On Thu, 10 Sep 2020 at 19:10, kaffeesurrogat <[email protected]> wrote:
> Dear list,
>
> this problem kept me busy for quite a while. By reading the list,
> posting some messages, getting a lot of replies (many thanks for that) I
> put some configuration changes together and tested them. In short, this
> mail is a summary of all those messages on the list.
>
> I had the problem that my openmeetings clients lost the connection to
> my media server quite often, whenever I was working at my office in my
> company. Sitting at home I didn't have this problem. The IT department
> didn't want to help with opening up some ports, thus another solution had
> to be found.
>
> ------------------------------------------------
> I really need to emphasize that I can't say changing this option will
> do this or that, at least for the nonobvious options. Someone with a
> better understanding should have a look at all the changes I gathered
> from the list to make sure things are correct. Thus this is at your own
> risk, due to my limited knowledge.
>
> ------------------------------------------------
>
> my setup:
>
> openmeetings server
>
> Ubuntu 17.04 LTS
> Virtual Machine hosted by a professional IT company, publicly reachable
>
> Name
> Test,OpenMeetings
> Version
> 5.0.1-SNAPSHOT
> Revision
> 48b6d08
> Build date
> 2020-09-09T16:34:33Z
>
> new builds are downloadable from
>
> https://ci-builds.apache.org/job/OpenMeetings
> <https://ci-builds.apache.org/job/OpenMeetings/job/openmeetings/>
>
> two clients at my company's workplace
>
> client 01:
>
> gentoo linux, chrome
>
> client 02
>
> windows 7 (sorry for that), chrome
>
> ----------------------------------------------------------
>
> CHANGES
>
> (note: you may have to adapt the path)
>
>
> 1) /opt/open505/conf/server.xml
>
> From:
>
> <Connector port="5080" protocol="HTTP/1.1"
>            connectionTimeout="20000"
>            redirectPort="5443" />
>
> To:
>
> <Connector port="80" protocol="HTTP/1.1"
>            connectionTimeout="20000"
>            redirectPort="443" />
>
> From:
>
> <Connector port="5443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150" SSLEnabled="true">
>
> To:
>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150" SSLEnabled="true">
>
> 2) /etc/systemd/system/openmeetings.service
>
> REMARK: I do use the openmeetings.service script which is located in
> /opt/open505.
> Copy it over to /etc/systemd/system, make sure to modify the path
> variables, do a systemctl daemon-reload to make it available and you can
> start and stop your new systemd script with systemctl start/stop
> openmeetings
>
> From:
>
> [Service]
> Type=forking
>
> To:
>
> [Service]
> Type=forking
> AmbientCapabilities=CAP_NET_BIND_SERVICE
>
>
> From:
>
> Environment=CATALINA_PID=/var/run/openmeetings.pid
>
> To:
>
> Environment=CATALINA_PID=/var/run/openmeetings/openmeetings.pid
>
>
> Extra steps:
>
> mkdir /var/run/openmeetings/
> chown nobody /var/run/openmeetings
>
> (nobody should be replaced by the process owner, if you follow the
> instructions from Alvaro it is nobody)
>
> since a *.service-file was changed issue
>
> sudo systemctl daemon-reload
>
>
> 3) create /opt/open505/bin/setenv.sh if it does not exist
>
> content of setenv.sh
> .........................
>
> #!/bin/sh
> CATALINA_PID="/var/run/openmeetings/openmeetings.pid"
>
> ........................
>
> (don't know about the #!/bin/sh line. I didn't need to make the *.sh
> file executable, thus I guess it is not necessary. the env-variable was
> set without it, strange.)
>
> TIP: tail -f /var/log/syslog to see if pid file is created after restart
>
> Maybe this step isn't needed at all. Don't know.
>
> 4) /opt/open505/webapps/openmeetings/WEB-INF/classes/applicationContext.xml
>
> From:
>
> p:turnUrl="MYEXTERNALIP:3478"
>
> To:
>
> p:turnUrl="MYEXTERNALIP:3478?transport=tcp"
>
> This was important: Changing the ports from 5080 redirected to 5443 to
> 80 redirected to 443
> wasn't enough. Coturn does not send any udp packages anymore.
> Just guessing here)
>

To be fair I have no idea what this redirect means :(
Your OM server is accessible at both port 80 and port 443 (you can check it using your browser).
I'm using Apache HTTP server as a frontend proxy and using https://certbot.eff.org/ to renew the Let's Encrypt certificate.

>
> BTW: Don't forget to make the same changes in the CONFIGURATION options of
> the openmeetings web front end. I guess there are quite a few entries
> with a :5443 port in the web addresses.
>
>
> 5) changes to ufw firewall
>
> sudo ufw status gives ....
>
> Zu                         Aktion      Von
> --                         ------      ---
> 22/tcp                     ALLOW       Anywhere
> 1895                       ALLOW       Anywhere
> 3478/udp                   ALLOW       Anywhere
> 3478/tcp                   ALLOW       Anywhere
> 8888/tcp                   ALLOW       Anywhere
> 443/tcp                    ALLOW       Anywhere
> 80/tcp                     ALLOW       Anywhere
> 49152:65535/udp            ALLOW       Anywhere
> 49152:65535/tcp            ALLOW       Anywhere
> 5443                       ALLOW       Anywhere
> 5349                       ALLOW       Anywhere
> 22/tcp (v6)                ALLOW       Anywhere (v6)
> 1895 (v6)                  ALLOW       Anywhere (v6)
> 3478/udp (v6)              ALLOW       Anywhere (v6)
> 3478/tcp (v6)              ALLOW       Anywhere (v6)
> 8888/tcp (v6)              ALLOW       Anywhere (v6)
> 443/tcp (v6)               ALLOW       Anywhere (v6)
> 80/tcp (v6)                ALLOW       Anywhere (v6)
> 49152:65535/udp (v6)       ALLOW       Anywhere (v6)
> 49152:65535/tcp (v6)       ALLOW       Anywhere (v6)
> 5443 (v6)                  ALLOW       Anywhere (v6)
> 5349 (v6)                  ALLOW       Anywhere (v6)
>
> 49152:65535/udp            ALLOW OUT   Anywhere
> 49152:65535/tcp            ALLOW OUT   Anywhere
> 49152:65535/udp (v6)       ALLOW OUT   Anywhere (v6)
> 49152:65535/tcp (v6)       ALLOW OUT   Anywhere (v6)
>
> I guess you can delete the rules with port 5443 now. Still needs to be
> done.
>
>
> 5) Restart everything:
>
> systemctl stop openmeetings
> systemctl stop kurento-media-server
> systemctl stop coturn
> systemctl stop mysql
>
> systemctl start mysql
> systemctl start coturn
> systemctl start kurento-media-server
> systemctl start openmeetings
>
> My two clients are connected to my openmeetings server for about an hour
> now, not a single connection loss.....
>
> Final remark and question:
>
> Since my openmeetings app is listening on a redirected (443) port 80 I
> guess I will have some problems with passing the letsencrypt renew
> automatism, am I right?
>
>
> @dennis
>
> sorry for being so late with this summary, but finally it is there ...
>
>
> Many thanks to all of you, this software is awesome and your help is
> incredible ....
>
>
> Kaffeesurrogat
>

--
Best regards,
Maxim
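
The quoted mail notes that the 5443 firewall rules are left over once the connectors move to 80/443. As an added example (not part of the original thread), the check below generalises that to the whole `ufw status` table: it lists every inbound ALLOW rule whose port is not on a list of ports that should be reachable. The function name `stale_ufw_rules`, the shortened sample table and the `EXPECTED_PORTS` list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list inbound ALLOW rules in `ufw status` output whose port
# is not in the operator's list of ports that should be reachable.

# Constructed sample: a subset of the rule table quoted in the mail.
SAMPLE_UFW='Zu                         Aktion      Von
--                         ------      ---
22/tcp                     ALLOW       Anywhere
3478/udp                   ALLOW       Anywhere
3478/tcp                   ALLOW       Anywhere
8888/tcp                   ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
49152:65535/udp            ALLOW       Anywhere
5443                       ALLOW       Anywhere
5443 (v6)                  ALLOW       Anywhere (v6)
49152:65535/udp            ALLOW OUT   Anywhere'

# Hypothetical allow-list for this setup (an assumption, adjust per host).
EXPECTED_PORTS='22 80 443 3478 8888 49152:65535'

# stale_ufw_rules UFW_STATUS_TEXT EXPECTED_PORTS
# Prints each unexpected inbound rule once, as it appears in column one.
stale_ufw_rules() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        BEGIN {
            n = split(expected, e, " ")
            for (i = 1; i <= n; i++) ok[e[i]] = 1
        }
        {
            # Find the action column; "(v6)" may sit between port and action.
            act = 0
            for (i = 2; i <= NF; i++) if ($i == "ALLOW") { act = i; break }
            # Skip headers, non-ALLOW rules and outbound (ALLOW OUT) rules.
            if (act == 0 || $(act + 1) == "OUT") next
            rule = $1                 # e.g. 443/tcp, 5443, 49152:65535/udp
            port = rule
            sub(/\/.*/, "", port)     # drop the /tcp or /udp suffix
            if (!(port in ok) && !(rule in seen)) { seen[rule] = 1; print rule }
        }'
}

stale_ufw_rules "$SAMPLE_UFW" "$EXPECTED_PORTS"   # prints: 5443
```

On a live host, pipe in the real table with `stale_ufw_rules "$(sudo ufw status)" "$EXPECTED_PORTS"` and build the expected list from the listening sockets shown by `ss -tuln`.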
