Complete NC installation on Debian with Spreed.me and TURN step by step

Thank you very much, this worked for me, where using the spreedme stun server was not enough.

I first found the strukturag docker solution here, but I didn’t want to install again something to run/install something else again. I am already unhappy only being able to run spreedme with git, go, nodeJS, … installed before ;). I hope there will be some easier slim solution soon.

I only understand half of the turnserver.conf, I guess “alt-listening-port” is not necessary and will also only work with proper port forwarding in the router. “cipher-list” should also not be necessary to edit, right? I will try to find out which lines are really necessary for the turn server to run with spreedme. But as the given configs work, I guess it would be helpful to add them to the “official” installation guides on GitHub and nextcloud.com as they are the first places where server admins will try to find them.

So the installation priority would be:

  1. install spreed server + spreed.me nextcloud app + configuration
  2. as this doesn’t work in most cases for calls between separate networks: configure the use of stun server, preferably the one from spreed.me
  3. as this also is not enough for some network configurations (e.g. mine): installation of turn server, preferably coturn with the here given config adjustments

@MichaIng docker works every time but you need to manually run on each reboot.
you need to do docker ps -a, copy the pid number xxxx, then docker rm xxxxxxxx
then re-run docker with the following command
docker run --rm --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v $(pwd):/srv/extra -i -t spreed/webrtc

for more info you can visit the following link : http://community.nethserver.org/t/experimenting-the-spreed-me-feature-under-nextcloud/4685/3

the second issue with docker is that you cannot change the ports 8080 and 8443.
the third issue of Docker is you can access the spreedme outside of Nextcloud, security problem

@SyS0p3r solution is very good, however again I was not able to fix the security nor being able to run it in HTTPS
and you need to start the spreed webrtc manually.

I am working on an easy solution will post the howto however it will be complementing that of @SyS0p3r
in the meantime can someone help in the webrtc.conf with https enabled?

I have solved the start with boot, solved the security (so now no one will be able to access spreed without being logged into nextcloud) I am left with https not being enabled which is really annoying me. Every time I enable https the spreed-webrtc refuses to reload.

Yeah, I mean the docker solution should be nice, if someone anyway already uses docker as platform for many other things. But as I never used it so far and also don’t see any reason why I should, I don’t like to use it just for one piece of software to run. The things you mention also don’t look like it’s an “easier” solution in any way.

@https: As the turn server already listens on port 8443 now, could there be a problem using the same port for the spreed server? At least port 8443 is offered in the https section of the conf file. But I guess you can choose any free port? I wonder why I don’t need to forward port 8080 where my spreed server listens so far (non-https so far).

I will also try to get it work with https now and let you know how it works.

€: Okay I tried to make spreed listen to https. For the first: It is not possible to use port 8443, if that is already used by the turn server. At least good to know for me as noob in this topics ;).
I tried to use port 8444 and adjusted the apache conf, spreed server conf and also the one for the nextcloud app, but at least I always got some handshake error message, trying to access the spreedme app.
But looking into the apache conf, I guess that the connection actually already is in https.

This is what my Nextcloud apache conf contains according to the guides:

	<Location /webrtc>
		ProxyPass http://127.0.0.1:8080/webrtc
		ProxyPassReverse /webrtc
	</Location>
	<Location /webrtc/ws>
		ProxyPass ws://127.0.0.1:8080/webrtc/ws
	</Location>
	ProxyVia On
	ProxyPreserveHost On
	RequestHeader set X-Forwarded-Proto 'https' env=HTTPS

I don’t exactly understand all of this, but isn’t this a sort of just redirecting the https request of the client internally to the http port where the spreed server listens? I mean even though spreed does not listen explicitly on an https port, the access over the web browser is (as long as apache is configured accordingly) just possible over https, which also doesn’t change when accessing the spreedme app. This also explains why there is no port forwarding for 8080 necessary.

The official instructions say:
"Running for production
Spreed WebRTC should be run through a SSL frontend proxy with support for Websockets."
and then refer to documentation files that (for apache) show exactly the lines I show above.

So I guess everything is as it should be and the connection is “safe” through https, or am I wrong?

@MichaIng yes you are right
This should be fine.
You just need to make sure you can access it via http as well as via https.
also make sure that you do not have direct access http://ipaddress:8080 or https://ipaddress:8443

Mine is similar to yours except that I run the VM machine provided by techandme where all runs in https.

What do you mean by “access it via http”? All http access is redirected to https automatically. Whatever I try (with webbrowser) to access via http or port 80 is redirected or refused.

Port 8080 is not forwarded by the router, just UDP 8443 to the turn server. I didn’t find a way to access something through this opened port, but I also don’t know many ways to do that ;). As far as I understand my settings, my webserver just listens on port 80 (which is redirected to 443) and 443. For ssh my router forwards another certain port to 22. I don’t know about the actual security risk of opening port 8443 (directly) for the turn server or what I can/should do to minimize it. If you or somebody else has some hint for me, I would appreciate it :).

@MichaIng as I explained to you earlier my OS is a bit different as well as your setup.
My OS is Ubuntu 16, it is the VM pre-installed version of Nextcloud provided by techandme.se
What I did is followed the steps of @SyS0p3r script and adapted some of it on my machine

If all your requests are going to 443 then your machine fulfills the conditions.

many thanks for your complete tutorial
I tried to apply it on Ubuntu 16.10 server
spreed seems to be working but I didn’t understand how to start a chat, then I restarted the server
now I can’t start the apache server
I didn’t find any error log

what is the error you get? what happens when you do a

/etc/init.d/httpd restart
or
service httpd restart

error should be in /var/log/httpd/

I don’t have any error but I am trying to revert all that I did in this tutorial, so can you give me a way to delete the init script
(nohup ./spreed-webrtc-server > /dev/null 2>&1 &)
thanks

I solved the problem when I deleted golang and installed directly, apache returned to start, but I still don’t know how to use spreedme
when I click spreed me it generates a second line at the top of nextcloud, nothing more

why can’t you change the port? just edit it in the config file and then in the docker start command. You even can redirect one port from the outside to another to the inside.

Additionally, if you look at the recent spreed.me manual on the nextcloud page you will see that the security issue is solved too.

On top of that, you forgot to expose your nextcloud App instance.

for the spreedme server you need golang. if the problem was that apache wasn’t starting with spreedme running I would think there might be a port conflict. did you run spreedme and apache on the same ports?

and to stop the spreedme script (it isn’t an init script, just a way to start it in the background) you could do a:

ps -e | grep spreed-webrtc-server

it will give you a line with a process id (like 8992 or something) and then kill it with

kill -9 8992 (change 8992 with your process id)

I don’t receive any result with this command
I deleted everything to start again from scratch
(also I tried to add the repository of webrtc https://github.com/strukturag/spreed-webrtc/wiki/Ubuntu-Repository )

thanks for help

startup script is not compatible with ubuntu or not working

If you moved the data folder to the /var/oc_data/ (or nc_data :slight_smile: ) you should add 2 lines to the permissions script:

find ${ncdata} -type f -print0 | xargs -0 chmod 0640
find ${ncdata} -type d -print0 | xargs -0 chmod 0750

I couldn’t edit the original post anymore (I think) but needed to add it somehow since it could be a security issue if you don’t. You could get user directories with the wrong permissions (rwxrw-r-- instead of rwxr-x---)

Hi all, my install works perfectly, I will just post some tips to help:

  • Huge thanks to the author of the topic, it helped me a lot at the beginning!
  • First, no need to have two public IPs, all programs run on the same dedicated server (nextcloud, web-rtc, and coturn)
  • Coturn works perfectly, with video calls in 3g, 4g, several machines under different LANs, etc.
  • I have installed the ubuntu packaged programs, no sources. (just added a repository for web-rtc)
  • my /etc/turnserver.conf (run as a service by uncommenting TURNSERVER_ENABLED=1 in /etc/default/coturn):

listening-port=8443
alt-listening-port=3478
fingerprint
lt-cred-mech
use-auth-secret
# generated by: openssl rand -hex 32
static-auth-secret=6cf6cbc540e9667f3552773df92edbd442eca209a141df1cxxxxxxxxxxxx
realm=mynextcloud.net
total-quota=100
bps-capacity=0
stale-nonce
cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
log-file=/var/log/turn.log
no-loopback-peers
no-multicast-peers
cert=/etc/letsencrypt/live/mynextcloud.net/cert.pem
pkey=/etc/letsencrypt/live/mynextcloud.net/privkey.pem

  • my /etc/spreed/webrtc.conf :slight_smile: (I used the normal way to generate this configuration, in the admin panel of nextcloud, just added root= and turnURIs)

; Minimal Spreed WebRTC configuration for Nextcloud

[http]
; if you have the ubuntu version, you have to add this
root = /usr/share/spreed-webrtc-server/www
listen = 127.0.0.1:8080
basePath = /webrtc/

[app]
sessionSecret = 02819e83254f793608a1a6b1adb11ed657dxxxxxxxxxxxxxxxxxxxxxxxxxxx
encryptionSecret = c3ec0dc5ead5a8c95bcbae94fcde149xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
authorizeRoomJoin = true
serverToken = 9b88f0aee6fde09a749e65d061de84xxxxxxxxxxxxxxxxxxxxx
serverRealm = mynextcloud.net
extra = /var/www/nextcloud/apps/spreedme/extra
plugin = extra/static/owncloud.js

turnURIs = turn:mynextcloud.net:8443?transport=udp turn:mynextcloud.net:8443?transport=tcp
turnSecret = 6cf6cbc540e9667f3552773df92edbd442eca209axxxxxxxxxxxxxxxxxxxxxx

[users]
enabled = true
mode = sharedsecret
sharedsecret_secret = 10b774ef3db23e63a4d80c69b7879193xxxxxxxxxxxxxxxxxxxx

  • Open ports 8443 and 3478 for TCP and UDP, because coturn uses both protocols.
  • I have also created an admin for coturn with this command: sudo turnadmin -A -u admin -p passwdadmin
    The admin panel of coturn is available by browser at the address https://mynextcloud:8443 which allows me to see the sessions, and add the secret code in section Shared Secrets (for TURN REST API) (don’t know if it’s necessary or not).

EDIT : I use ubuntu server 16.04.1

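An added example, not from any post in this thread, showing what the shared secret in coturn's static-auth-secret (and turnSecret in webrtc.conf) is actually used for: with use-auth-secret, the Spreed server derives short-lived TURN credentials in the TURN REST API format, and coturn recomputes the HMAC to accept or reject them. The secret and the user name below are constructed placeholders, and the same code doubles as a check that both config files really carry the same secret, which is the usual cause of TURN allocations failing.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder: in a real setup this is the value of
# static-auth-secret in /etc/turnserver.conf, and the identical value must be
# set as turnSecret in webrtc.conf, otherwise every TURN allocation is refused.
SHARED_SECRET = "REPLACE_WITH_openssl_rand_-hex_32_OUTPUT"


def turn_credentials(secret, user_id, ttl=3600, now=None):
    """Build time-limited TURN credentials in the TURN REST API format that
    coturn's use-auth-secret expects: username is "<expiry>:<user>",
    password is base64(HMAC-SHA1(secret, username))."""
    now = int(time.time()) if now is None else now
    username = "%d:%s" % (now + ttl, user_id)
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credentials(secret, username, password, now=None):
    """Mirror the server-side check: reject once the expiry has passed or
    when the HMAC does not match the configured secret (constant-time compare)."""
    now = int(time.time()) if now is None else now
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False
    if expiry <= now:
        return False
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(digest).decode(), password)


if __name__ == "__main__":
    user, pw = turn_credentials(SHARED_SECRET, "nc-user", ttl=600)
    print("username:", user)
    print("password:", pw)
    # Same secret on both sides: accepted. A mismatched turnSecret: rejected.
    print("accepted with matching secret:", verify_turn_credentials(SHARED_SECRET, user, pw))
    print("accepted with other secret:   ", verify_turn_credentials("0000", user, pw))
```

The generated pair can be handed to coturn's turnutils_uclient to confirm that the running server accepts credentials derived from the configured secret.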

Just finalized the instruction with the last replies of my fellow nextclouders and removed the “remember it’s not working yet”. thanks for all your input.

@SyS0p3r this should not be done in /var/www for security reasons. Stuff in /var/www should be directly accessible by a web server. As you are proxy’ing everything through Spreed WebRTC, there’s no need to put these files into /var/www.

Ok tnx. I changed it to /opt/spreed-webrtc-master/ (might also be /usr/share but i’m used to /opt)

Excuse me for the beginner’s question, but what is the reason to use either /opt or /usr/share as root folder for the spreed server? As I remember reading somewhere, the one repo available installs it to /etc. I don’t know what the intention is to put something into one or the other predefined folder of linux systems or what rights/security reasons there are about this, so some explanation would be nice :slight_smile:. Reason is that I want to write a small guide about how to establish a systemd unit to autorun spreed.

€: I self explained it to me by reading http://unix.stackexchange.com/questions/11544/what-is-the-difference-between-opt-and-usr-local#11552. According to this I would also slightly prefer /opt/spreed-webrtc-master as root, as it is downloaded manually here and no files are created outside of this folder by any step.

€€: Guide about setting up a systemd unit to autorun the spreed server is done: [Spreed.ME] Howto autorun "spreed-webrtc-server" step-by-step