diff --git a/openvidu-server/deployments/ce/docker-compose/.env b/openvidu-server/deployments/ce/docker-compose/.env index 0a6a7da8..86cba267 100644 --- a/openvidu-server/deployments/ce/docker-compose/.env +++ b/openvidu-server/deployments/ce/docker-compose/.env @@ -40,8 +40,14 @@ LETSENCRYPT_EMAIL=user@example.com # HTTPS_PORT=443 # If true request to with www will be redirected to non-www requests +# Default value is false # REDIRECT_WWW=false +# How many workers to configure in nginx proxy. +# The more workers, the more requests will be handled +# Default value is 10240 +# WORKER_CONNECTIONS=10240 + # Access restrictions # In this section you will be able to restrict the IPs from which you can access to # Openvidu API and the Administration Panel diff --git a/openvidu-server/deployments/ce/docker-compose/docker-compose.yml b/openvidu-server/deployments/ce/docker-compose/docker-compose.yml index baeef2dc..9bdc7081 100644 --- a/openvidu-server/deployments/ce/docker-compose/docker-compose.yml +++ b/openvidu-server/deployments/ce/docker-compose/docker-compose.yml @@ -22,10 +22,10 @@ version: '3.1' services: openvidu-server: - image: openvidu/openvidu-server:2.16.0-dev1 + image: openvidu/openvidu-server:2.16.0-dev2 restart: on-failure network_mode: host - entrypoint: ['/bin/bash', '-c', 'export COTURN_IP=`/usr/local/bin/discover_my_public_ip.sh`; /usr/local/bin/entrypoint.sh'] + entrypoint: ['/usr/local/bin/entrypoint.sh'] volumes: - /var/run/docker.sock:/var/run/docker.sock - ${OPENVIDU_RECORDING_PATH}:${OPENVIDU_RECORDING_PATH} @@ -39,6 +39,7 @@ services: - KMS_URIS=["ws://localhost:8888/kurento"] - COTURN_REDIS_IP=127.0.0.1 - COTURN_REDIS_PASSWORD=${OPENVIDU_SECRET} + - COTURN_IP=${COTURN_IP:-auto-ipv4} kms: image: ${KMS_IMAGE:-kurento/kurento-media-server:6.14.0} 
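Review bot: The new comment for `WORKER_CONNECTIONS` describes it as the number of workers, but the proxy entrypoint in this commit substitutes the value into the `{worker_connections}` placeholder of nginx.conf. That suggests it feeds nginx's `worker_connections` directive, which is the connection limit per worker process rather than a worker count (nginx.conf itself is not visible here). I would reword it to something like `# Maximum simultaneous connections per nginx worker process (nginx worker_connections)` so operators do not size it as a process count. The same wording is added in the Pro `.env` hunk.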
@@ -62,7 +63,7 @@ services: - REDIS_PASSWORD=${OPENVIDU_SECRET} coturn: - image: openvidu/openvidu-coturn:2.0.0-dev2 + image: openvidu/openvidu-coturn:2.0.0-dev3 restart: on-failure network_mode: host environment: @@ -74,12 +75,13 @@ services: - MAX_PORT=65535 nginx: - image: openvidu/openvidu-proxy:4.0.0-dev4 + image: openvidu/openvidu-proxy:4.0.0-dev5 restart: on-failure network_mode: host volumes: - ./certificates:/etc/letsencrypt - ./owncert:/owncert + - ./custom-nginx-vhosts:/etc/nginx/vhost.d/ - ${OPENVIDU_RECORDING_CUSTOM_LAYOUT}:/opt/openvidu/custom-layout environment: - DOMAIN_OR_PUBLIC_IP=${DOMAIN_OR_PUBLIC_IP} @@ -93,3 +95,5 @@ services: - WITH_APP=true - SUPPORT_DEPRECATED_API=${SUPPORT_DEPRECATED_API:-true} - REDIRECT_WWW=${REDIRECT_WWW:-false} + - WORKER_CONNECTIONS=${WORKER_CONNECTIONS:-10240} + - PUBLIC_IP=${PUBLIC_IP:-auto-ipv4} diff --git a/openvidu-server/deployments/ce/docker-compose/install_openvidu.sh b/openvidu-server/deployments/ce/docker-compose/install_openvidu.sh index 634d104d..fdaa61cb 100755 --- a/openvidu-server/deployments/ce/docker-compose/install_openvidu.sh +++ b/openvidu-server/deployments/ce/docker-compose/install_openvidu.sh @@ -54,6 +54,10 @@ new_ov_installation() { printf "\n => Creating folder 'owncert'..." mkdir "${OPENVIDU_FOLDER}/owncert" || fatal_error "Error while creating the folder 'owncert'" + # Create vhost nginx folder + printf "\n => Creating folder 'custom-nginx-vhosts'..." + mkdir "${OPENVIDU_FOLDER}/custom-nginx-vhosts" || fatal_error "Error while creating the folder 'custom-nginx-vhosts'" + # Ready to use printf '\n' printf '\n' diff --git a/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/.env b/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/.env index 02c68e18..cb4e985a 100644 --- a/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/.env +++ b/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/.env 
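Review bot: The new `./custom-nginx-vhosts:/etc/nginx/vhost.d/` bind mount on the `nginx` service is read-write, although the folder only supplies configuration to the proxy. Unless the proxy entrypoint (not visible here) writes into it, mount it read-only with `- ./custom-nginx-vhosts:/etc/nginx/vhost.d/:ro`. Anything placed in that host folder is presumably loaded as nginx configuration by a container running with `network_mode: host`, so the folder that `install_openvidu.sh` creates with a plain `mkdir` should be writable only by the deployment's administrator. The same mount is added in the Pro compose file.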
@@ -43,8 +43,14 @@ LETSENCRYPT_EMAIL=user@example.com # HTTPS_PORT=443 # If true request to with www will be redirected to non-www requests +# Default value is false # REDIRECT_WWW=false +# How many workers to configure in nginx proxy. +# The more workers, the more requests will be handled +# Default value is 10240 +# WORKER_CONNECTIONS=10240 + # Access restrictions # In this section you will be able to restrict the IPs from which you can access to # Openvidu API and the Administration Panel diff --git a/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/docker-compose.yml b/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/docker-compose.yml index 034d6035..71c0ac62 100644 --- a/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/docker-compose.yml +++ b/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/docker-compose.yml @@ -22,10 +22,10 @@ version: '3.1' services: openvidu-server: - image: openvidu/openvidu-server-pro:2.16.0-dev2 + image: openvidu/openvidu-server-pro:2.16.0-dev4 restart: on-failure network_mode: host - entrypoint: ['/bin/bash', '-c', 'export COTURN_IP=`/usr/local/bin/discover_my_public_ip.sh`; /usr/local/bin/entrypoint.sh'] + entrypoint: ['/usr/local/bin/entrypoint.sh'] volumes: - /var/run/docker.sock:/var/run/docker.sock - ${OPENVIDU_RECORDING_PATH}:${OPENVIDU_RECORDING_PATH} @@ -41,6 +41,7 @@ services: - KMS_URIS=[] - COTURN_REDIS_IP=127.0.0.1 - COTURN_REDIS_PASSWORD=${OPENVIDU_SECRET} + - COTURN_IP=${COTURN_IP:-auto-ipv4} - OPENVIDU_PRO_CLUSTER=true - OPENVIDU_PRO_KIBANA_HOST=${OPENVIDU_PRO_KIBANA_HOST:-http://127.0.0.1/kibana} - OPENVIDU_PRO_ELASTICSEARCH_HOST=${OPENVIDU_PRO_ELASTICSEARCH_HOST:-http://127.0.0.1:9200} @@ -65,7 +66,7 @@ services: - DB_PASSWORD=${OPENVIDU_SECRET} - MIN_PORT=40000 - MAX_PORT=65535 - - TURN_PUBLIC_IP=auto + - TURN_PUBLIC_IP=${TURN_PUBLIC_IP:-auto-ipv4} nginx: image: openvidu/openvidu-proxy:4.0.0-dev4 
@@ -74,6 +75,7 @@ services: volumes: - ./certificates:/etc/letsencrypt - ./owncert:/owncert + - ./custom-nginx-vhosts:/etc/nginx/vhost.d/ - ${OPENVIDU_RECORDING_CUSTOM_LAYOUT}:/opt/openvidu/custom-layout environment: - DOMAIN_OR_PUBLIC_IP=${DOMAIN_OR_PUBLIC_IP} @@ -87,6 +89,7 @@ services: - WITH_APP=true - SUPPORT_DEPRECATED_API=${SUPPORT_DEPRECATED_API:-true} - REDIRECT_WWW=${REDIRECT_WWW:-false} + - WORKER_CONNECTIONS=${WORKER_CONNECTIONS:-10240} elasticsearch: image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0 diff --git a/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/install_openvidu_pro.sh b/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/install_openvidu_pro.sh index 0a4f48d9..232ca29e 100755 --- a/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/install_openvidu_pro.sh +++ b/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/install_openvidu_pro.sh @@ -95,6 +95,10 @@ new_ov_installation() { printf "\n => Creating folder 'owncert'..." mkdir "${OPENVIDU_FOLDER}/owncert" || fatal_error "Error while creating the folder 'owncert'" + # Create vhost nginx folder + printf "\n => Creating folder 'custom-nginx-vhosts'..." + mkdir "${OPENVIDU_FOLDER}/custom-nginx-vhosts" || fatal_error "Error while creating the folder 'custom-nginx-vhosts'" + # Ready to use printf '\n' printf '\n' diff --git a/openvidu-server/docker/openvidu-coturn/entrypoint.sh b/openvidu-server/docker/openvidu-coturn/entrypoint.sh index c5799225..36152330 100644 --- a/openvidu-server/docker/openvidu-coturn/entrypoint.sh +++ b/openvidu-server/docker/openvidu-coturn/entrypoint.sh 
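Review bot: The Pro `nginx` service gains the `vhost.d` mount and `WORKER_CONNECTIONS`, but the context of the preceding hunk still shows it on `openvidu/openvidu-proxy:4.0.0-dev4`, while the CE compose file moves to `4.0.0-dev5` for the same features. If the `{worker_connections}` substitution and the `/etc/nginx/vhost.d/` handling ship only in the newer image, these settings would be silently ignored here; confirm the tag and bump it if so. Pro also does not pass `PUBLIC_IP=${PUBLIC_IP:-auto-ipv4}` as CE now does, which may be intentional but deserves a short comment in the file.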
@@ -5,7 +5,8 @@ DEBUG=${DEBUG:-false} [ "$DEBUG" == "true" ] && set -x #Check parameters -[[ "${TURN_PUBLIC_IP}" == "auto" ]] && export TURN_PUBLIC_IP=$(/usr/local/bin/discover_my_public_ip.sh) +[[ "${TURN_PUBLIC_IP}" == "auto-ipv4" ]] && export TURN_PUBLIC_IP=$(/usr/local/bin/discover_my_public_ip.sh) +[[ "${TURN_PUBLIC_IP}" == "auto-ipv6" ]] && export TURN_PUBLIC_IP=$(/usr/local/bin/discover_my_public_ip.sh --ipv6) echo "TURN public IP: ${TURN_PUBLIC_IP:-"empty"}" diff --git a/openvidu-server/docker/openvidu-proxy/Dockerfile b/openvidu-server/docker/openvidu-proxy/Dockerfile index b29fd066..3eb033f3 100644 --- a/openvidu-server/docker/openvidu-proxy/Dockerfile +++ b/openvidu-server/docker/openvidu-proxy/Dockerfile @@ -5,7 +5,9 @@ RUN apk update && \ apk add bash \ certbot \ openssl \ - apache2-utils && \ + apache2-utils \ + bind-tools \ + perl pcre grep && \ rm -rf /var/cache/apk/* # Default nginx conf @@ -14,9 +16,15 @@ COPY ./default_nginx_conf /default_nginx_conf # Entrypoint and discover public ip scripts COPY ./discover_my_public_ip.sh /usr/local/bin + +# Copy nginx.conf +COPY ./nginx.conf /etc/nginx/nginx.conf + +# Entrypoint COPY ./entrypoint.sh /usr/local/bin RUN mkdir -p /var/www/certbot && \ + mkdir -p /etc/nginx/vhost.d/ && \ chmod +x /usr/local/bin/entrypoint.sh && \ chmod +x /usr/local/bin/discover_my_public_ip.sh diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default-app.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default-app.conf deleted file mode 100644 index efc7d333..00000000 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default-app.conf +++ /dev/null 
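Review bot: The previous sentinel `auto` is no longer matched in the coturn entrypoint, so a deployment that still sets `TURN_PUBLIC_IP=auto` would now pass the literal string `auto` on as the public address instead of a discovered IP. Keeping it as an alias avoids that: `[[ "${TURN_PUBLIC_IP}" == "auto" || "${TURN_PUBLIC_IP}" == "auto-ipv4" ]] && export TURN_PUBLIC_IP=$(/usr/local/bin/discover_my_public_ip.sh)`. Separately, `export VAR=$(cmd)` hides a failing discovery script, so an empty or malformed result only shows up in the following `echo`; checking that the result looks like an address before continuing would make a failed lookup explicit.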
@@ -1,33 +0,0 @@ -{app_upstream} - -upstream openviduserver { - server localhost:5443; -} - -server { - listen {https_port} ssl; - server_name {domain_name}; - - {ssl_config} - - {proxy_config} - - {app_config} - - ######################## - # OpenVidu Locations # - ######################## - {common_api_ce} - - {deprecated_api_ce} - - {new_api_ce} - - ################################# - # LetsEncrypt # - ################################# - location /.well-known/acme-challenge { - root /var/www/certbot; - try_files $uri $uri/ =404; - } -} diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default.conf index 6afc2bbd..d7ad3644 100644 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default.conf +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default.conf @@ -1,3 +1,9 @@ +{app_upstream} + +upstream openviduserver { + server localhost:5443; +} + server { listen {http_port}; server_name {domain_name}; @@ -11,4 +17,38 @@ server { location /.well-known/acme-challenge/ { root /var/www/certbot; } + + {nginx_status} +} + +{redirect_www} + +{redirect_www_ssl} + +server { + listen {https_port} ssl; + server_name {domain_name}; + + {ssl_config} + + {proxy_config} + + {app_config} + + ######################## + # OpenVidu Locations # + ######################## + {common_api_ce} + + {deprecated_api_ce} + + {new_api_ce} + + ################################# + # LetsEncrypt # + ################################# + location /.well-known/acme-challenge { + root /var/www/certbot; + try_files $uri $uri/ =404; + } } diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/app_config.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/app_config.conf new file mode 100644 index 00000000..2dd7bcee --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/app_config.conf 
@@ -0,0 +1,4 @@ + # Your App + location / { + proxy_pass http://yourapp; # Openvidu call by default + } \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/app_config_default.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/app_config_default.conf new file mode 100644 index 00000000..82f76720 --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/app_config_default.conf @@ -0,0 +1,2 @@ + # Welcome + root /var/www/html; \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/upstream-yourapp.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/app_upstream.conf similarity index 100% rename from openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/upstream-yourapp.conf rename to openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/app_upstream.conf diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/common_api_ce.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/common_api_ce.conf new file mode 100644 index 00000000..1ac0df12 --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/common_api_ce.conf @@ -0,0 +1,14 @@ + ################################# + # Common rules # + ################################# + # Dashboard rule + location /dashboard { + {rules_access_dashboard} + deny all; + proxy_pass http://openviduserver; + } + + # Websocket rule + location ~ /openvidu$ { + proxy_pass http://openviduserver; + } \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/deprecated_api_ce.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/deprecated_api_ce.conf new file mode 100644 index 00000000..a572356d --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/deprecated_api_ce.conf 
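Review bot: The websocket rule `location ~ /openvidu$` in `common_api_ce.conf` is a regex with no start anchor, and nginx prefers a matching regex location over any prefix location that is not marked `^~`. A request whose path merely ends in `/openvidu` is therefore handled by this block, which has no allow/deny rules, rather than by prefix blocks such as `/dashboard` or `/openvidu/api` that carry `{rules_access_dashboard}` / `{rules_acess_api}` and `deny all;`. If the websocket endpoint is exactly `/openvidu`, `location = /openvidu {` keeps it reachable without overriding the restricted prefixes. The rule is carried over from the deleted `common-api-ce.conf`, and the same line is in `pro/common_api_pro.conf`.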
@@ -0,0 +1,40 @@ + ################################# + # Deprecated API # + ################################# + # Openvidu Server + location /layouts/custom { + rewrite ^/layouts/custom/(.*)$ /custom-layout/$1 break; + root /opt/openvidu; + } + + location /recordings { + proxy_pass http://openviduserver; + } + + location /api { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } + + location /info { + {rules_access_dashboard} + deny all; + proxy_pass http://openviduserver; + } + + location /config { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } + + location /accept-certificate { + proxy_pass http://openviduserver; + } + + location /cdr { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/new_api_ce.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/new_api_ce.conf new file mode 100644 index 00000000..4b9d940b --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/new_api_ce.conf @@ -0,0 +1,33 @@ + ################################# + # New API # + ################################# + location /openvidu/layouts { + rewrite ^/openvidu/layouts/(.*)$ /custom-layout/$1 break; + root /opt/openvidu; + } + + location /openvidu/recordings { + proxy_pass http://openviduserver; + } + + location /openvidu/api { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } + + location /openvidu/info { + {rules_access_dashboard} + deny all; + proxy_pass http://openviduserver; + } + + location /openvidu/accept-certificate { + proxy_pass http://openviduserver; + } + + location /openvidu/cdr { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } \ No newline at end of file 
diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/redirect_www.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/redirect_www.conf new file mode 100644 index 00000000..bdff866e --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/redirect_www.conf @@ -0,0 +1,14 @@ +server { + listen {http_port}; + server_name www.{domain_name}; + + # Redirect to https + location / { + rewrite ^(.*) https://{domain_name}:{https_port}$1 permanent; + } + + # letsencrypt + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } +} \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/default-root.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/default-root.conf deleted file mode 100644 index eaef697f..00000000 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/default-root.conf +++ /dev/null @@ -1,2 +0,0 @@ -# Welcome -root /var/www/html; \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/location-yourapp.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/location-yourapp.conf deleted file mode 100644 index 1f714085..00000000 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/location-yourapp.conf +++ /dev/null @@ -1,4 +0,0 @@ -# Your App -location / { - proxy_pass http://yourapp; # Openvidu call by default -} \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-ce/common-api-ce.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-ce/common-api-ce.conf deleted file mode 100644 index e5609e8d..00000000 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-ce/common-api-ce.conf +++ /dev/null 
@@ -1,14 +0,0 @@ -################################# -# Common rules # -################################# -# Dashboard rule -location /dashboard { - {rules_access_dashboard} - deny all; - proxy_pass http://openviduserver; -} - -# Websocket rule -location ~ /openvidu$ { - proxy_pass http://openviduserver; -} \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-ce/deprecated-api-ce.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-ce/deprecated-api-ce.conf deleted file mode 100644 index f8406500..00000000 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-ce/deprecated-api-ce.conf +++ /dev/null @@ -1,40 +0,0 @@ -################################# -# Deprecated API # -################################# -# Openvidu Server -location /layouts/custom { - rewrite ^/layouts/custom/(.*)$ /custom-layout/$1 break; - root /opt/openvidu; -} - -location /recordings { - proxy_pass http://openviduserver; -} - -location /api { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} - -location /info { - {rules_access_dashboard} - deny all; - proxy_pass http://openviduserver; -} - -location /config { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} - -location /accept-certificate { - proxy_pass http://openviduserver; -} - -location /cdr { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-ce/new-api-ce.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-ce/new-api-ce.conf deleted file mode 100644 index 992eb7db..00000000 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-ce/new-api-ce.conf +++ /dev/null 
@@ -1,33 +0,0 @@ -################################# -# New API # -################################# -location /openvidu/layouts { - rewrite ^/openvidu/layouts/(.*)$ /custom-layout/$1 break; - root /opt/openvidu; -} - -location /openvidu/recordings { - proxy_pass http://openviduserver; -} - -location /openvidu/api { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} - -location /openvidu/info { - {rules_access_dashboard} - deny all; - proxy_pass http://openviduserver; -} - -location /openvidu/accept-certificate { - proxy_pass http://openviduserver; -} - -location /openvidu/cdr { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-pro/common-api-pro.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-pro/common-api-pro.conf deleted file mode 100644 index ea22f7de..00000000 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-pro/common-api-pro.conf +++ /dev/null @@ -1,27 +0,0 @@ -################################# -# Common rules # -################################# -location /dashboard { - {rules_access_dashboard} - deny all; - rewrite ^/dashboard/(.*)$ /$1 break; - proxy_pass http://openviduserver/; -} - -location /inspector { - {rules_access_dashboard} - deny all; - proxy_pass http://openviduserver; -} - -location ~ /openvidu$ { - proxy_pass http://openviduserver; -} - -location /kibana { - {rules_access_dashboard} - deny all; - - rewrite ^/kibana/(.*)$ /$1 break; - proxy_pass http://kibana/; -} \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-pro/deprecated-api-pro.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-pro/deprecated-api-pro.conf deleted file mode 100644 index 95fe3481..00000000 
--- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-pro/deprecated-api-pro.conf +++ /dev/null @@ -1,59 +0,0 @@ -################################# -# Deprecated API # -################################# -# Openvidu Server -location /layouts/custom { - rewrite ^/layouts/custom/(.*)$ /custom-layout/$1 break; - root /opt/openvidu; -} - -location /recordings { - proxy_pass http://openviduserver; -} - -location /api { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} - -location /info { - {rules_access_dashboard} - deny all; - proxy_pass http://openviduserver; -} - -location /config { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} - -location /accept-certificate { - proxy_pass http://openviduserver; -} - -location /cdr { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} - -# Openvidu Server Pro -location /pro { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} - -location /api-login { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} - -location /elasticsearch { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-pro/new-api-pro.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-pro/new-api-pro.conf deleted file mode 100644 index ef33eba1..00000000 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/locations-pro/new-api-pro.conf +++ /dev/null 
@@ -1,46 +0,0 @@ -################################# -# New API # -################################# -# OpenVidu Server -location /openvidu/layouts { - rewrite ^/openvidu/layouts/(.*)$ /custom-layout/$1 break; - root /opt/openvidu; -} - -location /openvidu/recordings { - proxy_pass http://openviduserver; -} - -location /openvidu/api { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} - -location /openvidu/info { - {rules_access_dashboard} - deny all; - proxy_pass http://openviduserver; -} - -location /openvidu/accept-certificate { - proxy_pass http://openviduserver; -} - -location /openvidu/cdr { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} -# OpenVidu Server PRO -location /openvidu/elk { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} - -location /openvidu/inspector-api { - {rules_acess_api} - deny all; - proxy_pass http://openviduserver; -} \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/nginx_status.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/nginx_status.conf new file mode 100644 index 00000000..be33d323 --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/nginx_status.conf @@ -0,0 +1,5 @@ + location /nginx_status { + stub_status; + allow 127.0.0.1; #only allow requests from localhost + deny all; #deny all other hosts + } \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/common_api_pro.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/common_api_pro.conf new file mode 100644 index 00000000..6df8b233 --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/common_api_pro.conf 
@@ -0,0 +1,27 @@ + ################################# + # Common rules # + ################################# + location /dashboard { + {rules_access_dashboard} + deny all; + rewrite ^/dashboard/(.*)$ /$1 break; + proxy_pass http://openviduserver/; + } + + location /inspector { + {rules_access_dashboard} + deny all; + proxy_pass http://openviduserver; + } + + location ~ /openvidu$ { + proxy_pass http://openviduserver; + } + + location /kibana { + {rules_access_dashboard} + deny all; + + rewrite ^/kibana/(.*)$ /$1 break; + proxy_pass http://kibana/; + } \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/deprecated_api_pro.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/deprecated_api_pro.conf new file mode 100644 index 00000000..1c8a45eb --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/deprecated_api_pro.conf 
@@ -0,0 +1,59 @@ + ################################# + # Deprecated API # + ################################# + # Openvidu Server + location /layouts/custom { + rewrite ^/layouts/custom/(.*)$ /custom-layout/$1 break; + root /opt/openvidu; + } + + location /recordings { + proxy_pass http://openviduserver; + } + + location /api { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } + + location /info { + {rules_access_dashboard} + deny all; + proxy_pass http://openviduserver; + } + + location /config { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } + + location /accept-certificate { + proxy_pass http://openviduserver; + } + + location /cdr { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } + + # Openvidu Server Pro + location /pro { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } + + location /api-login { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } + + location /elasticsearch { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/new_api_pro.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/new_api_pro.conf new file mode 100644 index 00000000..ea426b5c --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/new_api_pro.conf 
@@ -0,0 +1,46 @@ + ################################# + # New API # + ################################# + # OpenVidu Server + location /openvidu/layouts { + rewrite ^/openvidu/layouts/(.*)$ /custom-layout/$1 break; + root /opt/openvidu; + } + + location /openvidu/recordings { + proxy_pass http://openviduserver; + } + + location /openvidu/api { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } + + location /openvidu/info { + {rules_access_dashboard} + deny all; + proxy_pass http://openviduserver; + } + + location /openvidu/accept-certificate { + proxy_pass http://openviduserver; + } + + location /openvidu/cdr { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } + # OpenVidu Server PRO + location /openvidu/elk { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } + + location /openvidu/inspector-api { + {rules_acess_api} + deny all; + proxy_pass http://openviduserver; + } \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/redirect_www.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/redirect_www.conf new file mode 100644 index 00000000..bd17a798 --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/redirect_www.conf @@ -0,0 +1,3 @@ + if ($host = www.{domain_name}) { + rewrite ^(.*) https://{domain_name}:{https_port}$1 permanent; + } \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/proxy.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/proxy.conf deleted file mode 100644 index 197cdab3..00000000 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/proxy.conf +++ /dev/null 
@@ -1,13 +0,0 @@ -# Proxy -proxy_set_header Host $host; -proxy_set_header X-Real-IP $remote_addr; -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -proxy_set_header X-Forwarded-Proto $scheme; -proxy_set_header X-Forwarded-Proto https; -proxy_headers_hash_bucket_size 512; -proxy_redirect off; - -# Websockets -proxy_http_version 1.1; -proxy_set_header Upgrade $http_upgrade; -proxy_set_header Connection "upgrade"; \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/proxy_config.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/proxy_config.conf new file mode 100644 index 00000000..9c3add1c --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/proxy_config.conf @@ -0,0 +1,13 @@ + # Proxy + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto https; + proxy_headers_hash_bucket_size 512; + proxy_redirect off; + + # Websockets + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/redirect_www_ssl.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/redirect_www_ssl.conf new file mode 100644 index 00000000..fd1c7803 --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/redirect_www_ssl.conf @@ -0,0 +1,18 @@ +server { + listen 443 ssl; + server_name www.{domain_name}; + + {ssl_config} + + {proxy_config} + + # Redirect to non-www + location / { + rewrite ^(.*) https://{domain_name}:{https_port}$1 permanent; + } + + # letsencrypt + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } +} \ No newline at end of file 
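Review bot: `X-Forwarded-Proto` is set twice in `proxy_config.conf`, once to `$scheme` and once to the literal `https`. As far as I know nginx emits one header per `proxy_set_header` directive, so the upstream probably receives two values and which one it honours depends on the backend. Since the file is being recreated anyway, keep a single line, for example only `proxy_set_header X-Forwarded-Proto $scheme;` if the block is only ever included in the TLS server.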
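Review bot: `listen 443 ssl;` in `redirect_www_ssl.conf` is hard-coded while every other server block in this change uses `{https_port}`, so with a non-default HTTPS port the www redirect server would bind 443 instead of the configured port, or collide with another service there. Use `listen {https_port} ssl;`. The block also reuses `{ssl_config}`, whose certificate paths are under `live/{domain_name}`; that certificate has to cover `www.{domain_name}` as well, otherwise clients see a name mismatch before the redirect is served, which cannot be verified from this diff.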
diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ssl.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ssl.conf deleted file mode 100644 index 38395628..00000000 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ssl.conf +++ /dev/null @@ -1,14 +0,0 @@ -# SSL Config -ssl_certificate /etc/letsencrypt/live/{domain_name}/fullchain.pem; -ssl_certificate_key /etc/letsencrypt/live/{domain_name}/privkey.pem; -ssl_trusted_certificate /etc/letsencrypt/live/{domain_name}/fullchain.pem; - -ssl_session_cache shared:SSL:50m; -ssl_session_timeout 5m; -ssl_stapling on; -ssl_stapling_verify on; - -ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; -ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; - -ssl_prefer_server_ciphers on; \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ssl_config.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ssl_config.conf new file mode 100644 index 00000000..ae29491c --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ssl_config.conf 
@@ -0,0 +1,14 @@ + # SSL Config + ssl_certificate /etc/letsencrypt/live/{domain_name}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{domain_name}/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/{domain_name}/fullchain.pem; + + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 5m; + ssl_stapling on; + ssl_stapling_verify on; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + ssl_prefer_server_ciphers on; \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default.conf index 510d59e6..7566442a 100644 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default.conf +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default.conf @@ -12,11 +12,15 @@ upstream openviduserver { server localhost:5443; } +{redirect_www_ssl} + server { # Redirect to https if ($host = {domain_name}) { rewrite ^(.*) https://{domain_name}:{https_port}$1 permanent; } # managed by Certbot + + {redirect_www} listen {http_port} default_server; server_name {domain_name}; @@ -38,6 +42,8 @@ server { rewrite ^/kibana/(.*)$ /$1 break; proxy_pass http://kibana/; } + + {nginx_status} } server { 
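Review bot: The new ssl_config.conf still enables `TLSv1` and `TLSv1.1` in `ssl_protocols`, and its `ssl_ciphers` string still lists the 3DES suites (`ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`). Both values are carried over unchanged from the deleted ssl.conf. This file is now the one template expanded into every `{ssl_config}` placeholder, including the new www redirect block, so the protocol floor can be raised in a single place with `ssl_protocols TLSv1.2 TLSv1.3;` and by removing the three `DES-CBC3` entries. If old clients must stay supported, a comment stating that reason next to the directive would record that the legacy protocols are deliberate.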
diff --git a/openvidu-server/docker/openvidu-proxy/entrypoint.sh b/openvidu-server/docker/openvidu-proxy/entrypoint.sh index e975e800..1b72f4e3 100755 --- a/openvidu-server/docker/openvidu-proxy/entrypoint.sh +++ b/openvidu-server/docker/openvidu-proxy/entrypoint.sh @@ -38,7 +38,10 @@ CERTIFICATES_CONF="${CERTIFICATES_LIVE_FOLDER}/certificates.conf" [ -z "${PROXY_HTTPS_PORT}" ] && export PROXY_HTTPS_PORT=443 [ -z "${WITH_APP}" ] && export WITH_APP=true [ -z "${SUPPORT_DEPRECATED_API}" ] && export SUPPORT_DEPRECATED_API=true +[ -z "${REDIRECT_WWW}" ] && export REDIRECT_WWW=false [ -z "${PROXY_MODE}" ] && export PROXY_MODE=CE +[ -z "${WORKER_CONNECTIONS}" ] && export WORKER_CONNECTIONS=10240 +[ -z "${PUBLIC_IP}" ] && export PUBLIC_IP=auto-ipv4 [ -z "${ALLOWED_ACCESS_TO_DASHBOARD}" ] && export ALLOWED_ACCESS_TO_DASHBOARD=all [ -z "${ALLOWED_ACCESS_TO_RESTAPI}" ] && export ALLOWED_ACCESS_TO_RESTAPI=all @@ -51,8 +54,10 @@ printf "\n" printf "\n Config NGINX:" printf "\n - Http Port: %s" "${PROXY_HTTP_PORT}" printf "\n - Https Port: %s" "${PROXY_HTTPS_PORT}" +printf "\n - Worker Connections: %s" "${WORKER_CONNECTIONS}" printf "\n - Allowed Access in Openvidu Dashboard: %s" "${ALLOWED_ACCESS_TO_DASHBOARD}" printf "\n - Allowed Access in Openvidu API: %s" "${ALLOWED_ACCESS_TO_RESTAPI}" +printf "\n - Redirect www to non-www: %s" "${REDIRECT_WWW}" printf "\n" printf "\n Config Openvidu Application:" printf "\n - Domain name: %s" "${DOMAIN_OR_PUBLIC_IP}" @@ -67,6 +72,9 @@ printf "\n = CONFIGURATION NGINX =" printf "\n =======================================" printf "\n" +# Override worker connections +sed -i "s/{worker_connections}/${WORKER_CONNECTIONS}/g" /etc/nginx/nginx.conf + printf "\n Configure %s domain..." "${DOMAIN_OR_PUBLIC_IP}" OLD_DOMAIN_OR_PUBLIC_IP=$(head -n 1 "${CERTIFICATES_CONF}" | cut -f1 -d$'\t') CERTIFICATED_OLD_CONFIG=$(head -n 1 "${CERTIFICATES_CONF}" | cut -f2 -d$'\t') 
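Review bot: `WORKER_CONNECTIONS` is taken from the environment and spliced straight into the sed program in the third hunk (`sed -i "s/{worker_connections}/${WORKER_CONNECTIONS}/g" /etc/nginx/nginx.conf`) without being checked. A value containing `/` or `&` changes the substitution, and any non-numeric value leaves nginx.conf with an invalid `worker_connections` directive, which only surfaces later when nginx fails to start. A guard ahead of the sed call keeps the failure close to its cause: `[[ "${WORKER_CONNECTIONS}" =~ ^[0-9]+$ ]] || { printf "\n WORKER_CONNECTIONS must be a positive integer\n"; exit 1; }`.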
@@ -74,9 +82,9 @@ CERTIFICATED_OLD_CONFIG=$(head -n 1 "${CERTIFICATES_CONF}" | cut -f2 -d$'\t') printf "\n - New configuration: %s %s" "${CERTIFICATE_TYPE}" "${DOMAIN_OR_PUBLIC_IP}" if [ -z "${CERTIFICATED_OLD_CONFIG}" ]; then - printf "\n - Old configuration: none" + printf "\n - Old configuration: none\n" else - printf "\n - Old configuration: %s %s" "${CERTIFICATED_OLD_CONFIG}" "${OLD_DOMAIN_OR_PUBLIC_IP}" + printf "\n - Old configuration: %s %s\n" "${CERTIFICATED_OLD_CONFIG}" "${OLD_DOMAIN_OR_PUBLIC_IP}" if [ "${CERTIFICATED_OLD_CONFIG}" != "${CERTIFICATE_TYPE}" ] || \ [ "${OLD_DOMAIN_OR_PUBLIC_IP}" != "${DOMAIN_OR_PUBLIC_IP}" ]; then 
@@ -161,34 +169,14 @@ chmod -R 777 /etc/letsencrypt # Use certificates in folder '/default_nginx_conf' if [ "${PROXY_MODE}" == "CE" ]; then - if [ "${WITH_APP}" == "true" ] && [ "${SUPPORT_DEPRECATED_API}" == "true" ]; then - mv /default_nginx_conf/ce/support_deprecated_api/default-app.conf /default_nginx_conf/default-app.conf - elif [ "${WITH_APP}" == "true" ] && [ "${SUPPORT_DEPRECATED_API}" == "false" ]; then - mv /default_nginx_conf/ce/default-app.conf /default_nginx_conf/default-app.conf - elif [ "${WITH_APP}" == "false" ] && [ "${SUPPORT_DEPRECATED_API}" == "true" ]; then - mv /default_nginx_conf/ce/support_deprecated_api/default-app-without-demos.conf /default_nginx_conf/default-app.conf - elif [ "${WITH_APP}" == "false" ] && [ "${SUPPORT_DEPRECATED_API}" == "false" ]; then - mv /default_nginx_conf/ce/default-app-without-demos.conf /default_nginx_conf/default-app.conf - fi - mv /default_nginx_conf/ce/default.conf /default_nginx_conf/default.conf - - rm -rf /default_nginx_conf/ce - rm -rf /default_nginx_conf/pro + # Remove previous configuration + [[ -f /default_nginx_conf/default.conf ]] && rm /default_nginx_conf/default.conf + cp /default_nginx_conf/ce/default.conf /default_nginx_conf/default.conf fi if [ "${PROXY_MODE}" == "PRO" ]; then - if [ "${WITH_APP}" == "true" ] && [ "${SUPPORT_DEPRECATED_API}" == "true" ]; then - mv /default_nginx_conf/pro/support_deprecated_api/default.conf /default_nginx_conf/default.conf - elif [ "${WITH_APP}" == "true" ] && [ "${SUPPORT_DEPRECATED_API}" == "false" ]; then - mv /default_nginx_conf/pro/default.conf /default_nginx_conf/default.conf - elif [ "${WITH_APP}" == "false" ] && [ "${SUPPORT_DEPRECATED_API}" == "true" ]; then - mv /default_nginx_conf/pro/support_deprecated_api/default-app-without-demos.conf /default_nginx_conf/default.conf - elif [ "${WITH_APP}" == "false" ] && [ "${SUPPORT_DEPRECATED_API}" == "false" ]; then - mv /default_nginx_conf/pro/default-app-without-demos.conf /default_nginx_conf/default.conf - fi 
- - rm -rf /default_nginx_conf/ce - rm -rf /default_nginx_conf/pro +[[ -f /default_nginx_conf/default.conf ]] && rm /default_nginx_conf/default.conf + cp /default_nginx_conf/pro/default.conf /default_nginx_conf/default.conf fi # Create index.html 
@@ -199,7 +187,50 @@ EOF # Load nginx conf files rm /etc/nginx/conf.d/* -cp /default_nginx_conf/* /etc/nginx/conf.d +cp /default_nginx_conf/default* /etc/nginx/conf.d + +# Replace config files +sed -e '/{ssl_config}/{r default_nginx_conf/global/ssl_config.conf' -e 'd}' -i /etc/nginx/conf.d/* +sed -e '/{proxy_config}/{r default_nginx_conf/global/proxy_config.conf' -e 'd}' -i /etc/nginx/conf.d/* +sed -e '/{nginx_status}/{r default_nginx_conf/global/nginx_status.conf' -e 'd}' -i /etc/nginx/conf.d/* +sed -e '/{common_api_ce}/{r default_nginx_conf/global/ce/common_api_ce.conf' -e 'd}' -i /etc/nginx/conf.d/* +sed -e '/{new_api_ce}/{r default_nginx_conf/global/ce/new_api_ce.conf' -e 'd}' -i /etc/nginx/conf.d/* +sed -e '/{common_api_pro}/{r default_nginx_conf/global/pro/common_api_pro.conf' -e 'd}' -i /etc/nginx/conf.d/* +sed -e '/{new_api_pro}/{r default_nginx_conf/global/pro/new_api_pro.conf' -e 'd}' -i /etc/nginx/conf.d/* + +if [[ "${WITH_APP}" == "true" ]]; then + sed -e '/{app_upstream}/{r default_nginx_conf/global/app_upstream.conf' -e 'd}' -i /etc/nginx/conf.d/* + sed -e '/{app_config}/{r default_nginx_conf/global/app_config.conf' -e 'd}' -i /etc/nginx/conf.d/* +elif [[ "${WITH_APP}" == "false" ]]; then + sed -i '/{app_upstream}/d' /etc/nginx/conf.d/* + sed -e '/{app_config}/{r default_nginx_conf/global/app_config_default.conf' -e 'd}' -i /etc/nginx/conf.d/* +fi + +if [[ "${SUPPORT_DEPRECATED_API}" == "true" ]]; then + sed -e '/{deprecated_api_ce}/{r default_nginx_conf/global/ce/deprecated_api_ce.conf' -e 'd}' -i /etc/nginx/conf.d/* + sed -e '/{deprecated_api_pro}/{r default_nginx_conf/global/pro/deprecated_api_pro.conf' -e 'd}' -i /etc/nginx/conf.d/* +elif [[ "${SUPPORT_DEPRECATED_API}" == "false" ]]; then + sed -i '/{deprecated_api_ce}/d' /etc/nginx/conf.d/* + sed -i '/{deprecated_api_pro}/d' /etc/nginx/conf.d/* +fi + +if [[ "${REDIRECT_WWW}" == "true" ]]; then + sed -e '/{redirect_www_ssl}/{r default_nginx_conf/global/redirect_www_ssl.conf' -e 'd}' -i 
/etc/nginx/conf.d/* + if [[ "${PROXY_MODE}" == "CE" ]]; then + sed -e '/{redirect_www}/{r default_nginx_conf/global/ce/redirect_www.conf' -e 'd}' -i /etc/nginx/conf.d/* + fi + + if [ "${PROXY_MODE}" == "PRO" ]; then + sed -e '/{redirect_www}/{r default_nginx_conf/global/pro/redirect_www.conf' -e 'd}' -i /etc/nginx/conf.d/* + fi +elif [[ "${REDIRECT_WWW}" == "false" ]]; then + sed -i '/{redirect_www}/d' /etc/nginx/conf.d/* + sed -i '/{redirect_www_ssl}/d' /etc/nginx/conf.d/* +fi + +# Process main configs +sed -e '/{ssl_config}/{r default_nginx_conf/global/ssl_config.conf' -e 'd}' -i /etc/nginx/conf.d/* +sed -e '/{proxy_config}/{r default_nginx_conf/global/proxy_config.conf' -e 'd}' -i /etc/nginx/conf.d/* sed -i "s/{domain_name}/${DOMAIN_OR_PUBLIC_IP}/g" /etc/nginx/conf.d/* sed -i "s/{http_port}/${PROXY_HTTP_PORT}/g" /etc/nginx/conf.d/* sed -i "s/{https_port}/${PROXY_HTTPS_PORT}/g" /etc/nginx/conf.d/* @@ -212,8 +243,6 @@ printf "\n =======================================" printf "\n" printf "\n Adding rules..." -LOCAL_NETWORKS=$(ip route list | grep -Eo '([0-9]*\.){3}[0-9]*/[0-9]*') -PUBLIC_IP=$(/usr/local/bin/discover_my_public_ip.sh) valid_ip_v4() { 
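Review bot: Every `r` command in the hunk that starts at `@@ -199,7 +187,50 @@` reads `default_nginx_conf/global/...` as a relative path, while the `cp` lines around it use the absolute `/default_nginx_conf/...`. sed ignores an `r` file it cannot read and the following `d` still deletes the placeholder line, so if the entrypoint's working directory is not `/` the TLS, proxy and API fragments are dropped without any error. Whether the image guarantees that working directory is not visible in this diff. Absolute paths remove the dependency, e.g. `sed -e '/{ssl_config}/{r /default_nginx_conf/global/ssl_config.conf' -e 'd}' -i /etc/nginx/conf.d/*`. The `elif [[ ... == "false" ]]` branches also mean any other value of `WITH_APP`, `SUPPORT_DEPRECATED_API` or `REDIRECT_WWW` leaves the raw `{...}` placeholders in the generated config, which a plain `else` would avoid.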
@@ -237,6 +266,23 @@ valid_ip_v6() fi } +LOCAL_NETWORKS=$(ip route list | grep -Eo '([0-9]*\.){3}[0-9]*/[0-9]*') +if [[ "${PUBLIC_IP}" == "auto-ipv4" ]]; then + PUBLIC_IP=$(/usr/local/bin/discover_my_public_ip.sh) + printf "\n - Public IPv4 for rules: %s" "$PUBLIC_IP" +elif [[ "${PUBLIC_IP}" == "auto-ipv6" ]]; then + PUBLIC_IP=$(/usr/local/bin/discover_my_public_ip.sh --ipv6) + printf "\n - Public IPv6 for rules: %s" "$PUBLIC_IP" +else + if valid_ip_v4 "$PUBLIC_IP"; then + printf "\n - Valid defined public IPv4: %s" "$PUBLIC_IP" + elif valid_ip_v6 "$PUBLIC_IP"; then + printf "\n - Valid defined public IPv6: %s" "$PUBLIC_IP" + else + printf "\n - Not valid defined IP Address: %s" "$PUBLIC_IP" + fi +fi + if [ "${ALLOWED_ACCESS_TO_DASHBOARD}" != "all" ]; then IFS=',' for IP in $(echo "${ALLOWED_ACCESS_TO_DASHBOARD}" | tr -d '[:space:]') @@ -302,7 +348,7 @@ else fi if [ "${RULES_DASHBOARD}" != "allow all;" ]; then - if ! echo "${RULES_DASHBOARD}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP" || valid_ip_v6 "$IP"; then + if ! echo "${RULES_DASHBOARD}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP" || valid_ip_v6 "$PUBLIC_IP"; then RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $PUBLIC_IP;" fi @@ -320,7 +366,7 @@ if [ "${RULES_DASHBOARD}" != "allow all;" ]; then fi if [ "${RULES_RESTAPI}" != "allow all;" ]; then - if ! echo "${RULES_RESTAPI}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP" || valid_ip_v6 "$IP"; then + if ! echo "${RULES_RESTAPI}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP" || valid_ip_v6 "$PUBLIC_IP"; then RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $PUBLIC_IP;" fi diff --git a/openvidu-server/docker/openvidu-proxy/nginx.conf b/openvidu-server/docker/openvidu-proxy/nginx.conf new file mode 100644 index 00000000..8e1d6549 --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/nginx.conf 
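Review bot: In the `RULES_DASHBOARD` condition, `! echo ... | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP" || valid_ip_v6 "$PUBLIC_IP"` does not group the way it reads. `&&` and `||` have equal precedence in shell lists and associate left, so this is `(not-present && v4) || v6`, and a valid IPv6 `PUBLIC_IP` is appended as an `allow` rule even when it is already in the list. Bracing the alternatives restores the intent: `if ! echo "${RULES_DASHBOARD}" | grep -qF -- "$PUBLIC_IP" && { valid_ip_v4 "$PUBLIC_IP" || valid_ip_v6 "$PUBLIC_IP"; }; then`. The added `-F` makes grep treat the dots in the address literally instead of as regex wildcards. The `RULES_RESTAPI` hunk that follows has the same condition and needs the same change.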
@@ -0,0 +1,32 @@ +user nginx; +worker_processes auto; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + + +events { + worker_connections {worker_connections}; +} + + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/vhost.d/*.conf; +} \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/test.sh b/openvidu-server/docker/openvidu-proxy/test.sh deleted file mode 100644 index e69de29b..00000000 diff --git a/openvidu-server/docker/openvidu-server-pro/entrypoint.sh b/openvidu-server/docker/openvidu-server-pro/entrypoint.sh index 468e4812..6aca96dc 100755 --- a/openvidu-server/docker/openvidu-server-pro/entrypoint.sh +++ b/openvidu-server/docker/openvidu-server-pro/entrypoint.sh @@ -23,6 +23,14 @@ printf "\n = LAUNCH OPENVIDU-SERVER =" printf "\n =======================================" printf "\n" +# Get coturn public ip +[[ -z ${COTURN_IP} ]] && export COTURN_IP=auto-ipv4 +if [[ -z "${COTURN_IP}" == "auto-ipv4" ]]; then + COTURN_IP=$(/usr/local/bin/discover_my_public_ip.sh) +elif [[ -z "${COTURN_IP}" == "auto-ipv6" ]]; then + COTURN_IP=$(/usr/local/bin/discover_my_public_ip.sh --ipv6) +fi + if [ ! -z "${JAVA_OPTIONS}" ]; then printf "\n Using java options: %s" "${JAVA_OPTIONS}" fi diff --git a/openvidu-server/docker/openvidu-server/entrypoint.sh b/openvidu-server/docker/openvidu-server/entrypoint.sh index be6b71d0..624fe7f8 100644 --- a/openvidu-server/docker/openvidu-server/entrypoint.sh +++ b/openvidu-server/docker/openvidu-server/entrypoint.sh 
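Review bot: In openvidu-server-pro/entrypoint.sh the added test `[[ -z "${COTURN_IP}" == "auto-ipv4" ]]` is not a valid conditional expression, because `-z` is a unary operator and cannot be followed by `==`. Bash should reject both the `if` and the `elif` line, so the auto-discovery never runs and the entrypoint most likely aborts at this point. Dropping `-z` gives the intended comparison: `if [[ "${COTURN_IP}" == "auto-ipv4" ]]; then` and `elif [[ "${COTURN_IP}" == "auto-ipv6" ]]; then`. The identical block is added to openvidu-server/entrypoint.sh in the next hunk and needs the same fix. discover_my_public_ip.sh now exits 1 with nothing on stdout when every provider fails, so the result should also be checked for emptiness before the server is started with it.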
@@ -6,6 +6,14 @@ printf "\n = LAUNCH OPENVIDU-SERVER =" printf "\n =======================================" printf "\n" +# Get coturn public ip +[[ -z ${COTURN_IP} ]] && export COTURN_IP=auto-ipv4 +if [[ -z "${COTURN_IP}" == "auto-ipv4" ]]; then + COTURN_IP=$(/usr/local/bin/discover_my_public_ip.sh) +elif [[ -z "${COTURN_IP}" == "auto-ipv6" ]]; then + COTURN_IP=$(/usr/local/bin/discover_my_public_ip.sh --ipv6) +fi + if [ ! -z "${JAVA_OPTIONS}" ]; then printf "\n Using java options: %s" "${JAVA_OPTIONS}" fi diff --git a/openvidu-server/docker/utils/discover_my_public_ip.sh b/openvidu-server/docker/utils/discover_my_public_ip.sh index b42b3a97..e8227993 100755 --- a/openvidu-server/docker/utils/discover_my_public_ip.sh +++ b/openvidu-server/docker/utils/discover_my_public_ip.sh 
@@ -1,47 +1,116 @@ -#!/bin/bash +#!/usr/bin/env bash -# Check if a txt is a valid ip -function valid_ip() -{ - local ip=$1 - local stat=1 +#/ Use DNS to find out about the external IP of the running system. +#/ +#/ This script is useful when running from a machine that sits behind a NAT. +#/ Due to how NAT works, machines behind it belong to an internal or private +#/ subnet, with a different address space than the external or public side. +#/ +#/ Typically it is possible to make an HTTP request to a number of providers +#/ that offer the external IP in their response body (eg: ifconfig.me). However, +#/ why do a slow and heavy HTTP request, when DNS exists and is much faster? +#/ Well established providers such as OpenDNS or Google offer special hostnames +#/ that, when resolved, will actually return the IP address of the caller. +#/ +#/ https://unix.stackexchange.com/questions/22615/how-can-i-get-my-external-ip-address-in-a-shell-script/81699#81699 +#/ +#/ +#/ Arguments +#/ --------- +#/ +#/ --ipv4 +#/ +#/ Find the external IPv4 address. +#/ Optional. Default: Enabled. +#/ +#/ --ipv6 +#/ +#/ Find the external IPv6 address. +#/ Optional. Default: Disabled. - if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then - OIFS=$IFS - IFS='.' - ip=($ip) - IFS=$OIFS - [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \ - && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]] - stat=$? - fi - return $stat + + +# Shell setup +# =========== + +# Bash options for strict error checking. +set -o errexit -o errtrace -o pipefail -o nounset + +# Trace all commands (to stderr). +#set -o xtrace + +# Trap function for unhandled errors. 
+function on_error() { + echo "[getmyip] ERROR ($?)" >&2 + exit 1 } +trap on_error ERR -# Services to get public ip -SERVICES=( - "curl --silent -sw :%{http_code} ipv4.icanhazip.com" - "curl --silent -sw :%{http_code} ifconfig.me" - "curl --silent -sw :%{http_code} -4 ifconfig.co" - "curl --silent -sw :%{http_code} ipecho.net/plain" - "curl --silent -sw :%{http_code} ipinfo.io/ip" - "curl --silent -sw :%{http_code} checkip.amazonaws.com" - "curl --silent -sw :%{http_code} v4.ident.me" -) -# Get public ip -for service in "${SERVICES[@]}"; do - RUN_COMMAND=$($service | tr -d '[:space:]') - IP=$(echo "$RUN_COMMAND" | cut -d':' -f1) - HTTP_CODE=$(echo "$RUN_COMMAND" | cut -d':' -f2) - if [ "$HTTP_CODE" == "200" ]; then - if valid_ip "$IP"; then - printf "%s" "$IP" - exit 0 - fi +# Parse call arguments +# ==================== + +CFG_IPV4="true" +CFG_IPV6="false" + +while [[ $# -gt 0 ]]; do + case "${1-}" in + --ipv4) + CFG_IPV4="true" + CFG_IPV6="false" + ;; + --ipv6) + CFG_IPV4="false" + CFG_IPV6="true" + ;; + *) + echo "Invalid argument: '${1-}'" >&2 + exit 1 + ;; + esac + shift +done + + + +# Obtain the external IP address +# ============================== + +if [[ "$CFG_IPV4" == "true" ]]; then + COMMANDS=( + 'dig @resolver1.opendns.com myip.opendns.com A -4 +short' + 'dig @ns1.google.com o-o.myaddr.l.google.com TXT -4 +short | tr -d \"' + 'dig @1.1.1.1 whoami.cloudflare TXT CH -4 +short | tr -d \"' + 'dig @ns1-1.akamaitech.net whoami.akamai.net A -4 +short' + ) + + function is_valid_ip() { + # Check if the input looks like an IPv4 address. + # Doesn't check if the actual values are valid; assumes they are. 
+ echo "$1" | grep --perl-regexp --quiet '^(\d{1,3}\.){3}\d{1,3}$' + } +elif [[ "$CFG_IPV6" == "true" ]]; then + COMMANDS=( + 'dig @resolver1.opendns.com myip.opendns.com AAAA -6 +short' + 'dig @ns1.google.com o-o.myaddr.l.google.com TXT -6 +short | tr -d \"' + 'dig @2606:4700:4700::1111 whoami.cloudflare TXT CH -6 +short | tr -d \"' + ) + + function is_valid_ip() { + # Check if the input looks like an IPv6 address. + # It's almost impossible to check the IPv6 representation because it + # varies wildly, so just check that there are at least 2 colons. + [[ "$(echo "$1" | awk -F':' '{print NF-1}')" -ge 2 ]] + } +fi + +for COMMAND in "${COMMANDS[@]}"; do + if IP="$(eval "$COMMAND")" && is_valid_ip "$IP"; then + echo "$IP" + exit 0 fi done -printf "error" -exit 0 \ No newline at end of file +echo "[getmyip] All providers failed" >&2 +exit 1 \ No newline at end of file
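Review bot: The IPv4 `is_valid_ip` only checks the dotted shape, so a value such as `999.999.999.999` passes, whereas the removed `valid_ip` compared each octet against 255. Because `grep --quiet` succeeds when any input line matches, a multi-record answer would also be echoed whole. The proxy entrypoint writes this output into `allow $PUBLIC_IP;` rules and the answers arrive over plain DNS, so it is worth keeping the octet range check and accepting only a single-line result before `echo "$IP"`. The `COMMANDS` entries are constants, so the `eval` is not fed external input here, but one small function per provider would remove the need for it. The `dig` calls also set no `+time=`/`+tries=`, so an unreachable resolver delays container start by dig's default timeouts for each provider.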