Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a nginx conf example in the documentation #244

Open
vincentfretin opened this issue Feb 27, 2021 · 7 comments
Open

Add a nginx conf example in the documentation #244

vincentfretin opened this issue Feb 27, 2021 · 7 comments
Labels
documentation help wanted

Comments

@vincentfretin
Copy link
Member

Add in the documentation a nginx conf example to deploy the nodejs server behind nginx with tls for production.
see open-easyrtc/open-easyrtc#61 (comment)
PR wanted :)

Note that you can also configure nodejs with a certificate, see #169
@vincentfretin vincentfretin mentioned this issue Mar 7, 2021
Closed
@vincentfretin
Copy link
Member Author

vincentfretin commented Jul 4, 2023
edited

Example of a nginx config I use:

server {
  listen      80;
  listen      [::]:80;
  server_name www.mydomain.com;
  return 301 https://mydomain.com$request_uri;
}

server {
  listen      443 ssl http2;
  listen      [::]:443 ssl http2;
  server_name www.mydomain.com;

  # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1k&guideline=5.6
  ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
  ssl_session_tickets off;

  # modern configuration
  ssl_protocols TLSv1.3;
  ssl_prefer_server_ciphers off;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds)
  add_header Strict-Transport-Security "max-age=63072000" always;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;

  # verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/chain.pem;
  resolver 8.8.8.8 8.8.4.4;

  return 301 https://mydomain.com$request_uri;
}

server {
  listen      80 default_server;
  listen      [::]:80 default_server;
  server_name mydomain.com;
  # allow letsencrypt
  location ~ /\.well-known {
    allow all;
    root /var/www/html;
    try_files $uri $uri/ =404;
  }
  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  listen      443 ssl http2;
  listen      [::]:443 ssl http2;
  server_name mydomain.com;
  keepalive_timeout   70;
  # allow letsencrypt
  location ~ /\.well-known {
    allow all;
    root /var/www/html;
    try_files $uri $uri/ =404;
  }
  location /socket.io {
    proxy_pass http://127.0.0.1:8080;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }
  location /easyrtc {
    proxy_pass http://127.0.0.1:8080;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }
  location / {
    root /home/ubuntu/mydomain/dist;
  }

  # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1k&guideline=5.6
  ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
  ssl_session_tickets off;

  # modern configuration
  ssl_protocols TLSv1.3;
  ssl_prefer_server_ciphers off;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds)
  add_header Strict-Transport-Security "max-age=63072000" always;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;

  # verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/chain.pem;
  resolver 8.8.8.8 8.8.4.4;
}

index.html is in the folder /home/ubuntu/mydomain/dist
http (80) traffic is redirected to https (443)
www.mydomain.com is redirected to mydomain.com
/socket.io and /easyrtc routes are proxied to nodejs on default port 8080, configured for websocket usage.

Letsencrypt certificate generated like this (when the 443 config is commented initially):

certbot certonly --deploy-hook "nginx -s reload" --webroot -w /var/www/html -d mydomain.com -d www.mydomain.com

@vincentfretin
Copy link
Member Author

If you're using Plesk that generates the nginx conf and generates the letsencrypt certificate for you, read https://www.plesk.com/kb/support/does-node-js-on-plesk-support-websockets-socket-io-2/
You just need to clear the Proxy mode checkbox for websocket to work (otherwise socket.io fallbacks to http polling)

@vincentfretin
Copy link
Member Author

The /easyrtc proxy here is only needed to get the /easyrtc/easyrtc.js file (<script src="/easyrtc/easyrtc.js"></script> in the index.html) that is served by the node server, it's an express route defined by the open-easyrtc library. The advantage is that you get the same version of the open-easyrtc library for the server and the client. Don't forget sometimes to remove package-lock.json and run npm install again to be sure you get the latest version of the open-easyrtc library (2.0.20 at the time of writing this)
If you prefer to serve it from cdn, you can use
<script src="https://unpkg.com/open-easyrtc@2.0.20/api/easyrtc.js"></script>
It's exactly the same file. Just be sure that the client version and server version matches.

@vincentfretin
Copy link
Member Author

An additional note, if you use nginx, the tls termination is done on nginx, not the node server, so don't enable https config on the node server.

@vincentfretin
Copy link
Member Author

Also don't specify serverURL property in networked-scene, keep the default that is just serverURL: /
For you to understand, the easyrtc adapter will try to connect to ${serverURL}/socket.io so it will go to nginx and forward the request to the node server.

@vincentfretin vincentfretin mentioned this issue Mar 1, 2024
Closed
@vincentfretin
Copy link
Member Author

I wrote a more in depth ubuntu server installation instructions for the janus adapter, you can find how to install nginx and certbot, configure a nginx site and restarting the service.
https://github.com/networked-aframe/naf-janus-adapter/blob/master/docs/janus-deployment.md#nginx-configuration
and https://github.com/networked-aframe/naf-janus-adapter/blob/master/docs/janus-deployment.md#automatic-security-upgrades-with-unattended-upgrades-optional to auto update your server.

@vincentfretin
Copy link
Member Author

For the easyrtc server to restart on reboot, you can use pm2 that is used generally to start nodejs processes, this is mentioned briefly in the hosting doc for aws.

Here is more detailed version:

sudo npm install pm2 -g
pm2 start server/easyrtc-server.js
pm2 startup # this gives you the following command you need to execute:
sudo env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u ubuntu --hp /home/ubuntu
pm2 save
pm2 install pm2-logrotate

later to update:

git pull
pm2 list
pm2 restart easyrtc-server

If you upgrade Node.js in production, you may need to recreate the pm2 startup script, read https://pm2.keymetrics.io/docs/usage/update-pm2/

Here we use the easyrtc server on 8080 and https is handled in nginx.

Be sure to secure your server to allow only access to 443 (https) and not 8080 directly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@vincentfretin