v3.0.0-beta.5: basic working functionality

quite some features (recording, SIP, transcription, etc.) are not working yet, but a milestone where it should finally take a commit
This commit is contained in:
chandi 2024-11-24 16:07:48 +01:00
parent 20315c1cf8
commit c740f55e5a
66 changed files with 386 additions and 1019 deletions

View File

@ -3,7 +3,7 @@
# 📦 BigBlueButton 3.0 Docker
Version: 3.0.0-alpha.1 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/bigbluebutton/docker/issues) | [Upgrading](docs/upgrading.md) | [Development](docs/development.md)
Version: 3.0.0-beta.5 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/bigbluebutton/docker/issues) | [Upgrading](docs/upgrading.md) | [Development](docs/development.md)
## Features
- Easy installation
@ -18,9 +18,7 @@ Version: 3.0.0-alpha.1 | [Changelog](CHANGELOG.md) | [Issues](https://github.com
- Linux (it will not work under Windows/WSL)
- Root access (bbb-docker uses host networking, so it won't work with Kubernetes, any "CaaS"-Service, etc.)
- Public IPv4 (expect issues with a firewall / NAT)
## What is not implemented yet
- bbb-lti
- firewall allows internal networking (e.g. for ufw: `ufw allow 10.7.7.0/24`)
## Install
1. Ensure the requirements above are fulfilled (it really doesn't work without them)

45
dev.env
View File

@ -6,7 +6,11 @@
# - accept self signed certificates
DEV_MODE=true
# user and group used for
# this avoid any file permission issues with files
# created inside docker (e.g. node_modules)
BBB_DEV_UID=1000
BBB_DEV_GID=1000
# ====================================
@ -93,8 +97,6 @@ SIP_IP_ALLOWLIST=0.0.0.0/0
# CUSTOMIZATION
# ====================================
CLIENT_TITLE=BigBlueButton (Development)
# use following lines to replace the default welcome message and footer
WELCOME_MESSAGE="Welcome to <b>%%CONFNAME%%</b>!<br><br>For help on using BigBlueButton see these (short) <a href='https://www.bigbluebutton.org/html5' target='_blank'><u>tutorial videos</u></a>.<br><br>To join the audio bridge click the speaker button. Use a headset to avoid causing background noise for others."
WELCOME_FOOTER="This server is running <a href='https://docs.bigbluebutton.org/'' target='_blank'><u>BigBlueButton</u></a>."
@ -123,52 +125,15 @@ DEFAULT_PRESENTATION=./mod/nginx/default.pdf
# - zh-hk-sinmei - Chinese/Hong Kong Sinmei
SOUNDS_LANGUAGE=en-us-callie
# set to false to disable listenOnlyMode
LISTEN_ONLY_MODE=true
# set to true to disable echo test
DISABLE_ECHO_TEST=false
# set to true to automatically share webcam
AUTO_SHARE_WEBCAM=false
# set to true to disable video preview for webcam sharing
DISABLE_VIDEO_PREVIEW=false
# set to false to disable chat
CHAT_ENABLED=true
# set to true to start chat closed
CHAT_START_CLOSED=false
# set to true to disable announcements "You are now (un-)muted"
DISABLE_SOUND_MUTED=false
# set to true to disable announcement "You are the only person in this conference"
DISABLE_SOUND_ALONE=false
# maximum count of breakout rooms per meeting
# Warning: increasing the limit of breakout rooms per meeting
# can generate excessive overhead to the server. We recommend
# this value to be kept under 12.
BREAKOUTROOM_LIMIT=8
# set to false to disable the learning dashboard
ENABLE_LEARNING_DASHBOARD=true
# ====================================
# Tuning
# ====================================
# Default = 2; Min = 1; Max = 4
# On powerful systems with high number of meetings you can set values up to 4 to accelerate handling of events
NUMBER_OF_BACKEND_NODEJS_PROCESSES=1
# Default = 2; Min = 1; Max = 8
# Set a number between 1 and 4 times the value of NUMBER_OF_BACKEND_NODEJS_PROCESSES where higher number helps with meetings
# stretching the recommended number of users in BigBlueButton
NUMBER_OF_FRONTEND_NODEJS_PROCESSES=1
# ====================================
# GREENLIGHT CONFIGURATION
# ====================================

View File

@ -3,45 +3,6 @@
# don't edit this directly.
{{/* -------- */}}
version: '3.6'
# html5 templates
x-html5-backend: &html5backend
build:
context: mod/html5
additional_contexts:
- source=./repos/bigbluebutton/bigbluebutton-html5
args:
BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
TAG_BBB: {{ .Env.TAG_BBB }}
image: alangecker/bbb-docker-html5:{{ .Env.TAG_BBB }}
restart: unless-stopped
depends_on:
- redis
- mongodb
- etherpad
environment: &html5backend-env
DOMAIN: ${DOMAIN}
CLIENT_TITLE: ${CLIENT_TITLE}
LISTEN_ONLY_MODE: ${LISTEN_ONLY_MODE:-true}
DISABLE_ECHO_TEST: ${DISABLE_ECHO_TEST:-false}
AUTO_SHARE_WEBCAM: ${AUTO_SHARE_WEBCAM:-false}
DISABLE_VIDEO_PREVIEW: ${DISABLE_VIDEO_PREVIEW:-false}
CHAT_ENABLED: ${CHAT_ENABLED:-true}
CHAT_START_CLOSED: ${CHAT_START_CLOSED:-false}
BREAKOUTROOM_LIMIT: ${BREAKOUTROOM_LIMIT:-8}
DEV_MODE: ${DEV_MODE:-}
BBB_HTML5_ROLE: backend
x-html5-frontend: &html5frontend
<<: *html5backend
volumes:
- html5-static:/html5-static:rw
environment: &html5frontend-env
<<: *html5backend-env
BBB_HTML5_ROLE: frontend
# =========================
services:
bbb-web:
build:
@ -81,61 +42,6 @@ services:
ipv4_address: 10.7.7.2
{{ if isTrue .Env.DEV_MODE }}
html5-dev:
build:
context: mod/html5
dockerfile: Dockerfile.dev
args:
BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
user: ${BBB_DOCKER_USER}
restart: unless-stopped
depends_on:
- redis
- mongodb
- etherpad
volumes:
- ./repos/bigbluebutton/bigbluebutton-html5:/app/:rw
- ./.cache/npm:/tmp/.npm:rw
- ./.cache/meteor:/tmp/.meteor:rw
- ./mod/html5/bbb-html5.yml:/tmp/bbb-html5.yml.tmpl
environment:
<<: *html5backend-env
HOME: /tmp
BBB_HTML5_ROLE: ""
networks:
bbb-net:
ipv4_address: 10.7.7.200
{{ else }}
{{ range $i := loop 0 (atoi .Env.NUMBER_OF_BACKEND_NODEJS_PROCESSES) }}
html5-backend-{{ add $i 1 }}:
<<: *html5backend
environment:
<<: *html5backend-env
INSTANCE_ID: {{ add $i 1 }}
PORT: {{ add 4000 $i }}
networks:
bbb-net:
ipv4_address: 10.7.7.{{ add 100 $i }}
{{end}}
{{ range $i := loop 0 (atoi .Env.NUMBER_OF_FRONTEND_NODEJS_PROCESSES) }}
html5-frontend-{{ add $i 1 }}:
<<: *html5frontend
environment:
<<: *html5frontend-env
INSTANCE_ID: {{ add $i 1 }}
PORT: {{ add 4100 $i }}
networks:
bbb-net:
ipv4_address: 10.7.7.{{ add 200 $i }}
{{end}}
{{ end }}
freeswitch:
container_name: bbb-freeswitch
build:
@ -168,7 +74,9 @@ services:
- ./conf/sip_profiles:/etc/freeswitch/sip_profiles/external
- ./conf/dialplan_public:/etc/freeswitch/dialplan/public_docker
- ./data/freeswitch-meetings:/var/freeswitch/meetings
network_mode: host
networks:
bbb-net:
ipv4_address: 10.7.7.10
logging:
# reduce logs to a minimum, so `docker compose logs -f` still works
driver: "local"
@ -183,35 +91,30 @@ services:
additional_contexts:
- src-learning-dashboard=./repos/bigbluebutton/bbb-learning-dashboard
- src-playback=./repos/bbb-playback
- src-html5=./repos/bigbluebutton/bigbluebutton-html5
args:
BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
image: alangecker/bbb-docker-nginx:1.25-{{ .Env.TAG_PLAYBACK }}-{{ .Env.TAG_BBB }}
TAG_BBB: {{ .Env.TAG_BBB }}
image: alangecker/bbb-docker-nginx:{{ .Env.TAG_BBB }}-{{ .Env.TAG_PLAYBACK }}-1.25
restart: unless-stopped
depends_on:
- etherpad
- webrtc-sfu
{{ if isTrue .Env.DEV_MODE }}
- html5-dev
{{ else }}
- html5-backend-1
{{ end }}
volumes:
- ./data/bigbluebutton:/var/bigbluebutton
- html5-static:/html5-static:ro
- ${DEFAULT_PRESENTATION:-/dev/null}:/www/default.pdf
{{ if isTrue .Env.DEV_MODE }}
# don't let nginx directly serve static files
- ./mod/nginx/bbb-html5.dev.nginx:/etc/nginx/bbb/bbb-html5.nginx:ro
{{ end }}
tmpfs:
- /tmp
network_mode: host
extra_hosts:
- "host.docker.internal:10.7.7.1"
- "bbb-web:10.7.7.2"
- "etherpad:10.7.7.4"
- "webrtc-sfu:10.7.7.1"
- "html5:10.7.7.11"
- "greenlight:10.7.7.21"
- "bbb-graphql-server:10.7.7.31"
- "bbb-graphql-middleware:10.7.7.32"
etherpad:
build:
@ -220,7 +123,7 @@ services:
- plugin=./repos/bbb-etherpad-plugin
- skin=./repos/bbb-etherpad-skin
args:
TAG_ETHERPAD: "1.9.1"
TAG_ETHERPAD: "1.9.4"
image: alangecker/bbb-docker-etherpad:1.9.1-s{{ .Env.COMMIT_ETHERPAD_SKIN }}-p{{ .Env.COMMIT_ETHERPAD_PLUGIN }}
restart: unless-stopped
depends_on:
@ -259,22 +162,6 @@ services:
bbb-net:
ipv4_address: 10.7.7.5
mongodb:
image: mongo:6.0
restart: unless-stopped
volumes:
- ./mod/mongo/mongod.conf:/etc/mongod.conf
- ./mod/mongo/init-replica.sh:/docker-entrypoint-initdb.d/init-replica.sh
tmpfs:
- /data/configdb
- /data/db
command: mongod --config /etc/mongod.conf --oplogSize 8 --replSet rs0 --noauth
healthcheck:
test: bash -c "if mongo --eval 'quit(db.runCommand({ ping':' 1 }).ok ? 0 ':' 2)'; then exit 0; fi; exit 1;"
networks:
bbb-net:
ipv4_address: 10.7.7.6
webrtc-sfu:
build:
context: mod/webrtc-sfu
@ -288,30 +175,16 @@ services:
- redis
- freeswitch
environment:
CLIENT_HOST: 10.7.7.1
REDIS_HOST: 10.7.7.5
FREESWITCH_IP: 10.7.7.1
FREESWITCH_SIP_IP: ${EXTERNAL_IPv4}
MCS_HOST: 0.0.0.0
MCS_ADDRESS: 0.0.0.0
ESL_IP: 10.7.7.1
ESL_PASSWORD: ${FSESL_PASSWORD:-ClueCon}
RECORDING_ADAPTER: bbb-webrtc-recorder
RECORD_WEBCAMS: "true"
KURENTO: '[]'
# TODO: add mediasoup IPv6
# TODO: can listen to 0.0.0.0 for nat support? https://github.com/versatica/mediasoup/issues/487
{{ if .Env.EXTERNAL_IPv6 }}
MS_WEBRTC_LISTEN_IPS: '[{"ip":"{{ .Env.EXTERNAL_IPv6 }}", "announcedIp":"{{ .Env.EXTERNAL_IPv6 }}"}, {"ip":"${EXTERNAL_IPv4}", "announcedIp":"${EXTERNAL_IPv4}"}]'
{{else}}
MS_WEBRTC_LISTEN_IPS: '[{"ip":"${EXTERNAL_IPv4}", "announcedIp":"${EXTERNAL_IPv4}"}]'
{{end}}
MS_RTP_LISTEN_IP: '{"ip":"0.0.0.0", "announcedIp":"${EXTERNAL_IPv4}"}'
volumes:
- ./data/mediasoup:/var/mediasoup
tmpfs:
- /var/log/bbb-webrtc-sfu
network_mode: host
security_opt:
- seccomp:unconfined # allow io_uring access for mediasoup
ulimits:
memlock: -1 # allow io_uring_register_buffers to allocate enough ram
fsesl-akka:
build:
@ -339,8 +212,10 @@ services:
additional_contexts:
- src-common-message=./repos/bigbluebutton/bbb-common-message
- src-apps-akka=./repos/bigbluebutton/akka-bbb-apps
- src-config=./repos/bigbluebutton/bigbluebutton-html5/private/config/
args:
BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
TAG_BBB: {{ .Env.TAG_BBB }}
image: alangecker/bbb-docker-apps-akka:{{ .Env.TAG_BBB }}
restart: unless-stopped
depends_on:
@ -352,7 +227,7 @@ services:
POSTGRES_PASSWORD: ${POSTGRESQL_SECRET:-password}
volumes:
- ./data/freeswitch-meetings:/var/freeswitch/meetings
- ./conf/settings.yml:/etc/bigbluebutton/bbb-html5.yml:ro
- ./conf/bbb-html5.yml:/etc/bigbluebutton/bbb-html5.yml:ro
networks:
bbb-net:
ipv4_address: 10.7.7.15
@ -364,19 +239,21 @@ services:
- src=./repos/bigbluebutton/bbb-graphql-server
args:
BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
GRAPHQL_ENGINE_TAG: v2.44.0
depends_on:
- postgres
- bbb-web
- apps-akka
- bbb-graphql-actions
restart: unless-stopped
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: ${POSTGRESQL_SECRET:-password}
HASURA_GRAPHQL_ADMIN_SECRET: TODO_CHANGE_ME
networks:
bbb-net:
ipv4_address: 10.7.7.31
extra_hosts:
- "bbb-web:10.7.7.2"
- "bbb-graphql-actions:10.7.7.30"
bbb-graphql-actions:
build:
@ -392,6 +269,7 @@ services:
restart: unless-stopped
depends_on:
- redis
- apps-akka
environment:
BBB_REDIS_HOST: redis
networks:
@ -413,11 +291,9 @@ services:
restart: unless-stopped
depends_on:
- bbb-graphql-server
- bbb-graphql-actions
- bbb-web
- redis
environment:
BBB_GRAPHQL_MIDDLEWARE_LISTEN_PORT: 8378
BBB_GRAPHQL_MIDDLEWARE_REDIS_ADDRESS: 10.7.7.5:6379
BBB_GRAPHQL_MIDDLEWARE_HASURA_WS: ws://bbb-graphql-server:8080/v1/graphql
networks:
bbb-net:
ipv4_address: 10.7.7.32
@ -442,8 +318,7 @@ services:
build: mod/periodic
image: alangecker/bbb-docker-periodic:v2.7.0
restart: unless-stopped
depends_on:
- mongodb
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./data/bigbluebutton:/var/bigbluebutton
@ -469,7 +344,7 @@ services:
- bbb-conf=./repos/bigbluebutton/bigbluebutton-config
args:
BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }}
TAG_BBB_PRESENTATION_VIDEO: "4.0.3"
TAG_BBB_PRESENTATION_VIDEO: "5.0.0-beta.2"
image: alangecker/bbb-docker-recordings:{{ .Env.TAG_BBB }}
restart: unless-stopped
depends_on:
@ -648,7 +523,6 @@ services:
volumes:
html5-static:
{{ if isTrue .Env.ENABLE_HTTPS_PROXY }}
ssl_data:
{{end}}

