';
>         proxy_set_header X-Real-IP $remote_addr;
>         }
>
>     # NOTE(review): exposes the Kurento control WebSocket (JSON-RPC) to
>     # anyone who can reach this vhost. KMS's control API has no built-in
>     # authentication (per Kurento's docs -- verify), and the compose file
>     # already lets OpenMeetings reach it as ws://kurento:8888/kurento inside
>     # the compose network, so this location is presumably unnecessary; if it
>     # is kept, restrict it (allow/deny, auth) rather than leave it open.
>     location /kurento {
> # prevents 502 bad gateway error
>             proxy_buffers 8 32k;
>             proxy_buffer_size 64k;
> # redirect all HTTP traffic to localhost:8088;
>             # 0.0.0.0 as a connect target is non-standard; 127.0.0.1 is the
>             # explicit form of what is presumably intended (the comment above
>             # also names a different port, 8088 -- confirm).
>             proxy_pass http://0.0.0.0:8888/kurento;
> #            proxy_set_header X-Real-IP $remote_addr;
> #            proxy_set_header Host $http_host;
> #            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>             #proxy_set_header X-NginX-Proxy true;
>             # enables WS support
>             proxy_http_version 1.1;
>             proxy_set_header Upgrade $http_upgrade;
>             proxy_set_header Connection "upgrade";
>             # ~31.7 years: effectively never drops an idle WebSocket.
>             proxy_read_timeout 999999999;
>         }
>
>     # Inherited by the locations above, since none of them sets its own
>     # add_header (a location-level add_header would replace, not extend,
>     # this set).
>     add_header X-Frame-Options SAMEORIGIN;
>     add_header X-Content-Type-Options nosniff;
> }
>
>
>
> On Mon, Mar 16, 2020 at 1:39 PM Maxim Solodovnik <[email protected]> wrote:
> >
> > Hello Yarema,
> >
> > sorry for keeping silent
> > I'll try to investigate this config later this week
> > Too busy with my day job right now :(
> >
> > Please share your further findings here if any :)
> >
> > On Mon, 16 Mar 2020 at 09:04, YUP <[email protected]> wrote:
> > >
> > > Maxim,
> > > I also managed to install coturn on an external server which listens
> > > on port 443. Kurento connects to this port (via TURN_URL,
> > > TURN_USER, TURN_PASS), I can see it in the logs. I see in the logs that
> > > openmeetings connects to kurento. But I don't understand why my whole
> > > setup is not working as needed: I still can't run the settings test,
> > > record and play the sample, and two users can't see each other's
> > > camera video.
> > > Where should I look to find the solution?
> > >
> > > On Sun, Mar 15, 2020 at 7:23 PM YUP <[email protected]> wrote:
> > > >
> > > > I was able to connect to the kurento websocket which is proxied by
> > > > nginx; the solution was very simple: put wss instead of https.
> > > > Probably for some reason openmeetings needs to have ws or wss in the
> > > > input url:
> > > > - OM_KURENTO_WS_URL=wss://external_server_ip_address/kurento
> > > > But it did not solve the issue with recording audio/video in the test
> > > > and between different users.
> > > >
> > > > On Sun, Mar 15, 2020 at 10:16 AM YUP <[email protected]> wrote:
> > > > >
> > > > > No, that is not the reason, I checked.
> > > > >
> > > > > On Sun, Mar 15, 2020 at 10:10 AM YUP <[email protected]> wrote:
> > > > > >
> > > > > > The server has a self-signed certificate, can that be the reason?
> > > > > >
> > > > > > On Sun, Mar 15, 2020 at 9:38 AM YUP <[email protected]> wrote:
> > > > > > >
> > > > > > > Just to inform you, I proxied the kurento websocket in nginx
> > > > > > > and I
> > > > > > > can connect to it:
> > > > > > > $ wscat -n --connect  https://external_server_ip_address/kurento
> > > > > > > (node:24082) [DEP0123] DeprecationWarning: Setting the TLS 
> > > > > > > ServerName
> > > > > > > to an IP address is not permitted by RFC 6066. This will be 
> > > > > > > ignored in
> > > > > > > a future version.
> > > > > > > Connected (press CTRL+C to quit)
> > > > > > > >
> > > > > > >
> > > > > > > I set
> > > > > > > - OM_KURENTO_WS_URL=https://external_server_ip_address/kurento
> > > > > > > but got
> > > > > > > o.a.o.c.r.KurentoHandler:124 [pool-1-thread-1] - Fail to create
> > > > > > > Kurento client, will re-try in 10000 ms
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Sun, Mar 15, 2020 at 8:56 AM YUP <[email protected]> wrote:
> > > > > > > >
> > > > > > > > Can we just proxify kurento websocket? Something like this
> > > > > > > > https://gist.github.com/steve-ng/ed6de1fa702ef70bd6ce ?
> > > > > > > >
> > > > > > > > On Sun, Mar 15, 2020 at 8:41 AM Maxim Solodovnik 
> > > > > > > > <[email protected]> wrote:
> > > > > > > > >
> > > > > > > > > It seems I misread your previous email "all ports except 443, 
> > > > > > > > > 80, 8080 and 22."
> > > > > > > > > I'm afraid you need more open ports ...
> > > > > > > > >
> > > > > > > > > I'm not sure but I would investigate if KMS/TURN URLs can be 
> > > > > > > > > set up
> > > > > > > > > for context i.e.
