web: add builtin Let's Encrypt support
This commit is contained in:
parent
2115bc0ed3
commit
f61ef3f093
25
README.md
25
README.md
|
@ -51,11 +51,8 @@ A Jitsi Meet installation can be broken down into the following components:
|
|||
|
||||
![](resources/docker-jitsi-meet.png)
|
||||
|
||||
The diagram shows a typical deployment in a host running Docker, with a separate container
|
||||
(not included in this project) which acts as a reverse proxy and SSL terminator, then
|
||||
passing the traffic to the web container serving Jitsi Meet.
|
||||
|
||||
This project separates each of the components above into interlinked containers. To this end,
|
||||
The diagram shows a typical deployment in a host running Docker. This project
|
||||
separates each of the components above into interlinked containers. To this end,
|
||||
several container images are provided.
|
||||
|
||||
### Images
|
||||
|
@ -91,6 +88,23 @@ Variable | Description | Example
|
|||
`HTTPS_PORT` | Exposed port for HTTPS traffic | 8443
|
||||
`DOCKER_HOST_ADDRESS` | IP address of the Docker host, needed for LAN environments | 192.168.1.1
|
||||
|
||||
**NOTE**: The mobile apps won't work with self-signed certificates (the default)
|
||||
see below for instructions on how to obtain a proper certificate with Let's Encrypt.
|
||||
|
||||
### Let's Encrypt configuration
|
||||
|
||||
If you plan on exposing this container setup to the outside traffic directly and
|
||||
want a proper TLS certificate, you are in luck because Let's Encrypt support is
|
||||
built right in. Here are the required options:
|
||||
|
||||
Variable | Description | Example
|
||||
--- | --- | ---
|
||||
`ENABLE_LETSENCRYPT` | Enable Let's Encrypt certificate generation | 1
|
||||
`LETSENCRYPT_DOMAIN` | Domain for which to generate the certificate | meet.example.com
|
||||
`LETSENCRYPT_EMAIL` | E-Mail for receiving important account notifications (mandatory) | alice@atlanta.net
|
||||
|
||||
In addition, you will need to set `HTTP_PORT` to 80 and `HTTPS_PORT` to 443.
|
||||
|
||||
### SIP gateway configuration
|
||||
|
||||
If you want to enable the SIP gateway, these options are required:
|
||||
|
@ -162,7 +176,6 @@ option.
|
|||
* Support multiple Jitsi Videobridge containers.
|
||||
* Support container replicas (where applicable).
|
||||
* Docker Swarm mode.
|
||||
* Native Let's Encrypt support.
|
||||
* More services:
|
||||
* Jibri.
|
||||
* TURN server.
|
||||
|
|
|
@ -12,7 +12,10 @@ services:
|
|||
environment:
|
||||
- ENABLE_AUTH
|
||||
- ENABLE_GUESTS
|
||||
- ENABLE_LETSENCRYPT
|
||||
- JICOFO_AUTH_USER
|
||||
- LETSENCRYPT_DOMAIN
|
||||
- LETSENCRYPT_EMAIL
|
||||
- XMPP_DOMAIN
|
||||
- XMPP_AUTH_DOMAIN
|
||||
- XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
|
||||
|
|
14
env.example
14
env.example
|
@ -19,6 +19,20 @@ TZ=Europe/Amsterdam
|
|||
#DOCKER_HOST_ADDRESS=192.168.1.1
|
||||
|
||||
|
||||
#
|
||||
# Let's Encrypt configuration
|
||||
#
|
||||
|
||||
# Enable Let's Encrypt certificate generation.
|
||||
#ENABLE_LETSENCRYPT=1
|
||||
|
||||
# Domain for which to generate the certificate.
|
||||
#LETSENCRYPT_DOMAIN=meet.example.com
|
||||
|
||||
# E-Mail for receiving important account notifications (mandatory).
|
||||
#LETSENCRYPT_EMAIL=alice@atlanta.net
|
||||
|
||||
|
||||
#
|
||||
# Basic Jigasi configuration options (needed for SIP gateway support)
|
||||
#
|
||||
|
|
Binary file not shown.
