#!/bin/bash -e # Copyright (c) 2018 BigBlueButton Inc. # # This program is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free Software # Foundation; either version 3.0 of the License, or (at your option) any later # version. # # BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public License along # with BigBlueButton; if not, see . # BigBlueButton is an open source conferencing system. For more information see # https://www.bigbluebutton.org/. # # This bbb-install.sh script automates many of the installation and configuration # steps at # https://docs.bigbluebutton.org/install/install.html # # # Examples # # Install BigBlueButton with a SSL certificate from Let's Encrypt using hostname bbb.example.com # and email address info@example.com and apply a basic firewall # # wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -w -v bionic-24 -s bbb.example.com -e info@example.com # # Same as above but also install the API examples for testing. # # wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -w -a -v bionic-24 -s bbb.example.com -e info@example.com # # Install BigBlueButton with SSL + Greenlight # # wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -w -v bionic-24 -s bbb.example.com -e info@example.com -g # usage() { set +x cat 1>&2 < Install given version of BigBlueButton (e.g. 'bionic-24') (required) -s Configure server with -e Email for Let's Encrypt certbot -x Use Let's Encrypt certbot with manual dns challenges -a Install BBB API demos -g Install Greenlight -c : Configure with coturn server at using -m Create a Symbolic link from /var/bigbluebutton to -p [:] Use apt-get proxy at (default port 3142) -r Use alternative apt repository (such as packages-eu.bigbluebutton.org) -d Skip SSL certificates request (use provided certificates from mounted volume) in /local/certs/ -w Install UFW firewall (recommended) -h Print help OPTIONS (install coturn only): -c : Setup a coturn server with and (required) -e Configure email for Let's Encrypt certbot (required) OPTIONS (install Let's Encrypt certificate only): -s Configure server with (required) -e Configure email for Let's Encrypt certbot (required) -l Only install Let's Encrypt certificate (not BigBlueButton) -x Use Let's Encrypt certbot with manual dns challenges (optional) EXAMPLES: Sample options for setup a BigBlueButton server -v bionic-24 -s bbb.example.com -e info@example.com -v bionic-24 -s bbb.example.com -e info@example.com -g -v bionic-24 -s bbb.example.com -e info@example.com -g -c turn.example.com:1234324 Sample options for setup of a coturn server (on a Ubuntu 20.04) -c turn.example.com:1234324 -e info@example.com SUPPORT: Community: https://bigbluebutton.org/support Docs: https://github.com/bigbluebutton/bbb-install HERE } main() { export DEBIAN_FRONTEND=noninteractive PACKAGE_REPOSITORY=ubuntu.bigbluebutton.org LETS_ENCRYPT_OPTIONS=(--webroot --non-interactive) SOURCES_FETCHED=false need_x64 while builtin getopts "hs:r:c:v:e:p:m:xgadw" opt "${@}"; do case $opt in h) usage exit 0 ;; s) HOST=$OPTARG if [ "$HOST" == "bbb.example.com" ]; then err "You must specify a valid hostname (not the hostname given in the docs)." fi ;; r) PACKAGE_REPOSITORY=$OPTARG ;; e) EMAIL=$OPTARG if [ "$EMAIL" == "info@example.com" ]; then err "You must specify a valid email address (not the email in the docs)." fi ;; x) LETS_ENCRYPT_OPTIONS=(--manual --preferred-challenges dns) ;; c) COTURN=$OPTARG check_coturn "$COTURN" ;; v) VERSION=$OPTARG ;; p) PROXY=$OPTARG if [ -n "$PROXY" ]; then if [[ "$PROXY" =~ : ]]; then echo "Acquire::http::Proxy \"http://$PROXY\";" > /etc/apt/apt.conf.d/01proxy else echo "Acquire::http::Proxy \"http://$PROXY:3142\";" > /etc/apt/apt.conf.d/01proxy fi fi ;; g) GREENLIGHT=true ;; a) API_DEMOS=true ;; m) LINK_PATH=$OPTARG ;; d) PROVIDED_CERTIFICATE=true ;; w) SSH_PORT=$(grep Port /etc/ssh/ssh_config | grep -v \# | sed 's/[^0-9]*//g') if [[ -n "$SSH_PORT" && "$SSH_PORT" != "22" ]]; then err "Detected sshd not listening to standard port 22 -- unable to install default UFW firewall rules. See https://docs.bigbluebutton.org/2.2/customize.html#secure-your-system--restrict-access-to-specific-ports" fi UFW=true ;; :) err "Missing option argument for -$OPTARG" ;; \?) usage_err "Invalid option: -$OPTARG" >&2 ;; esac done if [ -n "$HOST" ]; then check_host "$HOST" fi if [ -n "$VERSION" ]; then check_version "$VERSION" fi check_apache2 # Check if we're installing coturn (need an e-mail address for Let's Encrypt) if [ -z "$VERSION" ] && [ -n "$COTURN" ]; then if [ -z "$EMAIL" ]; then err "Installing coturn needs an e-mail address for Let's Encrypt"; fi check_ubuntu 20.04 install_coturn exit 0 fi if [ -z "$VERSION" ]; then usage exit 0 fi # We're installing BigBlueButton env if [ "$DISTRO" == "xenial" ]; then check_ubuntu 16.04 TOMCAT_USER=tomcat7 fi if [ "$DISTRO" == "bionic" ]; then check_ubuntu 18.04 TOMCAT_USER=tomcat8 fi check_mem need_pkg software-properties-common # needed for add-apt-repository sudo add-apt-repository universe need_pkg wget curl gpg-agent dirmngr apparmor-utils get_IP "$HOST" if [ "$DISTRO" == "xenial" ]; then echo "** Ubuntu 16.04 is now end of life. Recommend installing BigBlueButton 2.3 on Ubuntu 18.04" rm -rf /etc/apt/sources.list.d/jonathonf-ubuntu-ffmpeg-4-xenial.list need_ppa rmescandon-ubuntu-yq-xenial.list ppa:rmescandon/yq CC86BB64 # Edit yaml files with yq need_ppa libreoffice-ubuntu-ppa-xenial.list ppa:libreoffice/ppa 1378B444 # Latest libreoffice need_ppa bigbluebutton-ubuntu-support-xenial.list ppa:bigbluebutton/support E95B94BC # Latest version of ffmpeg apt-get -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install grub-pc update-notifier-common # Remove default version of nodejs for Ubuntu 16.04 if installed if dpkg -s nodejs | grep Version | grep -q 4.2.6; then apt-get purge -y nodejs > /dev/null 2>&1 fi apt-get purge -yq kms-core-6.0 kms-elements-6.0 kurento-media-server-6.0 > /dev/null 2>&1 # Remove older packages if [ ! -f /etc/apt/sources.list.d/nodesource.list ]; then curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash - fi if ! apt-cache madison nodejs | grep -q node_8; then err "Did not detect nodejs 8.x candidate for installation" fi if ! apt-key list A15703C6 | grep -q A15703C6; then wget -qO - https://www.mongodb.org/static/pgp/server-3.4.asc | sudo apt-key add - fi if apt-key list A15703C6 | grep -q expired; then wget -qO - https://www.mongodb.org/static/pgp/server-3.4.asc | sudo apt-key add - fi rm -rf /etc/apt/sources.list.d/mongodb-org-4.0.list echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list MONGODB=mongodb-org need_pkg openjdk-8-jre fi if [ "$DISTRO" == "bionic" ]; then need_pkg ca-certificates need_ppa rmescandon-ubuntu-yq-bionic.list ppa:rmescandon/yq CC86BB64 # Edit yaml files with yq need_ppa libreoffice-ubuntu-ppa-bionic.list ppa:libreoffice/ppa 1378B444 # Latest version of libreoffice need_ppa bigbluebutton-ubuntu-support-bionic.list ppa:bigbluebutton/support E95B94BC # Latest version of ffmpeg if ! apt-key list 5AFA7A83 | grep -q -E "1024|4096"; then # Add Kurento package sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5AFA7A83 fi rm -rf /etc/apt/sources.list.d/kurento.list # Kurento 6.15 now packaged with 2.3 if [ ! -f /etc/apt/sources.list.d/nodesource.list ]; then curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash - fi if ! apt-cache madison nodejs | grep -q node_12; then err "Did not detect nodejs 12.x candidate for installation" fi if ! apt-key list MongoDB | grep -q 4.2; then wget -qO - https://www.mongodb.org/static/pgp/server-4.2.asc | sudo apt-key add - fi echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.2.list rm -f /etc/apt/sources.list.d/mongodb-org-4.0.list touch /root/.rnd MONGODB=mongodb-org install_docker # needed for bbb-libreoffice-docker docker pull openjdk:11-jre-buster # fix issue 413 docker tag openjdk:11-jre-buster openjdk:11-jre need_pkg ruby gem install bundler -v 2.1.4 BBB_WEB_ETC_CONFIG=/etc/bigbluebutton/bbb-web.properties # Override file for local settings need_pkg openjdk-8-jre update-java-alternatives -s java-1.8.0-openjdk-amd64 fi apt-get update apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade need_pkg nodejs "$MONGODB" apt-transport-https haveged build-essential yq need_pkg bigbluebutton need_pkg bbb-html5 if [ -f /usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties ]; then # 2.2 SERVLET_DIR=/usr/share/bbb-web TURN_XML=$SERVLET_DIR/WEB-INF/classes/spring/turn-stun-servers.xml else # 2.0 SERVLET_DIR=/var/lib/tomcat7/webapps/bigbluebutton TURN_XML=$SERVLET_DIR/WEB-INF/spring/turn-stun-servers.xml fi while [ ! -f "$SERVLET_DIR/WEB-INF/classes/bigbluebutton.properties" ]; do sleep 1; echo -n '.'; done check_lxc check_nat check_LimitNOFILE configure_HTML5 if [ -n "$API_DEMOS" ]; then need_pkg bbb-demo while [ ! -f "/var/lib/$TOMCAT_USER/webapps/demo/bbb_api_conf.jsp" ]; do sleep 1; echo -n '.'; done fi if [ -n "$LINK_PATH" ]; then ln -s "$LINK_PATH" "/var/bigbluebutton" fi if [ -n "$PROVIDED_CERTIFICATE" ] ; then install_ssl elif [ -n "$HOST" ] && [ -n "$EMAIL" ] ; then install_ssl fi if [ -n "$GREENLIGHT" ]; then install_greenlight fi if [ -n "$COTURN" ]; then configure_coturn fi apt-get auto-remove -y if systemctl status freeswitch.service | grep -q SETSCHEDULER; then sed -i "s/^CPUSchedulingPolicy=rr/#CPUSchedulingPolicy=rr/g" /lib/systemd/system/freeswitch.service systemctl daemon-reload fi if [ -n "$UFW" ]; then setup_ufw fi if [ "$DISTRO" == "xenial" ]; then # Add overrides to ensure redis-server is started before bbb-apps-akka, bbb-fsesl-akka, and bbb-transcode-akka if [ ! -f /etc/systemd/system/bbb-apps-akka.service.d/override.conf ];then mkdir -p /etc/systemd/system/bbb-apps-akka.service.d cat > /etc/systemd/system/bbb-apps-akka.service.d/override.conf < /etc/systemd/system/bbb-fsesl-akka.service.d/override.conf < /etc/systemd/system/bbb-transcode-akka.service.d/override.conf <&2 exit 1 } usage_err() { say "$1" >&2 usage exit 1 } check_root() { if [ $EUID != 0 ]; then err "You must run this command as root."; fi } check_mem() { if awk '$1~/MemTotal/ {exit !($2<3940000)}' /proc/meminfo; then err "Your server needs to have (at least) 4G of memory." fi } check_ubuntu(){ RELEASE=$(lsb_release -r | sed 's/^[^0-9]*//g') if [ "$RELEASE" != "$1" ]; then err "You must run this command on Ubuntu $1 server."; fi } need_x64() { UNAME=$(uname -m) if [ "$UNAME" != "x86_64" ]; then err "You must run this command on a 64-bit server."; fi } wait_443() { echo "Waiting for port 443 to clear " # netstat fields 4 and 6 are Local Address and State while netstat -ant | awk '{print $4, $6}' | grep TIME_WAIT | grep -q ":443"; do sleep 1; echo -n '.'; done echo } get_IP() { if [ -n "$IP" ]; then return 0; fi # Determine local IP need_pkg net-tools if LANG=c ifconfig | grep -q 'venet0:0'; then IP=$(ifconfig | grep -v '127.0.0.1' | grep -E "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" | tail -1 | cut -d: -f2 | awk '{ print $1}') else IP=$(ifconfig "$(route | grep ^default | head -1 | sed "s/.* //")" | awk '/inet /{ print $2}' | cut -d: -f2) fi local external_ip # Determine external IP if grep -sqi ^ec2 /sys/devices/virtual/dmi/id/product_uuid; then # EC2 external_ip=$(wget -qO- http://169.254.169.254/latest/meta-data/public-ipv4) elif [ -f /var/lib/dhcp/dhclient.eth0.leases ] && grep -q unknown-245 /var/lib/dhcp/dhclient.eth0.leases; then # Azure external_ip=$(curl -H Metadata:true "http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-08-01&format=text") elif [ -f /run/scw-metadata.cache ]; then # Scaleway external_ip=$(grep "PUBLIC_IP_ADDRESS" /run/scw-metadata.cache | cut -d '=' -f 2) elif which dmidecode > /dev/null && dmidecode -s bios-vendor | grep -q Google; then # Google Compute Cloud external_ip=$(wget -O - -q "http://metadata/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip" --header 'Metadata-Flavor: Google') elif [ -n "$1" ]; then # Try and determine the external IP from the given hostname need_pkg dnsutils external_ip=$(dig +short "$1" @resolver1.opendns.com | grep '^[.0-9]*$' | tail -n1) fi # Check if the external IP reaches the internal IP if [ -n "$external_ip" ] && [ "$IP" != "$external_ip" ]; then if which nginx; then systemctl stop nginx fi need_pkg netcat-openbsd wait_443 nc -l -p 443 > /dev/null 2>&1 & nc_PID=$! sleep 1 # Check if we can reach the server through it's external IP address if nc -zvw3 "$external_ip" 443 > /dev/null 2>&1; then INTERNAL_IP=$IP IP=$external_ip echo echo " Detected this server has an internal/external IP address." echo echo " INTERNAL_IP: $INTERNAL_IP" echo " (external) IP: $IP" echo fi kill $nc_PID > /dev/null 2>&1; if which nginx; then systemctl start nginx fi fi if [ -z "$IP" ]; then err "Unable to determine local IP address."; fi } need_pkg() { check_root while fuser /var/lib/dpkg/lock >/dev/null 2>&1; do sleep 1; done if [ ! "$SOURCES_FETCHED" = true ]; then apt-get update SOURCES_FETCHED=true fi if ! dpkg -s "${@}" >/dev/null 2>&1; then LC_CTYPE=C.UTF-8 apt-get install -yq "${@}" fi } need_ppa() { need_pkg software-properties-common if [ ! -f "/etc/apt/sources.list.d/$1" ]; then LC_CTYPE=C.UTF-8 add-apt-repository -y "$2" fi if ! apt-key list "$3" | grep -q -E "1024|4096"; then # Let's try it a second time LC_CTYPE=C.UTF-8 add-apt-repository "$2" -y if ! apt-key list "$3" | grep -q -E "1024|4096"; then err "Unable to setup PPA for $2" fi fi } check_version() { if ! echo "$1" | grep -Eq "xenial|bionic"; then err "This script can only install BigBlueButton 2.2 up to 2.4"; fi DISTRO=${1%%-*} if ! wget -qS --spider "https://$PACKAGE_REPOSITORY/$1/dists/bigbluebutton-$DISTRO/Release.gpg" > /dev/null 2>&1; then err "Unable to locate packages for $1 at $PACKAGE_REPOSITORY." fi check_root need_pkg apt-transport-https if ! apt-key list | grep -q "BigBlueButton apt-get"; then wget "https://$PACKAGE_REPOSITORY/repo/bigbluebutton.asc" -O- | apt-key add - fi # Check if were upgrading from 2.0 (the ownership of /etc/bigbluebutton/nginx/web has changed from bbb-client to bbb-web) if [ -f /etc/apt/sources.list.d/bigbluebutton.list ]; then if grep -q xenial-200 /etc/apt/sources.list.d/bigbluebutton.list; then if echo "$VERSION" | grep -q xenial-22; then if dpkg -l | grep -q bbb-client; then apt-get purge -y bbb-client fi fi fi fi echo "deb https://$PACKAGE_REPOSITORY/$VERSION bigbluebutton-$DISTRO main" > /etc/apt/sources.list.d/bigbluebutton.list } check_host() { if [ -z "$PROVIDED_CERTIFICATE" ] && [ -z "$HOST" ]; then need_pkg dnsutils apt-transport-https net-tools DIG_IP=$(dig +short "$1" | grep '^[.0-9]*$' | tail -n1) if [ -z "$DIG_IP" ]; then err "Unable to resolve $1 to an IP address using DNS lookup."; fi get_IP "$1" if [ "$DIG_IP" != "$IP" ]; then err "DNS lookup for $1 resolved to $DIG_IP but didn't match local $IP."; fi fi } check_coturn() { if ! echo "$1" | grep -q ':'; then err "Option for coturn must be :"; fi COTURN_HOST=$(echo "$OPTARG" | cut -d':' -f1) COTURN_SECRET=$(echo "$OPTARG" | cut -d':' -f2) if [ -z "$COTURN_HOST" ]; then err "-c option must contain "; fi if [ -z "$COTURN_SECRET" ]; then err "-c option must contain "; fi if [ "$COTURN_HOST" == "turn.example.com" ]; then err "You must specify a valid hostname (not the example given in the docs)" fi if [ "$COTURN_SECRET" == "1234abcd" ]; then err "You must specify a new password (not the example given in the docs)." fi check_host "$COTURN_HOST" } check_apache2() { if dpkg -l | grep -q