diff --git a/README.md b/README.md
index 57cc4ba..547ad32 100644
--- a/README.md
+++ b/README.md
@@ -160,6 +160,7 @@ Variable | Description | Default value
 `JIGASI_BREWERY_MUC` | MUC name for the Jigasi pool | jigasibrewery
 `JIGASI_PORT_MIN` | Minimum port for media used by Jigasi | 20000
 `JIGASI_PORT_MAX` | Maximum port for media used by Jigasi | 20050
+`DISABLE_HTTPS` | Disable HTTPS, this can be useful if TLS connections are going to be handled outside of this setup | 1
 ### Running on a LAN environment
diff --git a/docker-compose.yml b/docker-compose.yml
index 787af85..8522973 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,6 +13,7 @@ services:
 - ENABLE_AUTH
 - ENABLE_GUESTS
 - ENABLE_LETSENCRYPT
+ - DISABLE_HTTPS
 - JICOFO_AUTH_USER
 - LETSENCRYPT_DOMAIN
 - LETSENCRYPT_EMAIL
diff --git a/env.example b/env.example
index 8d59637..9dea1be 100644
--- a/env.example
+++ b/env.example
@@ -118,3 +118,6 @@ JIGASI_PORT_MIN=20000
 # Maximum port for media used by Jigasi.
 JIGASI_PORT_MAX=20050
+
+# Disable HTTPS. This can be useful if TLS connections are going to be handled outside of this setup.
+#DISABLE_HTTPS=1
diff --git a/web/rootfs/defaults/default b/web/rootfs/defaults/default
index 5ae5b71..0d2027f 100644
--- a/web/rootfs/defaults/default
+++ b/web/rootfs/defaults/default
@@ -4,9 +4,11 @@ server {
 include /config/nginx/meet.conf;
 }
+{{ if not .Env.DISABLE_HTTPS }}
 server {
 listen 443 ssl;
 include /config/nginx/ssl.conf;
 include /config/nginx/meet.conf;
 }
+{{ end }}
diff --git a/web/rootfs/etc/cont-init.d/10-config b/web/rootfs/etc/cont-init.d/10-config
index d61a3f1..326c778 100644
--- a/web/rootfs/etc/cont-init.d/10-config
+++ b/web/rootfs/etc/cont-init.d/10-config
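Review bot: The template test `{{ if not .Env.DISABLE_HTTPS }}` in the web/rootfs/defaults/default hunk is a truthiness check, so any non-empty value, including `DISABLE_HTTPS=0`, removes the 443 server block, while the init script in the 10-config hunk tests `[[ $DISABLE_HTTPS -ne 1 ]]` and still provisions certificates and dhparams for such values; the two halves can disagree on whether HTTPS is on. If tpl is a Go text/template renderer, comparing against the same literal the shell uses, `{{ if ne .Env.DISABLE_HTTPS "1" }}`, keeps both checks in step. With the 443 block omitted, the first server block (its listen line is above the hunk) serves meet.conf over plain HTTP, which is the intent for an external TLS terminator, but the template should say that the redirect and forwarded-scheme handling now live outside this container, e.g. `# 443 listener omitted when DISABLE_HTTPS is set; the proxy terminating TLS must provide the HTTP->HTTPS redirect`. The README row in this commit lists the default as 1, while env.example ships the variable commented out, so the documented default and the effective default (HTTPS enabled) do not match.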
@@ -8,25 +8,30 @@ mkdir -p \
 /var/tmp/nginx
 # generate keys (maybe)
-if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
- if [[ ! -f /etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
- certbot certonly \
- --noninteractive \
- --standalone \
- --preferred-challenges http \
- -d $LETSENCRYPT_DOMAIN \
- --agree-tos \
- --email $LETSENCRYPT_EMAIL
- cp /defaults/letsencrypt-renew /etc/cron.monthly/
- fi
-else
- # use self-signed certs
- if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
- echo "using keys found in /config/keys"
+if [[ $DISABLE_HTTPS -ne 1 ]]; then
+ if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
+ if [[ ! -f /etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
+ certbot certonly \
+ --noninteractive \
+ --standalone \
+ --preferred-challenges http \
+ -d $LETSENCRYPT_DOMAIN \
+ --agree-tos \
+ --email $LETSENCRYPT_EMAIL
+ cp /defaults/letsencrypt-renew /etc/cron.monthly/
+ fi
 else
- echo "generating self-signed keys in /config/keys, you can replace these with your own keys if required"
- SUBJECT="/C=US/ST=TX/L=Austin/O=jitsi.org/OU=Jitsi Server/CN=*"
- openssl req -new -x509 -days 3650 -nodes -out /config/keys/cert.crt -keyout /config/keys/cert.key -subj "$SUBJECT"
+ # use self-signed certs
+ if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
+ echo "using keys found in /config/keys"
+ else
+ echo "generating self-signed keys in /config/keys, you can replace these with your own keys if required"
+ SUBJECT="/C=US/ST=TX/L=Austin/O=jitsi.org/OU=Jitsi Server/CN=*"
+ openssl req -new -x509 -days 3650 -nodes -out /config/keys/cert.crt -keyout /config/keys/cert.key -subj "$SUBJECT"
+ fi
+ fi
+ if [[ ! -f /config/nginx/dhparams.pem ]]; then
+ openssl dhparam -out /config/nginx/dhparams.pem 2048
 fi
 fi
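Review bot: `$LETSENCRYPT_DOMAIN` and `$LETSENCRYPT_EMAIL` are expanded unquoted in the re-indented certbot call (`-d $LETSENCRYPT_DOMAIN \` and `--email $LETSENCRYPT_EMAIL`), so an empty value silently drops the argument and a value with whitespace is word-split; quoting them, `-d "$LETSENCRYPT_DOMAIN" \` and `--email "$LETSENCRYPT_EMAIL"`, makes certbot fail on a bad value instead of running with a malformed command line. The exit status of `certbot certonly` and of `openssl dhparam` is never checked, so when either fails the script continues and nginx is presumably started with an ssl.conf that references files which were never written; a `|| exit 1` after each call, or `set -e` near the top of the script (above this hunk), would surface the failure at container start rather than at the first TLS handshake. The new `if [[ $DISABLE_HTTPS -ne 1 ]]` guard wraps the whole block, but its counterpart in the nginx template is a truthiness test, so only the literal value 1 behaves consistently in both places; a comment on the guard, `# only the literal value 1 disables HTTPS here; keep in sync with the template check in /defaults/default`, would record that.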
@@ -43,12 +48,8 @@ if [[ ! -f /config/nginx/ssl.conf ]]; then
 tpl /defaults/ssl.conf > /config/nginx/ssl.conf
 fi
-if [ ! -f "/config/nginx/dhparams.pem" ]; then
- openssl dhparam -out /config/nginx/dhparams.pem 2048
-fi
-
 if [[ ! -f /config/nginx/site-confs/default ]]; then
- cp /defaults/default /config/nginx/site-confs/default
+ tpl /defaults/default > /config/nginx/site-confs/default
 fi
 if [[ ! -f /config/config.js ]]; then
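Review bot: `tpl /defaults/default > /config/nginx/site-confs/default` runs only when the file is absent, so on a persisted /config volume the DISABLE_HTTPS decision is frozen at first start: a later change to the variable never alters the set of listeners, and an operator who sets DISABLE_HTTPS=1 on an existing deployment keeps a rendered `default` that still includes the 443 server while the first hunk no longer maintains its certificate and dhparams inputs. Either render the file on every start (dropping the `if [[ ! -f ... ]]` guard, at the cost of overwriting local edits) or state the behaviour next to the call, e.g. `# rendered once; remove /config/nginx/site-confs/default to re-apply a changed DISABLE_HTTPS`. The ssl.conf rendering just above is unconditional, which is harmless only as long as no remaining server block includes it when HTTPS is disabled.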