-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
It's not tested at all and has problems. The recommendation is to use a TURN server for TCP.
- Loading branch information
Showing
3 changed files
with
0 additions
and
18 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What problems does it have in particular?
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not tested nor used by us and we've seen weird deadlocks IIRC. Our recommendation is to use a TURN server instead.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have this feature in use productively and heard only good feedback about it.
We were very happy to have it running like this without the overhead/added complexity of a turn server.
Seeing it getting removed means we'll have to rework our setup again :(
Is the functionality in the jvb itself even planned to be removed?
I think, as long as that's not the case, it seems strange to have the support for an existing feature removed from the docker setup.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It will eventually get removed from the JVB yeah.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here. What I hear from operations, it is even more robust than a TURN server in settings, where communication partners have aggressive firewalls and we set the fallback port to TCP 443. That is because TCP 443 is allowed through quite often with firewalls.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can run the TURN server yourself, then the problem disappears.
While you might not have run into issues yet, they exist, believe me.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@saghul thanks for the info, can you be more specific what the root or the cause of the issues may be?
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I said, deadlocks IIRC.
I guess that if we knew precisely how to fix it we’d have done that ;-) After some analysis we concluded using an external TURN server was a better option going forward.
We have been using coturn successfully in production for a long time now.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got to agree with @saghul we had a few issues with JVB TCP, we now run a few TURN servers on port 443 for aggressive firewalls.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@saghul @DanielMcAssey thanks for sharing your experiences!
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another reason we use TURN/TLS instead of ICE/TCP is that ICE/TCP uses a fake SSL handshake that can be detected and blocked by firewalls.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could someone elaborate a bit on how to set up a TURN server and configure it in the Docker environment variables? The documentation in the handbook is, depending how you look at it, either not applicable or partially missing. We use the TCP mode of JVB almost exclusively, and while it has its quirks, it works flawlessly. It might be buggy, but it still works better than other WebRTC products that use UDP.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can configure an external TURN server as follows:
docker-jitsi-meet/env.example
Line 370 in 1b51c77
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was using JVB TCP as well in production and it was working fine.
Now I have to switch to TURN. Are you going to implement a TURN server docker in the docker-jitsi-meet ? I see there is a
TURN server.
line available inTODO
section of the github page.Any recommendations on which docker image / open source TURN server product I shall use for Jitsi?
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The debian packages by default use coturn with this config: https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-turn/turnserver.conf
You need to take care of using valid certificates for the domain used to access the turn server.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like there is an official docker image for coturn: https://github.com/coturn/coturn/tree/master/docker/coturn
Going to check whether I can configure docker-jitsi-meet to run with this docker image over TCP correctly
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am trying to force jitsi to use TCP with no UDP and no P2P (
config.webrtcIceUdpDisable=true&config.webrtcIceTcpDisable=false&config.p2p.enabled=false
).Can an external TURN server such as coturn work in this case?
I have tried many configs and still cant get jitsi running in TCP with coturn
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I managed to run coturn docker image successfully and validated the TURN server by using Trickle ICE
Jitsi meet docker does not still work when UDP is disabled with the TURN server.
Has anybody here been able to use jitsi / TCP with coturn ?
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you mean? The turn server should be able to use udp, as it needs it to connect to jvb.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These config flags probably don't work as you intend with TURN. When allocating through TURN/TLS the candidate's protocol will be 'UDP', so
webrtcIceUdpDisable=true
will effectively disable TURN. Also, these only supress signaling certain candidates, while they may still be used. I suggest not using webrtcIceUdpDisable and webrtcIceTcpDisable and blocking the network instead.7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've managed to get it working by setting these environment variables in the deployment:
And then blocking udp port 10000 traffic with:
And then starting the Jitsi meeting. With a
tcpdump
you will then see all traffic going to the TURN server on port 443, instead of the Jitsi server on port 10000.Don't forget you need to at least have 3 participants in the meeting otherwise you will have a peer-to-peer connection.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I eventually managed to run a coturn-docker on the same server as the jitsi-docker server and force TLS/port 4443 for all clients.
First, p2p can be disabled by adding
config.p2p.enabled=false
to the URL of the jitsi meet room. This will make all clients to use JVB.Second, You may disable direct UDP connections to JVB if you wish your clients to always use TLS/TCP. I commented out the
DOCKER_HOST_ADDRESS=
line in the .env file of docker-jitsi-meet for this purpose. This way, the Videobridge will advertise the internal IP address of the Docker which is inaccessible by clients.Third, Configure the turn server in jitsi-docker .env file:
Since coturn-docker is hosted on the same server as jitsi-docker,
TURNS_HOST
is set to the same domain that we have used for jitsi and we have got a SSL for it usingLETSENCRYPT_DOMAIN
section of the .env file.Fourth, Add the following entries in the
docker-compose.yml
file of docker-jitsi-meet-stable-7001, to set up a coturn container alongside other containers:Finally the content of
/usr/src/docker-jitsi-meet-stable-7001/turnserver.conf
should be the default jitsi config file for coturn:the docker ip range needs to be commented out in the above denied-peer-ip if you wish the coturn docker access your jvb using its internal IP rather than the public IP
Note that Jitsi does not show you anything about the TURN server / port in the connection information, and it shows the JVB IP / port . It would be nice if the turn server / port is also shown in the connection information.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@madmatah Adding the "denied-peer-ip" is a security requirement, otherwise, you are exposing your internal network to the world, you better add them. The coturn will be accessing jvb on its public address when you drop the external-ip config from the coturn config.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How are you making sure the HTTPS traffic doesn’t go to coturn?
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You were right! It worked when I dropped the external-ip line in coturn config. It was not also required for coturn to be on the same network as jvb. I have updated this in my post above.
I'm actually using port 4443 in production. I have updated my post above with the correct port.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think 443 can be used if you configure nginx to proxy the traffic to coturn using SNI for detecting the domain, but I'm not sure if there might be incompatibilities.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is apparently not possible according to coturn/coturn#43
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like it might be possible in certain scenarios (coturn/coturn#702) but not as straightforward as I thought, oh well.
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interesting. I have Jitsi and coturn running in the same Kubernetes cluster, so I had the same issue that when looking in the connection stats in Jitsi itself for my self-view, I could see the internal 10.x.x.x IP address of the Jitsi JVB pod as the remote address, and the internal 10.x.x.x IP address of the coturn pod as the local address. So I was connecting via TCP to coturn (obviously over the internet, over the public LoadBalancer service in k8s towards coturn) but coturn was connecting via UDP to JVB using the internal k8s connection, hence I could see both the internal IPs in my connection view.
Since then, I have added the
denied-peer-ip
lines and removed theexternal-ip
line from theturnserver.conf
file, which is still working, but now shows a slightly different status in my connection self-view:Remote address
is now the public IP address of the JVB service,Local address
is still the 10.x.x.x IP address of the coturn pod. So I'm not entirely sure how the connection is now flowing. It is still working fine though for people with UDP blocked, but I would actually expect to see the coturn public IP address in there. Or maybe this is just something that is inherent to docker/k8s internal networking?Anyway, adding the
denied-peer-ip
lines and blocking tcp relaying is probably a good idea, otherwise coturn could in theory relay network traffic to my other internal Kubernetes services.7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure this is applicable here, but it can be done behind proxy using a different DNS https://jitsi.github.io/handbook/docs/devops-guide/turn#use-turn-server-on-port-443
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mghadam: Thanks for providing 7a93978#commitcomment-68759524. That fixed our setup behind a loadbalancer. Thanks!
7a93978
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's what I mentioned about SNI, but there seem to be some bugs? coturn/coturn#702