View File

@ -19,13 +19,25 @@ RUN cd /source \
# ===================================================
FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder-settings
RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64 && chmod a+x /usr/local/bin/yq
COPY --from=src-config /settings.yml /settings.yml
ARG TAG_BBB
RUN yq e -i ".public.app.bbbServerVersion = \"$TAG_BBB\"" /settings.yml
RUN yq e -i ".public.app.html5ClientBuild = \"$TAG_BBB\"" /settings.yml
# ===================================================
FROM alangecker/bbb-docker-base-java
COPY --from=builder-settings /usr/local/bin/yq /usr/local/bin/yq
COPY --from=builder /bbb-apps-akka-0.0.4 /bbb-apps-akka
COPY bbb-apps-akka.conf /etc/bigbluebutton/bbb-apps-akka.conf.tmpl
COPY logback.xml /bbb-apps-akka/conf/logback.xml
COPY entrypoint.sh /entrypoint.sh
COPY --from=builder-settings --chown=bigbluebutton:bigbluebutton /settings.yml /usr/share/bigbluebutton/html5-client/private/config/settings.yml
COPY settings.yml /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml
USER bigbluebutton
ENTRYPOINT /entrypoint.sh

View File

@ -15,7 +15,7 @@ http {
postgres {
properties = {
serverName = "10.7.7.22"
serverName = "postgres"
portNumber = "5432"
databaseName = "bbb_graphql"
user = "postgres"

View File

@ -1,10 +1,17 @@
#!/bin/sh -e
# bbb-apps-akka.conf
TARGET=/etc/bigbluebutton/bbb-apps-akka.conf
cp /etc/bigbluebutton/bbb-apps-akka.conf.tmpl $TARGET
sed -i "s/DOMAIN/$DOMAIN/" $TARGET
sed -i "s/SHARED_SECRET/$SHARED_SECRET/" $TARGET
sed -i "s/POSTGRES_PASSWORD/$POSTGRES_PASSWORD/" $TARGET
# settings.yml
TARGET=/usr/share/bigbluebutton/html5-client/private/config/settings.yml
yq e -i ".public.kurento.wsUrl = \"wss://$DOMAIN/bbb-webrtc-sfu\"" $TARGET
yq e -i ".public.pads.url = \"https://$DOMAIN/pad\"" $TARGET
cd /bbb-apps-akka
/bbb-apps-akka/bin/bbb-apps-akka

View File

@ -1,7 +0,0 @@
# just the default values required for gettting apps-akka running
# use ./conf/sertings.yml for modifying anything
public:
plugins: []
userReaction:
expire: 30

View File

@ -16,7 +16,7 @@ RUN cd /src/dist && \
# ------------------------------
FROM node:18-bookworm-slim
FROM node:22-bookworm-slim
COPY --from=builder /src/dist /app
@ -29,4 +29,6 @@ WORKDIR /app
ENV SERVER_HOST 0.0.0.0
ENV NODE_ENV=production
CMD [ "node", "/app/bbb-graphql-actions.js" ]

View File

@ -2,10 +2,11 @@ ARG BBB_BUILD_TAG
FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
COPY --from=src / /src/
RUN cd /src/ && ./local-build.sh
RUN cd /src/ && CGO_ENABLED=0 go build -o bbb-graphql-middleware cmd/bbb-graphql-middleware/main.go
# ------------------------------
FROM alpine
COPY --from=builder /src/bbb-graphql-middleware /app/bbb-graphql-middleware
COPY --from=builder /src/config/config.yml /usr/share/bbb-graphql-middleware/config.yml
COPY config.yml /etc/bigbluebutton/bbb-graphql-middleware.yml
CMD [ "/app/bbb-graphql-middleware" ]

View File

@ -0,0 +1,15 @@
server:
listen_host: 0.0.0.0
listen_port: 8378
redis:
host: redis
port: 6379
password: ""
hasura:
url: ws://bbb-graphql-server:8085/v1/graphql
graphql-actions:
url: http://bbb-graphql-actions:8093
auth_hook:
url: http://bbb-web:8090/bigbluebutton/connection/checkGraphqlAuthorization
session_vars_hook:
url: http://apps-akka:8901/userInfo

View File

@ -1,17 +1,18 @@
ARG BBB_BUILD_TAG
ARG GRAPHQL_ENGINE_TAG
FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
RUN mkdir -p /hasura-cli && cd /hasura-cli && npm install hasura-cli
RUN curl -L https://github.com/hasura/graphql-engine/raw/stable/cli/get.sh | INSTALL_PATH=/usr/local/bin VERSION=v2.44.0 bash
RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 && chmod a+x /usr/local/bin/yq
# ----------------------------
FROM hasura/graphql-engine:v2.36.0
FROM hasura/graphql-engine:$GRAPHQL_ENGINE_TAG
# install netstat
# install netstat, required for start script
RUN apt-get update && apt-get install -y net-tools gosu
COPY --from=builder /usr/local/bin/yq /usr/local/bin/yq
COPY --from=builder /hasura-cli/node_modules/hasura-cli/hasura /usr/local/bin/hansura
COPY --from=builder /usr/local/bin/hasura /usr/local/bin/hasura
COPY --from=src /bbb_schema.sql /app/
COPY --from=src /metadata /app/metadata

