【发布时间】:2020-05-20 11:18:23
【问题描述】:
我有一台运行 Ubuntu 18.04 和 Nginx 的服务器,并在其上托管了一个功能齐全的 Jitsi Meet 实例。 另一方面,我有 2 个其他站点(一个是响应前端,另一个是后端),我需要它们具有 ssl 证书,因为我们从前端使用 Jitsi Meet api,而 chrome 不允许我们授予权限麦克风和摄像头,因为前端不安全。
所以我尝试安装 certbot 并获取 Let's Encrypt 证书,但是当我得到它并尝试重新启动 nginx 时,它失败了。
我认为这与 Jitsi 使用端口 443 或其他什么有关,但我真的无法判断...
这是 jitsi 域的 nginx 配置文件:
server_names_hash_bucket_size 64;
server {
listen 80;
listen [::]:80;
server_name video.<base-domain>;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root <path-to-jitsi>;
}
location = /.well-known/acme-challenge/ {
return 404;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 4444 ssl http2;
listen [::]:4444 ssl http2;
server_name video.<base-domain>;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:E$
add_header Strict-Transport-Security "max-age=31536000";
ssl_certificate /etc/letsencrypt/live/video.<base-domain>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/video.<base-domain>/privkey.pem;
root <path-to-jitsi>;
# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;
index index.html index.htm;
error_page 404 /static/404.html;
gzip on;
gzip_types text/plain text/css application/javascript application/json;
gzip_vary on;
location = /config.js {
alias /etc/jitsi/meet/video.<base-domain>-config.js;
}
#ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
{
add_header 'Access-Control-Allow-Origin' '*';
alias <path-to-jitsi>/$1/$2;
}
# BOSH
location = /http-bind {
proxy_pass http://localhost:5280/http-bind;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
# xmpp websockets
location = /xmpp-websocket {
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
tcp_nodelay on;
}
location ~ ^/([^/?&:'"]+)$ {
try_files $uri @root_path;
}
location @root_path {
rewrite ^/(.*)$ / break;
}
location ~ ^/([^/?&:'"]+)/config.js$
{
set $subdomain "$1.";
set $subdir "$1/";
alias /etc/jitsi/meet/video.<base-domain>-config.js;
}
#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)$ {
set $subdomain "$1.";
set $subdir "$1/";
rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
}
# BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind {
set $subdomain "$1.";
set $subdir "$1/";
set $prefix "$1";
rewrite ^/(.*)$ /http-bind;
}
# websockets for subdomains
location ~ ^/([^/?&:'"]+)/xmpp-websocket {
set $subdomain "$1.";
set $subdir "$1/";
set $prefix "$1";
rewrite ^/(.*)$ /xmpp-websocket;
}
}
这是前端域的 nginx conf:
server{
server_name app.<base-domain> www.app.<base-domain>;
root <path-to-front>;
index index.html index.htm;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
charset utf-8;
location / {
try_files $uri /index.html;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/default-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/app.<base-domain>/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/app.<base-domain>/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = app.<base-domain>) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name app.<base-domain> www.app.<base-domain>;
listen 80;
return 404; # managed by Certbot
}
这是 nginx 错误日志:
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: still could not bind()
我希望有人能告诉我应该如何配置它以确保 jitsi 和前端的安全。
我还要补充一点,这两个域实际上都是子域...意思是 jitsi 域是 video..com 前面是app..com
真正的配置有正确指定的基域和路径...如果我从前端 nginx 配置中删除所有 ssl 配置,一切都会再次运行。
【问题讨论】:
-
我想我遇到了同样的问题。澄清一下:你能看到另一个进程是否为自己绑定了
443端口吗?我们看不到它被任何东西束缚,对吗?您能看到防火墙中打开的端口吗?如果您看不到谁绑定了它,并且端口在 FW 中打开,那么我很确定我们遇到了完全相同的问题。 -
嗨,我忘了回复这个。显然问题出在转向服务器上。我卸载了它,它工作。我关注了此线程中的一位 cmets community.jitsi.org/t/bind-to-0-0-0-0-443-failed/28615/2
-
我明白了。我们通过基本上卸载所有 jitsi 独有的东西并进行自定义安装来解决它,这样它就无法控制端口 443。这非常困难(jitsi 似乎真的想在服务器中单独存在),但它有效:3
标签: ssl nginx lets-encrypt jitsi jitsi-meet