knallimall.org knallimall.org

User Tools

Site Tools

nextcloud-talk-high-performance-backend

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
nextcloud-talk-high-performance-backend [2021/04/20 22:56] adminnextcloud-talk-high-performance-backend [2021/04/23 22:04] (current) – [Using Gitlab Omnibus shipped Redis?] admin
Line 1: Line 1:
 ====== Nextcloud - janus, signaling, coturn ====== ====== Nextcloud - janus, signaling, coturn ======
 +
 +Inspired by
 +  * https://nichteinschalten.de/signalisierungsserver-fuer-nextcloud-aufsetzen-how-to/
 +  * https://markus-blog.de/index.php/2020/07/30/how-to-install-nextcloud-talk-high-performance-backend-with-stun-turnserver-on-ubuntu/
  
  
Line 6: Line 10:
   * Janus Gateway (''apt install janus'')   * Janus Gateway (''apt install janus'')
   * Coturn (''apt install coturn'')   * Coturn (''apt install coturn'')
-  * Signaling (see https://nichteinschalten.de/signalisierungsserver-fuer-nextcloud-aufsetzen-how-to/)+  * Signaling (see https://github.com/strukturag/nextcloud-spreed-signaling/
 +  * NATS Server via Docker (https://hub.docker.com/_/nats) 
 + 
 +===== Using Gitlab Omnibus shipped Redis? ===== 
 + 
 +Try to login ''sudo -u www-data redis-cli -s /var/opt/gitlab/redis/redis.socket''. Not working, huh? 
 +Add webserver user ''www-data'' to git and gitlab-redis groups. 
 + 
 +<code> 
 +sudo usermod -aG git www-data 
 +</code>
  
 +Now ''www-data'' can connect to redis. But this will be reset after ''gitlab-ctl reconfigure''
 ===== Settings ===== ===== Settings =====
  
   * <hashKey> - ''openssl rand -hex 16''   * <hashKey> - ''openssl rand -hex 16''
   * <blockKey> - ''openssl rand -hex 16''   * <blockKey> - ''openssl rand -hex 16''
-  * <SharedSecret> - ''openssl rand -hex 16'' +  * <SharedSecret> - used in Nextcloud Talk settings "Shared Secret" and  - ''openssl rand -hex 16'' 
-  * <apiKey> +  * <apiKey> - janus.jcfg ''turn_rest_api_key'' and server.conf -> [turn] -> apikey - ''openssl rand -base64 16'' 
-  * <turnSecret> - ''openssl rand -hex 32'' +  * <ipAddress- IP Address of your server 
-  * <ipAddress>+  * <signalingPort> - Listen port for signaling Server 
 +  * <NextcloudDomain> - Domain of your Nextcloud instance 
 +  * <coturnSecret> - used in server.conf and turnserver.conf - ''openssl rand -hex 32'' 
 +  * <coturnDomain> - Domain running coturn including protocol (https!!) 
 +  * <coturnPort> - Port used for turn/stun server 
 + 
 +===== NATS Server ===== 
 + 
 +Run NATS server using docker 
 + 
 +<code bash> 
 +docker run --restart=always --name=NATSSERVER -d -p 4222:4222 -ti --restart=always nats:latest 
 +</code>
  
 ===== Configs ===== ===== Configs =====
  
-<code bash /etc/signaling/server.conf >+<code bash /etc/signaling/server.conf>
 [http] [http]
 listen = 127.0.0.1:<signalingPort> listen = 127.0.0.1:<signalingPort>
Line 37: Line 64:
  
 [backend-1] [backend-1]
-url = https://cloud.example.org+url = <NextcloudDomain>
 secret = <SharedSecret> secret = <SharedSecret>
  
