MM self-host docker - healthcheck compromising whole install

I'm using the self-hosted Docker version along with a Traefik reverse proxy. I've set up the ports correctly, along with the UDP port for the Calls plugin. However, said plugin never "asks" for microphone permissions, as MM seems to not think we're using SSL, even though we are using forced SSL with TLS from Traefik.

To mitigate that, I tried enabling the TLS option and feeding it the certificate and key files (which I had to split from acme.json). MM seems to like those files and won't complain, and I see “server successfully started on port” in the logs, HOWEVER the container NEVER becomes Healthy, because on inspection the healthcheck is:

     "Healthcheck": {
            "Test": [
                "CMD-SHELL",
                "curl -f http://localhost:8065/api/v4/system/ping || exit 1"

How do I adjust this healthcheck without rebuilding the whole image from scratch, please? How do I go about this if I want to use port 443?

Would overriding it in Docker Compose work properly?

healthcheck:
  test: ["CMD", "curl", "-f", "http://localhost:443/api/v4/system/ping"]
  interval: 30s
  timeout: 10s

Or am I missing something while setting up Calls to work behind a reverse proxy which is handling the certificates?
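For the case actually asked about here (the application server itself bound with TLS), the image's HEALTHCHECK can be replaced from Compose without rebuilding anything. This is an added example, not code from the original post or from the Mattermost project; the service name, the default 8065 port and the mounted certificate path in the commented alternative are assumptions:

```yaml
services:
  mattermost:
    image: mattermost/mattermost-team-edition
    # ... environment, volumes and networks as in your existing compose file ...
    healthcheck:
      # A healthcheck in Compose replaces the HEALTHCHECK baked into the image,
      # which probes http://localhost:8065 and therefore fails once the server
      # speaks TLS on that port (curl sees an HTTPS endpoint, gets no valid HTTP
      # response, and "-f" turns that into a non-zero exit).
      #
      # The probe runs inside the container against the loopback interface.
      # "-k" skips certificate verification: the certificate's SAN is the public
      # hostname, not "localhost", so verification would always fail here.
      test: ["CMD-SHELL", "curl -fsk https://localhost:8065/api/v4/system/ping || exit 1"]
      #
      # Verifying alternative (assumed cert path; keeps TLS verification on by
      # pinning the hostname to 127.0.0.1 so the SAN matches):
      # test: ["CMD-SHELL", "curl -fs --cacert /mattermost/config/cert.pem --resolve mm.example.tld:8065:127.0.0.1 https://mm.example.tld:8065/api/v4/system/ping || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      # Failures during the first 30s do not count, so a slow start does not
      # get the container killed before the listener is up.
      start_period: 30s
```

If the listener is moved to 443 inside the container, change the port in the probe URL as well, and note that binding a port below 1024 needs either root or the CAP_NET_BIND_SERVICE capability; check which user the image runs as before assuming 443 will bind. Whether the application server should be bound with TLS at all is a separate question from the healthcheck, and the rest of this thread addresses it.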

Hi @Flar and welcome to the Mattermost forums!

Calls works perfectly fine when being SSL-offloaded, there’s also no special configuration necessary to make it work.
Can you confirm that your SiteUrl (environment variable MM_SERVICESETTINGS_SITEURL) is set to the URL your clients access the server at, i.e. https://mm.yourdomain.tld?

  - MM_SERVICESETTINGS_SITEURL=https://$DOMAIN

where the $DOMAIN var is defined in the .env file. So it should know it's on HTTPS. Yet, when I attach the cert and key, switch MM to use TLS and restart the container, the server logs state that the server is up, but the container keeps being killed by a healthcheck that doesn't handle it being HTTPS instead of HTTP. And yes, I've tried leaving it on the default port and switching to :443. Unless I override the healthcheck, the container dies due to the healthcheck deeming it “unhealthy”.
I'm struggling to make my use case work.
Context:
I have a MM instance running in Docker. Works well.
In front of it, I have Traefik as a reverse proxy. There are a few middlewares set up, like ensuring http > https, etc., but nothing more.
My Calls plugin wasn't working - it looked as if we're connected, but I couldn't unmute the microphone > “allow to use your mic!” with no pop-up asking to do so.
After some research, I found that the built-in server wouldn't work unless MM was using TLS with certificates.
I'm splitting the Traefik ACME Let's Encrypt certificate with automation (it seems to be correct), adding them to the MM instance to handle the file permissions correctly.
I've added a corresponding router to my Traefik to handle UDP traffic over port 8443 and move all of it towards the MM instance. I think I need to achieve these things:
– make MM use TLS; recognize certificates provided by the ACME \ Let's Encrypt automation
– make Traefik communicate with the backend (MM) via TLS (though what about UDP?)
A few times I've seen it struggling, either due to a certificate mismatch, which isn't really possible as it's literally the same certificate, or due to “client trying to speak HTTP with HTTPS endpoint”.

Is there an explanation somewhere about making Calls in Docker work properly? I don't think I've found it. Maybe I'm missing some additional ports? Maybe it has some specific requirements for TLS? Anything in this matter would greatly help. Thanks for your time.

UPD: edited out my stupid apostrophe

Where does this healthcheck come from in the first place? I’m not aware of something like this in the official docker compose based setup, can you point me to the documentation for it or describe how you set it up?

Regarding the options you think you have:
As I said, calls are working just fine when being SSL offloaded, it’s absolutely not necessary to run the Mattermost application server on a TLS binding.
There’s detailed documentation for hosting calls, please have a look here:
https://docs.mattermost.com/configure/calls-deployment.html#calls-self-hosted-deployment

Depending on your deployment type, you will also need udp/8443 inbound to your Mattermost application server and this cannot be forwarded through Traefik.

This is what I found when inspecting the image. I did not add the healthcheck.
In the image: mattermost/mattermost-team-edition.

I have 8443 inbound allowed to the MM instance. SSL handled by Traefik. When I'm trying to start a call, it does start, however the microphone is muted and I can't unmute it because there's no pop-up \ permissions request.
A UDP router for Traefik is absolutely possible, but I'll try to just open \ expose a port on the MM container instead. Just for the reference:
Traefik ports:
ports:
  - target: 8443
    published: 8443
    protocol: udp
    mode: host
networks:

Traefik entrypoint setup with name “calls”:
- --entryPoints.calls.address=:8443/udp

Traefik config for MM container:
- "traefik.udp.routers.mm-call-rtr.entrypoints=calls"
- "traefik.udp.routers.mm-call-rtr.service=mm-call-svc"
- "traefik.udp.services.mm-call-svc.loadBalancer.server.port=8443"

In short, it's done according to the Traefik Routers Documentation - Traefik as far as I can tell.
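The topology the reply above recommends, TLS terminated at Traefik, plain HTTP between Traefik and Mattermost, and udp/8443 published straight from the Mattermost container rather than routed through Traefik, looks like this in Compose. This is an added example, not from the thread or from the Mattermost project; the network name "proxy", the entrypoint name "websecure" and the certresolver name "letsencrypt" are assumptions, and $DOMAIN is the variable from the poster's .env:

```yaml
# Assumed names (not from the thread): network "proxy", Traefik entrypoint
# "websecure", certresolver "letsencrypt". $DOMAIN comes from .env.
services:
  mattermost:
    image: mattermost/mattermost-team-edition
    environment:
      # Clients reach the server over HTTPS via Traefik, so SiteURL is https://
      # even though the container itself only listens on plain HTTP (8065).
      # This is what lets the web client see a secure origin and request the mic.
      - MM_SERVICESETTINGS_SITEURL=https://${DOMAIN}
    ports:
      # Calls media goes directly to the application server on the host's
      # udp/8443; it is not proxied by Traefik, so the udp router/entrypoint
      # from the previous post is not needed. Allow udp/8443 inbound on the
      # host firewall.
      - "8443:8443/udp"
    # No healthcheck override: the image's default probe of
    # http://localhost:8065/api/v4/system/ping keeps working because TLS is
    # not enabled on the application server, only on Traefik.
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mm.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.mm.entrypoints=websecure"
      - "traefik.http.routers.mm.tls.certresolver=letsencrypt"
      # Traefik speaks plain HTTP to the container on 8065 (SSL offloading),
      # so no certificate or key has to be split out of acme.json for MM.
      - "traefik.http.services.mm.loadbalancer.server.port=8065"

networks:
  proxy:
    external: true
```

With this layout the application server never needs the Let's Encrypt material at all, which also removes the file-permission handling and the certificate-mismatch and "HTTP with HTTPS endpoint" errors described earlier: the only TLS endpoint is Traefik's websecure entrypoint, and the only thing leaving the host unencrypted at the transport level is the Calls media stream on udp/8443, which carries its own media-layer encryption between clients and the Calls server.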