ambiser
/
openvidu
mirror of https://github.com/OpenVidu/openvidu.git
8
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

openvidu proxy updated

pull/463/head
OscarSotoSanchez 2020-05-04 13:35:21 +02:00
parent 7234c30c09
commit dfda7b2a86
3 changed files with 165 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
openvidu-server/docker/openvidu-docker-compose/docker-compose.yml
View File

@ -67,7 +67,7 @@ services:
- MAX_PORT=65535 - MAX_PORT=65535
nginx: nginx:
image: openvidu/openvidu-proxy:2.0.0-beta2 image: openvidu/openvidu-proxy:2.0.0-beta3
restart: on-failure restart: on-failure
network_mode: host network_mode: host
volumes: volumes:
@ -83,4 +83,4 @@ services:
- ALLOWED_ACCESS_TO_DASHBOARD=${ALLOWED_ACCESS_TO_DASHBOARD:-} - ALLOWED_ACCESS_TO_DASHBOARD=${ALLOWED_ACCESS_TO_DASHBOARD:-}
- ALLOWED_ACCESS_TO_RESTAPI=${ALLOWED_ACCESS_TO_RESTAPI:-} - ALLOWED_ACCESS_TO_RESTAPI=${ALLOWED_ACCESS_TO_RESTAPI:-}
- PROXY_MODE=CE - PROXY_MODE=CE
- WITH_DEMOS=true - WITH_APP=true

9
openvidu-server/docker/openvidu-proxy/Dockerfile
View File

@ -2,11 +2,10 @@ FROM nginx:1.18.0-alpine
# Install required software # Install required software
RUN apk update && \ RUN apk update && \
apk add bash && \ apk add bash \
apk add certbot && \ certbot \
apk add openssl && \ openssl \
apk add apache2-utils && \ apache2-utils && \
apk add ipcalc && \
rm -rf /var/cache/apk/* rm -rf /var/cache/apk/*
# Default nginx conf # Default nginx conf

205
openvidu-server/docker/openvidu-proxy/entrypoint.sh Normal file → Executable file
View File

@ -1,5 +1,32 @@
#!/bin/sh #!/bin/bash
# Checks
if [ -z "${DOMAIN_OR_PUBLIC_IP}" ]; then
printf "\n =======¡ERROR!======="
printf "\n Variable 'DOMAIN_OR_PUBLIC_IP' it's necessary\n"
exit 0
fi
if [ -z "${CERTIFICATE_TYPE}" ]; then
printf "\n =======¡ERROR!======="
printf "\n Variable 'CERTIFICATE_TYPE' it's necessary\n"
exit 0
fi
if [[ "${CERTIFICATE_TYPE}" == "letsencrypt" && \
"${LETSENCRYPT_EMAIL}" == "user@example.com" || \
-z "${LETSENCRYPT_EMAIL}" ]]; then
printf "\n =======¡ERROR!======="
printf "\n If your use LetsEncrypt mode it's necessary a correct email in 'LETSENCRYPT_EMAIL' variable\n"
exit 0
fi
# Global variables
CERTIFICATES_FOLDER=/etc/letsencrypt/live
CERTIFICATES_CONF="${CERTIFICATES_FOLDER}/certificates.conf"
[ ! -d "${CERTIFICATES_FOLDER}" ] && mkdir -p "${CERTIFICATES_FOLDER}"
[ ! -f "${CERTIFICATES_CONF}" ] && touch "${CERTIFICATES_CONF}"
[ -z "${PROXY_HTTP_PORT}" ] && export PROXY_HTTP_PORT=80 [ -z "${PROXY_HTTP_PORT}" ] && export PROXY_HTTP_PORT=80
[ -z "${PROXY_HTTPS_PORT}" ] && export PROXY_HTTPS_PORT=443 [ -z "${PROXY_HTTPS_PORT}" ] && export PROXY_HTTPS_PORT=443
[ -z "${ALLOWED_ACCESS_TO_DASHBOARD}" ] && export ALLOWED_ACCESS_TO_DASHBOARD=all [ -z "${ALLOWED_ACCESS_TO_DASHBOARD}" ] && export ALLOWED_ACCESS_TO_DASHBOARD=all
@ -9,64 +36,95 @@