apache2-bin; then err "You must uninstall the Apache2 server first"; fi } # If running under LXC, then modify the FreeSWITCH systemctl service so it does not use realtime scheduler check_lxc() { if grep -qa container=lxc /proc/1/environ; then if grep IOSchedulingClass /lib/systemd/system/freeswitch.service > /dev/null; then cat > /lib/systemd/system/freeswitch.service << HERE [Unit] Description=freeswitch After=syslog.target network.target local-fs.target [Service] Type=forking PIDFile=/opt/freeswitch/var/run/freeswitch/freeswitch.pid Environment="DAEMON_OPTS=-nonat" EnvironmentFile=-/etc/default/freeswitch ExecStart=/opt/freeswitch/bin/freeswitch -u freeswitch -g daemon -ncwait \$DAEMON_OPTS TimeoutSec=45s Restart=always WorkingDirectory=/opt/freeswitch User=freeswitch Group=daemon LimitCORE=infinity LimitNOFILE=100000 LimitNPROC=60000 LimitSTACK=250000 LimitRTPRIO=infinity LimitRTTIME=7000000 #IOSchedulingClass=realtime #IOSchedulingPriority=2 #CPUSchedulingPolicy=rr #CPUSchedulingPriority=89 [Install] WantedBy=multi-user.target HERE systemctl daemon-reload fi fi } # Check if running externally with internal/external IP addresses check_nat() { xmlstarlet edit --inplace --update '//X-PRE-PROCESS[@cmd="set" and starts-with(@data, "external_rtp_ip=")]/@data' --value "external_rtp_ip=$IP" /opt/freeswitch/conf/vars.xml xmlstarlet edit --inplace --update '//X-PRE-PROCESS[@cmd="set" and starts-with(@data, "external_sip_ip=")]/@data' --value "external_sip_ip=$IP" /opt/freeswitch/conf/vars.xml if [ -n "$INTERNAL_IP" ]; then xmlstarlet edit --inplace --update '//param[@name="ext-rtp-ip"]/@value' --value "\$\${external_rtp_ip}" /opt/freeswitch/conf/sip_profiles/external.xml xmlstarlet edit --inplace --update '//param[@name="ext-sip-ip"]/@value' --value "\$\${external_sip_ip}" /opt/freeswitch/conf/sip_profiles/external.xml sed -i "s/$INTERNAL_IP:/$IP:/g" /etc/bigbluebutton/nginx/sip.nginx ip addr add "$IP" dev lo # If dummy NIC is not in dummy-nic.service (or the file does not exist), update/create it if ! grep -q "$IP" /lib/systemd/system/dummy-nic.service > /dev/null 2>&1; then if [ -f /lib/systemd/system/dummy-nic.service ]; then DAEMON_RELOAD=true; fi cat > /lib/systemd/system/dummy-nic.service << HERE [Unit] Description=Configure dummy NIC for FreeSWITCH Before=freeswitch.service After=network.target [Service] ExecStart=/sbin/ip addr add $IP dev lo [Install] WantedBy=multi-user.target HERE if [ "$DAEMON_RELOAD" == "true" ]; then systemctl daemon-reload systemctl restart dummy-nic else systemctl enable dummy-nic systemctl start dummy-nic fi fi fi } check_LimitNOFILE() { CPU=$(nproc --all) if [ "$CPU" -ge 8 ]; then if [ -f /lib/systemd/system/bbb-web.service ]; then # Let's create an override file to increase the number of LimitNOFILE mkdir -p /etc/systemd/system/bbb-web.service.d/ cat > /etc/systemd/system/bbb-web.service.d/override.conf << HERE [Service] LimitNOFILE=8192 HERE systemctl daemon-reload fi fi } configure_HTML5() { # Use Google's default STUN server if [ -n "$INTERNAL_IP" ]; then sed -i "s/[;]*externalIPv4=.*/externalIPv4=$IP/g" /etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini sed -i "s/[;]*iceTcp=.*/iceTcp=0/g" /etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini fi # Make the HTML5 client default sed -i 's/^attendeesJoinViaHTML5Client=.*/attendeesJoinViaHTML5Client=true/' $SERVLET_DIR/WEB-INF/classes/bigbluebutton.properties sed -i 's/^moderatorsJoinViaHTML5Client=.*/moderatorsJoinViaHTML5Client=true/' $SERVLET_DIR/WEB-INF/classes/bigbluebutton.properties sed -i 's/swfSlidesRequired=true/swfSlidesRequired=false/g' $SERVLET_DIR/WEB-INF/classes/bigbluebutton.properties } install_greenlight(){ install_docker # Purge older docker compose if dpkg -l | grep -q docker-compose; then apt-get purge -y docker-compose fi if [ ! -x /usr/local/bin/docker-compose ]; then curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose chmod +x /usr/local/bin/docker-compose fi if [ ! -d ~/greenlight ]; then mkdir -p ~/greenlight fi # This will trigger the download of Greenlight docker image (if needed) SECRET_KEY_BASE=$(docker run --rm bigbluebutton/greenlight:v2 bundle exec rake secret) if [ ! -f ~/greenlight/.env ]; then docker run --rm bigbluebutton/greenlight:v2 cat ./sample.env > ~/greenlight/.env fi BIGBLUEBUTTON_URL=$(cat "$SERVLET_DIR/WEB-INF/classes/bigbluebutton.properties" "$BBB_WEB_ETC_CONFIG" | grep -v '#' | sed -n '/^bigbluebutton.web.serverURL/{s/.*=//;p}' | tail -n 1 )/bigbluebutton/ BIGBLUEBUTTON_SECRET=$(cat "$SERVLET_DIR/WEB-INF/classes/bigbluebutton.properties" "$BBB_WEB_ETC_CONFIG" | grep -v '#' | grep ^securitySalt | tail -n 1 | cut -d= -f2) SAFE_HOSTS=$(cat "$SERVLET_DIR/WEB-INF/classes/bigbluebutton.properties" "$BBB_WEB_ETC_CONFIG" | grep -v '#' | sed -n '/^bigbluebutton.web.serverURL/{s/.*=//;p}' | tail -n 1 | sed 's/https\?:\/\///') # Update Greenlight configuration file in ~/greenlight/env sed -i "s|SECRET_KEY_BASE=.*|SECRET_KEY_BASE=$SECRET_KEY_BASE|" ~/greenlight/.env sed -i "s|.*BIGBLUEBUTTON_ENDPOINT=.*|BIGBLUEBUTTON_ENDPOINT=$BIGBLUEBUTTON_URL|" ~/greenlight/.env sed -i "s|.*BIGBLUEBUTTON_SECRET=.*|BIGBLUEBUTTON_SECRET=$BIGBLUEBUTTON_SECRET|" ~/greenlight/.env sed -i "s|SAFE_HOSTS=.*|SAFE_HOSTS=$SAFE_HOSTS|" ~/greenlight/.env # need_pkg bbb-webhooks if [ ! -f /etc/bigbluebutton/nginx/greenlight.nginx ]; then docker run --rm bigbluebutton/greenlight:v2 cat ./greenlight.nginx | tee /etc/bigbluebutton/nginx/greenlight.nginx cat > /etc/bigbluebutton/nginx/greenlight-redirect.nginx << HERE location = / { return 307 /b; } HERE systemctl restart nginx fi if ! gem list | grep -q java_properties; then gem install jwt java_properties fi if [ ! -f ~/greenlight/docker-compose.yml ]; then docker run --rm bigbluebutton/greenlight:v2 cat ./docker-compose.yml > ~/greenlight/docker-compose.yml fi # change the default passwords PGPASSWORD=$(openssl rand -base64 24) sed -i "s,^\([ \t-]*POSTGRES_PASSWORD\)\(=password\),\1=$PGPASSWORD,g" ~/greenlight/docker-compose.yml sed -i "s,^\([ \t]*DB_PASSWORD\)\(=password\),\1=$PGPASSWORD,g" ~/greenlight/.env # Remove old containers if docker ps | grep -q greenlight_db_1; then docker rm -f greenlight_db_1 fi if docker ps | grep -q greenlight-v2; then docker rm -f greenlight-v2 fi if ! docker ps | grep -q greenlight; then docker-compose -f ~/greenlight/docker-compose.yml up -d sleep 5 fi } install_docker() { need_pkg apt-transport-https ca-certificates curl gnupg-agent software-properties-common openssl # Install Docker if ! apt-key list | grep -q Docker; then curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - fi if ! dpkg -l | grep -q docker-ce; then add-apt-repository \ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ $(lsb_release -cs) \ stable" apt-get update need_pkg docker-ce docker-ce-cli containerd.io fi if ! which docker; then err "Docker did not install"; fi # Remove Docker Compose if dpkg -l | grep -q docker-compose; then apt-get purge -y docker-compose fi } install_ssl() { if ! grep -q "$HOST" /usr/local/bigbluebutton/core/scripts/bigbluebutton.yml; then bbb-conf --setip "$HOST" fi mkdir -p /etc/nginx/ssl if [ -z "$PROVIDED_CERTIFICATE" ]; then add-apt-repository universe need_ppa certbot-ubuntu-certbot-xenial.list ppa:certbot/certbot 75BCA694 apt-get update need_pkg certbot fi if [[ ! -f /etc/nginx/ssl/ffdhe2048.pem ]]; then cat >/etc/nginx/ssl/ffdhe2048.pem <<"HERE" -----BEGIN DH PARAMETERS----- MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a 87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi 7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== -----END DH PARAMETERS----- HERE fi if [[ -f /etc/nginx/ssl/dhp-4096.pem ]]; then rm /etc/nginx/ssl/dhp-4096.pem fi if [ ! -f "/etc/letsencrypt/live/$HOST/fullchain.pem" ]; then rm -f /tmp/bigbluebutton.bak if ! grep -q "$HOST" /etc/nginx/sites-available/bigbluebutton; then # make sure we can do the challenge if [ -f /etc/nginx/sites-available/bigbluebutton ]; then cp /etc/nginx/sites-available/bigbluebutton /tmp/bigbluebutton.bak fi cat < /etc/nginx/sites-available/bigbluebutton server_tokens off; server { listen 80; listen [::]:80; server_name $HOST; access_log /var/log/nginx/bigbluebutton.access.log; # BigBlueButton landing page. location / { root /var/www/bigbluebutton-default; index index.html index.htm; expires 1m; } } HERE systemctl restart nginx fi if [ -z "$PROVIDED_CERTIFICATE" ]; then if ! certbot --email "$EMAIL" --agree-tos --rsa-key-size 4096 -w /var/www/bigbluebutton-default/ \ -d "$HOST" --deploy-hook "systemctl reload nginx" "${LETS_ENCRYPT_OPTIONS[@]}" certonly; then systemctl restart nginx err "Let's Encrypt SSL request for $HOST did not succeed - exiting" fi else # Place your fullchain.pem and privkey.pem files in /local/certs/ and bbb-install.sh will deal with the rest. mkdir -p "/etc/letsencrypt/live/$HOST/" ln -s /local/certs/fullchain.pem "/etc/letsencrypt/live/$HOST/fullchain.pem" ln -s /local/certs/privkey.pem "/etc/letsencrypt/live/$HOST/privkey.pem" fi fi cat < /etc/nginx/sites-available/bigbluebutton server_tokens off; server { listen 80; listen [::]:80; server_name $HOST; return 301 https://\$server_name\$request_uri; #redirect HTTP to HTTPS } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name $HOST; ssl_certificate /etc/letsencrypt/live/$HOST/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/$HOST/privkey.pem; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_dhparam /etc/nginx/ssl/ffdhe2048.pem; # HSTS (comment out to enable) #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; access_log /var/log/nginx/bigbluebutton.access.log; # BigBlueButton landing page. location / { root /var/www/bigbluebutton-default; index index.html index.htm; expires 1m; } # Include specific rules for record and playback include /etc/bigbluebutton/nginx/*.nginx; } HERE # Configure rest of BigBlueButton Configuration for SSL xmlstarlet edit --inplace --update '//param[@name="wss-binding"]/@value' --value "$IP:7443" /opt/freeswitch/conf/sip_profiles/external.xml # shellcheck disable=SC1091 eval "$(source /etc/bigbluebutton/bigbluebutton-release && declare -p BIGBLUEBUTTON_RELEASE)" if [[ $BIGBLUEBUTTON_RELEASE == 2.2.* ]] && [[ ${BIGBLUEBUTTON_RELEASE#*.*.} -lt 29 ]]; then sed -i "s/proxy_pass .*/proxy_pass https:\/\/$IP:7443;/g" /etc/bigbluebutton/nginx/sip.nginx else # Use nginx as proxy for WSS -> WS (see https://github.com/bigbluebutton/bigbluebutton/issues/9667) yq w -i /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml public.media.sipjsHackViaWs true sed -i "s/proxy_pass .*/proxy_pass http:\/\/$IP:5066;/g" /etc/bigbluebutton/nginx/sip.nginx xmlstarlet edit --inplace --update '//param[@name="ws-binding"]/@value' --value "$IP:5066" /opt/freeswitch/conf/sip_profiles/external.xml fi sed -i 's/^bigbluebutton.web.serverURL=http:/bigbluebutton.web.serverURL=https:/g' "$SERVLET_DIR/WEB-INF/classes/bigbluebutton.properties" if [ -f "$BBB_WEB_ETC_CONFIG" ]; then sed -i 's/^bigbluebutton.web.serverURL=http:/bigbluebutton.web.serverURL=https:/g' "$BBB_WEB_ETC_CONFIG" fi yq w -i /usr/local/bigbluebutton/core/scripts/bigbluebutton.yml playback_protocol https chmod 644 /usr/local/bigbluebutton/core/scripts/bigbluebutton.yml if [ -f "/var/lib/$TOMCAT_USER/webapps/demo/bbb_api_conf.jsp" ]; then sed -i 's/String BigBlueButtonURL = "http:/String BigBlueButtonURL = "https:/g' "/var/lib/$TOMCAT_USER/webapps/demo/bbb_api_conf.jsp" fi if [ -f /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml ]; then yq w -i /usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml public.note.url "https://$HOST/pad" fi # Update Greenlight (if installed) to use SSL if [ -f ~/greenlight/.env ]; then if ! grep ^BIGBLUEBUTTON_ENDPOINT ~/greenlight/.env | grep -q https; then BIGBLUEBUTTON_URL=$(cat "$SERVLET_DIR/WEB-INF/classes/bigbluebutton.properties" "$BBB_WEB_ETC_CONFIG" | grep -v '#' | sed -n '/^bigbluebutton.web.serverURL/{s/.