close down lots of open ports

docker-compose.yml

@@ -3,6 +3,8 @@ version: '3.6'
 services:
   core:
     image: bbb-core
+    depends_on:
+        - redis
     cap_add:
       - SYS_NICE # for realtime scheduling
       - SYS_ADMIN # for systemd
@@ -20,11 +22,17 @@ services:
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro # for systemd
       - ./mod/core/entrypoint.sh:/entrypoint.sh
+      - ./mod/core/red5.properties:/usr/share/red5/conf/red5.properties
+      - ./mod/core/bigbluebutton.properties:/usr/share/red5/webapps/bigbluebutton/WEB-INF/bigbluebutton.properties
+      - ./mod/core/bigbluebutton-sip.properties:/usr/share/red5/webapps/sip/WEB-INF/bigbluebutton-sip.properties
       - ./mod/freeswitch/vars.xml:/opt/freeswitch/conf/vars.xml.tmpl
       - ./mod/freeswitch/external.xml:/opt/freeswitch/conf/sip_profiles/external.xml
+      - ./mod/freeswitch/acl.conf.xml:/opt/freeswitch/conf/autoload_configs/acl.conf.xml
+      - ./mod/freeswitch/event_socket.conf.xml:/opt/freeswitch/conf/autoload_configs/event_socket.conf.xml
       - ./mod/web/bigbluebutton.properties:/usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties.tmpl
       - ./mod/core/bigbluebutton.yml:/usr/local/bigbluebutton/core/scripts/bigbluebutton.yml
       - ./mod/bbb-apps-akka/application.conf:/usr/share/bbb-apps-akka/conf/application.conf.tmpl
+      - ./mod/bbb-fsesl-akka/application.conf:/etc/bbb-fsesl-akka/application.conf
     network_mode: host
 
   nginx:
@@ -95,7 +103,7 @@ services:
       FREESWITCH_IP: host.docker.internal
       FREESWITCH_SIP_IP: ${EXTERNAL_IP}
       ESL_IP: host.docker.internal
-      LOG_LEVEL: debug
+      LOG_LEVEL: info
       NODE_CONFIG: '{"kurento":[{"ip":"${EXTERNAL_IP}","url":"ws://kurento:8888/kurento"}]}'
     ports:
       - "127.0.0.1:3008:3008"
@@ -109,6 +117,7 @@ services:
     image: bbb-html5
     depends_on:
       - redis
+      - mongodb
       - etherpad
     environment:
       DOMAIN: ${DOMAIN}

mod/bbb-apps-akka/application.conf

@@ -28,7 +28,7 @@ akka {
 }
 
 redis {
-    host="127.0.0.1"
+    host="10.7.7.5"
     port=6379
     password=""
     # recording keys should expire in 14 days
@@ -65,7 +65,7 @@ sharedNotes {
 }
 
 http {
-  interface = "0.0.0.0"
+  interface = "10.7.7.1"
   port = 9999
 }
 

mod/bbb-fsesl-akka/application.conf

@@ -0,0 +1,45 @@
+akka {
+  actor {
+    debug {
+      receive = on
+    }
+  }
+  loggers = ["akka.event.slf4j.Slf4jLogger"]
+  loglevel = "DEBUG"
+  stdout-loglevel = "DEBUG"
+  
+    redis-subscriber-worker-dispatcher {
+      mailbox-type = "akka.dispatch.SingleConsumerOnlyUnboundedMailbox"
+      # Throughput defines the maximum number of messages to be
+      # processed per actor before the thread jumps to the next actor.
+      # Set to 1 for as fair as possible.
+      throughput = 512
+    }
+}
+
+
+freeswitch {
+    esl {
+        host="10.7.7.1"
+        port=8021
+        password="ClueCon"
+    }
+    conf {
+    	profile="cdquality"
+    }
+}
+
+redis {
+  host="10.7.7.5"
+  port=6379
+  password=""
+  # recording keys should expire in 14 days
+  keyExpiry=1209600
+}
+
+http {
+  interface = "127.0.0.1"
+  interface = ${?INTERFACE}
+  port = 8900
+  port = ${?PORT}
+}