nginx -g "daemon on;" nginx -g "daemon on;"
# Show input enviroment variables # Show input enviroment variables
echo "Http Port: ${PROXY_HTTP_PORT}" printf "\n ======================================="
echo "Https Port: ${PROXY_HTTPS_PORT}" printf "\n = INPUT VARIABLES ="
echo "Allowed Dashboard: ${ALLOWED_ACCESS_TO_DASHBOARD}" printf "\n ======================================="
echo "Allowed API: ${ALLOWED_ACCESS_TO_RESTAPI}" printf "\n"
echo "Domain name: ${DOMAIN_OR_PUBLIC_IP}"
echo "Certificated: ${CERTIFICATE_TYPE}" printf "\n Config NGINX:"
echo "Letsencrypt Email: ${LETSENCRYPT_EMAIL}" printf "\n - Http Port: %s" "${PROXY_HTTP_PORT}"
echo "Proxy mode: ${PROXY_MODE:-CE}" printf "\n - Https Port: %s" "${PROXY_HTTPS_PORT}"
echo "Demos mode: ${WITH_DEMOS:-true}" printf "\n - Allowed Access in Openvidu Dashboard: %s" "${ALLOWED_ACCESS_TO_DASHBOARD}"
printf "\n - Allowed Access in Openvidu API: %s" "${ALLOWED_ACCESS_TO_RESTAPI}"
printf "\n"
printf "\n Config Openvidu Application:"
printf "\n - Domain name: %s" "${DOMAIN_OR_PUBLIC_IP}"
printf "\n - Certificated: %s" "${CERTIFICATE_TYPE}"
printf "\n - Letsencrypt Email: %s" "${LETSENCRYPT_EMAIL}"
printf "\n - Openvidu Application: %s" "${WITH_APP:-true}"
printf "\n - Openvidu Application Type: %s" "${PROXY_MODE:-CE}"
printf "\n"
printf "\n ======================================="
printf "\n = CONFIGURATION NGINX ="
printf "\n ======================================="
printf "\n"
printf "\n Configure %s domain..." "${DOMAIN_OR_PUBLIC_IP}"
CERTIFICATED_OLD_CONFIG=$(grep "${DOMAIN_OR_PUBLIC_IP}" "${CERTIFICATES_CONF}" | cut -f2 -d$'\t')
printf "\n - New configuration: %s" "${CERTIFICATE_TYPE}"
if [ -z "${CERTIFICATED_OLD_CONFIG}" ]; then
printf "\n - Old configuration: none"
rm -rf "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}" | true
else
printf "\n - Old configuration: %s" "${CERTIFICATED_OLD_CONFIG}"
if [ "${CERTIFICATED_OLD_CONFIG}" != "${CERTIFICATE_TYPE}" ]; then
printf "\n - Restarting configuration... Removing old certificated..."
rm -rf "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}"
fi
fi
# Create certificate folder if don't exist and save actual conf
[ ! -d "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}" ] && mkdir -p "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}"
sed -i "/${DOMAIN_OR_PUBLIC_IP}/d" "${CERTIFICATES_CONF}"
echo -e "${DOMAIN_OR_PUBLIC_IP}\t${CERTIFICATE_TYPE}" >> "${CERTIFICATES_CONF}"
case ${CERTIFICATE_TYPE} in case ${CERTIFICATE_TYPE} in
"selfsigned") "selfsigned")
echo "===Mode selfsigned===" if [[ ! -f "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && \
! -f "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then
if [[ ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then printf "\n - Generating selfsigned certificate...\n"
echo "Generating certificated..."
