-
Notifications
You must be signed in to change notification settings - Fork 542
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Installation behind proxy server w/o SSL #757
Comments
Many great open source solutions lack in support for custom installations, and I think BBB is no exception. The instruction given in the doc is awfully confusing. I was going to say it is wrong, but since I am not an expert, I will reserve that claim for now. Below is the proxy server installation insturctions. From the above link, I can feel that it is written by an extremely highly experienced Nginx dev or a complete novice. For starters, you can't have another URL in proxy pass without a defined server block, at lesat in my best of knowledge. But in below code lines for Nginx, location /bbb-01/html5client/ { Either the author assumed that 'bbb-01.example.com' is pre-defined in the proxy server, or must have used it as an alias. I checked both cases. Case 1: Predefined downstream server specific subdomain for BBB server {
} server {
} Case 2: Alias server {
} The problem in this case is that, in the backend, all traffics to port 80 is forwarded to backend server's port 443 and later to 81 and 82, depending on the logic in 'HA proxy'. Here, since the SSL port (443) is also defined in proxy server, backend port 80's forward to 443 will bring the traffic back to proxy server. Then, proxy brings traffic to backend, and again and again. Redirection loop creates error in the end. Why don't I exclude 'listen 443 SSL' in the proxy? Then, where should that traffic go? How should I response to that traffic? I also set to send proxy's 443 traffic directly to backend's 81 and/or 82, but it also did not work. In either way, the recommended code does not make sense, at least to best of my knowledge. I typically define upstream variables in the proxy server to point backend server's internal IPs and ports. This way, I can make sure that Nginx does the load balancing properly. upstream example_backend { I am not saying that my version is right. It's just that the proposed version seems missing details while it does not take the load balanching into the consideration, in addition to the security issues that the author mentioned at the end of the document. For services like this, you need a lot of ports. I get that. HA Proxy, yes, I can understand that. But the proposed solution for proxy server case does not make sense, or at least highly confusing. I can make it work with Docker installations, but I really want to try this 3.0-dev version on my existing server, not on a clean machine. |
Thank you for sharing the details of your setup. I’m trying to configure BigBlueButton behind a Traefik reverse proxy using only HTTP, intending to handle SSL termination at the proxy level. However, I haven’t found documentation on setting it up without SSL. Has anyone managed to get a similar setup working, or are there any tips on how to approach this? Any insights would be very helpful. Additionally, is the documentation you mentioned (https://docs.bigbluebutton.org/administration/cluster-proxy/) the one I should be looking at for this configuration? |
@srkn0 hey, I gave up installing non-docker version on private IP behind the firewall. The installer sh's SSL setting is one thing and coturn server was another. The only setting that I was able to make it working is to install coturn on a standalone server with public IP and to install Docker version BBB on backend servers behind proxy. I do SSL handshake at the proxy server. I wish I dont have to rely on the docker version, but it was too much for me. Plz share your findings if you can find any better solution. |
I try to install BBB v3.0 beta release on a hard machine / via a docker (v.2.7.3 for this)
I have proxy server that handles all SSL handshaking and pass the traffic to backend.
Reading this doc(https://docs.bigbluebutton.org/administration/cluster-proxy/), I thought my set up is supported.
First, I tried to install BBB without SSL, so with -d option.
Though it is recommended to use different URL for each installations behind the proxy, I thought it is just an illustration purpose. I usually do this with backend stream block in Nginx. For this one, plz let me know if I really have to set diferent sub-domains for each BBB installation and keep the clean sub-domain at proxy server.
then, after the hard machine installation, I get connection failure for HTTP/2 (so HTTPS). I changed all nginx configurations in /etc/nginx/sites-enabled/bigbluebutton, but it did not work.
So, I gave up and run without -d and added back -e myemail@example.com in the installation command. It will do double SSL handshakes, so websites should be slower, but I can respect BBB style.
Now, even after that, I still cannot see the website.
What other configuration setting modification(s) is/are needed?
I have
for other required UDP ports, 16384 - 32768, I also added them to Router OS, but they all go to proxy server. Not sure what should be done. At least, I cannot load balance them in my Router OS. It has to be done at Nginx proxy, but have no clue for this.
In case relevant, I have two BBB servers at the backend, each with 30 cores 100 GB RAM, and I want them to share the traffic.
When it comes to video storage, I am going to use S3 compatible internal video/stream server.
I guess I just need to change a little big of setting, but can't figure out from the docs.
The text was updated successfully, but these errors were encountered: