Added letsencrypt and minor changes in compose

2020-03-25 12:42:26 +01:00 · 2020-03-25 12:42:26 +01:00 · e5833cbba8
parent b4522cb9e5
commit e5833cbba8
11 changed files with 151 additions and 59 deletions
--- a/openvidu-server/docker/openvidu-docker-compose/.env
+++ b/openvidu-server/docker/openvidu-docker-compose/.env
@ -1,18 +1,28 @@
-openvidu_public_ip=192.168.1.66
-openvidu_secret=MY_SECRET
+# OpenVidu configuration
+# ----------------------
+# Documentation: https://openvidu.io/docs/reference-docs/openvidu-server-params/

-# Certificate type
-# You can choose:
-# 1. Self Signed (selfsigned) The certificate will be generate within
-#    the instance (default)
-# 2. Let's encrypt (letsencrypt) Free SSL certificate provider
-# 3. Your own certificate (owncert) If you own a SSL certificate, use this one.
-#    You need to provide your certificate files (nginx.key and nginx.crt) and
-#    put then in roles/nginx/files folder.
-whichcert=selfsigned
+# OpenVidu SECRET used for apps and to access to the inspector. Change it.
+OPENVIDU_SECRET=MY_SECRET

-# Your custom domain name i.e. openvidu.example.com
-domain_name=openvidu.example.com
+# Domain name. If you do not have one, the public IP of the machine.
+DOMAIN_OR_PUBLIC_IP=openvidu.example.com

-# Let's Encrypt email to receive notifications
-letsencrypt_email=openvidu@example.com
+# Openvidu Folder Record used for save the openvidu recording videos. Change it 
+with the folder you want to use from your host.
+OPENVIDU_RECORDING_FOLDER=/opt/recordings
+
+# Certificate type: 
+# - selfsigned:  Self signed certificate. Not recommended for production use.  
+#                Users will see an ERROR when connected to web page.
+# - owncert:     Valid certificate purchased in a Internet services company.
+#                Please put the certificates in same folder as docker-compose.yml
+#                file with names certificate.key and certificate.cert.
+# - letsencrypt: Generate a new certificate using letsencrypt. Please set the 
+#                required contact email for Let's Encrypt in LETSENCRYPT_EMAIL 
+#                variable.
+CERTIFICATE_TYPE=selfsigned
+
+# If CERTIFICATE_TYPE=letsencrypt, you need to configure a valid email for 
+# notifications
+LETSENCRYPT_EMAIL=user@example.com
--- a/openvidu-server/docker/openvidu-docker-compose/docker-compose.yml
+++ b/openvidu-server/docker/openvidu-docker-compose/docker-compose.yml
@ -3,35 +3,42 @@ version: '3.1'
 services:
    openvidu-ce:
        image: openvidu/openvidu-server:2.12.0
-        entrypoint: ["java", "-jar", "-Dopenvidu.recording=true", "-Dopenvidu.recording.path=/opt/recordings", "-Dserver.ssl.enabled=false", "-Dopenvidu.publicurl=https://${openvidu_public_ip}:4443", "-Dserver.port=5443", "/openvidu-server.jar"]
-        ports:
-            - "5443:5443"
+        entrypoint: ["java", "-jar", "/openvidu-server.jar"]
+        restart: on-failure
+        network_mode: host
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock
-            - ov-recordings:/opt/recordings
+            - ${OPENVIDU_RECORDING_FOLDER}:${OPENVIDU_RECORDING_FOLDER}
        environment:
-            - openvidu.secret=${openvidu_secret}
-            - kms.uris="[\"ws://${openvidu_public_ip}:8888/kurento\"]"
-            - coturn.ip=${openvidu_public_ip}
-            - coturn.redis.ip=${openvidu_public_ip}
+            - SERVER_SSL_ENABLED=false
+            - SERVER_PORT=5443
+            - OPENVIDU_PUBLICURL=https://${DOMAIN_OR_PUBLIC_IP}:4443
+            - OPENVIDU_SECRET=${OPENVIDU_SECRET}
+            - OPENVIDU_RECORDING=true
+            - OPENVIDU_RECORDING_PATH=${OPENVIDU_RECORDING_FOLDER}
+            - KMS_URIS="[\"ws://127.0.0.1:8888/kurento\"]"
+            - COTURN_IP=127.0.0.1
+            - COTURN_REDIS_IP=127.0.0.1

    kms:
        image: kurento/kurento-media-server:6.13.0
+        restart: on-failure
        network_mode: host
        environment:
-            - KMS_EXTERNAL_ADDRESS=${openvidu_public_ip}
+            - KMS_EXTERNAL_ADDRESS=${DOMAIN_OR_PUBLIC_IP}

