The nginx config for meet as given in the docs does not work



  • Hi,

    I am trying to convert from a fully working kweb setup to nginx. Everything except meet works well with the configurations as provided on documentation.kopano.io. I can login to meet but I get a little red icon in the top right corner which tells me I am not connected and placing calls also fails. I have pasted my nginx config as well as the error from the journal below and I’d appreciate any help you can provide, please.

    /etc/nginx/sites-enabled/meet.conf

    upstream konnect {
            server 127.0.0.1:8777;
    }
    
    upstream kapi {
            server 127.0.0.1:8039;
    }
    
    upstream kwmserver {
            server 127.0.0.1:8778;
    }
    
    server {
    
        charset utf-8;
        listen 443 ssl;
        server_name <FQDN>;
        ssl on;
        client_max_body_size 1024m;
        ssl_certificate /etc/ssl/kopano/<FQDN>.crt;
        ssl_certificate_key /etc/ssl/kopano/<FQDN>.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES12>
        ssl_prefer_server_ciphers on;
        #
        # ssl_dhparam require you to create a dhparam.pem, this takes a long time
        ssl_dhparam /etc/ssl/kopano/dhparam.pem;
    
    
    
    location /.well-known/openid-configuration {
            proxy_pass http://konnect/.well-known/openid-configuration;
    }
    
    location /konnect/v1/jwks.json {
            proxy_pass http://konnect/konnect/v1/jwks.json;
    }
    
    location /konnect/v1/token {
            proxy_pass http://konnect/konnect/v1/token ;
    }
    
    location /konnect/v1/userinfo {
            proxy_pass http://konnect/konnect/v1/userinfo;
    }
    
    location /konnect/v1/static {
            proxy_pass http://konnect/konnect/v1/static;
    }
    
    location /konnect/v1/session {
            proxy_pass http://konnect/konnect/v1/session;
    }
    
    location /signin/ {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://konnect/signin/;
    }
    
    location /api/gc/ {
            proxy_pass http://kapi/api/gc/;
    }
    
    # kapi pubs
    location /api/pubs/ {
            proxy_pass http://kapi/api/pubs;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
    }
    
    # disable caching for the service-worker
    location /meet/service-worker.js {
            expires -1;
    }
    
    location /meet {
            rewrite ^/meet/r/(.*)$ /meet last;
            alias /usr/share/webapps/kopano-meet/;
    }
    
    location /api/config/v1/kopano/meet/config.json {
            # When using default values this setting can be kept as it is. Please adapt
            # the next line and copy config.json to /etc/kopano if user modifications
            # are needed
            alias /usr/share/webapps/kopano-meet/config.json;
    }
    
    location /api/v1/websocket/ {
            proxy_pass http://kwmserver/api/v1/websocket/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
    }
    
    location /api/v1/ {
            proxy_pass http://kwmserver/api/v1/;
    }
    }
    

    This is taken straight from the docs here: link to meet install guide

    I have made two small adjustments:

    1. I have added a valid SSL config
    2. I have adjusted the aliases for my distribution’s paths (Arch Linux)

    All kopano services work without issue when used with kweb on the same machine.

    Errors in journal:

    Apr 04 02:19:24 testbench systemd[1]: Started A high performance web server and a reverse proxy server.
    Apr 04 02:19:35 testbench nginx[1174]: 2019/04/04 02:19:35 [error] 1176#1176: *1 open() "/etc/nginx/html/meet/service-worker.js" failed (2: No such file or directory), client: 192.168.0.1, server: <FQDN>, request: "GET /meet/service-worker.js HTTP/1.1", host: "<FQDN>"
    Apr 04 02:19:36 testbench nginx[1174]: 2019/04/04 02:19:36 [error] 1176#1176: *1 open() "/etc/nginx/html/meet/service-worker.js" failed (2: No such file or directory), client: 192.168.0.1, server: <FQDN>, request: "GET /meet/service-worker.js HTTP/1.1", host: "<FQDN>"
    Apr 04 02:19:42 testbench nginx[1174]: 2019/04/04 02:19:42 [error] 1176#1176: *19 open() "/etc/nginx/html/api/kvs/v1/kv/user/kopano-meet-recents" failed (2: No such file or directory), client: 192.168.0.1, server: <FQDN>, request: "GET /api/kvs/v1/kv/user/kopano-meet-recents?recurse=1 HTTP/1.1", host: <FQDN>, referrer: "https://<FQDN>/meet/r/call"
    Apr 04 02:19:42 testbench nginx[1174]: 2019/04/04 02:19:42 [error] 1176#1176: *20 open() "/etc/nginx/html/api/kwm/v2/rtm/connect" failed (2: No such file or directory), client: 192.168.0.1, server: <FQDN>, request: "POST /api/kwm/v2/rtm/connect HTTP/1.1", host: "<FQDN>", referrer: "https://<FQDN>/meet/r/call"
    Apr 04 02:19:43 testbench nginx[1174]: 2019/04/04 02:19:43 [error] 1176#1176: *1 open() "/etc/nginx/html/meet/service-worker.js" failed (2: No such file or directory), client: 192.168.0.1, server: <FQDN>, request: "GET /meet/service-worker.js HTTP/1.1", host: "<FQDN>", referrer: "https://<FQDN>/meet/r/call"
    Apr 04 02:19:43 testbench nginx[1174]: 2019/04/04 02:19:43 [error] 1176#1176: *1 open() "/etc/nginx/html/api/kwm/v2/rtm/connect" failed (2: No such file or directory), client: 192.168.0.1, server: <FQDN>, request: "POST /api/kwm/v2/rtm/connect HTTP/1.1", host: "<FQDN>", referrer: "https://<FQDN>/meet/r/call"
    Apr 04 02:19:44 testbench nginx[1174]: 2019/04/04 02:19:44 [error] 1176#1176: *1 open() "/etc/nginx/html/api/kwm/v2/rtm/connect" failed (2: No such file or directory), client: 192.168.0.1, server: <FQDN>, request: "POST /api/kwm/v2/rtm/connect HTTP/1.1", host: "<FQDN>", referrer: "https://<FQDN>/meet/r/call"
    Apr 04 02:19:47 testbench nginx[1174]: 2019/04/04 02:19:47 [error] 1176#1176: *1 open() "/etc/nginx/html/api/kwm/v2/rtm/connect" failed (2: No such file or directory), client: 192.168.0.1, server: <FQDN>, request: "POST /api/kwm/v2/rtm/connect HTTP/1.1", host: "<FQDN>", referrer: "https://<FQDN>/meet/r/call"
    Apr 04 02:19:50 testbench nginx[1174]: 2019/04/04 02:19:50 [error] 1176#1176: *1 open() "/etc/nginx/html/api/kwm/v2/rtm/connect" failed (2: No such file or directory), client: 192.168.0.1, server: <FQDN>, request: "POST /api/kwm/v2/rtm/connect HTTP/1.1", host: "<FQDN>", referrer: "https://<FQDN>/meet/r/call"
    

  • Kopano

    @irreleph4nt said in The nginx config for meet as given in the docs does not work:

    /etc/nginx/html/meet/service-worker.js" failed (2: No such file or directory

    You seem to have some rule in your nginx configuration that overrules the config you have shown above.



  • @fbartels
    Hi and thank you for jumping in! My nginx config looks like this:

    /etc/nginx/nginx.conf

    user http;
    worker_processes  1;
    
    error_log  /var/log/nginx/error.log  info;
    
    events {
        worker_connections  1024;
    }
    
    http {
        server_names_hash_bucket_size 64;
        server_names_hash_max_size 1024;
    
        include       mime.types;
        default_type  application/octet-stream;
    
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile        on;
        keepalive_timeout 65;
    
        include /etc/nginx/sites-enabled/*;
    }
    

    I can’t spot anything that would overrule the Kopano config. If you can, please shout!
    By the way, that particular error can be worked around by adding an alias directive to the relevant nginx location, pointing right to where the file lives on the filesystem.
    The other error about /api/kwm however is worse. I don’t see anything in the Kopano config to handle that and can’t think of any proxy or location setting that would point it to the right place, given how I don’t even know where these requests are meant to go. :(

    Thanks for your help once again!



  • @fbartels
    I solved this. The issue is that the nginx config given in the kopano-meet installation guide is incomplete. Looking through the overrides and proxy commands in kweb’s base.go file, I found that it contains a lot more such lines than the nginx config presented. To make meet work with nginx, the below entries had to be added. Please let me know in case I am still missing any not-so-obvious ones.

    # the alias is missing which makes nginx look for the service-worker.js file in the wrong place (/etc/nginx)
    location /meet/service-worker.js {
            alias /usr/share/webapps/kopano-meet/service-worker.js;
            expires -1;
    }
    
    # all of the below is missing, because of which meet fails to connect to kwmserverd and turnserver
    location /api/v1/rtm.connect/ {
            proxy_pass http://kwmserver/api/v1/rtm.connect/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
    }
    
    location /api/v1/rtm.turn/ {
            proxy_pass http://kwmserver/api/v1/rtm.turn/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
    }
    
    location /api/kwm/v2/ {
            proxy_pass http://kwmserver/api/kwm/v2/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
    }
    
    # technically works without this one but would be lacking call history if omitted (i.e. recent calls always empty)
    location /api/kvs/ {
            proxy_pass http://kapi/api/kvs/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
    }
    

    EDIT: Follow-up question: Is there a way to ssl-encrypt the proxy_pass connections to the upstream kopano-services?
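
Added example, not part of the original thread and not Kopano's code: a small Python check that replays the request paths from the journal against the location prefixes of the docs config and of the fixed config, to show which requests land on nginx's default root. The dictionary encoding of the locations and the abridged log lines are constructed for this illustration.

```python
import re

# Prefix locations from the docs-derived meet.conf in the first post, with how
# each is served. "root" = neither alias nor proxy_pass, so nginx falls back to
# its default root (/etc/nginx/html in the journal above).
DOCS = {
    "/.well-known/openid-configuration": "proxy", "/konnect/v1/jwks.json": "proxy",
    "/konnect/v1/token": "proxy", "/konnect/v1/userinfo": "proxy",
    "/konnect/v1/static": "proxy", "/konnect/v1/session": "proxy",
    "/signin/": "proxy", "/api/gc/": "proxy", "/api/pubs/": "proxy",
    "/meet/service-worker.js": "root", "/meet": "alias",
    "/api/config/v1/kopano/meet/config.json": "alias",
    "/api/v1/websocket/": "proxy", "/api/v1/": "proxy",
}
# The same set plus the locations added in the fix above.
FIXED = {**DOCS, "/meet/service-worker.js": "alias", "/api/v1/rtm.connect/": "proxy",
         "/api/v1/rtm.turn/": "proxy", "/api/kwm/v2/": "proxy", "/api/kvs/": "proxy"}

# Abridged from the journal in the first post (timestamps, client, host dropped).
LOG = [
    '[error] open() "/etc/nginx/html/meet/service-worker.js" failed, '
    'request: "GET /meet/service-worker.js HTTP/1.1"',
    '[error] open() "/etc/nginx/html/api/kvs/v1/kv/user/kopano-meet-recents" failed, '
    'request: "GET /api/kvs/v1/kv/user/kopano-meet-recents?recurse=1 HTTP/1.1"',
    '[error] open() "/etc/nginx/html/api/kwm/v2/rtm/connect" failed, '
    'request: "POST /api/kwm/v2/rtm/connect HTTP/1.1"',
]
REQUEST = re.compile(r'request: "[A-Z]+ (\S+) HTTP/')

def resolve(path, locations):
    """Longest-prefix match: what nginx does when a server block has only
    plain prefix locations (no '=', '^~' or regex), as in this config."""
    hits = [p for p in locations if path.startswith(p)]
    return max(hits, key=len) if hits else None

def audit(log_lines, locations):
    """Map each logged request path served from the default root to the reason."""
    findings = {}
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]  # locations match the URI without query
        loc = resolve(path, locations)
        if loc is None:
            findings[path] = "no matching location"
        elif locations[loc] == "root":
            findings[path] = f"location {loc} has no alias or proxy_pass"
    return findings

if __name__ == "__main__":
    for name, conf in (("docs", DOCS), ("fixed", FIXED)):
        print(name, audit(LOG, conf))
```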



  • Sorry for reviving this old topic, but I came across this problem when setting up Kopano Meet (supported) on a Debian 9 with Nginx recently.
    Calls will apparently work just fine without service-worker.js, as I didn’t even notice the 502 error when the location wasn’t specified correctly in the config.

    Only when I started to set up guest access, I never was able to successfully join a conference with a guest user. It just redirected to the Meet splash-screen. The server produced those log messages, but no apparent errors:

    ... kopano-kwmserverd[10439]: level=debug msg="guest handler logon request" guest=1 manager=guest
    ... kopano-konnectd[13265]: level=error msg="inner authorize request failed"
    

    At that point I did open the browser console and I saw that the only thing not able to be loaded was that one file, so I added the alias to the Nginx config and now everything works as expected.

    I also ran into a strange redirect issue, where guests would see the login page when they first opened the invite link, but the second time with the cookies set from the first attempt, they would be presented the steps for joining a group call. That was solved by the second part in the config snippet below which basically handles the redirect ‘internally’.

    # let nginx actually serve the JS file
    location /meet/service-worker.js {
      alias /usr/share/kopano-meet/meet-webapp/service-worker.js;
      expires -1;
    }
    
    # use try_files instead of a redirect
    location /meet {
      #rewrite ^/meet/r/(.*)$ /meet last;
      try_files $uri $uri/ /index.html =404;
      alias /usr/share/kopano-meet/meet-webapp;
    }  
    

    (I’m adding this posting, so other people might have it easier to google that particular problem)



  • Hello @Raven24 ,

    Funny thing is, I can join everything, even with guests, but I’m getting the same error message:

    Mar 24 16:29:08 <my_server> kopano-konnectd[452]: level=error msg="inner authorize request failed"
    

    I’m getting the error twice. Once if I click the link to join and kopano-meets shows me the Groupname,
    second, when I’m creating the username and join the meeting.

    But everything seems to work fine (now, after I searched for hours, then corrected one space in registration.yaml). :|

    best regards,
    coffee_is_life


  • Kopano

    @Coffee_is_life said in The nginx config for meet as given in the docs does not work:

    Funny thing is, I can join everything, even with guests, but I’m getting the same error message:
    Mar 24 16:29:08 <my_server> kopano-konnectd[452]: level=error msg="inner authorize request failed"

    This seems to be a wrong error message (since there was no error). Thanks all for reporting - a fix will be made. For now this message can be ignored unless additional fields (other than msg and level) are present as well.