rm -rf /etc/letsencrypt/live/*
mkdir -p "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}"
openssl req -new -nodes -x509 \ openssl req -new -nodes -x509 \
-subj "/CN=${DOMAIN_OR_PUBLIC_IP}" -days 365 \ -subj "/CN=${DOMAIN_OR_PUBLIC_IP}" -days 365 \
-keyout "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" \ -keyout "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" \
-out "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" -extensions v3_ca -out "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" \
-extensions v3_ca
else else
echo "The certificate already exists, using them..." printf "\n - Selfsigned certificate already exists, using them..."
fi fi
;; ;;
"owncert") "owncert")
echo "===Mode owncert===" if [[ ! -f "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && \
! -f "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then
if [[ ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then printf "\n - Copying owmcert certificate..."
echo "Using owmcert..."
rm -rf /etc/letsencrypt/live/*
mkdir -p "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}"
cp /owncert/certificate.key "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem"
cp /owncert/certificate.cert "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem"
cp /owncert/certificate.key "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/privkey.pem"
cp /owncert/certificate.cert "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem"
else else
echo "The certificate already exists, using them..." printf "\n - Owmcert certificate already exists, using them..."
fi fi
;; ;;
"letsencrypt") "letsencrypt")
echo "===Mode letsencrypt===" echo "0 12 * * * certbot renew >> /var/log/nginx/cron-letsencrypt.log" | crontab - # Auto renew cert
# Auto renew cert if [[ ! -f "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && \
echo "0 12 * * * certbot renew >> /var/log/nginx/cron-letsencrypt.log" | crontab - ! -f "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then
printf "\n - Requesting LetsEncrypt certificate..."
if [[ ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then certbot certonly -n --webroot -w /var/www/certbot \
echo "Requesting certificate..." -m "${LETSENCRYPT_EMAIL}" \
--agree-tos -d "${DOMAIN_OR_PUBLIC_IP}"
certbot certonly -n --webroot -w /var/www/certbot -m "${LETSENCRYPT_EMAIL}" --agree-tos -d "${DOMAIN_OR_PUBLIC_IP}"
else else
echo "The certificate already exists, using them..." printf "\n - LetsEncrypt certificate already exists, using them..."
fi fi
;; ;;
esac esac
@ -76,7 +134,7 @@ chmod -R 777 /etc/letsencrypt
# Use certificates in folder '/default_nginx_conf' # Use certificates in folder '/default_nginx_conf'
if [ "${PROXY_MODE}" == "CE" ]; then if [ "${PROXY_MODE}" == "CE" ]; then
if [ "${WITH_DEMOS}" == "true" ]; then if [ "${WITH_APP}" == "true" ]; then
mv /default_nginx_conf/ce/default-app.conf /default_nginx_conf/default-app.conf mv /default_nginx_conf/ce/default-app.conf /default_nginx_conf/default-app.conf
mv /default_nginx_conf/ce/default.conf /default_nginx_conf/default.conf mv /default_nginx_conf/ce/default.conf /default_nginx_conf/default.conf
else else
@ -89,7 +147,7 @@ if [ "${PROXY_MODE}" == "CE" ]; then
fi fi
if [ "${PROXY_MODE}" == "PRO" ]; then if [ "${PROXY_MODE}" == "PRO" ]; then
if [ "${WITH_DEMOS}" == "true" ]; then if [ "${WITH_APP}" == "true" ]; then
mv /default_nginx_conf/pro/default.conf /default_nginx_conf/default.conf mv /default_nginx_conf/pro/default.conf /default_nginx_conf/default.conf
else else
mv /default_nginx_conf/pro/default-app-without-demos.conf /default_nginx_conf/default.conf mv /default_nginx_conf/pro/default-app-without-demos.conf /default_nginx_conf/default.conf
@ -113,14 +171,32 @@ sed -i "s/{http_port}/${PROXY_HTTP_PORT}/g" /etc/nginx/conf.d/*
sed -i "s/{https_port}/${PROXY_HTTPS_PORT}/g" /etc/nginx/conf.d/* sed -i "s/{https_port}/${PROXY_HTTPS_PORT}/g" /etc/nginx/conf.d/*
# NGINX access # NGINX access
printf "\n"
printf "\n ======================================="
printf "\n = ALLOWED ACCESS ="
printf "\n ======================================="
printf "\n"
printf "\n Adding rules..."