View File

@ -1,5 +1,5 @@
version: 3
endpoint: http://localhost:8080
endpoint: http://localhost:8085
admin_secret: bigbluebutton
metadata_directory: metadata
actions:

View File

@ -12,11 +12,16 @@ export HASURA_GRAPHQL_METADATA_DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGR
export HASURA_GRAPHQL_LOG_LEVEL=warn
export HASURA_GRAPHQL_ENABLE_CONSOLE=false
export HASURA_GRAPHQL_LIVE_QUERIES_MULTIPLEXED_REFETCH_INTERVAL=250
export HASURA_GRAPHQL_LIVE_QUERIES_MULTIPLEXED_BATCH_SIZE=1000
export HASURA_GRAPHQL_STREAMING_QUERIES_MULTIPLEXED_REFETCH_INTERVAL=100
export HASURA_GRAPHQL_ADMIN_SECRET=bigbluebutton # TODO: improve security
export HASURA_GRAPHQL_STREAMING_QUERIES_MULTIPLEXED_BATCH_SIZE=1000
export HASURA_GRAPHQL_SERVER_PORT=8085
export HASURA_GRAPHQL_ENABLE_TELEMETRY=false
export HASURA_GRAPHQL_AUTH_HOOK=http://bbb-web:8090/bigbluebutton/connection/checkGraphqlAuthorization
export HASURA_GRAPHQL_WEBSOCKET_KEEPALIVE=10
export HASURA_GRAPHQL_AUTH_HOOK=http://apps-akka:8901/userInfo
export HASURA_BBB_GRAPHQL_ACTIONS_ADAPTER_URL=http://bbb-graphql-actions:8093
export HASURA_GRAPHQL_BBB_DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/bbb_graphql
exec $@

View File

@ -1,12 +1,13 @@
#!/bin/bash
set -e
cd /app/
# patch database url
# TODO: this should be possible via an environment variable
yq e -i '.[1].configuration.connection_info.database_url.connection_parameters.host = "postgres"' metadata/databases/databases.yaml
yq e -i ".[1].configuration.connection_info.database_url.connection_parameters.password = \"${POSTGRES_PASSWORD}\"" metadata/databases/databases.yaml
# TODO: this should be possible upstream in BBB via an environment variable
yq e -i ".[1].configuration.connection_info.database_url = \"$HASURA_GRAPHQL_BBB_DATABASE_URL\"" metadata/databases/databases.yaml
sed -i "s/^admin_secret: .*/admin_secret: $HASURA_GRAPHQL_ADMIN_SECRET/g" /app/config.yaml
echo "SELECT 'CREATE DATABASE hasura_app' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'hasura_app')\gexec" | psql
@ -27,13 +28,12 @@ sleep 1
#Check if Hasura is ready before applying metadata
HASURA_PORT=8080
while ! netstat -tuln | grep ":$HASURA_PORT " > /dev/null; do
echo "Waiting for Hasura's port ($HASURA_PORT) to be ready..."
while ! netstat -tuln | grep ":$HASURA_GRAPHQL_SERVER_PORT " > /dev/null; do
echo "Waiting for Hasura's port ($HASURA_GRAPHQL_SERVER_PORT) to be ready..."
sleep 1
done
echo "Applying new metadata to Hasura"
/usr/local/bin/hansura metadata apply --skip-update-check
/usr/local/bin/hasura metadata apply --skip-update-check
wait "$PID"

View File

@ -47,12 +47,10 @@ COPY --from=builder /dist /usr/share/bbb-web
COPY --from=builder /bbb-web/pres-checker/lib /usr/share/prescheck/lib
COPY --from=builder /bbb-web/pres-checker/run.sh /usr/share/prescheck/prescheck.sh
COPY mocked-ps /usr/bin/ps
# add entrypoint and templates
COPY entrypoint.sh /entrypoint.sh
COPY bbb-web.properties /etc/bigbluebutton/bbb-web.properties.tmpl
COPY turn-stun-servers.xml /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml.tmpl
COPY turn-stun-servers.xml /etc/bigbluebutton/turn-stun-servers.xml.tmpl
COPY logback.xml /usr/share/bbb-web/WEB-INF/classes/logback.xml
COPY office-convert.sh /usr/share/bbb-libreoffice-conversion/convert.sh

View File

@ -14,7 +14,7 @@ securitySalt={{ .Env.SHARED_SECRET }}
redisHost=redis
{{ if isTrue .Env.DEV_MODE }}
beans.presentationService.defaultUploadedPresentation=https://test.bigbluebutton.org/default.pdf
beans.presentationService.defaultUploadedPresentation=https://test27.bigbluebutton.org/default.pdf
# fetch presentations without HTTPS
presentationBaseURL=http://{{ .Env.DOMAIN }}/bigbluebutton/presentation
{{else}}

View File

@ -23,7 +23,7 @@ echo "$NUMBER_OF_BACKEND_NODEJS_PROCESSES" > /tmp/NUMBER_OF_BACKEND_NODEJS_PROCE
cd /usr/share/bbb-web/
dockerize \
-template /etc/bigbluebutton/bbb-web.properties.tmpl:/etc/bigbluebutton/bbb-web.properties \
-template /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml.tmpl:/usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml \
-template /etc/bigbluebutton/turn-stun-servers.xml.tmpl:/etc/bigbluebutton/turn-stun-servers.xml \
gosu bigbluebutton java -Dgrails.env=prod -Dserver.address=0.0.0.0 -Dserver.port=8090 -Dspring.main.allow-circular-references=true -Xms384m -Xmx384m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/bigbluebutton/diagnostics -cp WEB-INF/lib/*:/:WEB-INF/classes/:. org.springframework.boot.loader.WarLauncher

View File

@ -22,7 +22,7 @@
<logger name="org.grails.commons" level="ERROR" />
<logger name="org.springframework" level="ERROR" />
<root level="ERROR">
<root level="WARN">
<appender-ref ref="STDOUT" />
</root>
</configuration>

View File

@ -1,8 +0,0 @@
#!/bin/bash
echo "(mocked-ps for HTML5LoadBalancingService.java)"
# fake random process load to distribute meetings equally
for i in `seq $(cat /tmp/NUMBER_OF_BACKEND_NODEJS_PROCESSES)`; do
randomLoad=$(echo $(( $RANDOM % 100 )))
echo " $randomLoad.1 /usr/share/node-v12.16.1-linux-x64/bin/node main.js NODEJS_BACKEND_INSTANCE_ID=$i"
done

View File

@ -539,7 +539,7 @@
"windowMs": 90000,
// maximum number of requests per IP to allow during the rate limit window
"max": 16
"max": 32
},
/*

View File

@ -28,7 +28,7 @@ RUN cd /build && ./build.sh
# add english sounds
RUN mkdir -p /build/staging/opt/freeswitch/share/freeswitch && \
wget http://bigbluebutton.org/downloads/sounds.tar.gz -O sounds.tar.gz && \
wget https://ubuntu.bigbluebutton.org/sounds.tar.gz -O sounds.tar.gz && \
tar xvfz sounds.tar.gz -C /build/staging/opt/freeswitch/share/freeswitch && \
wget https://gitlab.senfcall.de/senfcall-public/mute-and-unmute-sounds/-/archive/master/mute-and-unmute-sounds-master.zip && \
unzip mute-and-unmute-sounds-master.zip && \

View File

@ -1,49 +0,0 @@
<configuration name="acl.conf" description="Network Lists">
<network-lists>
<!--
These ACL's are automatically created on startup.
rfc1918.auto - RFC1918 Space
nat.auto - RFC1918 Excluding your local lan.
localnet.auto - ACL for your local lan.
loopback.auto - ACL for your local lan.
-->
<list name="lan" default="allow">
<node type="allow" cidr="127.0.0.1/32"/>
<node type="allow" cidr="10.130.218.147/32"/>
<node type="allow" cidr="10.0.0.0/8"/>
<node type="allow" cidr="192.168.0.0/16"/>
</list>
<!--
custom "loopback" so that traffic from docker
containers is also considered as local
-->
<list name="loopback.custom" default="deny">
<node type="allow" cidr="127.0.0.1/32"/>
<node type="allow" cidr="10.0.0.0/8"/>
<node type="allow" cidr="192.168.0.0/16"/>
<node type="allow" cidr="172.16.0.0/12" />
<node type="allow" cidr="$${external_ip_v4}/32"/>
</list>
<list name="deny_private_v6" default="allow">
<node type="deny" cidr="0.0.0.0/0"/>
<node type="deny" cidr="fe80::/10"/>
<node type="deny" cidr="fc00::/7"/>
</list>
<!--
This will traverse the directory adding all users
with the cidr= tag to this ACL, when this ACL matches
the users variables and params apply as if they
digest authenticated.
-->
<list name="domains" default="allow">
<!-- domain= is special it scans the domain from the directory to build the ACL -->
<node type="allow" domain="$${domain}"/>
<!-- use cidr= if you wish to allow ip ranges to this domains acl. -->
<!-- <node type="allow" cidr="192.168.0.0/24"/> -->
</list>
</network-lists>
</configuration>

View File

@ -4,7 +4,7 @@
<param name="listen-ip" value="$${local_ip_v4}"/>
<param name="listen-port" value="8021"/>
<param name="password" value="$${esl_password}"/>
<param name="apply-inbound-acl" value="loopback.custom"/>
<param name="apply-inbound-acl" value="rfc1918.auto"/>
<!--<param name="stop-on-bind-error" value="true"/>-->
</settings>
</configuration>

View File

@ -2,6 +2,7 @@
<modules>
<!-- Loggers (I'd load these first) -->
<load module="mod_console"/>
<!-- <load module="mod_logfile"/> -->
<!-- Event Handlers -->
<load module="mod_event_socket"/>

View File

@ -1,43 +0,0 @@
<!--
NOTICE:
This context is usually accessed via the external sip profile listening on port 5080.
It is recommended to have separate inbound and outbound contexts. Not only for security
but clearing up why you would need to do such a thing. You don't want outside un-authenticated
callers hitting your default context which allows dialing calls thru your providers and results
in Toll Fraud.
-->
<!-- http://wiki.freeswitch.org/wiki/Dialplan_XML -->
<include>
<context name="public">
<extension name="unloop">
<condition field="${unroll_loops}" expression="^true$"/>
<condition field="${sip_looped_call}" expression="^true$">
<action application="deflect" data="${destination_number}"/>
</condition>
</extension>
<!--
Tag anything pass thru here as an outside_call so you can make sure not
to create any routing loops based on the conditions that it came from
the outside of the switch.
-->
<extension name="outside_call" continue="true">
<condition>
<action application="set" data="outside_call=true"/>
<action application="export" data="RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)}"/>
</condition>
</extension>
<!--
You can place files in the public directory to get included.
-->
<X-PRE-PROCESS cmd="include" data="public_docker/*.xml"/>
<X-PRE-PROCESS cmd="include" data="public/*.xml"/>
</context>
</include>

