1

nginx error:

 2020/12/01 06:54:05 [error] 4718#4718: *1 connect() failed (111:Connection refused while connecting to upstream, client 192.168.1.1, server: www.some-place.org, request: "Get /bigbluebutton/api HTTP/1.1", upstream: "http://127.0.0.1:8090/bigbluebutton/api", host: "www.some-place.org"

Question Updated Sunday 06 December 2020 at 09:36 CET.

Here is the problem:

Cannot reach bigbluebutton/api (our online classroom platform) on 'http://127.0.0.1:8090'

  1. Check if port 8090 is active: (already port-forwarded in router)

(Classroom public IP address: XXX.X.XX.XX)

  1. sudo telnet XXX.X.XX.XX 8090

telnet: Unable to connect to remote host: Connection refused

  1. Check error logs (2 logs):

sudo bbb-conf --debug

  • Errors found in /var/log/nginx/error.log: (10 errors, same as in title above)
2020/12/01 06:54:05 [error] 4718#4718: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.1, server: www.some-place.org, request: "GET /bigbluebutton/api HTTP/1.1", upstream: "http://127.0.0.1:8090/bigbluebutton/api", host: "www.some-place.org"
2020/12/01 06:54:05 [error] 4718#4718: *1 open() "/var/www/nginx-default/50x.html" failed (2: No such file or directory), client: 192.168.1.1, server: www.some-place.org, request: "GET /bigbluebutton/api HTTP/1.1", upstream: "http://127.0.0.1:8090/bigbluebutton/api", host: "www.some-place.org"
2020/12/01 06:54:06 [error] 4718#4718: *3 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.1, server: www.some-place.org, request: "GET /bigbluebutton/api HTTP/1.1", upstream: http://127.0.0.1:8090/bigbluebutton/api", host: "www.some-place.org"
2020/12/01 06:54:06 [error] 4718#4718: *3 open() "/var/www/nginx-default/50x.html" failed (2: No such file or directory), client: 192.168.1.1, server: www.some-place.org, request: "GET /bigbluebutton/api HTTP/1.1", upstream: "http://127.0.0.1:8090/bigbluebutton/api", host: "www.some-place.org"
2020/12/01 06:54:07 [error] 4718#4718: *5 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.1, server: www.some-place.org, request: "GET /bigbluebutton/api HTTP/1.1", upstream: "http://127.0.0.1:8090/bigbluebutton/api", host: "www.some-place.org"
2020/12/01 06:54:07 [error] 4718#4718: *5 open() "/var/www/nginx-default/50x.html" failed (2: No such file or directory), client: 192.168.1.1, server: www.some-place.org, request: "GET /bigbluebutton/api HTTP/1.1", upstream: "http://127.0.0.1:8090/bigbluebutton/api", host: "www.some-place.org" 2020/12/01 06:54:08 [error] 4718#4718: *7 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.1, server: www.some-place.org, request: "GET /bigbluebutton/api HTTP/1.1", upstream: "http://127.0.0.1:8090/bigbluebutton/api", host: "www.some-place.org"
2020/12/01 06:54:08 [error] 4718#4718: *7 open() "/var/www/nginx-default/50x.html" failed (2: No such file or directory), client: 192.168.1.1, server: www.some-place.org, request: "GET /bigbluebutton/api HTTP/1.1", upstream: "http://127.0.0.1:8090/bigbluebutton/api", host: "www.some-place.org"
2020/12/01 06:54:09 [error] 4718#4718: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.1, server: www.some-place.org, request: "GET /bigbluebutton/api HTTP/1.1", upstream: "http://127.0.0.1:8090/bigbluebutton/api", host: "www.some-place.org"
2020/12/01 06:54:09 [error] 4718#4718: *9 open() "/var/www/nginx-default/50x.html" failed (2: No such file or directory), client: 192.168.1.1, server: www.some-place.org, request: "GET /bigbluebutton/api HTTP/1.1", upstream: "http://127.0.0.1:8090/bigbluebutton/api", host: "www.some-place.org"
  • Errors found in /var/log/syslog (2 errors):
Dec 1 06:53:44 bbb-server red5-shutdown.sh[4167]: Exception connecting to 127.0.0.1
Dec 1 06:53:44 bbb-server red5-shutdown.sh[4167]: java.lang.ArrayIndexOutOfBoundsException: 0
  1. Check if all applications are running:

sudo bbb-conf --status

14 checked active (nginx; freeswitch; redis-server; bbb-apps-akka; bbb-transcode-akka; bbb-fesl-akka; red5; tomcat7; mongod; bbb-html5; bbb-webrtc-sfu; kurento-media-server; etherpad; bbb-web).

