High Performance Backend for Talk on Nextcloud with Docker

Talk:HPB

A High Performance Backend (HPB) for Nextcloud Talk requires a signalling service and consists of three components working hand in hand:

  1. STUN service (Session Traversal Utilities for NAT) for discovering NATed/firewalled external IPs. Nextcloud provides a default STUN server, but it can be replaced with your own.
    • Examples: stun.nextcloud.com:443 or stun.yourdomain.tld:3478
  2. TURN service (Traversal Using Relays around NAT) like “coturn” or “eturnal” for connecting NATed/firewalled external IPs and controlling WebRTC streams. Its main role is to help WebRTC clients behind routers communicate; it relays the audio and video data through firewalls and port restrictions.
    • Examples: turn.yourdomain.tld:3478 or yourdomain.tld:3478
    • Encryption is optional for TURN & STUN and will be handled by encrypted Nextcloud
  3. WebRTC signalling service like “Janus WebRTC server” or “Spreed WebRTC server”, which is required for calls and conversations with multiple participants. The signalling server is used to establish a WebSocket connection between the participants in the call. Without it, all participants would have to upload their own audio/video individually for each other participant, causing connectivity issues.
    • Example: https://signal.yourdomain.tld

Self-hosting all three services is not as daunting as it seems and, thanks to the folks at Nextcloud AIO, is easily accomplished using their Docker image.

This example will require Docker and a reverse proxy for forwarding and encrypting HTTP & WSS (Websockets Support) for port 8181 to your signal domain https://signal.yourdomain.tld.

Prepare router/firewall & reverse proxy

  • Expose TURN & STUN on port 3478 tcp/udp, which must be internet-facing in the router/firewall (e.g. your.domain.tld:3478)
    • Encryption is optional for TURN & STUN as it will be handled by encrypted Nextcloud
  • Set reverse proxy host for signal domain to forward and encrypt HTTP & WSS (Websockets Support) for port 8181 to https://signal.yourdomain.tld

TIP: create secretpasswordkey

Make sure you create a long secretpasswordkey (min. 24 chars, better 32 chars) for each service! Note down the secretpasswordkeys, as you will need them for creating the Docker stack and for configuring HPB in Nextcloud Talk.

  • Issue this command in the host shell and repeat for each service:
openssl rand -hex 32

1. TURN_SECRET
  • create a long random secretpasswordkey, issue command in host shell:
openssl rand -hex 32
2. SIGNALING_SECRET
  • create a long random secretpasswordkey, issue command in host shell:
openssl rand -hex 32
3. INTERNAL_SECRET
  • create a long random secretpasswordkey, issue command in host shell:
openssl rand -hex 32

Create and run Docker Stack

  • or create a docker-compose.yaml in place and execute in docker
name: 'hpb'

services:

  nc-talk:
    container_name: talk_hpb
    image: ghcr.io/nextcloud-releases/aio-talk:latest
    init: true
    ports:
      - 3478:3478/tcp
      - 3478:3478/udp
      - 8181:8081/tcp
    environment:
      - NC_DOMAIN=cloud.yourdomain.tld
      - TALK_HOST=signal.yourdomain.tld
      - TURN_SECRET=secretpasswordkey #this must be a long secretpasswordkey
      - SIGNALING_SECRET=secretpasswordkey #this must be a long secretpasswordkey
      - TZ=Europe/Berlin
      - TALK_PORT=3478
      - INTERNAL_SECRET=secretpasswordkey #this must be a long secretpasswordkey
    restart: unless-stopped

Upgrade Talk:HPB Docker image

Configure Nextcloud Talk

Example Nextcloud STUN configuration

Encryption for STUN will be handled by encrypted Nextcloud. Use stun.yourdomain.tld:3478 or the default stun.nextcloud.com:443.

Example Nextcloud TURN configuration

Encryption for TURN will be handled by encrypted Nextcloud. Use turn.yourdomain.tld:3478 or yourdomain.tld:3478, or optionally set up TURNS.

Example Nextcloud HPB configurations

Example 1

Example 2

Reverse proxy documentation

Example NPM reverse proxy manager configuration

Example Apache reverse proxy configuration

For WebSocket upgrade in Apache version 2.4.47 and later, set

ProxyPass / http://192.168.2.xx:8181/ upgrade=websocket

and:

RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
RequestHeader set X-Real-IP expr=%{REMOTE_ADDR}

as mentioned in strukturag/nextcloud-spreed-signaling: Standalone signaling server for Nextcloud Talk,

or see mod_proxy_wstunnel - Apache HTTP Server Version 2.4 and mod_proxy - Apache HTTP Server Version 2.4.


Troubleshooting

connection errors

403 forbidden

TIP

Make sure you have a long secretpasswordkey (min. 24 chars, better 32 chars) for each service!
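
The secret handling this guide asks for, both in this tip and in the secret-creation step earlier, as an added shell example that is not part of the original post: `write_env` generates the three values into a file readable only by its owner, and `check_env` flags a missing, placeholder, short or reused value. The function names and the file name passed to them are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. The file name passed in is an assumption.
NAMES="TURN_SECRET SIGNALING_SECRET INTERNAL_SECRET"
PLACEHOLDER="secretpasswordkey"   # placeholder text used in the compose file above
MIN_LEN=24                        # minimum length recommended in this guide

# gen_secret: 64 hex characters; falls back to /dev/urandom if openssl is absent.
gen_secret() {
  openssl rand -hex 32 2>/dev/null ||
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# check_env FILE: print one line per problem, exit status 0 only if all pass.
check_env() (
  file=$1 seen="" bad=0
  for name in $NAMES; do
    value=$(sed -n "s/^${name}=//p" "$file" | head -n 1)
    if [ -z "$value" ]; then
      echo "$name: missing"; bad=1; continue
    elif [ "$value" = "$PLACEHOLDER" ]; then
      echo "$name: still the placeholder"; bad=1
    elif [ "${#value}" -lt "$MIN_LEN" ]; then
      echo "$name: shorter than $MIN_LEN characters"; bad=1
    fi
    case " $seen " in
      *" $value "*) echo "$name: same value as another service"; bad=1 ;;
    esac
    seen="$seen $value"
  done
  exit "$bad"
)

# write_env FILE: create FILE (mode 0600) with one fresh secret per service.
# Refuses to overwrite, because rotating a secret here without also updating
# the Talk settings in Nextcloud leaves the two sides out of sync.
write_env() (
  file=$1
  if [ -e "$file" ]; then
    echo "refusing to overwrite $file" >&2; exit 1
  fi
  umask 077
  for name in $NAMES; do
    printf '%s=%s\n' "$name" "$(gen_secret)" >> "$file" || exit 1
  done
  check_env "$file"
)
```

Run `write_env talk.env` once and `check_env talk.env` before copying the values into the compose file and the Talk admin settings.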

