diff --git a/docker-compose.tmpl.yml b/docker-compose.tmpl.yml index 21f29c5..c4fa09e 100644 --- a/docker-compose.tmpl.yml +++ b/docker-compose.tmpl.yml @@ -156,6 +156,7 @@ services: - "etherpad:10.7.7.4" - "webrtc-sfu:10.7.7.1" - "html5:10.7.7.11" + - "greenlight:10.7.7.21" etherpad: build: mod/etherpad @@ -380,6 +381,10 @@ services: {{else}} - ./mod/https/site-ipv4only.conf:/etc/nginx/conf.d/bbb-docker.conf {{end}} + {{ if isTrue .Env.DEV_MODE }} + # allow bbb api access without https + - ./mod/https/force-https.conf:/usr/local/openresty/nginx/conf/force-https.conf + {{end}} environment: {{ if isTrue .Env.DEV_MODE }} ALLOWED_DOMAINS: "" @@ -417,24 +422,29 @@ services: {{ if isTrue .Env.ENABLE_GREENLIGHT }} # greenlight greenlight: - image: bigbluebutton/greenlight:v2 + image: bigbluebutton/greenlight:{{ .Env.TAG_GREENLIGHT }}-alpine restart: unless-stopped env_file: .env + depends_on: + - postgres + - redis + environment: - DB_ADAPTER: postgresql - DB_HOST: postgres - DB_NAME: greenlight - DB_USERNAME: postgres - DB_PASSWORD: ${POSTGRESQL_SECRET:-password} + DATABASE_URL: postgres://postgres:${POSTGRESQL_SECRET:-password}@postgres:5432/greenlight + REDIS_URL: redis://redis:6379 {{ if isTrue .Env.DEV_MODE }} - BIGBLUEBUTTON_ENDPOINT: http://10.7.7.1:48087/bigbluebutton/api/ + BIGBLUEBUTTON_ENDPOINT: http://10.7.7.1/bigbluebutton/api {{else}} - BIGBLUEBUTTON_ENDPOINT: https://${DOMAIN}/bigbluebutton/api/ + BIGBLUEBUTTON_ENDPOINT: https://${DOMAIN}/bigbluebutton/api {{end}} BIGBLUEBUTTON_SECRET: ${SHARED_SECRET} SECRET_KEY_BASE: ${RAILS_SECRET} - ports: - - 10.7.7.1:5000:80 + volumes: + - ./greenlight-data:/usr/src/app/storage + networks: + bbb-net: + ipv4_address: 10.7.7.21 + postgres: image: postgres:12-alpine restart: unless-stopped @@ -449,6 +459,9 @@ services: retries: 5 volumes: - ./postgres-data:/var/lib/postgresql/data + networks: + bbb-net: + ipv4_address: 10.7.7.22 {{end}} {{ if isTrue .Env.ENABLE_PROMETHEUS_EXPORTER }} 
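Review bot: The DEV_MODE-gated mount of `./mod/https/force-https.conf` over `/usr/local/openresty/nginx/conf/force-https.conf` is explained only by `# allow bbb api access without https`, which says neither what file is being overridden nor why the override must stay dev-only. I would expand it to `# DEV_MODE only: replaces the base image's force-https.conf so /bigbluebutton/api is reachable over plain HTTP (Greenlight's dev endpoint is http://10.7.7.1); every other path still redirects to https`. The enclosing `volumes:` list starts before this hunk.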
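Review bot: `DATABASE_URL: postgres://postgres:${POSTGRESQL_SECRET:-password}@postgres:5432/greenlight` splices the secret into a URL unescaped, so a value containing `@`, `/`, `:`, `?`, `#` or `%` either fails to parse or changes which host or database is addressed, whereas the removed `DB_PASSWORD` passed it verbatim; either percent-encode it or state the constraint where the secret is generated, e.g. `# POSTGRESQL_SECRET is embedded in a URL: use only URL-safe characters`. The `:-password` fallback is carried over from the old block and now also selects the database password for Greenlight v3, so a note that it must be replaced outside DEV_MODE belongs next to it. `depends_on` lists `redis` and `REDIS_URL` points at `redis:6379`, but no `redis` service appears in this diff — presumably it is defined elsewhere in the file; it needs to sit under the same `{{ if isTrue .Env.ENABLE_GREENLIGHT }}` guard or be unconditional, otherwise compose refuses the dependency. The image moves from `greenlight:v2` to `{{ .Env.TAG_GREENLIGHT }}-alpine` (`v3.0.1` per tags.env) while the database name and `./postgres-data` volume are unchanged, so whether an existing v2 database is migrated in place or must be recreated should be documented in the same block.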
diff --git a/mod/https/force-https.conf b/mod/https/force-https.conf
new file mode 100644
index 0000000..b9ad46a
--- /dev/null
+++ b/mod/https/force-https.conf
@@ -0,0 +1,15 @@
+# overwriting force-https.conf from valian/docker-nginx-auto-ssl
+
+location /bigbluebutton/api/join {
+ return 301 https://$host$request_uri;
+}
+
+# allow /api calls without redirecting to https
+location /bigbluebutton/api {
+ proxy_pass https://127.0.0.1:443;
+ proxy_ssl_verify off;
+}
+
+location / {
+ return 301 https://$host$request_uri;
+}
diff --git a/mod/nginx/bbb/greenlight.nginx b/mod/nginx/bbb/greenlight.nginx
deleted file mode 100644
index 203b4c3..0000000
--- a/mod/nginx/bbb/greenlight.nginx
+++ /dev/null
@@ -1,35 +0,0 @@
-# Routes requests to Greenlight based on the '/b' prefix.
-# Use this file to route '/b' paths on your BigBlueButton server
-# to the Greenlight application. If you are using a different
-# subpath, you should change it here.
-
-
-location /b {
- proxy_pass http://host.docker.internal:5000;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Ssl on;
- proxy_http_version 1.1;
- client_max_body_size 1000m;
-}
-
-location /b/cable {
- proxy_pass http://host.docker.internal:5000;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Ssl on;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- proxy_http_version 1.1;
- proxy_read_timeout 6h;
- proxy_send_timeout 6h;
- client_body_timeout 6h;
- send_timeout 6h;
-}
-
-# this is necessary for the preupload_presentation feature
-location /rails/active_storage {
- return 301 /b$request_uri;
-}
diff --git a/mod/nginx/bigbluebutton b/mod/nginx/bigbluebutton
index 833ef33..e184bda 100644
--- a/mod/nginx/bigbluebutton
+++ b/mod/nginx/bigbluebutton
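Review bot: Nothing in `mod/https/force-https.conf` records that it is only mounted under `DEV_MODE` (the compose hunk is the sole place that says so), yet it lifts the HTTPS redirect for `/bigbluebutton/api` and proxies to `https://127.0.0.1:443` with `proxy_ssl_verify off`; the header comment should carry that context, e.g. `# DEV_MODE only: mounted over the base image's force-https.conf by docker-compose.tmpl.yml so API calls arrive over plain HTTP; API requests and their parameters then travel in clear on the dev network`. `proxy_ssl_verify off` is needed only because the loopback upstream is addressed by IP rather than by the name on the certificate, and a one-line comment saying so would stop the directive being copied into a production location. Unlike the `location /` block in `mod/nginx/bigbluebutton`, this location sets no `Host` header, so the HTTPS server block receives nginx's default `$proxy_host` — if that server block selects on `server_name`, add `proxy_set_header Host $host;`. The plain-prefix `location /bigbluebutton/api/join` also matches longer paths such as `/bigbluebutton/api/joinX` (harmless here, but `location = /bigbluebutton/api/join` states the intent exactly).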
@@ -29,12 +29,33 @@ server { # https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea add_header Permissions-Policy "interest-cohort=()"; - # redirect to greenlight - location = / { - return 302 /b; - } # Include specific rules for record and playback include /etc/nginx/bbb/*.nginx; + + location / { + proxy_pass http://greenlight:3000; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Ssl on; + proxy_http_version 1.1; + client_max_body_size 1000m; + } + + location /cable { + proxy_pass http://greenlight:3000; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_http_version 1.1; + proxy_read_timeout 6h; + proxy_send_timeout 6h; + client_body_timeout 6h; + send_timeout 6h; + } } diff --git a/sample.env b/sample.env index f83534d..78a9715 100644 --- a/sample.env +++ b/sample.env 
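Review bot: `location /` now proxies unconditionally to `http://greenlight:3000`, while the greenlight service in docker-compose.tmpl.yml exists only under `{{ if isTrue .Env.ENABLE_GREENLIGHT }}`; nginx resolves a literal hostname in `proxy_pass` when the configuration is loaded, so on a deployment with Greenlight disabled this block only works if the new `greenlight:10.7.7.21` extra_hosts entry belongs to the nginx container and is unconditional (requests then get a 502 instead of nginx refusing to start). If that is the mechanism, say so on the block: `# greenlight resolves via extra_hosts even when ENABLE_GREENLIGHT=false; requests then fail with 502`. The header set in `location /` and `location /cable` is duplicated verbatim; moving the shared `proxy_set_header` lines and `proxy_http_version 1.1;` into one snippet included from both (`include /etc/nginx/bbb/greenlight-proxy.conf;`, name illustrative) keeps the two from drifting. `X-Forwarded-Ssl on` is hard-coded even when the request arrived over plain HTTP, which is now a real path in DEV_MODE via force-https.conf; it is inherited from the deleted greenlight.nginx but worth a comment. The enclosing `server {` block starts before this hunk.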
@@ -160,180 +160,42 @@ NUMBER_OF_FRONTEND_NODEJS_PROCESSES=2 # GREENLIGHT CONFIGURATION # ==================================== -# Microsoft Office365 Login Provider (optional) -# -# For in-depth steps on setting up a Office 365 Login Provider, see: -# -# https://docs.bigbluebutton.org/greenlight/gl-config.html#office365-oauth2 -# -OFFICE365_KEY= -OFFICE365_SECRET= -OFFICE365_HD= +### SMTP CONFIGURATION +# Emails are required for the basic features of Greenlight to function. +# Please refer to your SMTP provider to get the values for the variables below +#SMTP_SENDER_EMAIL= +#SMTP_SENDER_NAME= +#SMTP_SERVER= +#SMTP_PORT= +#SMTP_DOMAIN= +#SMTP_USERNAME= +#SMTP_PASSWORD= +#SMTP_AUTH= +#SMTP_STARTTLS_AUTO=true +#SMTP_STARTTLS=false +#SMTP_TLS=false +#SMTP_SSL_VERIFY=true -# OAUTH2_REDIRECT allows you to specify the redirect_url passed to oauth on sign in. -# It is useful for cases when Greenlight is deployed behind a Network Load Balancer or proxy -OAUTH2_REDIRECT= +### EXTERNAL AUTHENTICATION METHODS +# +#OPENID_CONNECT_CLIENT_ID= +#OPENID_CONNECT_CLIENT_SECRET= +#OPENID_CONNECT_ISSUER= +#OPENID_CONNECT_REDIRECT= -# LDAP Login Provider (optional) -# -# You can enable LDAP authentication by providing values for the variables below. -# Configuring LDAP authentication will take precedence over all other providers. 
-# For information about setting up LDAP, see: -# -# https://docs.bigbluebutton.org/greenlight/gl-config.html#ldap-auth -# -# LDAP_SERVER=ldap.example.com -# LDAP_PORT=389 -# LDAP_METHOD=plain -# LDAP_UID=uid -# LDAP_BASE=dc=example,dc=com -# LDAP_AUTH=simple -# LDAP_BIND_DN=cn=admin,dc=example,dc=com -# LDAP_PASSWORD=password -# LDAP_ROLE_FIELD=ou -# LDAP_FILTER=(&(attr1=value1)(attr2=value2)) -LDAP_SERVER= -LDAP_PORT= -LDAP_METHOD= -LDAP_UID= -LDAP_BASE= -LDAP_BIND_DN= -LDAP_AUTH= -LDAP_PASSWORD= -LDAP_ROLE_FIELD= -LDAP_FILTER= +# To enable hCaptcha on the user sign up and sign in, define these 2 keys +#HCAPTCHA_SITE_KEY= +#HCAPTCHA_SECRET_KEY= -# Set this to true if you want GreenLight to support user signup and login without -# Omniauth. For more information, see: -# -# https://docs.bigbluebutton.org/greenlight/gl-overview.html#accounts-and-profile -# -ALLOW_GREENLIGHT_ACCOUNTS=true +# Set these if you are using a Simple Storage Service (S3) +# Uncomment S3_ENDPOINT only if you are using a S3 OTHER than Amazon Web Service (AWS) S3. +#S3_ACCESS_KEY_ID= +#S3_SECRET_ACCESS_KEY= +#S3_REGION= +#S3_BUCKET= +#S3_ENDPOINT= -# Set this to true if you want GreenLight to send verification emails upon -# the creation of a new account -# -# ALLOW_MAIL_NOTIFICATIONS=true -# -# The notifications are sent using sendmail, unless the SMTP_SERVER variable is set. -# In that case, make sure the rest of the variables are properly set. -# -# SMTP_SERVER=smtp.gmail.com -# SMTP_PORT=587 -# SMTP_DOMAIN=gmail.com -# SMTP_USERNAME= -# SMTP_PASSWORD= -# SMTP_AUTH=plain -# SMTP_STARTTLS_AUTO=true -# -# If your mail server has a self-signed certificate, you'll also need to include the line below. -# Please note that enable this presents its own security risks and should not be done unless necessary. -# SMTP_OPENSSL_VERIFY_MODE=none -# -SMTP_SERVER= -SMTP_PORT= -SMTP_DOMAIN= -SMTP_USERNAME= -SMTP_PASSWORD= -SMTP_AUTH= -SMTP_STARTTLS_AUTO= +# Define the default locale language code (i.e. 
'en' for English) from the fallowing list: +# [en, ar, fr, es] +#DEFAULT_LOCALE=en -# Specify the email address that all mail is sent from -SMTP_SENDER= - -# Prefix for the applications root URL. -# Useful for deploying the application to a subdirectory, which is highly recommended -# if deploying on a BigBlueButton server. Keep in mind that if you change this, you'll -# have to update your authentication callback URL's to reflect this change. -# -# The recommended prefix is "/b". -# -RELATIVE_URL_ROOT=/b - -# Specify which settings you would like the users to configure on room creation -# or edit after the room has been created -# By default, all settings are turned OFF. -# -# Current settings available: -# mute-on-join: Automatically mute users by default when they join a room -# require-moderator-approval: Require moderators to approve new users before they can join the room -# anyone-can-start: Allows anyone with the join url to start the room in BigBlueButton -# all-join-moderator: All users join as moderators in BigBlueButton -ROOM_FEATURES=mute-on-join,require-moderator-approval,anyone-can-start,all-join-moderator - -# Specify the maximum number of records to be sent to the BigBlueButton API in one call -# Default is set to 25 records -PAGINATION_NUMBER=25 - -# Specify the maximum number of rows that should be displayed per page for a paginated table -# Default is set to 25 rows -NUMBER_OF_ROWS=25 - -# Specify if you want to display the Google Calendar button -# ENABLE_GOOGLE_CALENDAR_BUTTON=true|false -ENABLE_GOOGLE_CALENDAR_BUTTON= - -# Set the application into Maintenance Mode -# -# Current options supported: -# true: Renders an error page that does not allow users to access any of the features in the application -# false: Application runs normally -MAINTENANCE_MODE=false - -# Displays a flash that appears to inform the user of a scheduled maintenance window -# This variable should contain ONLY the date and time of the scheduled maintenance -# -# Ex: 
MAINTENANCE_WINDOW=Friday August 18 6pm-10pm EST -MAINTENANCE_WINDOW= - -# The link to the Report an Issue button that appears on the 500 page and in the Account Dropdown -# -# Defaults to the Github Issues Page for Greenlight -# Button can be disabled by setting the value to blank -# -# REPORT_ISSUE_URL=https://github.com/bigbluebutton/greenlight/issues/new - -# The link to the Need help? button that appears on the Account Dropdown -# -# Defaults to the Greenlight documentation -# Button can be disabled by setting the value to blank -HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html - -# Comment this out to send logs to STDOUT in production instead of log/production.log . -# -# RAILS_LOG_TO_STDOUT=true -# -# When using docker-compose the logs can be sent to an centralized repository like PaperTrail -# just by using the built in driver. Make sure to add to docker-compose.yml the next lines: -# -# logging: -# driver: $LOG_DRIVER -# options: -# syslog-address: $LOG_ADDRESS -# tag: $LOG_TAG -# -# And set this variables up: -# -# LOG_DRIVER=syslog -# LOG_ADDRESS=udp://logs4.papertrailapp.com:[99999] -# LOG_TAG=greenlight.example.com:v2 -# -# Check docker-compose and papertrail documentation for encrypting and -# protecting access to the log repository. -# https://docs.docker.com/config/containers/logging/syslog/#options -# https://help.papertrailapp.com/kb/configuration/encrypting-remote-syslog-with-tls-ssl/ -# -# For sending logs to a remote aggregator enable these variables: -# -# RAILS_LOG_REMOTE_NAME=logxx.papertrailapp.com -# RAILS_LOG_REMOTE_PORT=9999 -# RAILS_LOG_REMOTE_TAG=greenlight -# - -# Specify the default registration to be used by Greenlight until an administrator sets the -# registration method -# Allowed values are: -# open - For open registration -# invite - For invite only registration -# approval - For approve/decline registration -DEFAULT_REGISTRATION=open 
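Review bot: The rewritten section drops the v2 Greenlight variables (`RELATIVE_URL_ROOT=/b`, `OFFICE365_*`, `LDAP_*`, `ALLOW_GREENLIGHT_ACCOUNTS`, `DEFAULT_REGISTRATION`, …) from the sample, but existing installs keep them in `.env`, and `env_file: .env` in the compose template hands every one of them to the v3 container; a line at the top of the section, `# Upgrading from Greenlight v2: remove the old GREENLIGHT variables from your .env, v3 reads only the keys below`, would avoid stale settings being passed along. The removed text carried a caveat next to `SMTP_OPENSSL_VERIFY_MODE=none` about the risk of disabling certificate checks; the new `#SMTP_SSL_VERIFY=true` has no equivalent, so a short comment that it should stay `true` unless the mail server's certificate genuinely cannot be validated would preserve that guidance. Typo in the locale comment: `fallowing` should read `following`.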
diff --git a/scripts/generate-compose b/scripts/generate-compose index dff60de..e5d29e7 100755 --- a/scripts/generate-compose +++ b/scripts/generate-compose @@ -53,6 +53,7 @@ docker run \ -e TAG_PLAYBACK=${TAG_PLAYBACK} \ -e TAG_PADS=${TAG_PADS} \ -e TAG_FREESWITCH=${TAG_FREESWITCH} \ + -e TAG_GREENLIGHT=${TAG_GREENLIGHT} \ -e DEV_MODE=${DEV_MODE:-false} \ -e EXTERNAL_IPv6=${EXTERNAL_IPv6:-} \ -e ENABLE_RECORDING=${ENABLE_RECORDING:-false} \ diff --git a/tags.env b/tags.env index 67adb55..754cf66 100644 --- a/tags.env +++ b/tags.env @@ -18,6 +18,7 @@ TAG_FS_CONFIG=v2.6.0 TAG_FS_BUILD_FILES=v2.6.0 TAG_FREESWITCH=v1.10.9 +TAG_GREENLIGHT=v3.0.1 # individual git submodules # use `./scripts/checkout-submodules` to ensure, that the submodules