diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default-app-without-demos.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default-app-without-demos.conf new file mode 100644 index 00000000..69b6ab22 --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default-app-without-demos.conf @@ -0,0 +1,83 @@ +# Your app +#upstream yourapp { +# server localhost:5442; +#} + +upstream openviduserver { + server localhost:5443; +} + +server { + listen 443 ssl; + server_name {domain_name}; + + ssl_certificate /etc/letsencrypt/live/{domain_name}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{domain_name}/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/{domain_name}/fullchain.pem; + + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 5m; + ssl_stapling on; + ssl_stapling_verify on; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + ssl_prefer_server_ciphers on; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto https; + proxy_headers_hash_bucket_size 512; + proxy_redirect off; + + # Websockets + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Welcome + root /var/www/html; + + # Your app + #location / { + # proxy_pass http://yourapp; # Openvidu call by default + #} + + # Openvidu Server + location /layouts/custom { + rewrite ^/layouts/custom/(.*)$ /custom-layout/$1 break; + root /opt/openvidu; + } + + location /api { + proxy_pass http://openviduserver; + } + + location /openvidu { + proxy_pass http://openviduserver; + } + + location /info { + proxy_pass http://openviduserver; + } + + location /config { + proxy_pass http://openviduserver; + } + + location /accept-certificate { + proxy_pass http://openviduserver; + } + + location /cdr { + proxy_pass http://openviduserver; + } + + location /dashboard { + rewrite ^/dashboard/(.*)$ /$1 break; + proxy_pass http://openviduserver/; + } +} diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/default-app.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default-app.conf similarity index 82% rename from openvidu-server/docker/openvidu-proxy/default_nginx_conf/default-app.conf rename to openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default-app.conf index b26bc04e..f4e0d4ef 100644 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/default-app.conf +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default-app.conf @@ -1,3 +1,4 @@ +# Openvidu call upstream yourapp { server localhost:5442; } @@ -37,12 +38,20 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - # Your App + # Welcome + #root /var/www/html; + + # Your app location / { - proxy_pass http://yourapp; + proxy_pass http://yourapp; # Openvidu call by default } # Openvidu Server + location /layouts/custom { + rewrite ^/layouts/custom/(.*)$ /custom-layout/$1 break; + root /opt/openvidu; + } + location /api { proxy_pass http://openviduserver; } @@ -59,8 +68,16 @@ server { proxy_pass http://openviduserver; } + location /accept-certificate { + proxy_pass http://openviduserver; + } + + location /cdr { + proxy_pass http://openviduserver; + } + location /dashboard { rewrite ^/dashboard/(.*)$ /$1 break; proxy_pass http://openviduserver/; } -} \ No newline at end of file +} diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/default.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default.conf similarity index 83% rename from openvidu-server/docker/openvidu-proxy/default_nginx_conf/default.conf rename to openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default.conf index bd2ebb3a..5abb9252 100644 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/default.conf +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/ce/default.conf @@ -2,11 +2,13 @@ server { listen 80; server_name {domain_name}; + # Redirect to https location / { return 301 https://$host$request_uri; } + # letsencrypt location /.well-known/acme-challenge/ { root /var/www/certbot; } -} \ No newline at end of file +} diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default-app-without-demos.