Docker + Nginx

This guide shows how to deploy VoceSpace to production with Docker and Nginx, and how to configure HTTPS certificates so that client traffic is encrypted.

How to get key and secret?

1. Copy Basic Configuration

The following is the basic VoceSpace configuration. Copy it into a file named vocespace.conf.json and fill in your own values; the file is mounted into the container when you start it in step 2.

{
  "livekit": {
    "key": "devkey",
    "secret": "secret",
    "url": "wss://your.server.name"
  },
  "codec": "vp9",
  "resolution": "1080p",
  "maxBitrate": 3000000,
  "maxFramerate": 30,
  "priority": "medium",
  "redis": {
    "enabled": true,
    "host": "your.ip",
    "port": 6379,
    "password": "vocespace",
    "db": 0
  },
  "server_url": "your.server.name"
}
WARNING

your.ip: the IP address of the host machine. Run ifconfig | grep inet to find it:

inet 127.0.0.1 netmask 0xff000000
inet 192.168.31.138 netmask 0xffffff00 broadcast 192.168.31.255

In this example the host machine IP is 192.168.31.138 (the 127.0.0.1 entry is the loopback interface).

your.server.name: the domain name the deployment will be reachable at

2. Use Docker to deploy applications

Get VoceSpace Images

VoceSpace contains two images:

  • amd: privoce/vocespace:latest
  • arm: privoce/vocespace:latest_arm

Check your server's CPU architecture before choosing; see the help page "View your own Linux architecture".

# amd
docker pull privoce/vocespace:latest
# arm
docker pull privoce/vocespace:latest_arm

Start Container

Before configuring the Nginx reverse proxy, start the backend service container.

docker run -d \
  -p 3000:3000 \
  -v ${PWD}/vocespace.conf.json:/app/vocespace.conf.json \
  --name vocespace \
  privoce/vocespace:latest
NOTE
  • -p 3000:3000: map the container's port 3000 to port 3000 on the host. Because Nginx (configured below) forwards to 127.0.0.1:3000, the port does not need to be reachable from outside the host; -p 127.0.0.1:3000:3000 publishes it on the loopback interface only.
  • -v ${PWD}/vocespace.conf.json:/app/vocespace.conf.json: mount the configuration file from step 1 into the container (${PWD} must be the directory that contains it).
  • --name: name the container for easier management later.
  • On an arm server use the privoce/vocespace:latest_arm image instead.

3. Install and configure Nginx

3.1 Install Nginx and Certbot

Make sure the system is up to date and install the required packages:

apt update
apt install nginx certbot python3-certbot-nginx -y
WARNING
  • If you are using CentOS or another non-Debian distribution, use the corresponding package manager command instead (such as yum or dnf).
  • certbot and python3-certbot-nginx are the tools that obtain the certificate and configure HTTPS automatically.

3.2 Configure nginx.conf (global configuration; usually left unchanged)

Path: /etc/nginx/nginx.conf

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    keepalive_timeout  65;

    include /etc/nginx/conf.d/*.conf;
}
NOTE
  • This is the global configuration and rarely needs to be changed.
  • Enable logrotate for the log directory so that the logs cannot fill the disk.

3.3 Configure the site file (virtual host configuration)

Recommended path: /etc/nginx/sites-enabled/vocespace or /etc/nginx/conf.d/vocespace

First, create a minimal configuration that only redirects HTTP to HTTPS:

# HTTP to HTTPS redirection
server {
    listen 80;
    listen [::]:80;

    server_name your.server.name;

    # No server-level "return" here: Nginx evaluates a server-level return
    # before selecting a location, which would make this redirect unreachable.
    location / {
        return 301 https://$host$request_uri;
    }
}

3.4 Obtain an HTTPS certificate with Certbot

Make sure the domain name resolves to the server's IP address at your DNS provider.

Certificate issuance command

certbot --nginx -d your.server.name --register-unsafely-without-email
NOTE
  • --nginx: Certbot modifies your Nginx configuration automatically to enable HTTPS.
  • --register-unsafely-without-email: do not bind an email address to the account. Not recommended for production; use --email your@email.com instead so that expiry notices reach you.

Verify the Nginx configuration and reload

nginx -t
systemctl reload nginx

3.5 Complete the HTTPS configuration

# HTTPS reverse proxy configuration
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name your.server.name;

    ssl_certificate /etc/letsencrypt/live/your.server.name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.server.name/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Application main service (front-end and back-end web interface)
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # WebRTC signalling proxy (port and path depend on the project)
    location /rtc {
        proxy_pass http://127.0.0.1:7880;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
    }

    # Socket.IO real-time communication proxy; not needed here, kept for reference
    # location /socket.io {
    #    proxy_pass http://127.0.0.1:3000;
    #    proxy_http_version 1.1;
    #    proxy_set_header Upgrade $http_upgrade;
    #    proxy_set_header Connection "Upgrade";
    #    proxy_set_header Host $host;
    #    proxy_set_header X-Real-IP $remote_addr;
    #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #    proxy_set_header X-Forwarded-Proto $scheme;
    #    proxy_cache_bypass $http_upgrade;
    # }
}
WARNING
  • server_name must match the domain name the certificate was actually issued for.
  • Make sure the files in /etc/letsencrypt/live/your.server.name/ exist before reloading; they, together with options-ssl-nginx.conf and ssl-dhparams.pem, are generated by certbot.

3.6 Start Nginx and check its status

# Check that the configuration is valid
nginx -t

# Reload the configuration (recommended) or restart the service
systemctl reload nginx
# or
systemctl restart nginx

4. Start livekit-server

As with a local deployment, livekit-server must be running to provide WebRTC. You can download the binary and start it as in the local deployment guide, or run it with Docker.

Local deployment:

Download livekit-server

curl -sSL https://get.livekit.io | bash

Once the download completes, the binary is usually installed at /usr/local/bin/livekit-server.

Create configuration

We provide a minimal configuration to help you deploy quickly. First, create the configuration file /etc/livekit.yml (for example with vim /etc/livekit.yml):

port: 7880
bind_addresses:
    - "0.0.0.0"
rtc:
    tcp_port: 7881
    port_range_start: 50000
    port_range_end: 60000
    use_external_ip: true
    enable_loopback_candidate: false
turn:
    enabled: false
    domain: turn.vocespace.xyz
    tls_port: 5349
    udp_port: 3478
    external_tls: true
keys:
  devkey: secret
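The key/secret pair in vocespace.conf.json (step 1) must match an entry under keys: in /etc/livekit.yml, and livekit.url must use wss:// because the application is served over HTTPS. The following script is an added example, not part of VoceSpace, that cross-checks the two files before you start the container and livekit-server; it assumes python3 is available and that livekit.yml uses the minimal layout shown above.

```shell
#!/usr/bin/env bash
# Cross-check vocespace.conf.json against /etc/livekit.yml before starting the
# container. Added example, not VoceSpace's own tooling; assumes python3 is
# installed (python3-certbot-nginx, installed above, already depends on it).

# Print the value at a dotted path in a JSON file, e.g. json_get f.json livekit.url
json_get() {
  python3 - "$1" "$2" <<'PY'
import json, sys
obj = json.load(open(sys.argv[1]))
for part in sys.argv[2].split('.'):
    obj = obj[part]
print(obj)
PY
}

# Secret registered for an API key in the "keys:" block of livekit.yml.
# Assumes the minimal layout shown above: "keys:" then indented "key: secret" lines.
livekit_secret_for() {
  awk -v key="$2" '
    /^keys:/                  { inkeys = 1; next }
    inkeys && /^[^ ]/         { inkeys = 0 }
    inkeys && $1 == (key ":") { print $2; exit }
  ' "$1"
}

# Returns 0 when both files agree, 1 with the reason on stderr otherwise.
check_vocespace_config() {
  local conf="$1" lk="$2" key secret url lk_secret
  key=$(json_get "$conf" livekit.key)       || return 1
  secret=$(json_get "$conf" livekit.secret) || return 1
  url=$(json_get "$conf" livekit.url)       || return 1
  # The app is served over HTTPS, so the browser will only open wss:// to LiveKit.
  case "$url" in
    wss://*) ;;
    *) echo "livekit.url must use wss://, got: $url" >&2; return 1 ;;
  esac
  lk_secret=$(livekit_secret_for "$lk" "$key")
  if [ -z "$lk_secret" ]; then
    echo "key '$key' is not listed under keys: in $lk" >&2; return 1
  fi
  if [ "$lk_secret" != "$secret" ]; then
    echo "secret for '$key' differs between $conf and $lk" >&2; return 1
  fi
  return 0
}
```

Run it as check_vocespace_config ./vocespace.conf.json /etc/livekit.yml from the directory you will start the container in; a non-zero exit means the two files disagree.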

Start in the background using nohup

With nohup you can run livekit-server in the background and write its logs to /usr/local/bin/logs/livekit_output.log for easy viewing (the logs directory must exist before you run the command):

nohup /usr/local/bin/livekit-server --config /etc/livekit.yml > /usr/local/bin/logs/livekit_output.log 2>&1 &

5. Download and start Redis

macOS (Homebrew):

brew install redis
brew services start redis -- --requirepass "vocespace" --bind 0.0.0.0 --protected-mode no

Cloud Server Description

Configure Security Group/Firewall

When using cloud servers, such as Alibaba Cloud, Tencent Cloud, Google Cloud, etc., you need to configure the security group/firewall of the server.

port           type  direction  allowed address  IP version
3000           tcp   ingress    0.0.0.0/0        IPv4
3000           tcp   egress     0.0.0.0/0        IPv4
7880           tcp   ingress    0.0.0.0/0        IPv4
7881           tcp   ingress    0.0.0.0/0        IPv4
80             tcp   ingress    0.0.0.0/0        IPv4
443            tcp   ingress    0.0.0.0/0        IPv4
50000~60000    udp   ingress    0.0.0.0/0        IPv4

Additional suggestions

Automatic certificate renewal:

# Test renewal
certbot renew --dry-run

Open the ports in the host firewall (if using ufw):

ufw allow 'Nginx Full'

TLS hardening: you can add the following to nginx.conf (inside the http block) so that only TLS 1.2 and 1.3 are negotiated:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
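To catch the mistakes this page warns about (a server_name that does not match the certificate directory, a proxy_pass that leaves the loopback interface, legacy TLS versions, a port-80 server that does not redirect), the following added example audits a site file such as /etc/nginx/sites-enabled/vocespace. It is not part of VoceSpace or Nginx; the checks are grep/sed based and assume one directive per line, as in the configuration above.

```shell
#!/usr/bin/env bash
# Audit an Nginx site file (e.g. /etc/nginx/sites-enabled/vocespace) for the
# points made on this page. Added example, not VoceSpace's or Nginx's tooling.

# Drop comment lines so the commented-out /socket.io block above is not audited.
nginx_active_lines() { grep -v '^[[:space:]]*#' "$1"; }

# Prints one finding per line; returns 1 when anything was found, 0 when clean.
audit_nginx_site() {
  local file="$1" findings=0 active line target names cert_dir
  active=$(nginx_active_lines "$file")
  # 1. TLS versions: if ssl_protocols is set it must allow only 1.2/1.3; if it
  #    is absent, certbot's options-ssl-nginx.conf include must supply it.
  line=$(printf '%s\n' "$active" | grep '^[[:space:]]*ssl_protocols' | head -n 1)
  if [ -n "$line" ]; then
    if printf '%s\n' "$line" | grep -qE 'SSLv|TLSv1(\.[01])?[[:space:];]'; then
      echo "ssl_protocols allows legacy versions: $line"; findings=1
    fi
  elif ! printf '%s\n' "$active" | grep -q 'options-ssl-nginx.conf'; then
    echo "no ssl_protocols and no certbot include; add: ssl_protocols TLSv1.2 TLSv1.3;"; findings=1
  fi

  # 2. proxy_pass is cleartext HTTP, so every upstream must be on loopback.
  for target in $(printf '%s\n' "$active" |
      sed -nE 's/^[[:space:]]*proxy_pass[[:space:]]+([^;]+);.*/\1/p'); do
    case "$target" in
      http://127.0.0.1:*|http://localhost:*) ;;
      *) echo "proxy_pass to non-loopback upstream: $target"; findings=1 ;;
    esac
  done

  # 3. The Let's Encrypt directory must belong to a configured server_name.
  names=$(printf '%s\n' "$active" |
      sed -nE 's/^[[:space:]]*server_name[[:space:]]+([^;]+);.*/\1/p' | tr '\n' ' ')
  for cert_dir in $(printf '%s\n' "$active" |
      sed -nE 's#^[[:space:]]*ssl_certificate(_key)?[[:space:]]+/etc/letsencrypt/live/([^/]+)/.*#\2#p' |
      sort -u); do
    case " $names " in
      *" $cert_dir "*) ;;
      *) echo "certificate dir '$cert_dir' does not match server_name: $names"; findings=1 ;;
    esac
  done

  # 4. A port-80 server must only redirect to HTTPS (the first server block above).
  if printf '%s\n' "$active" | grep -q 'listen[[:space:]]*80;' &&
     ! printf '%s\n' "$active" | grep -q 'return 301 https://'; then
    echo "port 80 is served without a redirect to HTTPS"; findings=1
  fi
  return "$findings"
}
```

Run audit_nginx_site /etc/nginx/sites-enabled/vocespace before nginx -t; nginx -t validates syntax, this checks intent.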