    redis-db:
        image: redis:5.0.7
-        ports:
-            - "6379:6379"
+        restart: on-failure
+        network_mode: host

    openvidu-coturn:
        image: openvidu-coturn
+        restart: on-failure
        network_mode: host
        environment:
-            - REDIS_IP=localhost
-            - TURN_PUBLIC_IP=localhost
+            - REDIS_IP=127.0.0.1
+            - TURN_PUBLIC_IP=127.0.0.1
            - TURN_LISTEN_PORT=3478
            - DB_NAME=0
            - DB_PASSWORD=turn
@ -40,25 +47,22 @@ services:
        
    proxy:
        image: openvidu-nginx
+        restart: on-failure
        network_mode: host
        volumes:
-            - ./default.conf:/etc/nginx/conf.d/default.conf
-            - ./openvidu.conf:/etc/nginx/conf.d/openvidu.conf
-            - ./openvidu-call.conf:/etc/nginx/conf.d/openvidu-call.conf
+            - ./nginx_conf:/nginx_conf
+            - ./owncert:/owncert
+        environment: 
+            - DOMAIN_OR_PUBLIC_IP=${DOMAIN_OR_PUBLIC_IP}
+            - CERTIFICATE_TYPE=${CERTIFICATE_TYPE}
+            - LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL}

    openvidu-call:
        image: openvidu-call
+        restart: on-failure
        ports:
            - "5442:80"
        environment: 
-            - OPENVIDU_URL=https://${openvidu_public_ip}:4443
-            - OPENVIDU_SECRET=${openvidu_secret}
+            - OPENVIDU_URL=https://${DOMAIN_OR_PUBLIC_IP}:4443
+            - OPENVIDU_SECRET=${OPENVIDU_SECRET}

-volumes:
-    letsencrypt:
-    certbot:
-    ov-recordings:
-        driver_opts:
-              type: none
-              device: /opt/recordings # Recording host PATH
-              o: bind
--- a/openvidu-server/docker/openvidu-docker-compose/nginx_conf/default.conf
+++ b/openvidu-server/docker/openvidu-docker-compose/nginx_conf/default.conf
@ -1,6 +1,7 @@
 server {
    listen 80;
    server_name {domain_name};
+    
    location / {
        return 301 https://$host$request_uri;
    }    
--- a/openvidu-server/docker/openvidu-docker-compose/nginx_conf/openvidu-call.conf
+++ b/openvidu-server/docker/openvidu-docker-compose/nginx_conf/openvidu-call.conf
@ -2,7 +2,6 @@ server {
    listen 443 ssl;
    server_name {domain_name};

-    ssl on;
    ssl_certificate         /etc/letsencrypt/live/{domain_name}/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/{domain_name}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{domain_name}/fullchain.pem;
--- a/openvidu-server/docker/openvidu-docker-compose/nginx_conf/openvidu.conf
+++ b/openvidu-server/docker/openvidu-docker-compose/nginx_conf/openvidu.conf
@ -2,7 +2,6 @@ server {
    listen 4443 ssl;
    server_name {domain_name};