mod/core/bigbluebutton-sip.properties

@@ -0,0 +1,25 @@
+# The ip and port the BBB SIP app is going to use
+bbb.sip.app.ip=127.0.0.1
+bbb.sip.app.port=5070
+
+# The username and password the BBB SIP app to use to 
+# register with FreeSWITCH 
+sip.server.username=bbbuser
+sip.server.password=secret
+
+# The ip and port of the FreeSWITCH server
+freeswitch.ip=127.0.0.1
+freeswitch.port=5060
+
+# The start/stop RTP port the application is going to use
+# for the media stream.
+startAudioPort=15000
+stopAudioPort=16383
+
+redis.host=10.7.7.5
+redis.port=6379
+redis.password=
+
+# If you want mjsip stack (red5/log/*access*.log) to minimize the amount of logs it
+# generates, set this to a lower value (e.g. 3).
+sipStackDebugLevel=3

mod/core/bigbluebutton.properties

@@ -0,0 +1,32 @@
+#
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/
+#
+# Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).
+#
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+#
+
+# Locate of BBB default meeting dir
+default.BigBlueButtonDirectory=/var/bigbluebutton
+
+freeswitch.esl.host=10.7.7.1
+freeswitch.esl.port=8021
+freeswitch.esl.password=ClueCon
+
+redisHost=10.7.7.5
+redisPort=6379
+redisPassword=
+redisExpireKey=1209600
+
+# Maximum message length allowed from the client.
+maxMessageLength=32000

