web: add builtin Let's Encrypt support

pull/28/head
Saúl Ibarra Corretgé 6 years ago
parent 2115bc0ed3
commit f61ef3f093
README.md (25)
docker-compose.yml (3)
env.example (14)
resources/docker-jitsi-meet.png (BIN)
resources/docker-jitsi-meet.xml (2)
web/Dockerfile (3)
web/rootfs/defaults/letsencrypt-renew (10)
web/rootfs/defaults/ssl.conf (5)
web/rootfs/etc/cont-init.d/10-config (20)
web/rootfs/etc/services.d/cron/run (3)
web/rootfs/etc/services.d/nginx/run (2)

@ -51,11 +51,8 @@ A Jitsi Meet installation can be broken down into the following components:
![](resources/docker-jitsi-meet.png)
The diagram shows a typical deployment in a host running Docker, with a separate container
(not included in this project) which acts as a reverse proxy and SSL terminator, then
passing the traffic to the web container serving Jitsi Meet.
This project separates each of the components above into interlinked containers. To this end,
The diagram shows a typical deployment in a host running Docker. This project
separates each of the components above into interlinked containers. To this end,
several container images are provided.
### Images
@ -91,6 +88,23 @@ Variable | Description | Example
`HTTPS_PORT` | Exposed port for HTTPS traffic | 8443
`DOCKER_HOST_ADDRESS` | IP address of the Docker host, needed for LAN environments | 192.168.1.1
**NOTE**: The mobile apps won't work with self-signed certificates (the default)
see below for instructions on how to obtain a proper certificate with Let's Encrypt.
### Let's Encrypt configuration
If you plan on exposing this container setup to the outside traffic directly and
want a proper TLS certificate, you are in luck because Let's Encrypt support is
built right in. Here are the required options:
Variable | Description | Example
--- | --- | ---
`ENABLE_LETSENCRYPT` | Enable Let's Encrypt certificate generation | 1
`LETSENCRYPT_DOMAIN` | Domain for which to generate the certificate | meet.example.com
`LETSENCRYPT_EMAIL` | E-Mail for receiving important account notifications (mandatory) | alice@atlanta.net
In addition, you will need to set `HTTP_PORT` to 80 and `HTTPS_PORT` to 443.
### SIP gateway configuration
If you want to enable the SIP gateway, these options are required:
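Review bot: The Let's Encrypt section should tell the operator what the integration actually requires beyond the three variables: the certificate is obtained with certbot's standalone HTTP challenge (see `--standalone --preferred-challenges http` in 10-config), so `LETSENCRYPT_DOMAIN` must be a public hostname that resolves to this host and port 80 must be reachable from the internet (which is the real reason `HTTP_PORT` has to be 80), and renewal is attempted by a monthly cron job that stops nginx while certbot runs. A sentence on where the account and certificate material ends up (`/etc/letsencrypt`, plus `/config/le-renew.log` for renewal output) would also help people who need to back it up or persist it across container rebuilds.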
@ -162,7 +176,6 @@ option.
* Support multiple Jitsi Videobridge containers.
* Support container replicas (where applicable).
* Docker Swarm mode.
* Native Let's Encrypt support.
* More services:
* Jibri.
* TURN server.

@ -12,7 +12,10 @@ services:
environment:
- ENABLE_AUTH
- ENABLE_GUESTS
- ENABLE_LETSENCRYPT
- JICOFO_AUTH_USER
- LETSENCRYPT_DOMAIN
- LETSENCRYPT_EMAIL
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280

@ -19,6 +19,20 @@ TZ=Europe/Amsterdam
#DOCKER_HOST_ADDRESS=192.168.1.1
#
# Let's Encrypt configuration
#
# Enable Let's Encrypt certificate generation.
#ENABLE_LETSENCRYPT=1
# Domain for which to generate the certificate.
#LETSENCRYPT_DOMAIN=meet.example.com
# E-Mail for receiving important account notifications (mandatory).
#LETSENCRYPT_EMAIL=alice@atlanta.net
#
# Basic Jigasi configuration options (needed for SIP gateway support)
#

resources/docker-jitsi-meet.png: binary file not shown (before: 40 KiB, after: 38 KiB).

resources/docker-jitsi-meet.xml: file diff suppressed because one or more lines are too long.

@ -2,7 +2,8 @@ FROM jitsi/base
RUN \
apt-dpkg-wrap apt-get update && \
apt-dpkg-wrap apt-get install -y nginx-extras jitsi-meet-web && \
apt-dpkg-wrap apt-get install -y cron nginx-extras jitsi-meet-web && \
apt-dpkg-wrap apt-get install -y -t stretch-backports certbot && \
apt-cleanup && \
rm -f /etc/nginx/conf.d/default.conf && \
rm -f /usr/share/jitsi-meet/interface_config.js
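Review bot: `apt-get install -y -t stretch-backports certbot` only works if `jitsi/base` already has the stretch-backports suite in its apt sources; that image is not part of this diff, so either confirm it is configured there or add the sources entry in this Dockerfile before the install line, otherwise the build fails with an unknown release target. Pinning to backports is the right call for a current certbot, but it is worth a short comment saying why, since the rest of the packages come from the main suite.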

@ -0,0 +1,10 @@
#!/bin/bash
# stop nginx
s6-svc -u /var/run/s6/services/nginx
# renew cert
certbot -n renew >> /config/le-renew.log
# start nginx
s6-svc -u /var/run/s6/services/nginx
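Review bot: The first `s6-svc` call is commented `# stop nginx` but passes `-u` (bring the service up), so nginx is never stopped and keeps port 80 bound while `certbot renew` tries to run its standalone challenge; every monthly renewal will fail. It should be `s6-svc -wd -d /var/run/s6/services/nginx` (the `-wd` makes it wait until the process is actually down before certbot starts), with the existing `s6-svc -u` afterwards to bring it back. Also consider `certbot -n renew >> /config/le-renew.log 2>&1` so errors land in the log as well, and note that the trailing `-u` is what brings nginx back even when renewal fails, which is the behaviour you want.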

@ -7,8 +7,13 @@ ssl_session_tickets off;
ssl_dhparam /config/nginx/dhparams.pem;
# ssl certs
{{ if .Env.ENABLE_LETSENCRYPT }}
ssl_certificate /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/privkey.pem;
{{ else }}
ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
{{ end }}
# protocols
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
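Review bot: `{{ if .Env.ENABLE_LETSENCRYPT }}` is true for any non-empty value, including `0`, while 10-config tests `[[ $ENABLE_LETSENCRYPT -eq 1 ]]`; with `ENABLE_LETSENCRYPT=0` the init script generates self-signed keys in `/config/keys` but this template points nginx at `/etc/letsencrypt/live/<domain>/` files that were never created, so nginx fails to start. Assuming `tpl` renders Go text/template syntax (the `.Env.X` form suggests it does), `{{ if eq .Env.ENABLE_LETSENCRYPT "1" }}` keeps both checks consistent. Unrelated to this change but visible in the context: the `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line still enables TLS 1.0 and 1.1, which a follow-up could trim to `TLSv1.2`.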

@ -8,12 +8,26 @@ mkdir -p \
/var/tmp/nginx
# generate keys (maybe)
if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
echo "using keys found in /config/keys"
if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
if [[ ! -f /etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
certbot certonly \
--noninteractive \
--standalone \
--preferred-challenges http \
-d $LETSENCRYPT_DOMAIN \
--agree-tos \
--email $LETSENCRYPT_EMAIL
cp /defaults/letsencrypt-renew /etc/cron.monthly/
fi
else
# use self-signed certs
if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
echo "using keys found in /config/keys"
else
echo "generating self-signed keys in /config/keys, you can replace these with your own keys if required"
SUBJECT="/C=US/ST=TX/L=Austin/O=jitsi.org/OU=Jitsi Server/CN=*"
openssl req -new -x509 -days 3650 -nodes -out /config/keys/cert.crt -keyout /config/keys/cert.key -subj "$SUBJECT"
fi
fi
# copy config files
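Review bot: The `certbot certonly` invocation has no error handling: if it fails (DNS not pointing here, port 80 not published, rate limit hit), the script carries on, the renewal cron job is silently not installed because the `cp` sits inside the same `if`, and nginx later starts against certificate paths that do not exist, with the real cause buried in certbot's output. Either `set -e` at the top of the script or `certbot certonly ... || { echo "certbot failed"; exit 1; }` makes the failure visible at container start. Two smaller points: `$LETSENCRYPT_DOMAIN` and `$LETSENCRYPT_EMAIL` should be double-quoted, and since the README calls `LETSENCRYPT_EMAIL` mandatory, the script should refuse to run certbot when it or `LETSENCRYPT_DOMAIN` is empty instead of sending certbot an empty `-d`.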
@ -22,7 +36,7 @@ if [[ ! -f /config/nginx/nginx.conf ]]; then
fi
if [[ ! -f /config/nginx/ssl.conf ]]; then
cp /defaults/ssl.conf /config/nginx/ssl.conf
tpl /defaults/ssl.conf > /config/nginx/ssl.conf
fi
if [ ! -f "/config/nginx/dhparams.pem" ]; then
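Review bot: `tpl /defaults/ssl.conf > /config/nginx/ssl.conf` is only executed when the file does not already exist, so the rendered result is frozen at first boot: toggling `ENABLE_LETSENCRYPT` or changing `LETSENCRYPT_DOMAIN` later has no effect, and anyone upgrading a `/config` volume created by the previous version (which copied the plain `ssl.conf`) keeps serving the self-signed certificate even after enabling Let's Encrypt. Rendering the template unconditionally on every start (or rendering into a separate generated file that the user-editable `ssl.conf` includes) avoids both surprises.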

@ -0,0 +1,3 @@
#!/usr/bin/with-contenv bash
exec cron -f
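Review bot: This run script starts cron unconditionally, so every container runs a cron daemon even when `ENABLE_LETSENCRYPT` is unset and there is nothing scheduled. Since 10-config already knows whether Let's Encrypt is enabled, it could drop a `down` file into `/var/run/s6/services/cron` (or the service directory) when it is not, so s6 leaves the service stopped.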

@ -1,3 +1,3 @@
#!/usr/bin/with-contenv bash
nginx -c /config/nginx/nginx.conf
exec nginx -c /config/nginx/nginx.conf
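Review bot: Switching to `exec nginx` is needed so that the `s6-svc -d`/`-u` calls in `letsencrypt-renew` signal nginx itself rather than a dead shell, but it only achieves that if `/config/nginx/nginx.conf` sets `daemon off;`. That file is not in this diff; if nginx still daemonizes, the supervised process exits immediately, s6 restarts it in a loop, and the renew script's stop never frees port 80. Please confirm `daemon off;` is present in the default nginx.conf, or pass `-g 'daemon off;'` on this line.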
