From 31d8255b5454406e4437e94a1e38e4420e11b355 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mai=20G=C3=A1bor?=
Date: Wed, 18 May 2022 15:28:18 +0200
Subject: [PATCH 1/4] update proxymd location
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index e32a6384..269dfb6a 100644
--- a/README.md
+++ b/README.md
@@ -248,7 +248,7 @@ sudo systemctl enable edumeet
 ## Load balanced installation
-To deploy this as a load balanced cluster, have a look at [HAproxy](HAproxy.md).
+To deploy this as a load balanced cluster, have a look at [HAproxy](/docs/HAproxy.md).
 ## Learning management integration
From df35af971c0bfa7d208720bdf4cc2adb5432ab28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mai=20G=C3=A1bor?=
Date: Wed, 18 May 2022 15:28:50 +0200
Subject: [PATCH 2/4] add haproxy 2.2 installation and cofig guide
---
 docs/HAproxy.md | 117 +++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 105 insertions(+), 12 deletions(-)
diff --git a/docs/HAproxy.md b/docs/HAproxy.md
index 2166f393..bd3a1060 100644
--- a/docs/HAproxy.md
+++ b/docs/HAproxy.md
@@ -80,22 +80,115 @@ trustProxy : ['192.0.2.5'],
 * Install and setup haproxy
 `apt install haproxy`
+* Install haproxy 2.2 (recommend)
+ sudo apt-get install gnupg2 curl -y
+curl https://haproxy.debian.net/bernat.debian.org.gpg | sudo apt-key add -
+echo deb http://haproxy.debian.net buster-backports-2.2 main | sudo tee /etc/apt/sources.list.d/haproxy.list
+sudo apt-get update
+apt-get install haproxy=2.2.\*
+
+sudo systemctl start haproxy
+sudo systemctl enable haproxy
+
 * Add to /etc/haproxy/haproxy.cfg config
 ``` plaintext
- backend edumeet
- balance url_param roomId
- hash-type consistent
- server mm1 192.0.2.1:80 check maxconn 2000 verify none
- server mm2 192.0.2.2:80 check maxconn 2000 verify none
- server mm3 192.0.2.3:80 check maxconn 2000 verify none
+global
+ # mult thread setup
+ nbproc 1
+ nbthread 4
+ cpu-map auto:1/1-4 0-3
+
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats socket /run/haproxy.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+ ssl-default-bind-options no-sslv3
+ tune.ssl.default-dh-param 2048
+ maxconn 20000
+
+defaults
+ log global
+ mode http
+ option httplog
+ #option logasap
+ #option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+ maxconn 8192
+
+backend letsmeet-room-backend
+ fullconn 4000
+ balance url_param roomId
+ hash-type consistent
+ stick-table type string len 1024 size 100k expire 8h
+ stick store-request url_param(roomId)
+ stick match url_param(roomId)
+ stick match url_param(state),url_dec,b64dec,field(8,'\"')
+
+ server edumeet1 192.0.2.1:80 check maxconn 2000 verify none
+ server edumeet2 192.0.2.2:80 check maxconn 1000 verify none
+ server edumeet3 192.0.2.3:80 check maxconn 1000 verify none
+
+backend letsmeet-backend
+ fullconn 4000
+ balance leastconn
+ stick-table type ip size 200k expire 30m
+ stick on src
+ hash-type consistent
+
+ server edumeet1 192.0.2.1:80 check maxconn 2000 verify none
+ server edumeet2 192.0.2.2:80 check maxconn 1000 verify none
+ server edumeet3 192.0.2.3:80 check maxconn 1000 verify none
+
+frontend letsmeet
+ bind *:80
+ bind*:443 ssl crt /etc/ssl/edumeet.example.com/edumeet.example.com.pem alpn h2,http/1.1
+ http-request redirect scheme https if !{ ssl_fc }
+ http-request add-header X-Forwarded-Proto https
+ stats enable
+ stats uri /static/stats
+ #stats hide-version
+ stats refresh 10s
+ stats admin if TRUE
+ #stats admin if LOCALHOST
+ stats realm Haproxy\ Statistics
+ stats auth admin:password
+
+ maxconn 6000
+ acl roomId-acl url_param(roomId) -m found
+ acl callback-acl path_beg /auth/callback
+ use_backend letsmeet-room-backend if roomId-acl || callback-acl
+ default_backend letsmeet-backend
- frontend meet.example.com
- bind 192.0.2.5:80
- bind 192.0.2.5:443 ssl crt /root/certificate.pem
- http-request redirect scheme https unless { ssl_fc }
- reqadd X-Forwarded-Proto:\ https
- default_backend edumeet
 ```
+
+Creating cert with letsencrypt
+
+sudo cat /etc/letsencrypt/live/edumeet.example.com/fullchain.pem /etc/letsencrypt/live/edumeet.example.com/privkey.pem | sudo tee /etc/ssl/edumeet.example.com/edumeet.example.com.pem
From e41501ab5eb2c2d7aeedc37326d92ace7ba83f05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mai=20G=C3=A1bor?=
Date: Wed, 18 May 2022 15:30:21 +0200
Subject: [PATCH 3/4] fix formating
---
 docs/HAproxy.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/docs/HAproxy.md b/docs/HAproxy.md
index bd3a1060..5081d6db 100644
--- a/docs/HAproxy.md
+++ b/docs/HAproxy.md
@@ -95,7 +95,7 @@ sudo systemctl enable haproxy
 ``` plaintext
-global
+ global
 # mult thread setup
 nbproc 1
 nbthread 4
@@ -125,7 +125,7 @@ global
 tune.ssl.default-dh-param 2048
 maxconn 20000
-defaults
+ defaults
 log global
 mode http
 option httplog
@@ -143,7 +143,7 @@ defaults
 errorfile 504 /etc/haproxy/errors/504.http
 maxconn 8192
-backend letsmeet-room-backend
+ backend letsmeet-room-backend
 fullconn 4000
 balance url_param roomId
 hash-type consistent
@@ -156,7 +156,7 @@ backend letsmeet-room-backend
 server edumeet2 192.0.2.2:80 check maxconn 1000 verify none
 server edumeet3 192.0.2.3:80 check maxconn 1000 verify none
-backend letsmeet-backend
+ backend letsmeet-backend
 fullconn 4000
 balance leastconn
 stick-table type ip size 200k expire 30m
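Review bot: The frontend `letsmeet` added in this hunk binds `*:80` and `*:443` and enables the stats page with `stats admin if TRUE` together with `stats auth admin:password`, so anyone who reaches `/static/stats` with that sample credential can take backend servers in and out of service from the internet; the hunk itself already carries the safer `#stats admin if LOCALHOST` as a comment. Suggest making that the live line, `stats admin if LOCALHOST`, leaving `stats admin if TRUE` commented out, and replacing the password with an obvious placeholder such as `stats auth admin:<choose-a-strong-password>` so readers do not deploy the doc value verbatim. A short sentence under the config block saying that `stats uri` should only be reachable from an internal bind or an ACL-restricted source would round this out. The later patches in this series only re-indent the surrounding lines and leave these directives unchanged.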
@@ -167,7 +167,7 @@ backend letsmeet-backend
 server edumeet2 192.0.2.2:80 check maxconn 1000 verify none
 server edumeet3 192.0.2.3:80 check maxconn 1000 verify none
-frontend letsmeet
+ frontend letsmeet
 bind *:80
 bind*:443 ssl crt /etc/ssl/edumeet.example.com/edumeet.example.com.pem alpn h2,http/1.1
 http-request redirect scheme https if !{ ssl_fc }
From 0076b6e83148934fdcc99690f22e23f7e8933145 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mai=20G=C3=A1bor?=
Date: Fri, 20 May 2022 14:38:03 +0200
Subject: [PATCH 4/4] update formating, example, typo
---
 docs/HAproxy.md | 116 ++++++++++++++++++++++++++----------------------
 1 file changed, 62 insertions(+), 54 deletions(-)
diff --git a/docs/HAproxy.md b/docs/HAproxy.md
index 5081d6db..14dc05b9 100644
--- a/docs/HAproxy.md
+++ b/docs/HAproxy.md
@@ -64,13 +64,17 @@ OR
 ### Server config
-mm/configs/server/config.js
-
-``` js
-redisOptions : { host: '192.0.2.4'},
-listeningPort: 80,
-httpOnly: true,
-trustProxy : ['192.0.2.5'],
+config.yaml
+``` yaml
+turnAPIKey : ""
+turnAPIURI : ""
+listeningPort : 80
+httpOnly : true
+trustProxy : "192.0.2.5"
+redisOptions:
+ host: "192.0.2.4"
+ port: "6379"
+ password: "passwd"
 ```
 ## Deploy HA proxy
@@ -78,10 +82,12 @@ trustProxy : ['192.0.2.5'],
 * Configure certificate / letsencrypt for `meet.example.com`
 * In this example we put a complete chain and private key in /root/certificate.pem.
 * Install and setup haproxy
-
- `apt install haproxy`
-* Install haproxy 2.2 (recommend)
- sudo apt-get install gnupg2 curl -y
+```bash
+apt install haproxy
+```
+* Install haproxy 2.2 (recommended)
+``` bash
+sudo apt-get install gnupg2 curl -y
 curl https://haproxy.debian.net/bernat.debian.org.gpg | sudo apt-key add -
 echo deb http://haproxy.debian.net buster-backports-2.2 main | sudo tee /etc/apt/sources.list.d/haproxy.list
 sudo apt-get update
@@ -89,59 +95,59 @@ apt-get install haproxy=2.2.\*
 sudo systemctl start haproxy
 sudo systemctl enable haproxy
-
+```
 * Add to /etc/haproxy/haproxy.cfg config
 ``` plaintext
 global
- # mult thread setup
- nbproc 1
- nbthread 4
- cpu-map auto:1/1-4 0-3
+ # mult thread setup
+ nbproc 1
+ nbthread 4
+ cpu-map auto:1/1-4 0-3
- log /dev/log local0
- log /dev/log local1 notice
- chroot /var/lib/haproxy
- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
- stats socket /run/haproxy.sock mode 660 level admin
- stats timeout 30s
- user haproxy
- group haproxy
- daemon
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats socket /run/haproxy.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
- # Default SSL material locations
- ca-base /etc/ssl/certs
- crt-base /etc/ssl/private
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
- # Default ciphers to use on SSL-enabled listening sockets.
- # For more information, see ciphers(1SSL). This list is from:
- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- # An alternative list with additional directives can be obtained from
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
- ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
- ssl-default-bind-options no-sslv3
- tune.ssl.default-dh-param 2048
- maxconn 20000
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+ ssl-default-bind-options no-sslv3
+ tune.ssl.default-dh-param 2048
+ maxconn 20000
 defaults
- log global
- mode http
- option httplog
- #option logasap
- #option dontlognull
- timeout connect 5000
- timeout client 50000
- timeout server 50000
- errorfile 400 /etc/haproxy/errors/400.http
- errorfile 403 /etc/haproxy/errors/403.http
- errorfile 408 /etc/haproxy/errors/408.http
- errorfile 500 /etc/haproxy/errors/500.http
- errorfile 502 /etc/haproxy/errors/502.http
- errorfile 503 /etc/haproxy/errors/503.http
- errorfile 504 /etc/haproxy/errors/504.http
- maxconn 8192
+ log global
+ mode http
+ option httplog
+ #option logasap
+ #option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+ maxconn 8192
 backend letsmeet-room-backend
 fullconn 4000
@@ -189,6 +195,8 @@ sudo systemctl enable haproxy
 ```
-Creating cert with letsencrypt
+* Creating cert with letsencrypt :
+``` bash
 sudo cat /etc/letsencrypt/live/edumeet.example.com/fullchain.pem /etc/letsencrypt/live/edumeet.example.com/privkey.pem | sudo tee /etc/ssl/edumeet.example.com/edumeet.example.com.pem
+```