We need two domains: PrivMX Team Server will run on one and PrivMX Video Server on the other. For this example we use the domain `foo.pmxbox.com` for PrivMX Team Server and the subdomain `video.foo.pmxbox.com` for PrivMX Video Server. Both names must already resolve to the public address of this machine: the certificate step at the end uses an HTTP-01 (webroot) challenge, which Let's Encrypt answers by fetching a file over port 80 from each of those names.

## Requirements

Install `docker`, `docker-compose`, `certbot`, `nginx`, `wget` and `unzip` on the machine (`unzip` is needed later to unpack the Jitsi script package).

## PrivMX Video Server

Clone the repository, change into it, run the setup script with the video domain, then start the service:

```
git clone https://dev.privmx.com/main/privmx-video-server-docker.git /srv/privmx-video-server-docker
cd /srv/privmx-video-server-docker
sudo ./setup.sh video.foo.pmxbox.com
docker-compose up -d
```

Extract the secret that you will later put into the PrivMX Team Server configuration. It is the shared credential between the two servers, so treat the `.env` file like a password file: keep it readable only by root and never commit it anywhere.

```
grep PRIVMX_API_SECRET /srv/privmx-video-server-docker/.env
```

## PrivMX Team Server

Clone the repository, then edit `.env` to set the target domain and to state that HTTPS will be used. Finally start the service. The two `sed` expressions only match the shipped defaults (`PRIVMX_DOMAIN=example.com`, `PRIVMX_SECURE=false`), so check `.env` afterwards if the defaults in your checkout differ.

```
git clone https://dev.privmx.com/main/privmx-team-server-docker.git /srv/privmx-team-server-docker
cd /srv/privmx-team-server-docker
sed -i 's/PRIVMX_DOMAIN=example.com/PRIVMX_DOMAIN=foo.pmxbox.com/g' .env
sed -i 's/PRIVMX_SECURE=false/PRIVMX_SECURE=true/g' .env
docker-compose up -d
```

Edit the Team Server config to connect it to the video server. Add the `video` section as described in the [instructions](https://dev.privmx.com/main/docs/-/wikis/Team-Server-configuration-file#privmx-video-server-pairing), using the secret obtained in the previous step (the value below is only this page's sample; paste your own). `clientUrl` and `apiUrl` use `https://` because the video server will sit behind the TLS reverse proxy configured below, and `scriptsDirectory` is the path inside the container into which the scripts package from the next step is unpacked. The finished file should look like this:

```
{
  "domain": "foo.pmxbox.com",
  "server": {
    "port": 3000,
    "secure": true
  },
  "db": {
    "mongo": {
      "url": "mongodb://mongodb:27017",
      "dbName": "privmx_foo_pmxbox_com"
    }
  },
  "app": {
    "instanceName": "MyCompany"
  },
  "video": {
    "enabled": true,
    "secret": "ed016d3ad3954926872498c84b8e2681",
    "clientUrl": "https://video.foo.pmxbox.com",
    "apiUrl": "https://video.foo.pmxbox.com/privmx-api/",
    "jitsiScript": {
      "scriptsDirectory": "/usr/share/privmx-team-server/app/conf/jitsi/scripts"
    }
  }
}
```
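The pairing depends on the same secret appearing in two places: `PRIVMX_API_SECRET` in the Video Server `.env` (extracted above) and `video.secret` in the Team Server config (this section). The following shell snippet is an added example, not code from the PrivMX project: it reads the secret out of a `.env` file, checks it has the 32-hex-character shape of this page's sample (an assumption taken from that sample), pulls `video.secret` out of the JSON config without needing `jq`, and fails loudly if the two disagree. The `.env` and config files it works on are constructed in a temporary directory for the demo; point it at `/srv/privmx-video-server-docker/.env` and your real config file instead.

```shell
# Added example (not PrivMX project code). Cross-checks the shared secret between
# the Video Server .env and the Team Server JSON config. Sample files are constructed.

# read_env_var FILE NAME: print the value of NAME from a KEY=VALUE .env file.
# Skips comment lines, takes the last assignment, strips CR and optional quotes.
read_env_var() {
  grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | tr -d '\r' \
    | sed -e "s/^[[:space:]]*$2=//" \
          -e 's/[[:space:]]*$//' \
          -e 's/^"\(.*\)"$/\1/' \
          -e "s/^'\(.*\)'\$/\1/"
}

# looks_like_secret VALUE: 32 lowercase hex characters, as in this page's sample.
# (Assumption: setup.sh generates secrets of that shape.)
looks_like_secret() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# json_secret CONF: extract the string value of the first "secret" key.
# Good enough for the flat config shown above; no jq dependency.
json_secret() {
  grep -o '"secret"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" | head -n 1 \
    | sed 's/.*"\([^"]*\)"$/\1/'
}

# verify_pairing ENV CONF: exit 0 only if both sides carry the same well-formed secret.
verify_pairing() {
  env_secret=$(read_env_var "$1" PRIVMX_API_SECRET)
  conf_secret=$(json_secret "$2")
  if ! looks_like_secret "$env_secret"; then
    echo "PRIVMX_API_SECRET missing or malformed in $1" >&2
    return 1
  fi
  if [ "$env_secret" != "$conf_secret" ]; then
    echo "video.secret in $2 does not match PRIVMX_API_SECRET in $1" >&2
    return 1
  fi
  echo "pairing secret consistent"
}

# --- constructed demo input (not real credentials) ---
DEMO=$(mktemp -d)
cat > "$DEMO/video.env" <<'EOF'
# constructed sample .env in the style written by setup.sh
PRIVMX_DOMAIN=video.foo.pmxbox.com
PRIVMX_API_SECRET="ed016d3ad3954926872498c84b8e2681"
EOF
cat > "$DEMO/team.json" <<'EOF'
{ "video": { "enabled": true, "secret": "ed016d3ad3954926872498c84b8e2681",
             "apiUrl": "https://video.foo.pmxbox.com/privmx-api/" } }
EOF
cat > "$DEMO/team-stale.json" <<'EOF'
{ "video": { "enabled": true, "secret": "00000000000000000000000000000000" } }
EOF

verify_pairing "$DEMO/video.env" "$DEMO/team.json"
verify_pairing "$DEMO/video.env" "$DEMO/team-stale.json" || echo "stale config detected"
```

Run it after every re-run of `setup.sh`: the script regenerates `.env`, and a Team Server that still holds the old value will fail to pair without an obvious error.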

Download the scripts package and unpack it into the right directory. The `./volumes/app/conf/` tree corresponds to `/usr/share/privmx-team-server/app/conf/` inside the container, which is why the config above points at `.../conf/jitsi/scripts`:

```
wget https://dev.privmx.com/cdn/jitsi-script/jitsi-script-latest.zip
mkdir -p ./volumes/app/conf/jitsi/scripts/
unzip jitsi-script-latest.zip -d ./volumes/app/conf/jitsi/scripts/
```

Restart PrivMX Team Server:

```
docker-compose restart privmxteamserver
```

Extract the ACToken, which you will enter during registration:

```
cat volumes/app/data/...
```

## Nginx

Create the following files:

- /etc/nginx/includes/proxy.conf

```
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Forwarded "";
```

`X-Forwarded-For` is overwritten with `$remote_addr` rather than appended to, and the incoming `Forwarded` header is cleared, so the backends only ever see the client address nginx itself observed, never a value the client supplied. `Connection "Upgrade"` is hard-coded for every proxied request; the nginx WebSocket documentation instead derives it from `$http_upgrade` with a `map`, so that requests without an `Upgrade` header keep a normal `Connection` value. Switch to the `map` form if the upstreams misbehave on plain requests.

- /etc/nginx/includes/ssl.conf

The redirect keeps the requested path (`$request_uri`), only TLS 1.2 and 1.3 are offered, and the cipher list contains AEAD suites with forward secrecy only (no 3DES, no static RSA key exchange). On an nginx older than 1.13 drop `TLSv1.3` from `ssl_protocols`, otherwise the config will not load.

```
if ($scheme = http) {
    return 301 https://$host$request_uri;
}
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
# Only reached once the site serves TLS, so it is safe to send HSTS here
add_header Strict-Transport-Security "max-age=63072000" always;
```
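Older copies of this kind of include still enable TLS 1.0/1.1, carry 3DES suites, and redirect to `https://$host` without the path. The shell function below is an added example (not part of the PrivMX project or of nginx) that flags exactly those three problems in a TLS include file, so you can check what is actually deployed in `/etc/nginx/includes/ssl.conf` and in any other include you inherit. The two config samples it runs on are constructed for the demo: one reproduces the legacy settings, the other the hardened include shown above.

```shell
# Added example (not PrivMX or nginx code). Audits an nginx TLS include for the
# weaknesses discussed above. Findings go to stderr, the count to stdout;
# exit status 0 only when nothing was flagged. Sample configs are constructed.

tls_findings() {
  conf=$1
  n=0
  # Legacy protocol versions. Anchor on whitespace/';' around the token so that
  # TLSv1 does not match TLSv1.2 or TLSv1.3.
  for proto in SSLv2 SSLv3 TLSv1 TLSv1.1; do
    esc=$(printf '%s' "$proto" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*ssl_protocols[^;]*[[:space:]]${esc}([[:space:]]|;)" "$conf"; then
      echo "legacy protocol enabled: $proto" >&2
      n=$((n + 1))
    fi
  done
  # Cipher suites nobody should still offer.
  if grep -Eq '^[[:space:]]*ssl_ciphers.*(DES-CBC3|RC4|MD5|NULL|EXPORT)' "$conf"; then
    echo "legacy cipher suite in ssl_ciphers (3DES/RC4/MD5/NULL/EXPORT)" >&2
    n=$((n + 1))
  fi
  # Redirect that throws the request path away.
  if grep -Eq 'return[[:space:]]+30[0-9][[:space:]]+https://\$host;' "$conf"; then
    echo "http->https redirect drops the path: use https://\$host\$request_uri" >&2
    n=$((n + 1))
  fi
  echo "$n"
  [ "$n" -eq 0 ]
}

# --- constructed demo input ---
TLSDEMO=$(mktemp -d)
cat > "$TLSDEMO/legacy.conf" <<'EOF'
if ($scheme = http) {
    return 302 https://$host;
}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
EOF
cat > "$TLSDEMO/hardened.conf" <<'EOF'
if ($scheme = http) {
    return 301 https://$host$request_uri;
}
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_prefer_server_ciphers off;
EOF

echo "legacy.conf:"
tls_findings "$TLSDEMO/legacy.conf" || echo "legacy.conf needs attention"
echo "hardened.conf:"
tls_findings "$TLSDEMO/hardened.conf" && echo "hardened.conf is clean"
```

The checks are deliberately line-based: nginx accepts these directives only as single lines ending in `;`, so a regex per directive is reliable here, and a zero exit status makes the function usable as a gate in a deployment script before `systemctl reload nginx`.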

- /etc/nginx/sites-available/foo.pmxbox.com

The TLS lines stay commented out until the certificate exists; until then the site listens on port 80 only, which is all the ACME challenge needs. `client_max_body_size 10M` caps uploads through the proxy at 10 MB; raise it if the Team Server is expected to accept larger files.

```
server {
    listen 80;
    listen [::]:80;
    #listen 443 ssl;
    #listen [::]:443 ssl;
    #include includes/ssl.conf;
    #ssl_certificate /etc/letsencrypt/live/foo.pmxbox.com/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/foo.pmxbox.com/privkey.pem;

    root /var/www/foo.pmxbox.com/html;
    index index.html;
    client_max_body_size 10M;

    server_name foo.pmxbox.com;

    location / {
        proxy_pass http://127.0.0.1:7777;
        include includes/proxy.conf;
    }

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
    }
}
```

- /etc/nginx/sites-available/video.foo.pmxbox.com

```
server {
    listen 80;
    listen [::]:80;
    #listen 443 ssl;
    #listen [::]:443 ssl;
    #include includes/ssl.conf;
    #ssl_certificate /etc/letsencrypt/live/video.foo.pmxbox.com/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/video.foo.pmxbox.com/privkey.pem;

    root /var/www/video.foo.pmxbox.com/html;
    index index.html;
    client_max_body_size 10M;

    server_name video.foo.pmxbox.com;

    location / {
        proxy_pass http://127.0.0.1:8000;
        include includes/proxy.conf;
    }

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
    }
}
```

Link both sites into `sites-enabled` and reload nginx:

```
ln -s /etc/nginx/sites-available/foo.pmxbox.com /etc/nginx/sites-enabled/foo.pmxbox.com
ln -s /etc/nginx/sites-available/video.foo.pmxbox.com /etc/nginx/sites-enabled/video.foo.pmxbox.com
systemctl reload nginx
```

## Generating the certificate

Create the challenge directories:

```
mkdir -p /var/www/foo.pmxbox.com/html/.well-known/acme-challenge/
mkdir -p /var/www/video.foo.pmxbox.com/html/.well-known/acme-challenge/
```

Run certbot separately for each domain:

```
certbot certonly --webroot -w /var/www/foo.pmxbox.com/html -d foo.pmxbox.com
certbot certonly --webroot -w /var/www/video.foo.pmxbox.com/html -d video.foo.pmxbox.com
```

Edit the configuration, removing the comment marker (#) from the five TLS lines (`listen 443 ssl`, `listen [::]:443 ssl`, `include includes/ssl.conf`, `ssl_certificate`, `ssl_certificate_key`) in the files:

- /etc/nginx/sites-available/foo.pmxbox.com
- /etc/nginx/sites-available/video.foo.pmxbox.com

Reload nginx:

```
systemctl reload nginx
```
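Uncommenting the five TLS lines by hand is easy to get half right (a `listen 443 ssl` with the certificate lines still commented, or the reverse, makes the reload fail). The shell functions below are an added example, not part of the PrivMX project or of certbot: `enable_tls_vhost` uncomments exactly those five directives in a vhost file, but only after confirming that `fullchain.pem` and `privkey.pem` exist for the domain, and `tls_vhost_active` checks that all five are live afterwards. The vhost file and the certificate directory are constructed in a temporary directory for the demo (the placeholder `.pem` files are empty, not real keys); in production call it with the real file and let the third argument default to certbot's `/etc/letsencrypt/live`.

```shell
# Added example (not PrivMX or certbot code). Enables the commented TLS lines in a
# sites-available file only when the Let's Encrypt files are present. Demo input
# is constructed; the .pem placeholders are empty files, not real key material.

# enable_tls_vhost VHOST DOMAIN [LE_DIR]
enable_tls_vhost() {
  vhost=$1; domain=$2; le_dir=${3:-/etc/letsencrypt/live}
  for f in fullchain.pem privkey.pem; do
    if [ ! -r "$le_dir/$domain/$f" ]; then
      echo "refusing to enable TLS for $domain: $le_dir/$domain/$f not found" >&2
      return 1
    fi
  done
  # Strip the leading '#' from the five TLS directives and nothing else;
  # unrelated comments in the file are left alone.
  sed -E \
    -e 's|^([[:space:]]*)#(listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl;)|\1\2|' \
    -e 's|^([[:space:]]*)#(include[[:space:]]+includes/ssl\.conf;)|\1\2|' \
    -e 's|^([[:space:]]*)#(ssl_certificate(_key)?[[:space:]]+[^;]+;)|\1\2|' \
    "$vhost" > "$vhost.tmp" && mv "$vhost.tmp" "$vhost"
}

# tls_vhost_active VHOST: 0 when all five TLS directives are uncommented.
tls_vhost_active() {
  active=$(grep -cE '^[[:space:]]*(listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl;|include[[:space:]]+includes/ssl\.conf;|ssl_certificate(_key)?[[:space:]]+[^;]+;)' "$1" || true)
  [ "$active" -eq 5 ]
}

# --- constructed demo input ---
VHDEMO=$(mktemp -d)
mkdir -p "$VHDEMO/live/foo.pmxbox.com"
cat > "$VHDEMO/foo.pmxbox.com" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    #listen 443 ssl;
    #listen [::]:443 ssl;
    #include includes/ssl.conf;
    #ssl_certificate /etc/letsencrypt/live/foo.pmxbox.com/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/foo.pmxbox.com/privkey.pem;
    server_name foo.pmxbox.com;
    # unrelated comment that must stay a comment
    location / { proxy_pass http://127.0.0.1:7777; }
}
EOF

# 1) No certificate yet: the file is left untouched.
enable_tls_vhost "$VHDEMO/foo.pmxbox.com" foo.pmxbox.com "$VHDEMO/live" || echo "not enabled yet"

# 2) Simulate a successful certbot run with placeholder files (constructed, empty).
: > "$VHDEMO/live/foo.pmxbox.com/fullchain.pem"
: > "$VHDEMO/live/foo.pmxbox.com/privkey.pem"
enable_tls_vhost "$VHDEMO/foo.pmxbox.com" foo.pmxbox.com "$VHDEMO/live" \
  && tls_vhost_active "$VHDEMO/foo.pmxbox.com" \
  && echo "TLS directives active in $VHDEMO/foo.pmxbox.com"
```

After running it on the real files, validate with `nginx -t` before `systemctl reload nginx`. Certificates from certbot expire after 90 days and nginx only reads them at start or reload, so renew with `certbot renew --deploy-hook "systemctl reload nginx"` (or put that hook in a cron/systemd timer) so a renewed certificate is actually served.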