Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

iOS Safari cannot open Jitsi Meet welcome page

See original GitHub issue

Description

When trying to open the Jitsi Meet welcome page (the page that presents random words as meeting names) in Safari (on iOS 12.4.1), an error occurs:

Safari cannot open the page because the network connection was lost.

However, Safari 13.1 on macOS 12.15.4 is able to load the page.

Analysis

The problem is that nginx proxies the browser’s HTTPS to the TURN server at 127.0.0.1:4445, which balks and responds with a TCP RST.

The problem is in /etc/nginx/modules-enabled/60-jitsi-meet.conf, which incorrectly maps the browser’s HTTP/2 request to port 4445, rather than 4444:

https://github.com/jitsi/jitsi-meet/blob/c73ba372022db0bb967d628b136934219d8c4fec/doc/debian/jitsi-meet/jitsi-meet.conf#L6-L18

Safari on iOS sends the following ALPN within the TLS Client Hello:

Extension: application_layer_protocol_negotiation (len=48)
  Type: application_layer_protocol_negotiation (16)
  Length: 48
  ALPN Extension Length: 46
  ALPN Protocol:
    ALPN string length: 2
    ALPN Next Protocol: h2
    ALPN string length: 5
    ALPN Next Protocol: h2-16
    ALPN string length: 5
    ALPN Next Protocol: h2-15
    ALPN string length: 5
    ALPN Next Protocol: h2-14
    ALPN string length: 8
    ALPN Next Protocol: spdy/3.1
    ALPN string length: 6
    ALPN Next Protocol: spdy/3
    ALPN string length: 8
    ALPN Next Protocol: http/1.1

The nginx documentation says:

$ssl_preread_alpn_protocols
list of protocols advertised by the client through ALPN (1.13.10). The values are separated by commas.

… so $ssl_preread_alpn_protocols has the string value h2,h2-16,h2-15,h-14,spdy/3.1,spdy/3,http/1.1, which is not an exact string match for any of the three values that would map the request to port 4444. Therefore, it maps to port 4445.

The correct configuration is to use regex matching:

    map $ssl_preread_alpn_protocols $upstream {
        ~\bh2\b         web;
        ~\bhttp/1.1\b   web;
        default         turn;
    }

Environment details

Server: Ubuntu 18.04.4 with jitsi-meet-2.0.4384-1, jitsi-meet-turnserver-1.0.3969-1, jitsi-meet-web-config-1.0.3969-1

Client: Safari on iOS 12.4.1

Issue Analytics

State:
Created 3 years ago
Comments:10 (4 by maintainers)

Top GitHub Comments

1reaction

sneakyxcommented, Apr 14, 2020

Same here, it happens also in every browser, it doesn’t work with

       ~\bh2\b         web;
        ~\bhttp/1.1\b   web;
        default         turn;

I can get it only to get running by default web;

0reactions

fritzfrcommented, May 19, 2020

The correct configuration is to use regex matching:

map $ssl_preread_alpn_protocols $upstream {
    ~\bh2\b         web;
    ~\bhttp/1.1\b   web;
    default         turn;
}

This blocks things like Postman or a simple http request using fetch from accessing the web stuff too. Noticed this while trying to expose a prosody plugin through nginx proxy_pass (https://community.jitsi.org/t/nginx-proxy-pass-for-muc-size-working-in-browser-but-not-postman/57805/2).