LOCAL_NETWORKS=$(ip route list | grep -Eo '([0-9]*\.){3}[0-9]*/[0-9]*') LOCAL_NETWORKS=$(ip route list | grep -Eo '([0-9]*\.){3}[0-9]*/[0-9]*')
PUBLIC_IP=$(/usr/local/bin/discover_my_public_ip.sh) PUBLIC_IP=$(/usr/local/bin/discover_my_public_ip.sh)
valid_ip_v4() valid_ip_v4()
{ {
if ipcalc "$1" \ regex='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(/[0-9]+)?$'
| awk 'BEGIN{FS=":"; is_invalid=0} /^INVALID/ {is_invalid=1} END {exit is_invalid}'
then if [[ "$1" =~ $regex ]]; then
return "$?"
else
return "$?"
fi
}
valid_ip_v6()
{
regex='^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(/[0-9]+)?$'
if [[ "$1" =~ $regex ]]; then
return "$?" return "$?"
else else
return "$?" return "$?"
@ -131,24 +207,34 @@ if [ "${ALLOWED_ACCESS_TO_DASHBOARD}" != "all" ]; then
IFS=',' IFS=','
for IP in $(echo "${ALLOWED_ACCESS_TO_DASHBOARD}" | tr -d '[:space:]') for IP in $(echo "${ALLOWED_ACCESS_TO_DASHBOARD}" | tr -d '[:space:]')
do do
if valid_ip_v4 "$IP"; then if valid_ip_v4 "$IP" || valid_ip_v6 "$IP"; then
if [ -z "${RULES_DASHBOARD}" ]; then if [ -z "${RULES_DASHBOARD}" ]; then
RULES_DASHBOARD="allow $IP;" RULES_DASHBOARD="allow $IP;"
printf "\n - Allowing IP/RANGE %s in Dashboard..." "$IP"
else else
if ! echo "${RULES_DASHBOARD}" | grep -q "$IP"; then if ! echo "${RULES_DASHBOARD}" | grep -q "$IP"; then
RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $IP;" RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $IP;"
printf "\n - Allowing IP/RANGE %s in Dashboard..." "$IP"
fi fi
fi fi
if [ -z "${RULES_RESTAPI}" ]; then if [ -z "${RULES_RESTAPI}" ]; then
RULES_RESTAPI="allow $IP;" RULES_RESTAPI="allow $IP;"
printf "\n - Allowing IP/RANGE %s in Rest-API..." "$IP"
else else
if ! echo "${RULES_RESTAPI}" | grep -q "$IP"; then if ! echo "${RULES_RESTAPI}" | grep -q "$IP"; then
RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;" RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;"
printf "\n - Allowing IP/RANGE %s in Rest-API..." "$IP"
fi fi
fi fi
else else
echo "Ip or range $IP is not valid" printf "\n =======¡ERROR!======="
printf "\n - IP or RANGE %s is not valid\n" "$IP"
exit 0
fi fi
done done
else else
@ -159,16 +245,22 @@ if [ "${ALLOWED_ACCESS_TO_RESTAPI}" != "all" ]; then
IFS=',' IFS=','
for IP in $(echo "${ALLOWED_ACCESS_TO_RESTAPI}" | tr -d '[:space:]') for IP in $(echo "${ALLOWED_ACCESS_TO_RESTAPI}" | tr -d '[:space:]')
do do
if valid_ip_v4 "$IP"; then if valid_ip_v4 "$IP" || valid_ip_v6 "$IP"; then
if [ -z "${RULES_RESTAPI}" ]; then if [ -z "${RULES_RESTAPI}" ]; then
RULES_RESTAPI="allow $IP;" RULES_RESTAPI="allow $IP;"
printf "\n - Allowing IP/RANGE %s in Rest-API..." "$IP"
else else
if ! echo "${RULES_RESTAPI}" | grep -q "$IP"; then if ! echo "${RULES_RESTAPI}" | grep -q "$IP"; then
RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;" RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;"
printf "\n - Allowing IP/RANGE %s in Rest-API..." "$IP"
fi fi
fi fi
else else
echo "Ip or range $IP is not valid" printf "\n =======¡ERROR!======="
