High Performance Backend for Talk on Nextcloud with Docker


Talk:HPB

See Nextcloud Talk documentation

A High Performance Backend (HPB) requires a signalling service and consists of three components working hand in hand:

  1. STUN service: part of TURN, used for discovering NATed/firewalled external IPs. TURN is both a 'Traversal Using Relays around NAT' (TURN) server and a 'Session Traversal Utilities for NAT' (STUN) server. A STUN server is provided by default in Nextcloud, but you can replace it with your own.
    • Examples: stun.nextcloud.com:443 or stun.yourdomain.tld:3478 or both
  2. TURN service like "coturn" or "eturnal", for connecting NATed/firewalled external IPs and controlling WebRTC streams. Its main role is to help WebRTC clients behind routers communicate: it relays the audio and video data through firewalls and port restrictions.
    • Examples: turn.yourdomain.tld:3478 or yourdomain.tld:3478
  3. Signalling service like "Janus: the general purpose WebRTC server", required for calls and conversations with multiple participants. The signalling server is used to establish a WebSocket connection between the participants in the call. Without it, every participant would have to upload their own audio/video separately to each other participant, causing connectivity issues.
    • Example: https://signal.yourdomain.tld

Self-hosting all three services is not as daunting as it seems, and thanks to the folks at Nextcloud AIO it is easily installed by running their Docker image.

This example requires Docker and a reverse proxy that terminates TLS for https://signal.yourdomain.tld and forwards the traffic to HTTP port 8181.

Prepare router/firewall & reverse proxy

  • Allow inbound TURN & STUN on port 3478 tcp/udp (your.domain.tld:3478) in your router/firewall; this port must be internet facing
    • no extra encryption is needed for TURN & STUN, as it is handled by the already encrypted Nextcloud connection
  • Set a reverse proxy host for the signal domain (https://signal.yourdomain.tld) that forwards HTTP & WSS (WebSockets Support) to port 8181

TIP: create secretpasswordkeys

Make sure you create a long secretpasswordkey (min. 24 chars, better 32 chars) for each service! Note down the secretpasswordkeys, as you will need them for creating the Docker stack and for configuring Nextcloud Talk.

  • issue the following command in the host shell, and repeat it once for each service:
openssl rand -hex 32

You need one long random secretpasswordkey for each of:

1. TURN_SECRET
2. SIGNALING_SECRET
3. INTERNAL_SECRET
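The secret generation described above, as an added example that is not part of the original post: a small POSIX shell script that generates the three keys with `openssl rand -hex 32`, checks that each one meets the minimum length from the troubleshooting tip, and writes them to an `.env` file so they do not sit in the compose file itself. It assumes the compose file references `${TURN_SECRET}` and friends instead of the literal `secretpassword` values shown in the stack above.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the three HPB secrets
# and writes them to an .env file next to the compose stack (assumption: the
# compose file uses ${TURN_SECRET}, ${SIGNALING_SECRET}, ${INTERNAL_SECRET}).
set -eu

MIN_SECRET_LEN=24   # the post's minimum; openssl rand -hex 32 yields 64 chars

# Return 0 if the secret is long enough and hex-only, 1 otherwise.
# A too-short or hand-edited secret is what typically shows up as "403 forbidden".
check_secret() {
  secret=$1
  [ "${#secret}" -ge "$MIN_SECRET_LEN" ] || return 1
  case $secret in
    *[!0-9a-f]*) return 1 ;;   # anything outside [0-9a-f] was not produced by openssl
  esac
  return 0
}

# Produce one 64-character hex secret, exactly as the post recommends.
gen_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    # Fallback with the same output shape if openssl is missing on the host.
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# Write TURN_SECRET, SIGNALING_SECRET and INTERNAL_SECRET to the given file
# (mode 0600) after checking each one. Prints the file path on success.
write_env() {
  out=$1
  turn=$(gen_secret); sig=$(gen_secret); internal=$(gen_secret)
  for s in "$turn" "$sig" "$internal"; do
    check_secret "$s" || { echo "generated secret failed check" >&2; return 1; }
  done
  umask 077
  {
    echo "TURN_SECRET=$turn"
    echo "SIGNALING_SECRET=$sig"
    echo "INTERNAL_SECRET=$internal"
  } > "$out"
  echo "$out"
}

# Usage: write_env ./.env   (then copy the same values into Nextcloud Talk settings)
```

Docker Compose reads a `.env` file in the project directory for variable substitution, so `docker compose up -d` picks the values up without any further flags.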

Create and run Docker Stack

name: 'hpb'

services:

  nc-talk:
    container_name: talk_hpb
    image: nextcloud/aio-talk:latest
    init: true
    ports:
      - 3478:3478/tcp   # TURN/STUN, must be reachable from the internet
      - 3478:3478/udp
      - 8181:8081/tcp   # signalling, plain HTTP on host port 8181; the reverse proxy terminates TLS
    environment:
      - NC_DOMAIN=cloud.yourdomain.tld
      - TALK_HOST=signal.yourdomain.tld
      - TURN_SECRET=secretpassword # replace with the long secretpasswordkey generated above
      - SIGNALING_SECRET=secretpassword # replace with the long secretpasswordkey generated above
      - TZ=Europe/Berlin
      - TALK_PORT=3478 # the TURN/STUN port published above
      - INTERNAL_SECRET=secretpassword # replace with the long secretpasswordkey generated above
    restart: unless-stopped

Configure Nextcloud Talk

Example Nextcloud STUN configuration (screenshot in the original post)

Example Nextcloud TURN configuration (screenshot in the original post)

Example Nextcloud HPB configuration (screenshot in the original post)

Example NPM reverse proxy manager configuration (screenshot in the original post)

Example Apache reverse proxy configuration

For the WebSocket upgrade in Apache version 2.4.47 and later, set

ProxyPass / http://192.168.2.15:8181/ upgrade=websocket

and:

RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
RequestHeader set X-Real-IP expr=%{REMOTE_ADDR}

as mentioned in strukturag/nextcloud-spreed-signaling (Standalone signaling server for Nextcloud Talk).

See also mod_proxy_wstunnel (Apache HTTP Server Version 2.4) and mod_proxy (Apache HTTP Server Version 2.4).


Troubleshooting

  • connection errors
  • 403 forbidden

TIP: in both cases, make sure you have a long secretpasswordkey (min. 24 chars, better 32 chars) for each service!