mod/core/red5.properties

@@ -0,0 +1,157 @@
+# Socket policy
+policy.host=10.7.7.1
+policy.port=843
+
+# HTTP
+http.host=10.7.7.1
+http.port=5080
+https.port=5443
+http.URIEncoding=UTF-8
+http.max_headers_size=8192
+http.max_keep_alive_requests=-1
+http.max_threads=20
+http.acceptor_thread_count=10
+http.processor_cache=20
+
+# RTMP
+rtmp.host=10.7.7.1
+rtmp.port=1935
+rtmp.io_threads=8
+rtmp.send_buffer_size=65536
+rtmp.receive_buffer_size=65536
+rtmp.ping_interval=1000
+rtmp.max_inactivity=20000
+rtmp.max_handshake_time=5000
+rtmp.tcp_nodelay=true
+rtmp.tcp_keepalive=false
+rtmp.default_server_bandwidth=10000000
+rtmp.default_client_bandwidth=10000000
+rtmp.client_bandwidth_limit_type=2
+rtmp.bandwidth_detection=false
+rtmp.encoder_base_tolerance=5000
+rtmp.encoder_drop_live_future=false
+# traffic optimization hinting. to disable set traffic class set to -1
+# low delay + high throughput == 24 (0x18)
+rtmp.traffic_class=-1
+# requested maximum length of the queue of incoming connections
+rtmp.backlog=32
+# the interval (seconds) between each throughput calculation
+rtmp.thoughput_calc_interval=15
+# enable use of the default mina acceptor
+rtmp.default_acceptor=true
+# socket i/o pool sizes used when default acceptor is disabled
+rtmp.initial_pool_size=0
+rtmp.max_pool_size=2
+rtmp.max_processor_pool_size=8
+rtmp.executor_keepalive_time=60000
+mina.logfilter.enable=false
+# scheduler configs (per application)
+rtmp.scheduler.pool_size=8
+rtmp.deadlockguard.sheduler.pool_size=8
+# message executor configs (per application) - adjust these as needed if you get tasks rejected
+rtmp.executor.core_pool_size=4
+rtmp.executor.max_pool_size=32
+rtmp.executor.queue_capacity=64
+# drop audio packets when queue is almost full, to disable this, set to 0
+rtmp.executor.queue_size_to_drop_audio_packets=60
+# maximum amount of time allotted to process a single rtmp message / packet in milliseconds, set it as 0 to disable timeout
+rtmp.max_handling_time=2000
+# connection tweaks - dont modify unless you know what you're doing
+rtmp.channel.initial.capacity=3
+rtmp.channel.concurrency.level=1
+rtmp.stream.initial.capacity=1
+rtmp.stream.concurrency.level=1
+rtmp.pending.calls.initial.capacity=3
+rtmp.pending.calls.concurrency.level=1
+rtmp.reserved.streams.initial.capacity=1
+rtmp.reserved.streams.concurrency.level=1
+rtmp.generateMetadata=false
+# maximum packet size allowed in bytes
+rtmp.max_packet_size=3145728
+
+# RTMPS
+rtmps.host=10.7.7.1
+rtmps.port=8443
+rtmps.ping_interval=5000
+rtmps.max_inactivity=20000
+rtmps.max_keep_alive_requests=-1
+rtmps.max_threads=8
+rtmps.acceptor_thread_count=2
+rtmps.processor_cache=20
+# RTMPS Key and Trust store parameters
+rtmps.keystorepass=password
+rtmps.keystorefile=conf/keystore.jks
+rtmps.truststorepass=password
+rtmps.truststorefile=conf/truststore.jks
+
+# RTMPT
+rtmpt.host=10.7.7.1
+rtmpt.port=8088
+rtmpt.ping_interval=5000
+rtmpt.max_inactivity=20000
+rtmpt.max_handshake_time=5000
+rtmpt.max_keep_alive_requests=-1
+rtmpt.max_threads=8
+rtmpt.acceptor_thread_count=2
+rtmpt.processor_cache=20
+rtmpt.encoder_base_tolerance=5000
+rtmpt.encoder_drop_live_future=true
+# better setting for streaming media
+rtmpt.target_reponse_size=32768
+# best setting for small messages or shared objects
+#rtmpt.target_reponse_size=8192
+# max incoming messages to process at a time. the most that FP appears to send is 166
+rtmpt.max_in_msg_process=166
+# max time in millis that we will wait when offering data to the in or out queue
+rtmpt.max_queue_offer_time=125
+# max offer attempts
+rtmpt.max_queue_offer_attempts=4
+
+# WebSocket
+ws.host=10.7.7.1
+ws.port=8081
+
+# Debug proxy (needs to be activated in red5-core.xml)
+proxy.source_host=127.0.0.1
+proxy.source_port=1936
+proxy.destination_host=127.0.0.1
+proxy.destination_port=1935
+
+# JMX
+jmx.rmi.host=localhost
+jmx.rmi.port=9999
+jmx.rmi.sport=9998
+jmx.rmi.port.remoteobjects=
+jmx.keystorepass=password
+jmx.mina.monitor.enable=false
+jmx.mina.poll.interval=1000
+# Whether to always create the registry in-process, not attempting to 
+# locate an existing registry at the specified port. Set to "true" in order
+# to avoid the overhead of locating an existing registry when you always intend
+# to create a new registry in any case.
+jmx.registry.create=true
+# Whether or not the MBeanServerFactoryBean should attempt to locate a running 
+# MBeanServer before creating one
+jmx.reuse.existing.server=true
+# Whether to register the MBeanServer with the MBeanServerFactory, making it 
+# available through MBeanServerFactory.findMBeanServer()
+jmx.register.factory=true
+# Whether any threads started for the JMXConnectorServer should be started as daemon threads
+jmx.daemon=true
+# Whether the JMXConnectorServer should be started in a separate thread
+jmx.threaded=true
+
+# Server properties
+# max events to send in a single update
+so.max.events.per.update=64
+so.scheduler.pool_size=4
+keyframe.cache.entry.max=500
+war.deploy.server.check.interval=600000
+fileconsumer.delayed.write=true
+fileconsumer.queue.size=120
+fileconsumer.wait.for.keyframe=true
+subscriberstream.buffer.check.interval=5000
+subscriberstream.underrun.trigger=100
+subscriberstream.max.pending.frames=10
+subscriberstream.max.sequential.frames=10
+broadcaststream.auto.record=false