Before Width: | Height: | Size: 40 KiB After Width: | Height: | Size: 38 KiB |
File diff suppressed because one or more lines are too long
|
@ -2,7 +2,8 @@ FROM jitsi/base
|
|||
|
||||
RUN \
|
||||
apt-dpkg-wrap apt-get update && \
|
||||
apt-dpkg-wrap apt-get install -y nginx-extras jitsi-meet-web && \
|
||||
apt-dpkg-wrap apt-get install -y cron nginx-extras jitsi-meet-web && \
|
||||
apt-dpkg-wrap apt-get install -y -t stretch-backports certbot && \
|
||||
apt-cleanup && \
|
||||
rm -f /etc/nginx/conf.d/default.conf && \
|
||||
rm -f /usr/share/jitsi-meet/interface_config.js
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
#!/bin/bash
|
||||
|
||||
# stop nginx
|
||||
s6-svc -u /var/run/s6/services/nginx
|
||||
|
||||
# renew cert
|
||||
certbot -n renew >> /config/le-renew.log
|
||||
|
||||
# start nginx
|
||||
s6-svc -u /var/run/s6/services/nginx
|
|
@ -7,8 +7,13 @@ ssl_session_tickets off;
|
|||
ssl_dhparam /config/nginx/dhparams.pem;
|
||||
|
||||
# ssl certs
|
||||
{{ if .Env.ENABLE_LETSENCRYPT }}
|
||||
ssl_certificate /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/privkey.pem;
|
||||
{{ else }}
|
||||
ssl_certificate /config/keys/cert.crt;
|
||||
ssl_certificate_key /config/keys/cert.key;
|
||||
{{ end }}
|
||||
|
||||
# protocols
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
|
|
|
@ -8,12 +8,26 @@ mkdir -p \
|
|||
/var/tmp/nginx
|
||||
|
||||
# generate keys (maybe)
|
||||
if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
|
||||
echo "using keys found in /config/keys"
|
||||
if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
|
||||
if [[ ! -f /etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
|
||||
certbot certonly \
|
||||
--noninteractive \
|
||||
--standalone \
|
||||
--preferred-challenges http \
|
||||
-d $LETSENCRYPT_DOMAIN \
|
||||
--agree-tos \
|
||||
--email $LETSENCRYPT_EMAIL
|
||||
cp /defaults/letsencrypt-renew /etc/cron.monthly/
|
||||
fi
|
||||
else
|
||||
echo "generating self-signed keys in /config/keys, you can replace these with your own keys if required"
|
||||
SUBJECT="/C=US/ST=TX/L=Austin/O=jitsi.org/OU=Jitsi Server/CN=*"
|
||||
openssl req -new -x509 -days 3650 -nodes -out /config/keys/cert.crt -keyout /config/keys/cert.key -subj "$SUBJECT"
|
||||
# use self-signed certs
|
||||
if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
|
||||
echo "using keys found in /config/keys"
|
||||
else
|
||||
echo "generating self-signed keys in /config/keys, you can replace these with your own keys if required"
|
||||
SUBJECT="/C=US/ST=TX/L=Austin/O=jitsi.org/OU=Jitsi Server/CN=*"
|
||||
openssl req -new -x509 -days 3650 -nodes -out /config/keys/cert.crt -keyout /config/keys/cert.key -subj "$SUBJECT"
|
||||
fi
|
||||
fi
|
||||
|
||||
# copy config files
|
||||
|
@ -22,7 +36,7 @@ if [[ ! -f /config/nginx/nginx.conf ]]; then
|
|||
fi
|
||||
|
||||
if [[ ! -f /config/nginx/ssl.conf ]]; then
|
||||
cp /defaults/ssl.conf /config/nginx/ssl.conf
|
||||
tpl /defaults/ssl.conf > /config/nginx/ssl.conf
|
||||
fi
|
||||
|
||||
if [ ! -f "/config/nginx/dhparams.pem" ]; then
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
#!/usr/bin/with-contenv bash
|
||||
|
||||
exec cron -f
|
|
@ -1,3 +1,3 @@
|
|||
#!/usr/bin/with-contenv bash
|
||||
nginx -c /config/nginx/nginx.conf
|
||||
|
||||
exec nginx -c /config/nginx/nginx.conf
|
||||
|
|
Loading…
Reference in New Issue