-    ssl on;
    ssl_certificate         /etc/letsencrypt/live/{domain_name}/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/{domain_name}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{domain_name}/fullchain.pem;
--- a/openvidu-server/docker/openvidu-docker-compose/owncert/.gitignore
+++ b/openvidu-server/docker/openvidu-docker-compose/owncert/.gitignore
--- a/openvidu-server/docker/openvidu-docker-compose/owncert/certificate.cert
+++ b/openvidu-server/docker/openvidu-docker-compose/owncert/certificate.cert
@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIUY7YeT0y958HaS7gJ1oG13Pfim9UwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGcHJ1ZWJhMB4XDTIwMDMyNTExMjYyN1oXDTIxMDMyNTEx
+MjYyN1owETEPMA0GA1UEAwwGcHJ1ZWJhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA0K66CNXNFt7rcMsvWr09SCQdr2FMaZLHwgLaPZFJNAvtHdF8V9Yo
+y1aG0amq3zXpOM6+qyVrVWuJbG3jxS3vSpNlIcbeL3L3ygiu1M0QI1SorxdUI1Ak
+CE31uaBXLTzY1a6pmP8U9MJE/Wah5JlU9xsFUGnk3gDIpvkpjEgXMcRgvTbp98bw
+j2Xi4UIjbBmZl8hqLwubKqJIgxEo1FT8WGbBuhFwyqpshqiokk+PuxB0NEcn1tph
+886kTrF4TxTYU/6Eri7FPCz4C4MN2TCBe4c6bQL4B74tSzJJDt9uiKRKBL6zl6rG
+ckvQKPQLzKl9GTRd/WuY+WQwHbz45ktRswIDAQABo1MwUTAdBgNVHQ4EFgQU8iti
+pFuqNlN14mEWEGd8glmewYUwHwYDVR0jBBgwFoAU8itipFuqNlN14mEWEGd8glme
+wYUwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEASW9gL70x2giC
+AX7CsQoqtraR+AZDUi3ZFWkU0fFyfrSGommFwCrMHzTy+ztHh05U+n9uXF0bZuGg
+3nUW7CPx4+9/ofr76njPis+jM35FgKA8ppPQeTKJDin/By5LW6lUz7x80rntRxGX
+CwgDW60MqFoNTruzncOjk4V6F5Rl+rQoJhPVW/QZgm97pXsoZ4erlMUgm4/dle+K
+OaLMJglcYsDKao80tBbVjFleONFvd8pa4esymhhn2J2Aai37m4HvQD+daDkRPsWY
+DNdQuQ9FqGsIdm/ne3AC8fOLnuVpr8gJe+jlA3BX3Eccnte8T2xfTU5lerZPNisI
+Yk1FQD9fdg==
+-----END CERTIFICATE-----
--- a/openvidu-server/docker/openvidu-docker-compose/owncert/certificate.key
+++ b/openvidu-server/docker/openvidu-docker-compose/owncert/certificate.key
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDQrroI1c0W3utw
+yy9avT1IJB2vYUxpksfCAto9kUk0C+0d0XxX1ijLVobRqarfNek4zr6rJWtVa4ls
+bePFLe9Kk2Uhxt4vcvfKCK7UzRAjVKivF1QjUCQITfW5oFctPNjVrqmY/xT0wkT9
+ZqHkmVT3GwVQaeTeAMim+SmMSBcxxGC9Nun3xvCPZeLhQiNsGZmXyGovC5sqokiD
+ESjUVPxYZsG6EXDKqmyGqKiST4+7EHQ0RyfW2mHzzqROsXhPFNhT/oSuLsU8LPgL
+gw3ZMIF7hzptAvgHvi1LMkkO326IpEoEvrOXqsZyS9Ao9AvMqX0ZNF39a5j5ZDAd
+vPjmS1GzAgMBAAECggEAebqCkGbO9Jlic3BClkavOaa/ni8+mJLjbVumnKVkMzUF
+wxAQ3VfygfJeQG0dXIkhG18WP9VbD//jsNlFNR7/Z9wk8RgFQV5qBnMcMMvRrxpS
+L5iHHvY/noyDWx2Z3KySu8rf6XxaaA/umHZG14dN1brwVaD/vTRt12CeiNMAnKkn
+rqst5RfP68aMib82QqIEOVRxEBeKypZcuoqso+e00aOJ0sB+NN19r0zjBajwFkZQ
+r9vf9xPMyYLglWk6TgUqXsEUVKJd6Nju16zwmzRfDp6lGmch/qw7ec3gHBBE9mL/
+rluXkKOTGXLsbtJKweavI/VL4/u+6QUidWzkX12RuQKBgQD103sD17OcMlAGTS1q
+APU7G8YwjOyclRYCNzxjuD8+eQSkU2HV8fRgv8ighIDIC1Xv/k88Cfzwpiz65Ry8
+EpmVOkvDEDI16t6Khz5/5/JTyN7qFXBL3jW1xPGULIakxMpOFQ33SPuwvXC7SZM0
+tyarYZsVpicXqifKisG0asBpxQKBgQDZUbYVJW2O06MI7WMRAnXyVyxuMndsH9st
+W/Cvt51+phQ7StOSbTicRLLC1CUBdKLWgmzXyp3XG5xpPPGHyadXrCriT7F5pXZQ
+bE1yDO7ZpMVddBd5fcDWQK/y/pcPAJh40RJ8FiUBRnvwSpdD7WxCKr+l1COxayxh
+3EyLS9SdFwKBgBiYUR2ATlMZYZJP1HRfpimEzN58qwu7itkr55nejE1W1FUQlqBO
+NfIcHhmZSD07jRyW6ByMr0bwiV2M4MQcZEte6seYbj2gwyU/BMzNSxyA43SuMm8U
+y3DlRHpbvhjsK4WGa8BLCAuV2JqUcOr8TB0nhdmzpwOiHZsRKPJBIAE1AoGAPF4L
+Y3JjLaKyjj9LHqV9WBVJHU9dhyaOPtpkUJuD33OI+TN+9BTs/dPDiIVfxji9JzNR
+wtvg3qkn2L/6JAsrNhp4SydyGGWTKSH8nWrkSocP4DbocnIxSBLuDWUVVzCGKkGB
+jgCkxObsdMJzpIXmZbb0R79XLuijioekp6kn5X8CgYA37adGFgwzZYphQYemUeag
+2HFfTx5LNGoApl+yTzZ5LfdxfpeVmL0cZ6HIav6DzFxzzXceruro8bp5btxEgi8k
+D19JA/L5wZstHO17rxpth89nmV2+tY0jjLhJT3etjoVVDHWv3N+zc24mJrGc2BOF
+NtzDU5rMxe7qdJwTdJQQNg==
+-----END PRIVATE KEY-----
--- a/openvidu-server/docker/openvidu-nginx/Dockerfile
+++ b/openvidu-server/docker/openvidu-nginx/Dockerfile
@ -1,15 +1,19 @@
 FROM nginx:1.17.9