View File

@ -1,113 +0,0 @@
<profile name="external-ipv6">
<!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files -->
<!-- This profile is only for outbound registrations to providers -->
<gateways>
<X-PRE-PROCESS cmd="include" data="external-ipv6/*.xml"/>
</gateways>
<aliases>
<!--
<alias name="outbound"/>
<alias name="nat"/>
-->
</aliases>
<domains>
<!--<domain name="all" alias="false" parse="true"/>-->
</domains>
<settings>
<param name="debug" value="0"/>
<!-- If you want FreeSWITCH to shutdown if this profile fails to load, uncomment the next line. -->
<!-- <param name="shutdown-on-fail" value="true"/> -->
<param name="sip-trace" value="no"/>
<param name="sip-capture" value="no"/>
<param name="rfc2833-pt" value="101"/>
<!-- RFC 5626 : Send reg-id and sip.instance -->
<!--<param name="enable-rfc-5626" value="true"/> -->
<param name="sip-port" value="$${external_sip_port}"/>
<param name="dialplan" value="XML"/>
<param name="context" value="public"/>
<param name="dtmf-duration" value="2000"/>
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/>
<param name="hold-music" value="$${hold_music}"/>
<param name="rtp-timer-name" value="soft"/>
<!--<param name="enable-100rel" value="true"/>-->
<!--<param name="disable-srv503" value="true"/>-->
<!-- This could be set to "passive" -->
<param name="local-network-acl" value="none"/>
<param name="manage-presence" value="false"/>
<!-- Added for Microsoft Edge support
<param name="apply-candidate-acl" value="wan_v6.auto"/>
<param name="apply-candidate-acl" value="rfc1918.auto"/>
<param name="apply-candidate-acl" value="any_v6.auto"/>
<param name="apply-candidate-acl" value="wan_v4.auto"/>
<param name="apply-candidate-acl" value="any_v4.auto"/>
-->
<param name="apply-candidate-acl" value="deny_private_v6"/>
<!-- used to share presence info across sofia profiles
manage-presence needs to be set to passive on this profile
if you want it to behave as if it were the internal profile
for presence.
-->
<!-- Name of the db to use for this profile -->
<param name="dbname" value="sqlite://memory://file:external-ipv6?mode=memory&amp;cache=shared"/>
<!--<param name="presence-hosts" value="$${domain}"/>-->
<!--<param name="force-register-domain" value="$${domain}"/>-->
<!--all inbound reg will stored in the db using this domain -->
<!--<param name="force-register-db-domain" value="$${domain}"/>-->
<!-- ************************************************* -->
<!--<param name="aggressive-nat-detection" value="true"/>-->
<param name="inbound-codec-negotiation" value="generous"/>
<param name="nonce-ttl" value="60"/>
<param name="auth-calls" value="false"/>
<param name="inbound-late-negotiation" value="true"/>
<param name="inbound-zrtp-passthru" value="true"/> <!-- (also enables late negotiation) -->
<!--
DO NOT USE HOSTNAMES, ONLY IP ADDRESSES IN THESE SETTINGS!
-->
<param name="rtp-ip" value="$${external_ip_v6}"/>
<param name="sip-ip" value="$${local_ip_v6}"/>
<!-- Shouldn't set these on IPv6 -->
<!--<param name="ext-rtp-ip" value="auto-nat"/>-->
<!--<param name="ext-sip-ip" value="auto-nat"/>-->
<param name="rtp-timeout-sec" value="300"/>
<param name="rtp-hold-timeout-sec" value="1800"/>
<!--<param name="enable-3pcc" value="true"/>-->
<!-- TLS: disabled by default, set to "true" to enable -->
<param name="tls" value="$${external_ssl_enable}"/>
<!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
<param name="tls-only" value="false"/>
<!-- additional bind parameters for TLS -->
<param name="tls-bind-params" value="transport=tls"/>
<!-- Port to listen on for TLS requests. (5081 will be used if unspecified) -->
<param name="tls-sip-port" value="$${external_tls_port}"/>
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
<!--<param name="tls-cert-dir" value=""/>-->
<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
<param name="tls-passphrase" value=""/>
<!-- Verify the date on TLS certificates -->
<param name="tls-verify-date" value="true"/>
<!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'subjects_in', 'subjects_out' and 'subjects_all' for subject validation. Multiple policies can be split with a '|' pipe -->
<param name="tls-verify-policy" value="none"/>
<!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
<param name="tls-verify-depth" value="2"/>
<!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '|' pipe -->
<param name="tls-verify-in-subjects" value=""/>
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
<param name="tls-version" value="$${sip_tls_version}"/>
<param name="ws-binding" value=":5066"/>
<param name="wss-binding" value=":7443"/>
<param name="rtcp-audio-interval-msec" value="5000"/>
<param name="rtcp-video-interval-msec" value="5000"/>
<param name="dtmf-type" value="info"/>
<param name="liberal-dtmf" value="true"/>
</settings>
</profile>

View File

@ -1,128 +0,0 @@
<profile name="external">
<!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files -->
<!-- This profile is only for outbound registrations to providers -->
<gateways>
<X-PRE-PROCESS cmd="include" data="external/*.xml"/>
</gateways>
<aliases>
<!--
<alias name="outbound"/>
<alias name="nat"/>
-->
</aliases>
<domains>
<domain name="all" alias="false" parse="true"/>
</domains>
<settings>
<param name="debug" value="0"/>
<!-- If you want FreeSWITCH to shutdown if this profile fails to load, uncomment the next line. -->
<!-- <param name="shutdown-on-fail" value="true"/> -->
<param name="sip-trace" value="no"/>
<param name="sip-capture" value="no"/>
<param name="rfc2833-pt" value="101"/>
<!-- RFC 5626 : Send reg-id and sip.instance -->
<!--<param name="enable-rfc-5626" value="true"/> -->
<param name="sip-port" value="$${external_sip_port}"/>
<param name="dialplan" value="XML"/>
<param name="context" value="public"/>
<param name="dtmf-duration" value="2000"/>
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/>
<param name="hold-music" value="$${hold_music}"/>
<param name="rtp-timer-name" value="soft"/>
<!--<param name="enable-100rel" value="true"/>-->
<!--<param name="disable-srv503" value="true"/>-->
<!-- This could be set to "passive" -->
<param name="local-network-acl" value="none"/>
<param name="manage-presence" value="false"/>
<!-- Added for Microsoft Edge browser -->
<param name="apply-candidate-acl" value="localnet.auto"/>
<param name="apply-candidate-acl" value="wan_v4.auto"/>
<param name="apply-candidate-acl" value="rfc1918.auto"/>
<param name="apply-candidate-acl" value="any_v4.auto"/>
<!-- used to share presence info across sofia profiles
manage-presence needs to be set to passive on this profile
if you want it to behave as if it were the internal profile
for presence.
-->
<!-- Name of the db to use for this profile -->
<param name="dbname" value="sqlite://memory://file:external?mode=memory&amp;cache=shared"/>
<!--<param name="presence-hosts" value="$${domain}"/>-->
<!--<param name="force-register-domain" value="$${domain}"/>-->
<!--all inbound reg will stored in the db using this domain -->
<!--<param name="force-register-db-domain" value="$${domain}"/>-->
<!-- ************************************************* -->
<!--<param name="aggressive-nat-detection" value="true"/>-->
<param name="inbound-codec-negotiation" value="generous"/>
<param name="nonce-ttl" value="60"/>
<param name="auth-calls" value="false"/>
<param name="inbound-late-negotiation" value="true"/>
<param name="inbound-zrtp-passthru" value="true"/> <!-- (also enables late negotiation) -->
<!--
DO NOT USE HOSTNAMES, ONLY IP ADDRESSES IN THESE SETTINGS!
<param name="rtp-ip" value="$${local_ip_v4}"/>
<param name="sip-ip" value="$${local_ip_v4}"/>
<param name="ext-rtp-ip" value="auto-nat"/>
<param name="ext-sip-ip" value="auto-nat"/>
-->
<param name="rtp-ip" value="$${external_ip_v4}"/>
<param name="sip-ip" value="$${local_ip_v4}"/>
<param name="ext-rtp-ip" value="$${external_rtp_ip}"/>
<param name="ext-sip-ip" value="$${external_sip_ip}"/>
<!--
Listen only clients somehow run into this timeout
causing
Hangup sofia/external/GLOBAL_AUDIO_76116@10.7.7.1 [CS_EXECUTE] [MEDIA_TIMEOUT]
[mcs-freeswitch] Dispatching conference new video floor event released
[mcs-freeswitch] Received CHANNEL_HANGUP for
-->
<param name="rtp-timeout-sec" value="86400"/>
<param name="rtp-hold-timeout-sec" value="1800"/>
<param name="enable-3pcc" value="proxy"/>
<!-- TLS: disabled by default, set to "true" to enable -->
<param name="tls" value="$${external_ssl_enable}"/>
<!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
<param name="tls-only" value="false"/>
<!-- additional bind parameters for TLS -->
<param name="tls-bind-params" value="transport=tls"/>
<!-- Port to listen on for TLS requests. (5081 will be used if unspecified) -->
<param name="tls-sip-port" value="$${external_tls_port}"/>
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
<!--<param name="tls-cert-dir" value=""/>-->
<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
<param name="tls-passphrase" value=""/>
<!-- Verify the date on TLS certificates -->
<param name="tls-verify-date" value="true"/>
<!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'in_subjects', 'out_subjects' and 'all_subjects' for subject validation. Multiple policies can be split with a '|' pipe -->
<param name="tls-verify-policy" value="none"/>
<!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
<param name="tls-verify-depth" value="2"/>
<!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '|' pipe -->
<param name="tls-verify-in-subjects" value=""/>
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
<param name="tls-version" value="$${sip_tls_version}"/>
<param name="ws-binding" value="0.0.0.0:5066"/>
<param name="wss-binding" value="$${local_ip_v4}:7443"/>
<!-- enable rtcp on every channel also can be done per leg basis with rtcp_audio_interval_msec variable set to passthru to pass it across a call-->
<param name="rtcp-audio-interval-msec" value="5000"/>
<param name="rtcp-video-interval-msec" value="5000"/>
<!-- Cut down in the join time -->
<param name="dtmf-type" value="info"/>
<param name="liberal-dtmf" value="true"/>
</settings>
</profile>

