Trying to install Jitsi Meet on Debian 10 Nginx Virtualmin - 403 Forbidden

Help! (Home for newbies)
1

Hi,

I’m trying to install Jitsi-Meet on a fresh Virtualmin Debian 10 Nginx vps (sh ./install --bundle LEMP). I’m also using the vps as a DNS server to itself (need nameserver 127.0.01 in /etc/resolv.conf).

In the Jitsi install instructions, it says to put your fqdn for the 127.0.0.1 entry in /etc/hosts. I already had (and still have) an my.vps.ip.address with the same fqdn in /etc/hosts. But following Jitsi install instructions, I altered the 127.0.0.1 entry for my.vps.fqdn. (Perhaps I should have added another 127.0.0.1 and kept the original 127.0.0.1 localhost entry?)

I went through the Jitsi install instructions and it installs a self-signed certificate for itself. Supposedly it installs Jitsi-Meet in /usr/share/jitsi-meet. The Jitsi files are indeed there.

My problem is that when I enter in my browser https://my.vps.fqdn, I get a Nginx 403 Forbidden message. This is after the browser indicates a self-signed certificate, which I assume is from the Virtualmin install. After clicked Advanced and go ahead, then I get the 403 Forbidden.

I’m not sure where my problem is.

  • is it a problem that this vps is a DNS server to itself and thus I can’t use fqdn twice?

  • should I not have two entries (one is 127.0.0.1 and the other is my.vps.ip.addr) for my.vps.fqdn in /etc/hosts?

  • is there something else that needs to happen to my Nginx config?

    root@love:~# cat /etc/resolv.conf # Added by Virtualmin. nameserver 127.0.0.1 nameserver 127.0.0.1 nameserver 8.8.8.8 nameserver 8.8.4.4 root@love:~#
root@love:~# cat /etc/hosts 127.0.0.1 localhost my.vps.fqdn 198.50.169.197 debian10 
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
my.vps.id.addr  my.vps.fqdn        my
root@love:~#
root@love:~# cat /etc/nginx/nginx.conf user www-data; worker_processes auto; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; 
events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
#       server_names_hash_bucket_size 128;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}
root@love:~#
root@love:~# cat /etc/nginx/sites-enabled/my.vps.fqdn.conf server_names_hash_bucket_size 64; 
server {
    listen 80;
    listen [::]:80;
    server_name my.vps.fqdn;

    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root         /usr/share/jitsi-meet;
    }
    location = /.well-known/acme-challenge/ {
       return 404;
    }
    location / {
       return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name my.vps.fqdn;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

    add_header Strict-Transport-Security "max-age=31536000";

    ssl_certificate /etc/jitsi/meet/my.vps.fqdn.crt;
    ssl_certificate_key /etc/jitsi/meet/my.vps.fqdn.key;

    root /usr/share/jitsi-meet;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;
    error_page 404 /static/404.html;

    gzip on;
    gzip_types text/plain text/css application/javascript application/json;
    gzip_vary on;

    location = /config.js {
        alias /etc/jitsi/meet/my.vps.fqdn-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    #ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;
    }

    # BOSH
    location = /http-bind {
        proxy_pass      http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # xmpp websockets
    location = /xmpp-websocket {
        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        tcp_nodelay on;
    }

    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }

    location ~ ^/([^/?&:'"]+)/config.js$
    {
       set $subdomain "$1.";
       set $subdir "$1/";

       alias /etc/jitsi/meet/my.vps.fqdn-config.js;
    }

    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }

    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /http-bind;
    }

    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /xmpp-websocket;
    }
}
root@love:~#
root@love:~# ls -lah /etc/jitsi/meet/my.vps.fqdn* -rw-r--r-- 1 root root 18K Apr 10 23:43 /etc/jitsi/meet/my.vps.fqdn-config.js -rw-r--r-- 1 root root 2.0K Apr 10 23:43 /etc/jitsi/meet/my.vps.fqdn.crt -rw------- 1 root root 3.2K Apr 10 23:43 /etc/jitsi/meet/my.vps.fqdn.key root@love:~#

If anyone has any suggestions and directions for me to troubleshoot this 403 Forbidden, I would appreciate it.

2

Here is the solution to use Jitsi with Virtualmin on Apache: https://community.jitsi.org/t/help-noob-for-fresh-install/23125/8?u=nielhirjee

3

Thanks for the suggestion. I will have a look at it and see how I might apply it to Nginx.

Partly, it’s my inexperience with Nginx, and https SSL with Nginx.

I created a Wordpress site, which could be accessed on the non SSL port 80, but no response from the SSL port 443.

4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.