  1. Next, check if any firewalls are active:

sudo ufw status

Status: inactive

  1. Next, check if bbb-web is listening on port 8090:

sudo netstat -atnp ¦ grep 8090

tcp6 0 0 127.0.0.1:8090 :::* LISTEN 1464/java
  1. Next, perform an nginx dump and pipe the result to the nano editor:

sudo nginx -T ¦ nano

As the output from this command is greater than the 30 000 characters allowed in this body, I have posted the second half today. I will then replace it with the first half again in a couple of days for those who missed it.

# configuration file /etc/bigbluebutton/nginx/presentation-slides.nginx:
#
# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/
#
# Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).
#
# This program is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the 
# Free Software Foundation; either version 3.0 of the License, or (at your option) any later version.
#
# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License along with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
#
# Have nginx serve the presentation slides instead of tomcat as large files causes tomcat to OOM. (ralam sept 20, 2018)
location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/svg\/(?<page_num>\d+)$ {
default_type image/svg+xml;
    alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/svgs/slide$page_num.svg;
}

location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/slide\/(?<page_num>\d+)$ {
    alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/slide-$page_num.swf;
}

location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/thumbnail\/(?<page_num>\d+)$ {
default_type image/png;
    alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/thumbnails/thumb-$page_num.png;
}

location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/textfiles\/(?<page_num>\d+)$ {
default_type text/plain;
    alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/textfiles/slide-$page_num.txt;
}

# configuration file /etc/bigbluebutton/nginx/presentation.nginx:
#
# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/
#
# Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).
#
# This program is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the 
# Free Software Foundation; either version 3.0 of the License, or (at your option) any later version.
#
# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License along with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
#
location /playback/presentation/playback.html {
return 301 /playback/presentation/0.81/playback.html?$query_string;
# If you have recordings from 0.9.0 beta versions and are sure that you will never want to play recordings made with BigBlueButton 0.81, 
#comment the line above and uncomment the following line: return 301 /playback/presentation/0.9.0/playback.html?$query_string;
}

location /playback/presentation {
    root /var/bigbluebutton;
    index index.html index.htm;
}

location /presentation {
    root /var/bigbluebutton/published;
    index index.html index.htm;
}

# configuration file /etc/bigbluebutton/nginx/screenshare.nginx:
# Handle desktop sharing tunneling.  Forwards requests to Red5 on port 5080.
location /screenshare {
    proxy_pass http://127.0.0.1:5080;
    proxy_redirect default;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    include fastcgi_params;
}

# configuration file /etc/nginx/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

# configuration file /etc/bigbluebutton/nginx/sip.nginx:
location /ws {
    proxy_pass https://192.168.1.51:7443;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_read_timeout 6h;
    proxy_send_timeout 6h;
    client_body_timeout 6h;
    send_timeout 6h;
    auth_request /bigbluebutton/connection/checkAuthorization;
    auth_request_set $auth_status $upstream_status;
}

# configuration file /etc/bigbluebutton/nginx/verto.nginx:
location /verto {
    proxy_pass https://127.0.0.1:8082;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_read_timeout 6h;
    proxy_send_timeout 6h;
    client_body_timeout 6h;
    send_timeout 6h;
}