> > > > > > > > > yourserver:4278/turn, yourserver:8888/kms in this case you 
> > > > > > > > > can proxy them ....
> > > > > > > > >
> > > > > > > > > On Sun, 15 Mar 2020 at 14:32, YUP <[email protected]> wrote:
> > > > > > > > > >
> > > > > > > > > > It nothing changes, only 443 is open to the world.
> > > > > > > > > >
> > > > > > > > > > On Sun, Mar 15, 2020 at 8:24 AM Maxim Solodovnik 
> > > > > > > > > > <[email protected]> wrote:
> > > > > > > > > > >
> > > > > > > > > > > Maybe you can set up KMS to use 8080?
> > > > > > > > > > > TURN requires more open ports to handle "totally closed"
> > > > > > > > > > > networks ...
> > > > > > > > > > >
> > > > > > > > > > > On Sun, 15 Mar 2020 at 14:18, YUP <[email protected]> 
> > > > > > > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > It seems to me that I found what is happening. The firewall
> > > > > > > > > > > > blocks all non-http
> > > > > > > > > > > > requests out to all ports except 443, 80, 8080 and
> > > > > > > > > > > > 22. That is
> > > > > > > > > > > > why I don't have a connection to outside TURN and STUN
> > > > > > > > > > > > servers. Is it
> > > > > > > > > > > > possible to connect to those servers in such conditions?
> > > > > > > > > > > > Tunnels?
> > > > > > > > > > > >
> > > > > > > > > > > > On Fri, Mar 13, 2020 at 1:09 AM YUP 
> > > > > > > > > > > > <[email protected]> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > Hello all,
> > > > > > > > > > > > > Could someone help me with the configuration of my OM
> > > > > > > > > > > > > setup? Any help will
> > > > > > > > > > > > > be greatly appreciated.
> > > > > > > > > > > > > I have a server which is for several reasons behind 
> > > > > > > > > > > > > NAT, only 443 port
> > > > > > > > > > > > > is open. There is sslh balancer, which redirect 
> > > > > > > > > > > > > external traffic to
> > > > > > > > > > > > > different targets: nginx, openvpn, etc. Openmeetings 
> > > > > > > > > > > > > 5.0.0-M3 minimal
> > > > > > > > > > > > > installed in container behind nginx proxy and works 
> > > > > > > > > > > > > well, except audio
> > > > > > > > > > > > > and video. When I perform setup check after logged in 
> > > > > > > > > > > > > (video camera
> > > > > > > > > > > > > and microphone) I can see myself in camera and can 
> > > > > > > > > > > > > also see increasing
> > > > > > > > > > > > > and decreasing green line, which indicate microphone 
> > > > > > > > > > > > > level, but I
> > > > > > > > > > > > > can't save and replay the test recording. As far as I
> > > > > > > > > > > > > understand the
> > > > > > > > > > > > > problem is in NAT, so I had to use kurento server 
> > > > > > > > > > > > > with TURN server. I
> > > > > > > > > > > > > did that by adding the environment variables for 
> > > > > > > > > > > > > kurento server in
> > > > > > > > > > > > > docker container with the corresponding data for 
> > > > > > > > > > > > > turn.anyfirewall.com:
> > > > > > > > > > > > >
> > > > > > > > > > > > >  - KMS_STUN_IP=130.211.143.110
> > > > > > > > > > > > >  - KMS_STUN_PORT=443
> > > > > > > > > > > > >  - 
> > > > > > > > > > > > > KMS_TURN_URL=webrtc:[email protected]:443?transport=tcp
> > > > > > > > > > > > > and the same for openmeetings docker container:
> > > > > > > > > > > > >
> > > > > > > > > > > > >       - TURN_USER=webrtc
> > > > > > > > > > > > >       - TURN_PASS=webrtc
> > > > > > > > > > > > >       - TURN_URL=130.211.143.110:443?transport=tcp
> > > > > > > > > > > > >
> > > > > > > > > > > > > After restarting it allowed me immediately to perform 
> > > > > > > > > > > > > network test
> > > > > > > > > > > > > (except ip ping), but not resolved the issue with 
> > > > > > > > > > > > > camera and
> > > > > > > > > > > > > microphone.
> > > > > > > > > > > > > When I connect to OM server with help of vpn (so I 
> > > > > > > > > > > > > and OM server are
> > > > > > > > > > > > > in the same network) everything works as needed. I 
> > > > > > > > > > > > > can save and replay
> > > > > > > > > > > > > video, I can hear myself, two OM users connected by 
> > > > > > > > > > > > > vpn to OM server
> > > > > > > > > > > > > can talk to each other, etc. But using a vpn
> > > > > > > > > > > > > connection is not an option...
> > > > > > > > > > > > > I spent two days trying to find what I did wrong. I tried
> > > > > > > > > > > > > another TURN and
> > > > > > > > > > > > > STUN servers, different type of configurations and so 
> > > > > > > > > > > > > on, nothing
> > > > > > > > > > > > > helped.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Regards,
> > > > > > > > > > > > > Yarema
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > WBR
> > > > > > > > > > > Maxim aka solomax
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > WBR
> > > > > > > > > Maxim aka solomax
> >
> >
> >
> > --
> > WBR
> > Maxim aka solomax