*=//;p}' | tail -n 1 )/bigbluebutton/ sed -i "s|.*BIGBLUEBUTTON_ENDPOINT=.*|BIGBLUEBUTTON_ENDPOINT=$BIGBLUEBUTTON_URL|" ~/greenlight/.env docker-compose -f ~/greenlight/docker-compose.yml down docker-compose -f ~/greenlight/docker-compose.yml up -d fi fi # Update HTML5 client (if installed) to use SSL if [ -f /usr/share/meteor/bundle/programs/server/assets/app/config/settings-production.json ]; then sed -i "s|\"wsUrl.*|\"wsUrl\": \"wss://$HOST/bbb-webrtc-sfu\",|g" \ /usr/share/meteor/bundle/programs/server/assets/app/config/settings-production.json fi TARGET=/usr/local/bigbluebutton/bbb-webrtc-sfu/config/default.yml if [ -f $TARGET ]; then if grep -q kurentoIp $TARGET; then # 2.0 yq w -i $TARGET kurentoIp "$IP" else # 2.2 yq w -i $TARGET kurento[0].ip "$IP" yq w -i $TARGET freeswitch.ip "$IP" if [[ $BIGBLUEBUTTON_RELEASE == 2.2.* ]] && [[ ${BIGBLUEBUTTON_RELEASE#*.*.} -lt 29 ]]; then if [ -n "$INTERNAL_IP" ]; then yq w -i $TARGET freeswitch.sip_ip "$INTERNAL_IP" else yq w -i $TARGET freeswitch.sip_ip "$IP" fi else # Use nginx as proxy for WSS -> WS (see https://github.com/bigbluebutton/bigbluebutton/issues/9667) yq w -i $TARGET freeswitch.sip_ip "$IP" fi fi chown bigbluebutton:bigbluebutton $TARGET chmod 644 $TARGET fi } configure_coturn() { cat < "$TURN_XML" HERE } install_coturn() { apt-get update apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade need_pkg software-properties-common certbot if ! certbot certonly --standalone --non-interactive --preferred-challenges http \ -d "$COTURN_HOST" --email "$EMAIL" --agree-tos -n ; then err "Let's Encrypt SSL request for $COTURN_HOST did not succeed - exiting" fi need_pkg coturn if [ -n "$INTERNAL_IP" ]; then EXTERNAL_IP="external-ip=$IP/$INTERNAL_IP" fi cat < /etc/turnserver.conf listening-port=3478 tls-listening-port=443 listening-ip=$IP relay-ip=$IP $EXTERNAL_IP min-port=32769 max-port=65535 verbose fingerprint lt-cred-mech use-auth-secret static-auth-secret=$COTURN_SECRET realm=$(echo "$COTURN_HOST" | cut -d'.' -f2-) cert=/etc/turnserver/fullchain.pem pkey=/etc/turnserver/privkey.pem # From https://ssl-config.mozilla.org/ Intermediate, openssl 1.1.0g, 2020-01 cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" dh-file=/etc/turnserver/ffdhe2048.pem keep-address-family no-cli no-tlsv1 no-tlsv1_1 HERE mkdir -p /etc/turnserver if [[ ! -f /etc/turnserver/ffdhe2048.pem ]]; then cat >/etc/turnserver/ffdhe2048.pem <<"HERE" -----BEGIN DH PARAMETERS----- MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a 87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi 7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== -----END DH PARAMETERS----- HERE fi if [[ -f /etc/turnserver/dhp.pem ]]; then rm /etc/turnserver/dhp.pem fi mkdir -p /var/log/turnserver chown turnserver:turnserver /var/log/turnserver cat < /etc/logrotate.d/coturn /var/log/turnserver/*.log { rotate 7 daily missingok notifempty compress postrotate /bin/systemctl kill -s HUP coturn.service endscript } HERE # Eanble coturn to bind to port 443 with CAP_NET_BIND_SERVICE mkdir -p /etc/systemd/system/coturn.service.d rm -rf /etc/systemd/system/coturn.service.d/ansible.conf # Remove previous file cat > /etc/systemd/system/coturn.service.d/override.conf < /etc/letsencrypt/renewal-hooks/deploy/coturn < /etc/bigbluebutton/bbb-conf/apply-config.sh << HERE #!/bin/bash # Pull in the helper functions for configuring BigBlueButton source /etc/bigbluebutton/bbb-conf/apply-lib.sh enableUFWRules HERE chmod +x /etc/bigbluebutton/bbb-conf/apply-config.sh fi } main "$@" || exit 1