mod/freeswitch/acl.conf.xml

@@ -0,0 +1,49 @@
+<configuration name="acl.conf" description="Network Lists">
+  <network-lists>
+    <!--
+         These ACL's are automatically created on startup.
+
+         rfc1918.auto  - RFC1918 Space
+         nat.auto      - RFC1918 Excluding your local lan.
+         localnet.auto - ACL for your local lan.
+         loopback.auto - ACL for your local lan.
+    -->
+
+    <list name="lan" default="allow">
+      <node type="allow" cidr="127.0.0.1/32"/>
+      <node type="allow" cidr="10.130.218.147/32"/>
+      <node type="allow" cidr="10.0.0.0/8"/>
+      <node type="allow" cidr="192.168.0.0/16"/>      
+    </list>
+
+    <!--
+        custom "loopback" so that traffic from docker
+        containers is also considered as local
+    -->
+    <list name="loopback.custom" default="deny">
+      <node type="allow" cidr="127.0.0.1/32"/>
+      <node type="allow" cidr="10.0.0.0/8"/>
+      <node type="allow" cidr="192.168.0.0/16"/>
+    </list>
+
+    <list name="deny_private_v6" default="allow">
+      <node type="deny" cidr="0.0.0.0/0"/>
+      <node type="deny" cidr="fe80::/10"/>
+      <node type="deny" cidr="fc00::/7"/>
+    </list>
+    <!--
+        This will traverse the directory adding all users
+        with the cidr= tag to this ACL, when this ACL matches
+        the users variables and params apply as if they
+        digest authenticated.
+    -->
+    <list name="domains" default="allow">
+      <!-- domain= is special it scans the domain from the directory to build the ACL -->
+      <node type="allow" domain="$${domain}"/>
+      <node type="allow" domain="10.0.0.0/8"/>
+      <!-- use cidr= if you wish to allow ip ranges to this domains acl. -->
+      <!-- <node type="allow" cidr="192.168.0.0/24"/> -->
+    </list>
+
+  </network-lists>
+</configuration>

mod/freeswitch/event_socket.conf.xml

@@ -1,10 +1,10 @@
 <configuration name="event_socket.conf" description="Socket Client">
   <settings>
     <param name="nat-map" value="false"/>
-    <param name="listen-ip" value="0.0.0.0"/>
+    <param name="listen-ip" value="$${local_ip_v4}"/>
     <param name="listen-port" value="8021"/>
     <param name="password" value="ClueCon"/>
-    <!--<param name="apply-inbound-acl" value="loopback.auto"/>-->
+    <param name="apply-inbound-acl" value="loopback.custom"/>
     <!--<param name="stop-on-bind-error" value="true"/>-->
   </settings>
 </configuration>

mod/freeswitch/external.xml

@@ -105,8 +105,8 @@
     <param name="tls-verify-in-subjects" value=""/>
     <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
     <param name="tls-version" value="$${sip_tls_version}"/>
-    <!-- <param name="ws-binding"  value="144.76.97.34:5066"/> -->
-    <param name="wss-binding"  value="$${external_rtp_ip}:7443"/>
+    <param name="ws-binding"  value="0.0.0.0:5066"/>
+    <param name="wss-binding"  value="$${local_ip_v4}:7443"/>
     
 
     <!-- enable rtcp on every channel also can be done per leg basis with rtcp_audio_interval_msec variable set to passthru to pass it across a call-->

mod/freeswitch/vars.xml

@@ -58,8 +58,8 @@
       affect the sip authentication.  Please review conf/directory/default.xml for more
       information on this topic.
   -->
-  <X-PRE-PROCESS cmd="set" data="local_ip_v4=0.0.0.0"/>
-
+  <X-PRE-PROCESS cmd="set" data="local_ip_v4=10.7.7.1"/>
+  <X-PRE-PROCESS cmd="set" data="local_ip_v6=::1"/>
   <X-PRE-PROCESS cmd="set" data="domain=meet.livingutopia.org"/>
   <X-PRE-PROCESS cmd="set" data="domain_name=$${domain}"/>
   <X-PRE-PROCESS cmd="set" data="hold_music=local_stream://moh"/>

mod/nginx/bbb/sip.nginx

@@ -1,5 +1,5 @@
 location /ws {
-        proxy_pass https://144.76.97.34:7443;
+        proxy_pass https://host.docker.internal:7443;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "Upgrade";