View File

@ -1,12 +1,15 @@
<include>
<X-PRE-PROCESS cmd="set" data="esl_password={{ .Env.ESL_PASSWORD }}"/>
<!-- Preprocessor Variables
These are introduced when configuration strings must be consistent across modules.
NOTICE: YOU CAN NOT COMMENT OUT AN X-PRE-PROCESS line, Remove the line instead.
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
YOU SHOULD CHANGE THIS default_password value if you don't want to be subject to any
toll fraud in the future. It's your responsibility to secure your own system.
This default config is used to demonstrate the feature set of FreeSWITCH.
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-->
<X-PRE-PROCESS cmd="set" data="default_password=1234"/>
@ -15,6 +18,7 @@
The following variables are set dynamically - calculated if possible by freeswitch - and
are available to the config as $${variable}. You can see their calculated value via fs_cli
by entering eval $${variable}
hostname
local_ip_v4
local_mask_v4
@ -41,21 +45,23 @@
nat_public_addr
nat_private_addr
nat_type
-->
<X-PRE-PROCESS cmd="set" data="sound_prefix={{ .Env.SOUNDS_PATH }}"/>
<X-PRE-PROCESS cmd="set" data="esl_password={{ .Env.ESL_PASSWORD }}"/>
<!--
This setting is what sets the default domain FreeSWITCH will use if all else fails.
FreeSWICH will default to $${local_ip_v4} unless changed. Changing this setting does
affect the sip authentication. Please review conf/directory/default.xml for more
information on this topic.
-->
<X-PRE-PROCESS cmd="set" data="local_ip_v4=10.7.7.1"/>
<X-PRE-PROCESS cmd="set" data="local_ip_v6=::1"/>
<X-PRE-PROCESS cmd="set" data="external_ip_v4={{ .Env.EXTERNAL_IPv4 }}"/>
<X-PRE-PROCESS cmd="set" data="external_ip_v6={{ .Env.EXTERNAL_IPv6 }}"/>
<X-PRE-PROCESS cmd="set" data="local_ip_v4=10.7.7.10"/>
<X-PRE-PROCESS cmd="set" data="domain={{ .Env.DOMAIN }}"/>
<X-PRE-PROCESS cmd="set" data="domain_name=$${domain}"/>
<X-PRE-PROCESS cmd="set" data="hold_music=local_stream://moh"/>
@ -63,6 +69,7 @@
<X-PRE-PROCESS cmd="set" data="rtp_sdes_suites=AEAD_AES_256_GCM_8|AEAD_AES_128_GCM_8|AES_CM_256_HMAC_SHA1_80|AES_CM_192_HMAC_SHA1_80|AES_CM_128_HMAC_SHA1_80|AES_CM_256_HMAC_SHA1_32|AES_CM_192_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_32|AES_CM_128_NULL_AUTH"/>
<!--
Enable ZRTP globally you can override this on a per channel basis
http://wiki.freeswitch.org/wiki/ZRTP (on how to enable zrtp)
-->
<X-PRE-PROCESS cmd="set" data="zrtp_secure_media=true"/>
@ -70,7 +77,9 @@
NOTICE: When using SRTP it's critical that you do not offer or accept
variable bit rate codecs, doing so would leak information and possibly
compromise your SRTP stream. (FS-6404)
Supported SRTP Crypto Suites:
AEAD_AES_256_GCM_8
____________________________________________________________________________
This algorithm is identical to AEAD_AES_256_GCM (see Section 5.2 of
@ -78,6 +87,8 @@
authentication tag with a length of 8 octets (64 bits) is used.
An AEAD_AES_256_GCM_8 ciphertext is exactly 8 octets longer than its
corresponding plaintext.
AEAD_AES_128_GCM_8
____________________________________________________________________________
This algorithm is identical to AEAD_AES_128_GCM (see Section 5.1 of
@ -85,6 +96,8 @@
authentication tag with a length of 8 octets (64 bits) is used.
An AEAD_AES_128_GCM_8 ciphertext is exactly 8 octets longer than its
corresponding plaintext.
AES_CM_256_HMAC_SHA1_80 | AES_CM_192_HMAC_SHA1_80 | AES_CM_128_HMAC_SHA1_80
____________________________________________________________________________
AES_CM_128_HMAC_SHA1_80 is the SRTP default AES Counter Mode cipher
@ -92,18 +105,25 @@
tag. The master-key length is 128 bits and has a default lifetime of
a maximum of 2^48 SRTP packets or 2^31 SRTCP packets, whichever comes
first.
AES_CM_256_HMAC_SHA1_32 | AES_CM_192_HMAC_SHA1_32 | AES_CM_128_HMAC_SHA1_32
____________________________________________________________________________
This crypto-suite is identical to AES_CM_128_HMAC_SHA1_80 except that
the authentication tag is 32 bits. The length of the base64-decoded key and
salt value for this crypto-suite MUST be 30 octets i.e., 240 bits; otherwise,
the crypto attribute is considered invalid.
AES_CM_128_NULL_AUTH
____________________________________________________________________________
The SRTP default cipher (AES-128 Counter Mode), but to use no authentication
method. This policy is NOT RECOMMENDED unless it is unavoidable; see
Section 7.5 of [RFC3711].
SRTP variables that modify behaviors based on direction/leg:
rtp_secure_media
____________________________________________________________________________
possible values:
@ -112,11 +132,16 @@
forbidden - More useful for inbound to deny SAVP negotiation
false - implies forbidden
true - implies mandatory
default if not set is accept SAVP inbound if offered.
rtp_secure_media_inbound | rtp_secure_media_outbound
____________________________________________________________________________
This is the same as rtp_secure_media, but would apply to either inbound
or outbound offers specifically.
How to specify crypto suites:
____________________________________________________________________________
By default without specifying any crypto suites FreeSWITCH will offer
@ -124,29 +149,39 @@
endpoint has in common. If you wish to force specific crypto suites you
can do so by appending the suites in a comma separated list in the order
that you wish to offer them in.
Examples:
rtp_secure_media=mandatory:AES_CM_256_HMAC_SHA1_80,AES_CM_256_HMAC_SHA1_32
rtp_secure_media=true:AES_CM_256_HMAC_SHA1_80,AES_CM_256_HMAC_SHA1_32
rtp_secure_media=optional:AES_CM_256_HMAC_SHA1_80
rtp_secure_media=true:AES_CM_256_HMAC_SHA1_80
Additionally you can narrow this down on either inbound or outbound by
specifying as so:
rtp_secure_media_inbound=true:AEAD_AES_256_GCM_8
rtp_secure_media_inbound=mandatory:AEAD_AES_256_GCM_8
rtp_secure_media_outbound=true:AEAD_AES_128_GCM_8
rtp_secure_media_outbound=optional:AEAD_AES_128_GCM_8
rtp_secure_media_suites
____________________________________________________________________________
Optionaly you can use rtp_secure_media_suites to dictate the suite list
Optionally you can use rtp_secure_media_suites to dictate the suite list
and only use rtp_secure_media=[optional|mandatory|false|true] without having
to dictate the suite list with the rtp_secure_media* variables.
-->
<!--
Examples of codec options: (module must be compiled and loaded)
codecname[@8000h|16000h|32000h[@XXi]]
XX is the frame size must be multples allowed for the codec
XX is the frame size must be multiples allowed for the codec
FreeSWITCH can support 10-120ms on some codecs.
We do not support exceeding the MTU of the RTP packet.
iLBC@30i - iLBC using mode=30 which will win in all cases.
DVI4@8000h@20i - IMA ADPCM 8kHz using 20ms ptime. (multiples of 10)
DVI4@16000h@40i - IMA ADPCM 16kHz using 40ms ptime. (multiples of 10)
@ -173,17 +208,23 @@
AAL2-G726-40 - Same as G726-40 but using AAL2 packing. (multiples of 10)
LPC - LPC10 using 90ms ptime (only supports 90ms at this time in FreeSWITCH)
L16 - L16 isn't recommended for VoIP but you can do it. L16 can exceed the MTU rather quickly.
These are the passthru audio codecs:
G729 - G729 in passthru mode. (mod_g729)
G723 - G723.1 in passthru mode. (mod_g723_1)
AMR - AMR in passthru mode. (mod_amr)
These are the passthru video codecs: (mod_h26x)
H261 - H.261 Video
H263 - H.263 Video
H263-1998 - H.263-1998 Video
H263-2000 - H.263-2000 Video
H264 - H.264 Video
RTP Dynamic Payload Numbers currently used in FreeSWITCH and what for.
96 - AMR
97 - iLBC (30)
98 - iLBC (20)
@ -216,6 +257,7 @@
125 -
126 -
127 - BV32
-->
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=OPUS,speex@16000h@20i,speex@8000h@20i,G722,PCMU,PCMA"/>
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=OPUS,speex@16000h@20i,G722,PCMU,PCMA"/>
@ -232,7 +274,9 @@
<X-PRE-PROCESS cmd="set" data="xmpp_server_profile=xmpps"/>
<!--
THIS IS ONLY USED FOR DINGALING
bind_server_ip
Can be an ip address, a dns name, or "auto".
This determines an ip address available on this host to bind.
If you are separating RTP and SIP traffic, you will want to have
@ -242,6 +286,7 @@
<X-PRE-PROCESS cmd="set" data="bind_server_ip=auto"/>
<!-- NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
If you're going to load test FreeSWITCH please input real IP addresses
for external_rtp_ip and external_sip_ip
-->
@ -256,7 +301,7 @@
If unspecified, the bind_server_ip value is used.
Used by: sofia.conf.xml dingaling.conf.xml
-->
<X-PRE-PROCESS cmd="set" data="external_rtp_ip={{ .Env.EXTERNAL_IPv4 }}"/>
<X-PRE-PROCESS cmd="set" data="external_rtp_ip=stun:stun.l.google.com:19302"/>
<!-- external_sip_ip
Used as the public IP address for SDP.
@ -269,7 +314,7 @@
If unspecified, the bind_server_ip value is used.
Used by: sofia.conf.xml dingaling.conf.xml
-->
<X-PRE-PROCESS cmd="set" data="external_sip_ip={{ .Env.EXTERNAL_IPv4 }}"/>
<X-PRE-PROCESS cmd="set" data="external_sip_ip=stun:stun.l.google.com:19302"/>
<!-- unroll-loops
Used to turn on sip loopback unrolling.
@ -328,9 +373,11 @@
<!--
Digits Dialed filter: (FS-6940)
The digits stream may contain valid credit card numbers or social security numbers, These digit
filters will allow you to make a valant effort to stamp out sensitive information for
PCI/HIPPA compliance. (see xml_cdr dialed_digits)
df_us_ssn = US Social Security Number pattern
df_us_luhn = Visa, MasterCard, American Express, Diners Club, Discover and JCB
-->
@ -342,6 +389,7 @@
<!--
Setting up your default sip provider is easy.
Below are some values that should work in most cases.
These are for conf/directory/default/example.com.xml
-->
<X-PRE-PROCESS cmd="set" data="default_provider=example.com"/>
@ -354,16 +402,21 @@
<!--
SIP and TLS settings. http://wiki.freeswitch.org/wiki/Tls
valid options: sslv2,sslv3,sslv23,tlsv1,tlsv1.1,tlsv1.2
default: tlsv1,tlsv1.1,tlsv1.2
-->
<X-PRE-PROCESS cmd="set" data="sip_tls_version=tlsv1,tlsv1.1,tlsv1.2"/>
<!--
TLS cipher suite: default ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
The actual ciphers supported will change per platform.
openssl ciphers -v 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
Will show you what is available in your verion of openssl.
Will show you what is available in your version of openssl.
-->
<X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/>
@ -380,7 +433,7 @@
<X-PRE-PROCESS cmd="set" data="external_ssl_enable=false"/>
<!-- Video Settings -->
<!-- Setting the max bandwdith -->
<!-- Setting the max bandwidth -->
<X-PRE-PROCESS cmd="set" data="rtp_video_max_bandwidth_in=1mb"/>
<X-PRE-PROCESS cmd="set" data="rtp_video_max_bandwidth_out=1mb"/>
@ -396,3 +449,4 @@
<X-PRE-PROCESS cmd="set" data="video_no_avatar_png=$${images_dir}/default-avatar.png"/>
</include>