Line 49: Line 76:
 [turn] [turn]
 apikey = <apiKey> apikey = <apiKey>
-secret = <turnSecret+secret = <coturnSecret
-servers = turn:<ipAddress>:5349?transport=udp,turn:<ipAddress>:5349?transport=tcp+servers = turn:<ipAddress>:<coturnPort>?transport=udp,turn:<ipAddress>:<coturnPort>?transport=tcp
 </code> </code>
 +
 +<code bash /etc/turnserver.conf>
 +# TURN listener port for UDP and TCP (Default: 3478).
 +# Note: actually, TLS & DTLS sessions can connect to the 
 +# "plain" TCP & UDP port(s), too - if allowed by configuration.
 +#
 +listening-port=<coturnPort>
 +
 +# TURN listener port for TLS (Default: 5349).
 +# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
 +# port(s), too - if allowed by configuration. The TURN server 
 +# "automatically" recognizes the type of traffic. Actually, two listening
 +# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
 +# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
 +# For secure TCP connections, we currently support SSL version 3 and 
 +# TLS version 1.0, 1.1 and 1.2.
 +# For secure UDP connections, we support DTLS version 1.
 +#
 +tls-listening-port=<coturnPort>
 +
 +# Listener IP address of relay server. Multiple listeners can be specified.
 +# If no IP(s) specified in the config file or in the command line options, 
 +# then all IPv4 and IPv6 system IPs will be used for listening.
 +#
 +listening-ip=<ipAddress>
 +
 +# Uncomment to use fingerprints in the TURN messages.
 +# By default the fingerprints are off.
 +#
 +fingerprint
 +
 +# Uncomment to use long-term credential mechanism.
 +# By default no credentials mechanism is used (any user allowed).
 +#
 +lt-cred-mech
 +
 +# TURN REST API flag.
 +# Flag that sets a special authorization option that is based upon authentication secret.
 +# This feature can be used with the long-term authentication mechanism, only.
 +# This feature purpose is to support "TURN Server REST API", see
 +# "TURN REST API" link in the project's page 
 +# https://github.com/coturn/coturn/
 +#
 +# This option is used with timestamp:
 +
 +# usercombo -> "timestamp:userid"
 +# turn user -> usercombo
 +# turn password -> base64(hmac(secret key, usercombo))
 +#
 +# This allows TURN credentials to be accounted for a specific user id.
 +# If you don't have a suitable id, the timestamp alone can be used.
 +# This option is just turning on secret-based authentication.
 +# The actual value of the secret is defined either by option static-auth-secret,
 +# or can be found in the turn_secret table in the database (see below).
 +
 +use-auth-secret
 +
 +# 'Static' authentication secret value (a string) for TURN REST API only. 
 +# If not set, then the turn server
 +# will try to use the 'dynamic' value in turn_secret table
 +# in user database (if present). The database-stored  value can be changed on-the-fly
 +# by a separate program, so this is why that other mode is 'dynamic'.
 +#
 +static-auth-secret=<coturnSecret>
 +
 +# PostgreSQL database connection string in the case that we are using PostgreSQL
 +# as the user database.
 +# This database can be used for long-term credential mechanism
 +# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
 +# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
 +# versions connection string format, see 
 +# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
 +# for 9.x and newer connection string formats.
 +#
 +#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
 +
 +# MySQL database connection string in the case that we are using MySQL
 +# as the user database.
 +# This database can be used for long-term credential mechanism
 +# and it can store the secret value for secret-based timed authentication in TURN RESP API.
 +#
 +# Optional connection string parameters for the secure communications (SSL): 
 +# ca, capath, cert, key, cipher 
 +# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the 
 +# command options description).
 +#
 +# Use string format as below (space separated parameters, all optional):
 +#
 +#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 +
 +# Redis database connection string in the case that we are using Redis
 +# as the user database.
 +# This database can be used for long-term credential mechanism
 +# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
 +# Use string format as below (space separated parameters, all optional):
 +#
 +#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 +
 +# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
 +# This database keeps allocations status information, and it can be also used for publishing
 +# and delivering traffic and allocation event notifications.
 +# The connection string has the same parameters as redis-userdb connection string. 
 +# Use string format as below (space separated parameters, all optional):
 +#
 +#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 +
 +# The default realm to be used for the users when no explicit 
 +# origin/realm relationship was found in the database, or if the TURN
 +# server is not using any database (just the commands-line settings
 +# and the userdb file). Must be used with long-term credentials 
 +# mechanism or with TURN REST API.
 +#
 +realm=<coturnDomain>
 +
 +# Total allocation quota.
 +# default value is 0 (no quota).
 +# This option can also be set through the database, for a particular realm.
 +#
 +total-quota=100
 +
 +#
 +# Maximum server capacity.
 +# Total bytes-per-second bandwidth the TURN server is allowed to allocate
 +# for the sessions, combined (input and output network streams are treated separately).
 +#
 +bps-capacity=0
 +
 +# Uncomment if extra security is desired,
 +# with nonce value having limited lifetime (600 secs).
 +# By default, the nonce value is unique for a session,
 +# but it has unlimited lifetime. With this option,
 +# the nonce lifetime is limited to 600 seconds, after that 
 +# the client will get 438 error and will have to re-authenticate itself.
 +#
 +stale-nonce
 +
 +# Certificate file.
 +# Use an absolute path or path relative to the 
 +# configuration file.
 +#
 +cert=/etc/letsencrypt/path/cert.pem
 +
 +# Private key file.
 +# Use an absolute path or path relative to the 
 +# configuration file.
 +# Use PEM file format.
 +#
 +pkey=/etc/letsencrypt/path/privkey.pem
 +
 +# Allowed OpenSSL cipher list for TLS/DTLS connections.
 +# Default value is "DEFAULT".
 +#
 +#cipher-list="DEFAULT"
 +cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
 +
 +# Flag that can be used to disallow peers on the loopback addresses (127.x.x.x and ::1).
 +# This is an extra security measure.
 +#
 +no-loopback-peers
 +
 +# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
 +# This is an extra security measure.
 +#
 +no-multicast-peers
 +</code>
 +
 +Change these options in janus
 +
 +<code bash /etc/janus/janus.jcfg>
 +nat: {
 +  stun_server = "<coturnDomain>"
 +  stun_port = <coturnPort>
 +  full_trickle = true
 +  turn_server = "<coturnDomain>"
 +  turn_port = <coturnPort>
 +  turn_type = "udp"
 +  turn_rest_api_key = "<apiKey>"
 +}
 +</code>
 +
 +Extend <coturnDomain> vhost file
 +<code bash apache.vhost>
 +<VirtualHost *:443>
 +    # ...
 +    # Enable proxying Websocket requests to the standalone signaling server.
 +    ProxyPass "/standalone-signaling/"  "ws://127.0.0.1:<signalingPort>/"
 +
 +    RewriteEngine On
 +    # Websocket connections from the clients.
 +    RewriteRule ^/standalone-signaling/spreed$ - [L]
 +    # Backend connections from Nextcloud.
 +    RewriteRule ^/standalone-signaling/api/(.*) http://127.0.0.1:<signalingPort>/api/$1 [L,P]
 +    # ...
 +</VirtualHost>
 +</code>
 +
 +===== Nextcloud GUI configuration =====
 +
 +
 +{{::nextcloud-signaling-janus-coturn.png|}}
nextcloud-talk-high-performance-backend.1618952171.txt.gz · Last modified: 2021/04/20 22:56 by admin

Page Tools