# configuration file /etc/bigbluebutton/nginx/web.nginx:
# Handle request to bbb-web running within a SpringBoot Tomcat embedded servlet container.  This is for BBB-API and Presentation.
location /bigbluebutton {
proxy_http_version 1.1;
location /bigbluebutton {
    proxy_pass http://127.0.0.1:8090;
    proxy_redirect default;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Workaround IE refusal to set cookies in iframe
    add_header P3P 'CP="No P3P policy available"';
}

location ~ "^\/bigbluebutton\/presentation\/(?<prestoken>[a-zA-Z0-9_-]+)/upload$" {
    proxy_pass http://127.0.0.1:8090;
    proxy_redirect default;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Workaround IE refusal to set cookies in iframe
    add_header P3P 'CP="No P3P policy available"';
    # Allow 30M uploaded presentation document.
    client_max_body_size 30m;
    client_body_buffer_size 128k;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    include fastcgi_params;
    proxy_request_buffering off;
    # Send a sub-request to allow bbb-web to refuse before loading
    auth_request /bigbluebutton/presentation/checkPresentation;
}

location /bigbluebutton/presentation/download {
    return 404;
}

location ~ "^/bigbluebutton/presentation/download\/[0-9a-f]+-[0-9]+/[0-9a-f]+-[0-9]+$" {
    if ($arg_presFilename !~ "^[0-9a-f]+-[0-9]+\.[0-9a-zA-Z]+$") {
    return 404;
    }

    proxy_pass http://127.0.0.1:8090$uri$is_args$args;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Workaround IE refusal to set cookies in iframe
    add_header P3P 'CP="No P3P policy available"';
}

location = /bigbluebutton/presentation/checkPresentation {
    proxy_pass http://127.0.0.1:8090;
    proxy_redirect default;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Presentation-Token $prestoken;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-Content-Length $http_content_length;
    # Allow 30M uploaded presentation document.
    client_max_body_size 30m;
    client_body_buffer_size 128k;
    proxy_pass_request_body off;
    proxy_request_buffering off;
}

# To check connection authentication, include:
# auth_request /bigbluebutton/connection/checkAuthorization; auth_request_set $auth_status $upstream_status;
#
# and make sure to add sessionToken param in the request URI
location = /bigbluebutton/connection/checkAuthorization {
    internal;
    proxy_pass http://127.0.0.1:8090;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}

    location ~ "^/bigbluebutton\/textTrack\/(?<textTrackToken>[a-zA-Z0-9]+)\/(?<recordId>[a-zA-Z0-9_-]+)\/(?<textTrack>.+)$" {
        # Workaround IE refusal to set cookies in iframe
        add_header P3P 'CP="No P3P policy available"';
        # Allow 30M uploaded presentation document.
        client_max_body_size 30m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        include fastcgi_params;
        proxy_request_buffering off;
        # Send a sub-request to allow bbb-web to refuse before loading
        auth_request /bigbluebutton/textTrack/validateAuthToken;
        default_type text/plain;
        alias /var/bigbluebutton/captions/$recordId/$textTrack;
    }

    location = /bigbluebutton/textTrack/validateAuthToken {
        internal;
        proxy_pass http://127.0.0.1:8090;
        proxy_redirect default;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-textTrack-token $textTrackToken;
        proxy_set_header X-textTrack-recordId $recordId;
        proxy_set_header X-textTrack-track $textTrack;
        proxy_set_header X-Original-URI $request_uri;
    }
}

# configuration file /etc/bigbluebutton/nginx/webrtc-sfu.nginx:
location /bbb-webrtc-sfu {
    proxy_pass http://127.0.0.1:3008;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_read_timeout 6h;
    proxy_send_timeout 6h;
    client_body_timeout 6h;
    send_timeout 6h;
    auth_request /bigbluebutton/connection/checkAuthorization;
    auth_request_set $auth_status $upstream_status;
}

# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding of Nginx configuration files in order to fully unleash the power of 
# Nginx. http://wiki.nginx.org/Pitfalls http://wiki.nginx.org/QuickStart http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean file but keep this around for reference. Or just disable in 
# sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # SSL configuration
    #
    # listen 443 ssl default_server; listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic. See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration. See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        # First attempt to serve request as file, then as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #       include snippets/fastcgi-php.conf;
    #
    #       # With php7.0-cgi alone:
    #       fastcgi_pass 127.0.0.1:9000;
    #       # With php7.0-fpm:
    #       fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}

    # deny access to .htaccess files, if Apache's document root concurs with nginx's one
    #
    #location ~ /\.ht {
    #       deny all;
    #}
}

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that to sites-enabled/ to enable it.
#
#server {
#       listen 80; listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com; index index.html;
#
#       location / {
#           try_files $uri $uri/ =404;
#       }
#}

We use BigBlueButton (Ver. 2.2.30) as our online classroom platform. It seems that this 'Permission denied' in trying to connect to port 8090 is the reason why users are now getting 'ICE error 1007' when trying to connect to the audio bridge.