View File

@ -4,13 +4,13 @@ include "/bbb-fsesl-akka/conf/application.conf"
freeswitch {
esl {
host="10.7.7.1"
host="freeswitch"
password="FSESL_PASSWORD"
}
}
redis {
host="10.7.7.5"
host="redis"
}
http {

View File

@ -1,43 +0,0 @@
ARG BBB_BUILD_TAG
FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
# RUN groupadd -g 2000 meteor && useradd -m -u 2001 -g meteor meteor
# USER meteor
COPY --from=source ./ /source
RUN cd /source && meteor npm ci --production \
&& METEOR_DISABLE_OPTIMISTIC_CACHING=1 meteor build --architecture os.linux.x86_64 --allow-superuser --directory /app \
&& rm -rf /source
RUN cd /app/bundle/programs/server \
&& npm install --production
RUN mkdir -p /app/bundle/programs/web.browser/app/files && \
cp /app/bundle/programs/server/npm/node_modules/@fontsource/*/files/*.woff* /app/bundle/programs/web.browser/app/files/
ARG TAG_BBB
RUN sed -i "s/VERSION/$TAG_BBB/" /app/bundle/programs/web.browser/head.html \
&& find /app/bundle/programs/web.browser -name '*.js' -exec gzip -k -f -9 '{}' \; \
&& find /app/bundle/programs/web.browser -name '*.css' -exec gzip -k -f -9 '{}' \; \
&& find /app/bundle/programs/web.browser -name '*.wasm' -exec gzip -k -f -9 '{}' \;
# ------------------------------
FROM node:18-bookworm-slim
RUN apt-get update && apt-get install -y gosu
# add user & group
RUN groupadd -g 2000 meteor \
&& useradd -m -u 2001 -g meteor meteor
COPY --from=alangecker/bbb-docker-base-java /usr/local/bin/dockerize /usr/local/bin/dockerize
COPY --from=builder --chown=meteor:meteor /app/bundle /app
COPY entrypoint.sh /entrypoint.sh
COPY bbb-html5.yml /app/bbb-html5.yml.tmpl
# expose TAG_BBB in container for the version display
ARG TAG_BBB
ENV TAG_BBB $TAG_BBB
ENTRYPOINT ["/entrypoint.sh"]

View File

@ -1,16 +0,0 @@
ARG BBB_BUILD_TAG
FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
RUN curl https://install.meteor.com/\?release\=2.13 | sh
COPY --from=alangecker/bbb-docker-base-java /usr/local/bin/dockerize /usr/local/bin/dockerize
# make /root/.meteor accessible for user
RUN chmod 777 /root /root/.meteor
COPY entrypoint.dev.sh /entrypoint.dev.sh
ENTRYPOINT ["/entrypoint.dev.sh"]

View File

@ -1,25 +0,0 @@
public:
app:
html5ClientBuild: {{ .Env.TAG_BBB }}
bbbServerVersion: {{ .Env.TAG_BBB }}-docker
listenOnlyMode: {{ .Env.LISTEN_ONLY_MODE }}
skipCheck: {{ .Env.DISABLE_ECHO_TEST }}
clientTitle: {{ .Env.CLIENT_TITLE }}
appName: BigBlueButton HTML5 Client (docker)
breakouts:
breakoutRoomLimit: {{ .Env.BREAKOUTROOM_LIMIT }}
kurento:
wsUrl: wss://{{ .Env.DOMAIN }}/bbb-webrtc-sfu
autoShareWebcam: {{ .Env.AUTO_SHARE_WEBCAM }}
skipVideoPreview: {{ .Env.DISABLE_VIDEO_PREVIEW }}
chat:
enabled: {{ .Env.CHAT_ENABLED }}
startClosed: {{ .Env.CHAT_START_CLOSED }}
pads:
url: https://{{ .Env.DOMAIN }}/pad
private:
app:
host: 0.0.0.0
redis:
host: redis
port: '6379'

View File

@ -1,31 +0,0 @@
#!/bin/sh -e
# use /tmp as home dir as writeable directory for whatever UID we get
export HOME=/tmp
export MONGO_OPLOG_URL=mongodb://10.7.7.6/local
export MONGO_URL=mongodb://10.7.7.6/meteor
export ROOT_URL=http://127.0.0.1/html5client
export BIND_IP=0.0.0.0
export LANG=en_US.UTF-8
export BBB_HTML5_LOCAL_SETTINGS=/tmp/bbb-html5.yml
echo "DEV_MODE=true, disable TLS certificate rejecting"
export NODE_TLS_REJECT_UNAUTHORIZED=0
if [ ! -f "/tmp/.meteor/copy-done" ]; then
echo "# copying over .meteor from docker image... (this might take some minutes)"
cp -a /root/.meteor/* /tmp/.meteor
touch /tmp/.meteor/copy-done
fi
cd /app
echo "# meteor npm install"
meteor npm install
echo "# npm start"
dockerize \
-template /tmp/bbb-html5.yml.tmpl:/tmp/bbb-html5.yml \
npm start

View File

@ -1,38 +0,0 @@
#!/bin/bash
set -e
cd /app
export MONGO_OPLOG_URL=mongodb://10.7.7.6/local
export MONGO_URL=mongodb://10.7.7.6/meteor
export ROOT_URL=http://127.0.0.1/html5client
export NODE_ENV=production
export SERVER_WEBSOCKET_COMPRESSION='{"level":5, "maxWindowBits":13, "memLevel":7, "requestMaxWindowBits":13}'
export BIND_IP=0.0.0.0
export LANG=en_US.UTF-8
export INSTANCE_MAX=1
export ENVIRONMENT_TYPE=production
export NODE_VERSION=node-v14.21.1-linux-x64
export BBB_HTML5_LOCAL_SETTINGS=/app/bbb-html5.yml
if [ "$BBB_HTML5_ROLE" == "backend" ]; then
PARAM=NODEJS_BACKEND_INSTANCE_ID=$INSTANCE_ID
fi
# if container is the first frontend, do some additional tasks
if [ "$BBB_HTML5_ROLE" == "frontend" ] && [ "$INSTANCE_ID" == "1" ]; then
# copy static files into volume for direct access by nginx
# https://github.com/bigbluebutton/bigbluebutton/issues/10739
if [ -d "/html5-static" ]; then
rm -rf /html5-static/*
cp -r /app/programs/web.browser/* /html5-static
fi
fi
dockerize \
-template /app/bbb-html5.yml.tmpl:/app/bbb-html5.yml \
gosu meteor \
node --max-old-space-size=2048 --max_semi_space_size=128 main.js $PARAM

15
mod/livekit/livekit.yaml Normal file
View File

@ -0,0 +1,15 @@
port: 7880
log_level: debug
# when enabled, LiveKit will expose prometheus metrics on :6789/metrics
#prometheus_port: 6789
rtc:
port_range_start: 16384
port_range_end: 32768
use_external_ip: false
redis:
# redis is recommended for production deploys
address: redis:6379
keys:
# TODO: change keys
TEST: TEST

View File

@ -1,26 +0,0 @@
#!/bin/sh
set -e
host=${HOSTNAME:-$(hostname -f)}
# shut down again
mongod --pidfilepath /tmp/docker-entrypoint-temp-mongod.pid --shutdown
# restart again binding to 0.0.0.0 to allow a replset with 10.7.7.6
mongod --oplogSize 8 --replSet rs0 --noauth \
--config /tmp/docker-entrypoint-temp-config.json \
--bind_ip 0.0.0.0 --port 27017 \
--tlsMode disabled \
--logpath /proc/1/fd/1 --logappend \
--pidfilepath /tmp/docker-entrypoint-temp-mongod.pid --fork
# init replset with defaults
mongosh 10.7.7.6 --eval "rs.initiate({
_id: 'rs0',
members: [ { _id: 0, host: '10.7.7.6:27017' } ]
})"
echo "Waiting to become a master"
echo 'while (!db.isMaster().ismaster) { sleep(100); }' | mongosh
echo "I'm the master!"