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default-app-without-demos.conf new file mode 100644 index 00000000..68cc5993 --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default-app-without-demos.conf @@ -0,0 +1,136 @@ +add_header X-Frame-Options SAMEORIGIN; +add_header X-Content-Type-Options nosniff; +add_header X-XSS-Protection "1; mode=block"; + +upstream kibana { + server localhost:5601; +} + +upstream openviduserver { + server localhost:5443; +} + +server { + # Redirect to https + if ($host = {domain_name}) { + return 301 https://$host$request_uri; + } # managed by Certbot + + listen 80 default_server; + server_name {domain_name}; + + # letsencrypt + location /.well-known/acme-challenge { + root /var/www/certbot; + try_files $uri $uri/ =404; + } + + # Kibana panel + location /kibana { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + + rewrite ^/kibana/(.*)$ /$1 break; + proxy_pass http://kibana/; + } +} + +server { + listen 443 ssl default deferred; + server_name {domain_name}; + + ssl_certificate /etc/letsencrypt/live/{domain_name}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{domain_name}/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/{domain_name}/fullchain.pem; + + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 5m; + ssl_stapling on; + ssl_stapling_verify on; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + ssl_prefer_server_ciphers on; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto https; + proxy_headers_hash_bucket_size 512; + proxy_redirect off; + + # Websockets + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Welcome + root /var/www/html; + + # Kibana panel + location /kibana { + auth_basic "Openvidu Monitoring"; + auth_basic_user_file /etc/nginx/kibana.htpasswd; + + rewrite ^/kibana/(.*)$ /$1 break; + proxy_pass http://kibana/; + } + + # Openvidu Server + location /layouts/custom { + rewrite ^/layouts/custom/(.*)$ /custom-layout/$1 break; + root /opt/openvidu; + } + + location /api { + proxy_pass http://openviduserver; + } + + location /openvidu { + proxy_pass http://openviduserver; + } + + location /info { + proxy_pass http://openviduserver; + } + + location /config { + proxy_pass http://openviduserver; + } + + location /accept-certificate { + proxy_pass http://openviduserver; + } + + location /dashboard { + rewrite ^/dashboard/(.*)$ /$1 break; + proxy_pass http://openviduserver/; + } + + # Openvidu Server Pro + location /cdr { + proxy_pass http://openviduserver; + } + + location /pro { + proxy_pass http://openviduserver; + } + + location /api-login { + proxy_pass http://openviduserver; + } + + location /elasticsearch { + proxy_pass http://openviduserver; + } + + location /inspector { + rewrite ^/inspector/(.*)$ /$1 break; + proxy_pass http://openviduserver/; + } +} diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default.conf new file mode 100644 index 00000000..a168dd1e --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default.conf @@ -0,0 +1,146 @@ +add_header X-Frame-Options SAMEORIGIN; +add_header X-Content-Type-Options nosniff; +add_header X-XSS-Protection "1; mode=block"; + +# Openvidu call +upstream yourapp { + server localhost:5442; +} + +upstream kibana { + server localhost:5601; +} + +upstream openviduserver { + server localhost:5443; +} + +server { + # Redirect to https + if ($host = {domain_name}) { + return 301 https://$host$request_uri; + } # managed by Certbot + + listen 80 default_server; + server_name {domain_name}; + + # letsencrypt + location /.well-known/acme-challenge { + root /var/www/certbot; + try_files $uri $uri/ =404; + } + + # Kibana panel + location /kibana { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + + rewrite ^/kibana/(.*)$ /$1 break; + proxy_pass http://kibana/; + } +} + +server { + listen 443 ssl default deferred; + server_name {domain_name}; + + ssl_certificate /etc/letsencrypt/live/{domain_name}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{domain_name}/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/{domain_name}/fullchain.pem; + + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 5m; + ssl_stapling on; + ssl_stapling_verify on; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + ssl_prefer_server_ciphers on; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto https; + proxy_headers_hash_bucket_size 512; + proxy_redirect off; + + # Websockets + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Welcome + #root /var/www/html; + + # Your app + location / { + proxy_pass http://yourapp; # Openvidu call by default + } + + # Kibana panel + location /kibana { + auth_basic "Openvidu Monitoring"; + auth_basic_user_file /etc/nginx/kibana.htpasswd; + + rewrite ^/kibana/(.