Continuing with the search for solutions, ICE error 1007 happens from 2 possibilities: 1) connection blocked by a firewall (there are no active firewalls on our production servers), and 2) connection blocked by NAT.

In case NAT is the source of the blockage, I have included the contents of the current NAT iptables:

Chain PREROUTING (policy ACCEPT)
target      prot opt source         destination
DOCKER      all  --  0.0.0.0/0      0.0.0.0/0      ADDRTYPE match dst-type LOCAL
    
Chain INPUT (policy ACCEPT)
target      prot opt source         destination
    
Chain OUTPUT (policy ACCEPT)
target      prot opt source         destination
DOCKER      all  --  0.0.0.0/0      !127.0.0.0/8   ADDRTYPE match dst-type LOCAL
    
Chain POSTROUTING (policy ACCEPT)
target      prot opt source         destination
MASQUERADE  all  --  172.17.0.0/16  0.0.0.0/0
MASQUERADE  all  --  172.18.0.0/16  0.0.0.0/0
MASQUERADE  tcp  --  172.18.0.2     172.18.0.2     tcp dpt:80
MASQUERADE  tcp  --  172.18.0.3     172.18.0.3     tcp dpt:5432
    
Chain DOCKER (2 references)
target      prot opt source         destination
RETURN      all  --  0.0.0.0/0      0.0.0.0/0
RETURN      all  --  0.0.0.0/0      0.0.0.0/0
DNAT        tcp  --  0.0.0.0/0      127.0.0.1      tcp dpt:5000 to:172.18.0.2:80
DNAT        tcp  --  0.0.0.0/0      127.0.0.1      tcp dpt:5432 to:172.18.0.3:5432

I hope this helps...

sysadmin1138
  • 131,083
  • 18
  • 173
  • 296
larshie
  • 11
  • 1
  • 5
  • 1
    `Connection refused` indicates that nothing is listening on the given port. Check if the backend server is actually running. – Gerald Schneider Nov 09 '20 at 11:30
  • And that nginx config is pretty irrelevant, more relevant would be the server block that contains your proxy directives, which most probably resides in `/etc/nginx/sites-enabled/`. – Gerald Schneider Nov 09 '20 at 11:32
  • `upstream: "http:// 127` could it be that here is a space misplaces in the config? Why not you shown nginx conf and it looks for me that this question is more private based instead business related – djdomi Nov 29 '20 at 14:01
  • Thanks, djdomi for your astute observation. `"http://127.0.0.1:8090` in fact does not have a space, it was accidentally inserted when I copied over the nginx error message. Also this is definitely business related, for we use BigBlueButton as our online classroom platform for our members worldwide who follow specialized training courses. – larshie Nov 30 '20 at 07:55
  • Please post the output of `nginx -T`. – Michael Hampton Nov 30 '20 at 13:03
  • Thanks for that Michael, I executed the command as you suggested and piped the output to the nano editor. Unfortunately, it contains over 33000 characters and it cannot be posted. Is it possible to send you the output as a text file? – larshie Nov 30 '20 at 17:58
  • You can omit the `mime.types` file. – Michael Hampton Dec 01 '20 at 12:43
  • Thanks, Michael. Unfortunately, there are still over 2000 characters too many, without the `mime.types` file to make the posting... – larshie Dec 02 '20 at 13:03
  • I have posted the first half of the output from `sudo nginx -T` for you to see. I will delete it and post the second half in a couple of days. I hope this will show you what you are looking for... – larshie Dec 03 '20 at 08:12
  • Hello Michael, As promised, I have now replaced the first half of `nginx -T` with the second half. I hope this helps... – larshie Dec 05 '20 at 07:38

0 Answers0