View File

@ -1,33 +0,0 @@
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
storage:
dbPath: /data/db
journal:
enabled: true
wiredTiger:
engineConfig:
cacheSizeGB: 1
journalCompressor: none
directoryForIndexes: true
collectionConfig:
blockCompressor: none
indexConfig:
prefixCompression: false
net:
port: 27017
bindIp: 0.0.0.0
replication:
replSetName: rs0
setParameter:
diagnosticDataCollectionEnabled: false
security:
javascriptEnabled: false

View File

@ -1,20 +1,29 @@
ARG BBB_BUILD_TAG
FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder
# --------------------
FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder-learning-dashboard
COPY --from=src-learning-dashboard / /bbb-learning-dashboard
RUN cd /bbb-learning-dashboard && npm ci && npm run build
FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder-playback
COPY --from=src-playback / /bbb-playback
RUN cd /bbb-playback && npm install && npm run-script build
FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder-html5
COPY --from=src-html5 / /source
RUN cd /source && CI=true npm ci
RUN cd /source && DISABLE_ESLINT_PLUGIN=true npm run build
RUN find /source/dist -name '*.js' -exec gzip -k -f -9 '{}' \; \
&& find /source/dist -name '*.css' -exec gzip -k -f -9 '{}' \; \
&& find /source/dist -name '*.wasm' -exec gzip -k -f -9 '{}' \;
# --------------------
FROM nginx:1.25-alpine
COPY --from=builder /bbb-learning-dashboard/build /www/learning-analytics-dashboard/
COPY --from=builder /bbb-playback/build /www/playback/presentation/2.3
COPY --from=builder-learning-dashboard /bbb-learning-dashboard/build /www/learning-analytics-dashboard/
COPY --from=builder-playback /bbb-playback/build /www/playback/presentation/2.3
COPY --from=builder-html5 /source/dist /usr/share/bigbluebutton/html5-client/
COPY ./bbb /etc/nginx/bbb
COPY ./bigbluebutton /etc/nginx/conf.d/default.conf
COPY ./bbb-graphql-client-settings-cache.conf /etc/nginx/conf.d/bbb-graphql-client-settings-cache.conf
COPY ./nginx.conf /etc/nginx/nginx.conf

View File

@ -0,0 +1 @@
proxy_cache_path /tmp/hasura-client-settings-cache levels=1:2 keys_zone=client_settings_cache:64m inactive=2880m use_temp_path=off;

View File

@ -1,6 +0,0 @@
location /html5client {
proxy_pass http://10.7.7.200:4100; # use for production
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}

View File

@ -1,49 +1,13 @@
location @html5client {
proxy_pass http://poolhtml5servers; # use for production
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
# running in production (static assets)
location /html5client {
gzip_static on;
alias /usr/share/bigbluebutton/html5-client/;
index index.html;
try_files $uri $uri/ =404;
}
location /html5client/locales {
alias /html5-static/app/locales;
}
location /html5client/compatibility {
gzip_static on;
alias /html5-static/app/compatibility;
}
location /html5client/resources {
alias /html5-static/app/resources;
}
location /html5client/svgs {
alias /html5-static/app/svgs;
}
location /html5client/fonts {
alias /html5-static/app/fonts;
}
location /html5client/files {
alias /html5-static/app/files;
}
location /html5client/wasm {
types {
application/wasm wasm;
}
gzip_static on;
alias /html5-static/app/wasm;
}
location /html5client {
gzip_static on;
alias /html5-static;
try_files $uri @html5client;
}
location /html5client/sockjs {
try_files $uri @html5client;
alias /usr/share/bigbluebutton/html5-client/locales;
autoindex on;
autoindex_format json;
}

View File

@ -1,24 +1,39 @@
location /graphql-test {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
# Websocket connection
location /v1/graphql {
location /graphql {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
#proxy_pass http://127.0.0.1:8080; #Hasura
proxy_pass http://10.7.7.32:8378; #Graphql Middleware
#proxy_pass http://bbb-graphql-server:8085; #Hasura (it requires to change the location to /v1/graphql)
proxy_pass http://bbb-graphql-middleware:8378; #Graphql Middleware
}
location /api/rest {
#Set cache system for client settings
location /api/rest/clientSettings {
auth_request /bigbluebutton/connection/checkGraphqlAuthorization;
auth_request_set $meeting_id $sent_http_meeting_id;
proxy_cache client_settings_cache;
proxy_cache_key "$uri|$meeting_id";
proxy_cache_use_stale updating;
proxy_cache_valid 24h;
proxy_cache_lock on;
add_header X-Cached $upstream_cache_status;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080; #Hasura
proxy_pass http://bbb-graphql-server:8085; #Hasura
}
location /api/rest/userMetadata {
auth_request /bigbluebutton/connection/checkGraphqlAuthorization;
auth_request_set $meeting_id $sent_http_meeting_id;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_pass http://bbb-graphql-server:8085; #Hasura
}

View File

@ -1,8 +1,3 @@
location ~ /learning-analytics-dashboard/([0-9a-f]+-[0-9]+)/(.*) {
alias /var/bigbluebutton/learning-dashboard/$1/$2;
autoindex off;
}
location /learning-analytics-dashboard/ {
alias /www/learning-analytics-dashboard/;
autoindex off;

View File

@ -0,0 +1,11 @@
location /livekit/ {
proxy_pass http://127.0.0.1:7880/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 60s;
proxy_send_timeout 60s;
client_body_timeout 60s;
send_timeout 60s;
}

View File

@ -15,7 +15,7 @@ location /pad/p/ {
proxy_set_header X-Real-IP $remote_addr; # http://wiki.nginx.org/HttpProxyModule
proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
proxy_set_header X-Forwarded-Proto $real_scheme; # for EP to set secure cookie flag when https is used
proxy_http_version 1.1;
auth_request /bigbluebutton/connection/checkAuthorization;
@ -57,7 +57,7 @@ location /pad/socket.io {
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr; # http://wiki.nginx.org/HttpProxyModule
proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
proxy_set_header X-Forwarded-Proto $real_scheme; # for EP to set secure cookie flag when https is used
proxy_set_header Host $host; # pass the host header
proxy_http_version 1.1; # recommended with keepalive connections
# WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html

View File

@ -22,32 +22,25 @@
location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/svg\/(?<page_num>\d+)$ {
default_type image/svg+xml;
alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/svgs/slide$page_num.svg;
if ($bbb_loadbalancer_node) {
add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
}
add_header 'Access-Control-Allow-Origin' '*' always;
}
location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/slide\/(?<page_num>\d+)$ {
alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/slide-$page_num.swf;
if ($bbb_loadbalancer_node) {
add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
}
location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/pdf\/(?<job_id>[A-Za-z0-9]+)\/annotated_slides.pdf$ {
default_type application/pdf;
alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/pdfs/$job_id/annotated_slides.pdf;
add_header 'Access-Control-Allow-Origin' '*' always;
}
location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/thumbnail\/(?<page_num>\d+)$ {
default_type image/png;
alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/thumbnails/thumb-$page_num.png;
if ($bbb_loadbalancer_node) {
add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
}
add_header 'Access-Control-Allow-Origin' '*' always;
}
location ~^\/bigbluebutton\/presentation\/(?<meeting_id_1>[A-Za-z0-9\-]+)\/(?<meeting_id_2>[A-Za-z0-9\-]+)\/(?<pres_id>[A-Za-z0-9\-]+)\/textfiles\/(?<page_num>\d+)$ {
default_type text/plain;
alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/textfiles/slide-$page_num.txt;
if ($bbb_loadbalancer_node) {
add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always;
}
add_header 'Access-Control-Allow-Origin' '*' always;
}

View File

@ -1,15 +0,0 @@
location /ws {
proxy_pass https://$freeswitch_addr:7443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_read_timeout 6h;
proxy_send_timeout 6h;
client_body_timeout 6h;
send_timeout 6h;
auth_request /bigbluebutton/connection/checkAuthorization;
auth_request_set $auth_status $upstream_status;
}

View File

@ -92,6 +92,16 @@
proxy_set_header X-Original-URI $request_uri;
}
location = /bigbluebutton/connection/checkGraphqlAuthorization {
internal;
proxy_pass http://bbb-web:8090;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
# this is required for CORS preflight checks in cluster setup
proxy_set_header X-Original-Method $request_method;
}
location = /bigbluebutton/connection/legacyCheckAuthorization {
internal;
proxy_pass http://bbb-web:8090;
@ -149,6 +159,18 @@
proxy_set_header X-Original-URI $request_uri;
}
location /bigbluebutton/ping {
default_type text/plain;
add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
add_header Pragma "no-cache";
add_header Expires "0";
# this Header is required for cluster setups as the ping check is a
# CORS request. No cookies are required so we can just allow anyone
# to use this endpoint.
add_header 'Access-Control-Allow-Origin' '*';
return 200 "";
}
}
location @error403 {

View File

@ -1,22 +1,3 @@
map $remote_addr $freeswitch_addr {
"~:" [::1];
default 10.7.7.1;
}
upstream poolhtml5servers {
zone poolhtml5servers 32k;
least_conn;
server 10.7.7.200:4100 fail_timeout=10s max_fails=4 backup;
server 10.7.7.201:4101 fail_timeout=120s max_fails=1;
server 10.7.7.202:4102 fail_timeout=120s max_fails=1;
server 10.7.7.203:4103 fail_timeout=120s max_fails=1;
# TODO: set server list based on NUMBER_OF_FRONTEND_NODEJS_PROCESSES
# server 10.7.7.204:4104 fail_timeout=120s max_fails=1;
# server 10.7.7.205:4105 fail_timeout=120s max_fails=1;
# server 10.7.7.206:4106 fail_timeout=120s max_fails=1;
# server 10.7.7.207:4107 fail_timeout=120s max_fails=1;
}
server {
listen 48087 default_server;
listen [::]:48087 default_server;
@ -25,6 +6,10 @@ server {
absolute_redirect off;
root /www/;
# This variable is used instead of $scheme by bigbluebutton nginx include
# files, so $scheme can be overridden in reverse-proxy configurations.
set $real_scheme $scheme;
# opt-out of google's floc tracking
# https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
add_header Permissions-Policy "interest-cohort=()";

View File

@ -7,7 +7,7 @@ RUN wget -q https://github.com/mikefarah/yq/releases/download/v4.25.1/yq_linux_
&& chmod +x /usr/bin/yq
COPY --from=src / /bbb-webhooks
RUN cd /bbb-webhooks && npm install --production
RUN cd /bbb-webhooks && npm ci --omit=dev && rm -rf /bbb-webhooks./.git
RUN chmod 777 /bbb-webhooks/config
# ------------------------------

View File

@ -3,14 +3,14 @@ set -e
TARGET=/bbb-webhooks/config/production.yml
cp /bbb-webhooks/config/default.example.yml $TARGET
yq e -i ".bbb.sharedSecret = \"$SHARED_SECRET\"" $TARGET
yq e -i ".bbb.serverDomain = \"$DOMAIN\"" $TARGET
yq e -i ".bbb.auth2_0 = true" $TARGET
yq e -i ".server.bind = \"0.0.0.0\"" $TARGET
yq e -i ".hooks.getRaw = false" $TARGET
yq e -i ".redis.host = \"redis\"" $TARGET
yq e -i '.modules."../out/webhooks/index.js".config.getRaw = false' $TARGET
export NODE_ENV=production
export REDIS_HOST=redis
export SERVER_DOMAIN=$DOMAIN
export BEARER_AUTH=true
export SERVER_BIND_IP=0.0.0.0
cd /bbb-webhooks
node app.js