 # Install certbot
-RUN apt update && \
-    apt install -y python python-dev libffi6 libffi-dev libssl-dev curl build-essential procps && \
+RUN apt-get update && \
+    apt-get install -y python python-dev libffi6 libffi-dev libssl-dev curl build-essential procps && \
    curl -L 'https://bootstrap.pypa.io/get-pip.py' | python && \
    pip install -U cffi certbot && \
+    mkdir -p /var/www/certbot && \
    apt remove --purge -y python-dev build-essential libffi-dev libssl-dev curl && \
    apt-get autoremove -y && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

+# Default nginx conf
+COPY ./default.conf /etc/nginx/conf.d/default.conf
+
 # Entrypoint
 COPY ./entrypoint.sh /usr/local/bin
 RUN chmod +x /usr/local/bin/entrypoint.sh
--- a/openvidu-server/docker/openvidu-nginx/default.conf
+++ b/openvidu-server/docker/openvidu-nginx/default.conf
@ -0,0 +1,7 @@
+server {
+    listen 80;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+}
--- a/openvidu-server/docker/openvidu-nginx/entrypoint.sh
+++ b/openvidu-server/docker/openvidu-nginx/entrypoint.sh
@ -1,21 +1,42 @@
 #!/bin/bash

-if [[ ! -z "${whichcert}" && ! -z "${domain_name}" && ! -z "${letsencrypt_email}" ]]; then
-  sed -i "s/{domain_name}/${domain_name}/" /etc/nginx/conf.d/*.conf
-else
-    domain_name="openvidu"
+# Start with default certbot conf
+service nginx start
+
+# Show input enviroment variables
+echo "Domain name: ${DOMAIN_OR_PUBLIC_IP}"
+echo "Certificated: ${CERTIFICATE_TYPE}"
+echo "Letsencrypt Email: ${LETSENCRYPT_EMAIL}"
+
+case ${CERTIFICATE_TYPE} in
+
+  "selfsigned")
+    echo "Creating selfsigned..."
+  
+    DOMAIN_OR_PUBLIC_IP="openvidu"
    mkdir -p /etc/letsencrypt/live/openvidu
+    openssl req -new -nodes -x509 \
+      -subj "/CN=openvidu" -days 365 \
+      -keyout /etc/letsencrypt/live/openvidu/privkey.pem -out /etc/letsencrypt/live/openvidu/fullchain.pem -extensions v3_ca
+    ;;

-    openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
-      -subj "/C=/ST=/L=/O=/CN=openvidu" \
-      -keyout /etc/letsencrypt/live/openvidu/privkey.pem \
-      -out /etc/letsencrypt/live/openvidu/fullchain.pem
-fi
+  "owncert")
+    echo "Using owncert..."

-CONFIG_FILES=/etc/nginx/conf.d/*
-for file in ${CONFIG_FILES}
-do
-  echo "$( cat ${file} | sed "s/{domain_name}/${domain_name}/")" > ${file}
-done
+    mkdir -p /etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}
+    cp /owncert/certificate.key /etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem
+    cp /owncert/certificate.cert /etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem
+    ;;

+  "letsencrypt")
+    echo "Requesting letsencrypt..."
+
+    certbot certonly -n --webroot -w /var/www/certbot -m ${LETSENCRYPT_EMAIL} --agree-tos -d ${DOMAIN_OR_PUBLIC_IP}
+    ;;
+esac
+
+[ -d "/nginx_conf" ] && rm /etc/nginx/conf.d/* && cp /nginx_conf/* /etc/nginx/conf.d
+sed -i "s/{domain_name}/${DOMAIN_OR_PUBLIC_IP}/" /etc/nginx/conf.d/*
+
+service nginx restart
 tail -f /var/log/nginx/*.log