I am “almost” there in having installed HPB for Talk in a docker manner under a Nginx proxy (also in docker).
I should say up front that I have already read tens of threads on this topic :-/
My remaining issue is that while in the “peer to peer” mode the Hetzner-provided STUN and TURN server works for everyone, in my HPB setup in some cases the connection doesn’t succeed.
For example, if I use my mobile with mobile data it is fine (but I get a message that it is slow); if I use it under eduroam (university WiFi network) I can’t video-call (chat is fine).
This is my setting, can you help to point out obvious errors, or can you share a configuration that is working for you? I can create several subdomains (stun.mydomain.fr, turn…), I just don’t know what the HPB container expects… whether I should use the STUN/TURN embedded in the HPB container or still use the STUN/TURN provided by Hetzner…
HPB
A VPS from Hetzner, no firewalls for now
Directory creation
mkdir -p ~/docker/proxy/conf.d
mkdir -p ~/docker/proxy/certbot/conf
mkdir -p ~/docker/proxy/certbot/www
mkdir -p ~/docker/apps/hpb
Proxy (nginx) compose file
tee ~/docker/proxy/proxy.compose.yml << 'EOF'
services:
  proxy:
    image: nginx:latest
    container_name: proxy
    extra_hosts:
      - "host.docker.internal:host-gateway"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./conf.d:/etc/nginx/conf.d:ro
      - ./certbot/www:/var/www/certbot
      - ./certbot/conf:/etc/letsencrypt
  certbot:
    image: certbot/certbot
    container_name: certbot
    # restart: unless-stopped
    volumes:
      - ./certbot/www:/var/www/certbot
      - ./certbot/conf:/etc/letsencrypt
EOF
HPB compose file
tee ~/docker/apps/hpb/hpb.compose.yml << 'EOF'
services:
  hpb-web:
    container_name: hpb-web
    image: ghcr.io/nextcloud-releases/aio-talk:latest
    init: true
    network_mode: host
    #ports:
    #  - 3478:3478/tcp
    #  - 3478:3478/udp
    #  - 8181:8081/tcp
    #  - "20000-20100:20000-20100/udp"
    environment:
      # This is on Hetzner NC
      - NC_DOMAIN=nc.mydomain.fr
      # This is this host
      - TALK_HOST=hpb.mydomain.fr
      - TURN_SECRET=[the same secret of the Hetzner turn server secret]
      - SIGNALING_SECRET=[secret]
      - TZ=Europe/Paris
      - TALK_PORT=3478
      - INTERNAL_SECRET=[secret]
    restart: unless-stopped
EOF
Proxy virtual host config
tee ~/docker/proxy/conf.d/hpb.conf << 'EOF'
server {
    listen 80;
    server_name hpb.mydomain.fr;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name hpb.mydomain.fr;

    ssl_certificate     /etc/letsencrypt/live/hpb.mydomain.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hpb.mydomain.fr/privkey.pem;

    # WebSocket + long-lived connections
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;

    location / {
        proxy_pass http://host.docker.internal:8081;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Forwarded headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
    }
}
EOF
docker compose -f ~/docker/apps/hpb/hpb.compose.yml up -d
docker compose -f ~/docker/proxy/proxy.compose.yml up -d
You actually need to first have only the port 80 server enabled, run certbot, and then add the 443 server:
docker compose run --rm certbot certonly \
  --webroot \
  --webroot-path=/var/www/certbot \
  --email foo@example.org \
  --agree-tos \
  --no-eff-email \
  -d hpb.mydomain.fr
NC
→ managed by hetzner
on https://nc.mydomain.fr
NC Talk setting page
(https://nc.mydomain.fr/settings/admin/talk)
HPB
HPB backend URL: https://hpb.mydomain.fr
Shared secret: secret
This validates
STUN servers
stun: stun.your-storageshare.de:443
TURN servers
- turn only
- TURN server URL: turn.your-storageshare.de:443
- TURN server secret: a predefined secret that I also put on my hpb docker compose file
- UDP and TCP
This also validates
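The post notes that TURN_SECRET in the HPB compose file must be the same secret configured on the Hetzner TURN server. The reason is the TURN REST API credential scheme (what coturn calls use-auth-secret / static-auth-secret): the signaling server mints short-lived credentials by HMAC-signing a "expiry:user" string with the shared secret, and the TURN server recomputes the same HMAC with its own copy of the secret. If the two secrets differ, every relay allocation is rejected and calls that need TURN fail. The following is an added illustration written for this thread, not the post author's configuration and not the HPB's own code; it assumes the TURN server uses that REST API scheme, and the secret and user label in it are constructed sample values.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed sample values, not taken from the post or from any real deployment.
SHARED_SECRET = "constructed-example-turn-secret"
CREDENTIAL_TTL = 24 * 3600  # coturn's default lifetime for REST-API credentials


def make_turn_credentials(secret: str, user: str,
                          now: Optional[int] = None,
                          ttl: int = CREDENTIAL_TTL) -> Tuple[str, str]:
    """Mint time-limited TURN credentials the way a signaling server does.

    TURN REST API scheme (draft-uberti-behave-turn-rest):
        username = "<expiry-unix-time>:<user>"
        password = base64(HMAC-SHA1(secret, username))
    """
    if now is None:
        now = int(time.time())
    username = f"{now + ttl}:{user}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credentials(secret: str, username: str, password: str,
                            now: Optional[int] = None) -> bool:
    """Check credentials the way a TURN server configured with `secret` would.

    Rejects malformed usernames, expired timestamps, and any password whose
    HMAC does not match; the comparison is constant-time.
    """
    if now is None:
        now = int(time.time())
    expiry_str, sep, _user = username.partition(":")
    if not sep or not expiry_str.isdigit() or int(expiry_str) <= now:
        return False  # malformed or already expired
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    ).decode()
    return hmac.compare_digest(expected, password)


def secrets_in_sync(signaling_secret: str, turn_server_secret: str,
                    user: str = "nextcloud", now: Optional[int] = None) -> bool:
    """Model the deployment: the HPB signs with TURN_SECRET, the TURN server
    verifies with its own secret. True only when both sides hold the same value."""
    username, password = make_turn_credentials(signaling_secret, user, now=now)
    return verify_turn_credentials(turn_server_secret, username, password, now=now)


if __name__ == "__main__":
    fixed_now = 1_700_000_000
    user, pw = make_turn_credentials(SHARED_SECRET, "nextcloud", now=fixed_now)
    print("issued:", user, pw)
    print("same secret on both sides:", secrets_in_sync(SHARED_SECRET, SHARED_SECRET, now=fixed_now))
    print("mismatched secret:", secrets_in_sync(SHARED_SECRET, "some-other-secret", now=fixed_now))
    print("after expiry:", verify_turn_credentials(SHARED_SECRET, user, pw, now=fixed_now + CREDENTIAL_TTL))
```

Running the script shows three outcomes: matching secrets verify, a mismatched secret is rejected even though the signaling server happily issued credentials, and the same credentials stop working once the embedded expiry has passed. The first case is what a working HPB plus Hetzner TURN pairing relies on; the second is the failure mode a copy-paste mismatch between the compose file and the TURN server produces.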