View File

@ -27,4 +27,10 @@ RUN mkdir /home/webrtc-sfu && chown -R webrtc-sfu:webrtc-sfu /app/config /home/w
USER webrtc-sfu
WORKDIR /app
COPY config.yaml /etc/bigbluebutton/bbb-webrtc-sfu/production.yml
ENV NODE_ENV=production
ENV NODE_CONFIG_DIR=/app/config/:/etc/bigbluebutton/bbb-webrtc-sfu/
ENV ALLOW_CONFIG_MUTATIONS=true
CMD [ "npm", "start" ]

View File

@ -0,0 +1,40 @@
kurento: []
redisHost: 10.7.7.5
clientHost: 10.7.7.1
recordingAdapter: bbb-webrtc-recorder
mcs-host: 10.7.7.1
mcs-address: 10.7.7.1
freeswitch:
ip: 10.7.7.10
sip_ip: 10.7.7.10
port: 5066
esl_ip: 10.7.7.10
esl_port: 8021
log:
# trace|debug|info|warn|error
level: debug
# Whether to log to stdout
stdout: true
# Whether to log to a file
file: false
mediasoup:
dedicatedMediaTypeWorkers:
audio: auto
workerBalancing:
strategy: least-loaded
webrtc:
# announcedIP => it's the host public IPv4 in case the machine is
# behind a 1:1 NAT
# ip => the address on which mediasoup will bind its RTC sockets
listenIps:
- ip: "10.7.7.1"
announcedIp: "10.7.7.1"
plainRtp:
listenIp:
ip: "0.0.0.0"
announcedIp: "10.7.7.1"

@ -1 +1 @@
Subproject commit 433fe4c3934edff36cddcfb1e892e323c2fe75ea
Subproject commit 724d55c26b1c94ea22a85b0c7e064f57b54875cb

@ -1 +1 @@
Subproject commit a8f5a72a7dc55cc8bab6f980035291b6e8fe5de5
Subproject commit 4e11f9337cecb36400f8c41caa12431b2667d8bb

@ -1 +1 @@
Subproject commit 7c0cd8e6cad144578598f9fa6ea2d9ab78af560b
Subproject commit a3e2f1fe2f12bd9d0be86a8afac71b2a82455269

@ -1 +1 @@
Subproject commit fe901bd15cadcb33f935900f804926f36793c48d
Subproject commit 6fbde34c357ba656741842048e936611faf45a09

@ -1 +1 @@
Subproject commit b674477a40a3060738219d8a58915f1bcaf8738b
Subproject commit c36e394e4aaa6be6c429222b7c9a86a8945b5563

@ -1 +1 @@
Subproject commit 4cb05e7f4a23645ec387f3b5391194128be7d193
Subproject commit a88d069d6ffb74df797bcaf001f7e63181c07a09

View File

@ -5,9 +5,9 @@
repos/bbb-etherpad-plugin 068ded5
repos/bbb-etherpad-skin 8328b77
repos/bbb-pads v1.5.2
repos/bbb-playback v5.0.2
repos/bbb-webhooks v2.6.1
repos/bbb-webrtc-sfu v2.12.0
repos/bigbluebutton v2.7.3
repos/freeswitch v1.10.10
repos/bbb-pads v1.5.3
repos/bbb-playback v5.1.3
repos/bbb-webhooks v3.3.0
repos/bbb-webrtc-sfu v2.17.0-alpha.1
repos/bigbluebutton v3.0.0-beta.5
repos/freeswitch v1.10.12

View File

@ -82,8 +82,6 @@ SIP_IP_ALLOWLIST=
# CUSTOMIZATION
# ====================================
CLIENT_TITLE=BigBlueButton
# use following lines to replace the default welcome message and footer
WELCOME_MESSAGE="Welcome to <b>%%CONFNAME%%</b>!<br><br>For help on using BigBlueButton see these (short) <a href='https://www.bigbluebutton.org/html5' target='_blank'><u>tutorial videos</u></a>.<br><br>To join the audio bridge click the speaker button. Use a headset to avoid causing background noise for others."
WELCOME_FOOTER="This server is running <a href='https://docs.bigbluebutton.org/'' target='_blank'><u>BigBlueButton</u></a>."
@ -112,52 +110,15 @@ DEFAULT_PRESENTATION=./mod/nginx/default.pdf
# - zh-hk-sinmei - Chinese/Hong Kong Sinmei
SOUNDS_LANGUAGE=en-us-callie
# set to false to disable listenOnlyMode
LISTEN_ONLY_MODE=true
# set to true to disable echo test
DISABLE_ECHO_TEST=false
# set to true to automatically share webcam
AUTO_SHARE_WEBCAM=false
# set to true to disable video preview for webcam sharing
DISABLE_VIDEO_PREVIEW=false
# set to false to disable chat
CHAT_ENABLED=true
# set to true to start chat closed
CHAT_START_CLOSED=false
# set to true to disable announcements "You are now (un-)muted"
DISABLE_SOUND_MUTED=false
# set to true to disable announcement "You are the only person in this conference"
DISABLE_SOUND_ALONE=false
# maximum count of breakout rooms per meeting
# Warning: increasing the limit of breakout rooms per meeting
# can generate excessive overhead to the server. We recommend
# this value to be kept under 12.
BREAKOUTROOM_LIMIT=8
# set to false to disable the learning dashboard
ENABLE_LEARNING_DASHBOARD=true
# ====================================
# Tuning
# ====================================
# Default = 2; Min = 1; Max = 4
# On powerful systems with high number of meetings you can set values up to 4 to accelerate handling of events
NUMBER_OF_BACKEND_NODEJS_PROCESSES=2
# Default = 2; Min = 1; Max = 8
# Set a number between 1 and 4 times the value of NUMBER_OF_BACKEND_NODEJS_PROCESSES where higher number helps with meetings
# stretching the recommended number of users in BigBlueButton
NUMBER_OF_FRONTEND_NODEJS_PROCESSES=2
# ====================================
# GREENLIGHT CONFIGURATION
# ====================================

View File

@ -4,6 +4,15 @@ set -e
cd "$(dirname "$0")/.."
. scripts/functions.sh
ensure_bbbhtml5yml
create_dev_env () {
cp dev.env .env
sed -i "s/BBB_DEV_UID=.*/BBB_DEV_UID=$(id -u)/" .env
sed -i "s/BBB_DEV_GID=.*/BBB_DEV_GID=$(id -g)/" .env
load_env
}
if [ -f ".env" ]; then
load_env
if [[ "$DEV_MODE" == "" ]]; then
@ -13,7 +22,7 @@ if [ -f ".env" ]; then
response=${response,,} # tolower
if [[ $response =~ ^(y| ) ]] || [[ -z $response ]]; then
cp .env .env.bak
cp dev.env .env
create_dev_env
else
echo "we can't continue with a .env file configured as a development environment"
exit 1
@ -21,30 +30,7 @@ if [ -f ".env" ]; then
fi
else
echo "# creating a .env for the dev setup"
cp dev.env .env
fi
# to avoid any file permission issues we want to run some containers with the same
# UID and GID as the current user
export BBB_DOCKER_USER="$(id -u):$(id -g)"
# also add it to ~/.zshrc and/or ~/.bashrc so
# that people can also use commands like `docker compose up`
# without that variable being missing
function add_permanent_env {
STR='export BBB_DOCKER_USER="$(id -u):$(id -g)"'
if [ -z "$(grep "$STR" "$1")" ]; then
echo "append"
echo "" >> $1
echo "# following line got added by bbb-docker" >> $1
echo "$STR" >> $1
fi
}
if [ -f "$(realpath ~/.zshrc)" ]; then
add_permanent_env "$(realpath ~/.zshrc)"
fi
if [ -f "$(realpath ~/.bashrc)" ]; then
add_permanent_env "$(realpath ~/.bashrc)"
create_dev_env
fi

View File

@ -7,4 +7,4 @@ cd $(dirname $0)/..
. ./scripts/functions.sh
load_env
docker compose exec freeswitch /opt/freeswitch/bin/fs_cli -H 10.7.7.1 -p "$FSESL_PASSWORD"
docker compose exec freeswitch /opt/freeswitch/bin/fs_cli -H 10.7.7.10 -p "$FSESL_PASSWORD" $@

View File

@ -1,5 +1,5 @@
function load_env {
export $(cat .env | sed 's/#.*//g' | grep -v "WELCOME_FOOTER" | grep -v "WELCOME_MESSAGE" | grep -v "CLIENT_TITLE" | xargs)
export $(cat .env | sed 's/#.*//g' | grep -v "WELCOME_FOOTER" | grep -v "WELCOME_MESSAGE" | xargs)
}
function ensure_submodules {
@ -16,3 +16,14 @@ function ensure_submodules {
}
function ensure_bbbhtml5yml {
if [ ! -f conf/bbb-html5.yml ]; then
cat << EOF > conf/bbb-html5.yml
# this file equals the /etc/bigbluebutton/bbb-html5.yml file referenced in the docs
public:
app:
appName: BigBlueButton HTML5 Client (docker)
EOF
fi
}

View File

@ -7,6 +7,8 @@ cd $(dirname $0)/..
. scripts/functions.sh
load_env
ensure_bbbhtml5yml
# check for non-optional environment variables,
# which got introduced later and may miss in existing
# .env files during upgrades
@ -41,7 +43,7 @@ function get_tag {
}
# https://hub.docker.com/r/bigbluebutton/bbb-build
BBB_BUILD_TAG=v3.0.x-release--2023-09-26-152524
BBB_BUILD_TAG=v3.0.x-release--2024-08-30-014114
docker run \
--rm \
@ -65,7 +67,5 @@ docker run \
-e ENABLE_GREENLIGHT=${ENABLE_GREENLIGHT:-false} \
-e ENABLE_PROMETHEUS_EXPORTER=${ENABLE_PROMETHEUS_EXPORTER:-false} \
-e ENABLE_PROMETHEUS_EXPORTER_OPTIMIZATION=${ENABLE_PROMETHEUS_EXPORTER_OPTIMIZATION:-false} \
-e NUMBER_OF_BACKEND_NODEJS_PROCESSES=${NUMBER_OF_BACKEND_NODEJS_PROCESSES:-1} \
-e NUMBER_OF_FRONTEND_NODEJS_PROCESSES=${NUMBER_OF_FRONTEND_NODEJS_PROCESSES:-1} \
jwilder/dockerize -template /docker-compose.tmpl.yml \
> docker-compose.yml

View File

@ -18,6 +18,7 @@ then
exit 1
fi
ensure_bbbhtml5yml
EXTERNAL_IPv4=$(curl -4 -s https://icanhazip.com)
EXTERNAL_IPv6=$(curl -6 -s -m 10 https://icanhazip.com || true)