printf "\n - IP or RANGE %s is not valid\n" "$IP"
exit 0
fi fi
done done
else else
@ -176,7 +268,7 @@ else
fi fi
if [ "${RULES_DASHBOARD}" != "allow all;" ]; then if [ "${RULES_DASHBOARD}" != "allow all;" ]; then
if ! echo "${RULES_DASHBOARD}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP"; then if ! echo "${RULES_DASHBOARD}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP" || valid_ip_v6 "$IP"; then
RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $PUBLIC_IP;" RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $PUBLIC_IP;"
fi fi
@ -187,14 +279,14 @@ if [ "${RULES_DASHBOARD}" != "allow all;" ]; then
IFS=$'\n' IFS=$'\n'
for IP in ${LOCAL_NETWORKS} for IP in ${LOCAL_NETWORKS}
do do
if ! echo "${RULES_DASHBOARD}" | grep -q "$IP" && valid_ip_v4 "$IP"; then if ! echo "${RULES_DASHBOARD}" | grep -q "$IP" && valid_ip_v4 "$IP" || valid_ip_v6 "$IP"; then
RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $IP;" RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $IP;"
fi fi
done done
fi fi
if [ "${RULES_RESTAPI}" != "allow all;" ]; then if [ "${RULES_RESTAPI}" != "allow all;" ]; then
if ! echo "${RULES_RESTAPI}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP"; then if ! echo "${RULES_RESTAPI}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP" || valid_ip_v6 "$IP"; then
RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $PUBLIC_IP;" RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $PUBLIC_IP;"
fi fi
@ -205,7 +297,7 @@ if [ "${RULES_RESTAPI}" != "allow all;" ]; then
IFS=$'\n' IFS=$'\n'
for IP in ${LOCAL_NETWORKS} for IP in ${LOCAL_NETWORKS}
do do
if ! echo "${RULES_RESTAPI}" | grep -q "$IP" && valid_ip_v4 "$IP"; then if ! echo "${RULES_RESTAPI}" | grep -q "$IP" && valid_ip_v4 "$IP" || valid_ip_v6 "$IP"; then
RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;" RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;"
fi fi
done done
@ -215,10 +307,17 @@ sed -i "s/{rules_access_dashboard}/$(echo "${RULES_DASHBOARD}" | sed 's#/#\\/#g'
sed -i "s/{rules_acess_api}/$(echo "${RULES_RESTAPI}" | sed 's#/#\\/#g')/g" /etc/nginx/conf.d/* sed -i "s/{rules_acess_api}/$(echo "${RULES_RESTAPI}" | sed 's#/#\\/#g')/g" /etc/nginx/conf.d/*
sed -i "s/{new_line}/\n\t/g" /etc/nginx/conf.d/* # New line sed -i "s/{new_line}/\n\t/g" /etc/nginx/conf.d/* # New line
printf "Rules DASHBOARD: \n \t%s\n" "$(echo "${RULES_DASHBOARD}" | sed 's/{new_line}/\n\t/g')" printf "\n"
printf "Rules RESTAPI: \n \t%s\n" "$(echo "${RULES_RESTAPI}" | sed 's/{new_line}/\n\t/g')" printf "\n Finish Rules:"
printf "\n Openvidu Dashboard: \n\t\t- %s" "$(echo "${RULES_DASHBOARD}" | sed 's/{new_line}/\n\t\t- /g')"
printf "\n Openvidu API: \n\t\t- %s" "$(echo "${RULES_RESTAPI}" | sed 's/{new_line}/\n\t\t- /g')"
# Restart nginx service # Restart nginx service
printf "\n"
printf "\n ======================================="
printf "\n = START OPENVIDU PROXY ="
printf "\n ======================================="
printf "\n\n"
nginx -s reload nginx -s reload
# Init cron # Init cron