*)$ /$1 break; + proxy_pass http://kibana/; + } + + # Openvidu Server + location /layouts/custom { + rewrite ^/layouts/custom/(.*)$ /custom-layout/$1 break; + root /opt/openvidu; + } + + location /api { + proxy_pass http://openviduserver; + } + + location /openvidu { + proxy_pass http://openviduserver; + } + + location /info { + proxy_pass http://openviduserver; + } + + location /config { + proxy_pass http://openviduserver; + } + + location /accept-certificate { + proxy_pass http://openviduserver; + } + + location /dashboard { + rewrite ^/dashboard/(.*)$ /$1 break; + proxy_pass http://openviduserver/; + } + + # Openvidu Server Pro + location /cdr { + proxy_pass http://openviduserver; + } + + location /pro { + proxy_pass http://openviduserver; + } + + location /api-login { + proxy_pass http://openviduserver; + } + + location /elasticsearch { + proxy_pass http://openviduserver; + } + + location /inspector { + rewrite ^/inspector/(.*)$ /$1 break; + proxy_pass http://openviduserver/; + } +} diff --git a/openvidu-server/docker/openvidu-proxy/entrypoint.sh b/openvidu-server/docker/openvidu-proxy/entrypoint.sh index 9a964ce4..13d68ef2 100644 --- a/openvidu-server/docker/openvidu-proxy/entrypoint.sh +++ b/openvidu-server/docker/openvidu-proxy/entrypoint.sh @@ -7,28 +7,23 @@ service nginx start echo "Domain name: ${DOMAIN_OR_PUBLIC_IP}" echo "Certificated: ${CERTIFICATE_TYPE}" echo "Letsencrypt Email: ${LETSENCRYPT_EMAIL}" - -if [ -z "${NGINX_CONF}" ]; then - NGINX_CONF=default -fi - -echo "NGINX Conf: ${NGINX_CONF}" +echo "Proxy mode: ${PROXY_MODE:-CE}" +echo "Demos mode: ${WITH_DEMOS:-true}" case ${CERTIFICATE_TYPE} in "selfsigned") echo "===Mode selfsigned===" - DOMAIN_OR_PUBLIC_IP="openvidu" - if [[ ! -f "/etc/letsencrypt/live/openvidu/privkey.pem" && ! -f "/etc/letsencrypt/live/openvidu/fullchain.pem" ]]; then + if [[ ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then echo "Generating certificated..." rm -rf /etc/letsencrypt/live/* - mkdir -p /etc/letsencrypt/live/openvidu + mkdir -p /etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP} openssl req -new -nodes -x509 \ - -subj "/CN=openvidu" -days 365 \ - -keyout /etc/letsencrypt/live/openvidu/privkey.pem -out /etc/letsencrypt/live/openvidu/fullchain.pem -extensions v3_ca + -subj "/CN=${DOMAIN_OR_PUBLIC_IP}" -days 365 \ + -keyout /etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem -out /etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem -extensions v3_ca else echo "The certificate already exists, using them..." fi @@ -69,14 +64,40 @@ esac # All permission certificated folder chmod -R 777 /etc/letsencrypt -if [ "${NGINX_CONF}" == "custom" ]; then - rm /etc/nginx/conf.d/* - cp /custom_nginx_conf/* /etc/nginx/conf.d -else - rm /etc/nginx/conf.d/* - cp /default_nginx_conf/* /etc/nginx/conf.d +# Use certificates in folder '/default_nginx_conf' +if [ "${PROXY_MODE}" == "CE" ]; then + if [ "${WITH_DEMOS}" == "true" ]; then + mv /default_nginx_conf/ce/default-app.conf /default_nginx_conf/default-app.conf + mv /default_nginx_conf/ce/default.conf /default_nginx_conf/default.conf + else + mv /default_nginx_conf/ce/default-app-without-demos.conf /default_nginx_conf/default-app.conf + mv /default_nginx_conf/ce/default.conf /default_nginx_conf/default.conf + fi + + rm -rf /default_nginx_conf/ce + rm -rf /default_nginx_conf/pro fi +if [ "${PROXY_MODE}" == "PRO" ]; then + if [ "${WITH_DEMOS}" == "true" ]; then + mv /default_nginx_conf/pro/default.conf /default_nginx_conf/default.conf + else + mv /default_nginx_conf/pro/default-app-without-demos.conf /default_nginx_conf/default.conf + fi + + rm -rf /default_nginx_conf/ce + rm -rf /default_nginx_conf/pro +fi + +# Create index.html +mkdir -p /var/www/html +cat> /var/www/html/index.html<