Configuring HTTPS on BigBlueButton
Posted by Thang Le Toan on 03 April 2016 03:21 AM

Configure BigBlueButton to use a domain name

In order to obtain a valid SSL certificate for your server, you must configure the server to use a domain name that you own or control.

For the purposes of documentation, we will be using the domain name “example.com”, with a BigBlueButton server hosted at “bigbluebutton.example.com”.

Please run the commands as root.

Once you have a domain name and have configured it with a DNS host, add an A record pointing to your server. You can then use the bbb-conf setip command to configure BigBlueButton to use that domain name, for example:

bbb-conf --setip bigbluebutton.example.com

Note: Before going through the steps, be sure to upgrade your server to the latest release of 0.9.x.

Obtain an SSL certificate

In order to serve BigBlueButton over HTTPS, you need to have a valid SSL certificate. A domain validated (sometimes called “class 1”) certificate with a 2048 bit RSA key and SHA-256 checksum is the current recommended minimum, and it should be sufficient.

There are a number of providers that you could obtain a certificate from. Many domain name sales companies also offer certificates.

Some well known large providers of SSL certificates include Comodo, Symantec, GoDaddy, GlobalSign, and DigiCert. In addition, free SSL certificates are available from StartSSL and CACert, with some caveats: StartSSL certificates can’t be revoked without paying a service fee, and most people do not have the root for CACert installed in their web browser.

Each provider will give you a series of steps for generating the certificate, but they will normally include generating a private key and certificate request locally, sending the certificate request to be signed, and then receiving back the signed certificate after they have performed any required verification steps.

To install the certificate in BigBlueButton, you will need to have files for the certificate, private key, and any intermediate certificates in PEM format.

Configure nginx to use HTTPS

Depending on your CA, you should now have 2 or more files, as follows:

  • Certificate
  • Private key
  • Intermediate certificate (there may be more than one, or could be none)

The next step is to install the files on the server.

Create the directory /etc/nginx/ssl:

mkdir /etc/nginx/ssl

And now create the private key file for nginx to use (replace the hostname in the filename with your own). In addition, fix the permissions so that only root can read the private key:

cat >/etc/nginx/ssl/bigbluebutton.example.com.key <<'END'
Paste the contents of your key file here
END
chmod 0600 /etc/nginx/ssl/bigbluebutton.example.com.key

And the certificate file. Note that nginx needs your server certificate and the list of intermediate certificates together in one file (replace the hostname in the filename with your own):

cat >/etc/nginx/ssl/bigbluebutton.example.com.crt <<'END'
Paste (in order) the contents of the following files:
  1. The signed certificate from the CA
  2. In order, each intermediate certificate provided by the CA (but do not include the root).
END
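A common mistake at this step is a key file left world-readable, or a private key pasted into the certificate bundle along with the certificates. The following checker is an added example, not part of the original article: it verifies the permissions and PEM structure of the two files created above and, when the openssl CLI is available, that the first certificate in the bundle belongs to the private key (RSA only). The sample files it builds are constructed placeholders, not real key material, so the demonstration skips the openssl comparison.

```python
"""Sanity-check the nginx TLS key and certificate bundle before restarting nginx."""
import os
import re
import shutil
import stat
import subprocess
import tempfile

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
PEM_KEY = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")


def _modulus(kind, path):
    """RSA modulus of a key ('rsa') or certificate ('x509') via openssl; None if unavailable."""
    if shutil.which("openssl") is None:
        return None
    r = subprocess.run(["openssl", kind, "-in", path, "-noout", "-modulus"],
                       capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None


def check_tls_files(crt_path, key_path, use_openssl=True):
    """Return a list of problems; an empty list means the files look sane."""
    problems = []
    try:
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
    except FileNotFoundError:
        return [f"key file missing: {key_path}"]
    # chmod 0600 above: any group/other bit means the key is readable by non-root users.
    if mode & 0o077:
        problems.append(f"key file mode is {mode:04o}; expected 0600 (root only)")
    with open(key_path) as f:
        key_text = f.read()
    if not PEM_KEY.search(key_text):
        problems.append("key file has no PEM PRIVATE KEY block")
    try:
        with open(crt_path) as f:
            crt_text = f.read()
    except FileNotFoundError:
        return problems + [f"certificate file missing: {crt_path}"]
    if not PEM_CERT.search(crt_text):
        problems.append("certificate file has no PEM CERTIFICATE block")
    if PEM_KEY.search(crt_text):
        problems.append("certificate file contains a private key; it must hold certificates only")
    if use_openssl:
        # openssl x509 reports the first certificate in the bundle, which must be the leaf.
        cert_mod, key_mod = _modulus("x509", crt_path), _modulus("rsa", key_path)
        if cert_mod and key_mod and cert_mod != key_mod:
            problems.append("first certificate in the bundle does not match the private key")
    return problems


# Constructed placeholder PEM blocks (not real certificates or keys), used only for the demo.
FAKE_CERT = ("-----BEGIN CERTIFICATE-----\n"
             "placeholder-not-a-real-certificate\n"
             "-----END CERTIFICATE-----\n")
FAKE_KEY = ("-----BEGIN PRIVATE KEY-----\n"
            "placeholder-not-a-real-key\n"
            "-----END PRIVATE KEY-----\n")


def write_sample(directory, sloppy=False):
    """Write a key and a leaf+intermediate bundle; 'sloppy' reproduces two typical mistakes."""
    crt = os.path.join(directory, "bigbluebutton.example.com.crt")
    key = os.path.join(directory, "bigbluebutton.example.com.key")
    with open(key, "w") as f:
        f.write(FAKE_KEY)
    os.chmod(key, 0o644 if sloppy else 0o600)   # sloppy: key readable by everyone
    with open(crt, "w") as f:
        f.write(FAKE_CERT * 2)                   # leaf first, then one intermediate
        if sloppy:
            f.write(FAKE_KEY)                    # sloppy: key pasted into the bundle
    return crt, key


def run_demo():
    """Check a correct and a sloppy install; returns {'good': [...], 'sloppy': [...]}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, sloppy in (("good", False), ("sloppy", True)):
            crt, key = write_sample(d, sloppy)
            results[label] = check_tls_files(crt, key, use_openssl=False)
    return results


if __name__ == "__main__":
    for label, problems in run_demo().items():
        print(label, problems or "OK")
```

On a real server run check_tls_files with the two paths under /etc/nginx/ssl and the default use_openssl=True; the modulus comparison then catches a key that belongs to an earlier certificate request.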

In addition, we’ll generate a set of 2048-bit Diffie-Hellman parameters to improve security for some types of ciphers. This step can take several minutes to complete, particularly if run on a virtual machine.

openssl dhparam -out /etc/nginx/ssl/dhp-2048.pem 2048

Now we can edit the nginx configuration to use SSL. Edit the file /etc/nginx/sites-available/bigbluebutton to add the marked lines. Ensure that you’re using the correct filenames to match the certificate and key files you created above.

server {
  server_name bigbluebutton.example.com;
  listen 80;
  listen 443 ssl;
  ssl_certificate /etc/nginx/ssl/bigbluebutton.example.com.crt;
  ssl_certificate_key /etc/nginx/ssl/bigbluebutton.example.com.key;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/nginx/ssl/dhp-2048.pem;
  [...]

For reference, note that the SSL settings used above are based on those proposed in https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ and provide support for all modern browsers (including IE8, but not IE6, on Windows XP). Please note that recommended SSL settings are subject to change as new vulnerabilities are found.
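Because the recommended settings drift over time, it helps to have a repeatable check of the ssl_* directives rather than re-reading the block by eye. The linter below is an added example, not part of the original article or of BigBlueButton: it parses the ssl_* lines of an nginx server block and flags protocols deprecated by RFC 8996 (TLS 1.0 and 1.1), enabled cipher entries that use 3DES, RC4, MD5 or NULL, a disabled ssl_prefer_server_ciphers, and finite-field DH suites used without ssl_dhparam. PAGE_CONF is a copy of the block shown above; TIGHTENED_CONF is an assumed variant with TLS 1.2 only and the 3DES entries dropped.

```python
import re

# One "ssl_xxx value;" directive per line, as in the server block above.
DIRECTIVE = re.compile(r'^\s*(ssl_\w+)\s+(.+?);\s*$', re.M)
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # TLS 1.0/1.1: RFC 8996
WEAK_CIPHER_TOKENS = ("3DES", "DES", "RC4", "MD5", "NULL", "EXP")
DH_KEX = {"DH", "DHE", "EDH", "kDHE", "kEDH"}   # finite-field DH key exchange needs ssl_dhparam

# Copy of the page's server block, embedded here for the demonstration.
PAGE_CONF = """
server {
  server_name bigbluebutton.example.com;
  listen 80;
  listen 443 ssl;
  ssl_certificate /etc/nginx/ssl/bigbluebutton.example.com.crt;
  ssl_certificate_key /etc/nginx/ssl/bigbluebutton.example.com.key;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/nginx/ssl/dhp-2048.pem;
}
"""

# Assumed tightened variant (not from the page): TLS 1.2 only, no 3DES suites.
TIGHTENED_CONF = PAGE_CONF.replace(
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2;"
).replace(
    'ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";',
    'ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS";',
)


def parse_ssl_directives(conf_text):
    """Map each ssl_* directive to its unquoted value; the last occurrence wins."""
    return {name: value.strip().strip('"') for name, value in DIRECTIVE.findall(conf_text)}


def lint_nginx_tls(conf_text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    d = parse_ssl_directives(conf_text)
    findings = []
    for proto in d.get("ssl_protocols", "").split():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"ssl_protocols: {proto} is deprecated (RFC 8996); keep TLSv1.2 or newer")
    # Entries starting with '!' or '-' are exclusions, not enabled suites.
    suites = [s for s in d.get("ssl_ciphers", "").split(":") if s and not s.startswith(("!", "-"))]
    for suite in suites:
        if any(tok in suite.upper() for tok in WEAK_CIPHER_TOKENS):
            findings.append(f"ssl_ciphers: {suite} enables a weak or legacy algorithm")
    if d.get("ssl_prefer_server_ciphers", "off") != "on":
        findings.append("ssl_prefer_server_ciphers should be on so the server's preference order wins")
    if any(s.split("+")[0] in DH_KEX for s in suites) and "ssl_dhparam" not in d:
        findings.append("DH suites enabled without ssl_dhparam; nginx falls back to its built-in group")
    return findings


if __name__ == "__main__":
    for label, conf in (("page config", PAGE_CONF), ("tightened config", TIGHTENED_CONF)):
        print(label + ":")
        for f in lint_nginx_tls(conf) or ["no findings"]:
            print("  -", f)
```

Run it over the contents of /etc/nginx/sites-available/bigbluebutton after each edit; the page's own block produces five findings (the two legacy protocol versions and the three 3DES entries), which is the kind of drift the SSL Labs test at the end of this article will also report.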

Configure FreeSWITCH & WebRTC

Edit the file /opt/freeswitch/conf/sip_profiles/external.xml and look for a line containing “ws-binding”. Add a new line below it, as indicated:

    <param name="tls-version" value="$${sip_tls_version}"/>
    <param name="ws-binding" value=":5066"/>
    <param name="wss-binding" value=":7443"/>

You need to make sure that the dialplan will accept the incoming secure websocket. Open the file /opt/freeswitch/conf/dialplan/public/bbb_webrtc.xml and locate the line

   <condition field="${sip_via_protocol}" expression="^ws$" break="on-false">

and change ws to wss?:

    <condition field="${sip_via_protocol}" expression="^wss?$" break="on-false">

Now the websocket forwarding address in nginx must be updated. Edit the file /etc/bigbluebutton/nginx/sip.nginx and change the protocol and port on the proxy_pass line as shown:

location /ws {
  proxy_pass https://203.0.113.3:7443;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "Upgrade";
  proxy_read_timeout 6h;
  proxy_send_timeout 6h;
  client_body_timeout 6h;
  send_timeout 6h;
}

In addition, the webrtc code in the client must be updated to use the secure websockets connection. Edit the file /var/www/bigbluebutton/client/lib/bbb_webrtc_bridge_sip.js and change the line that selects the ‘ws’ protocol to use ‘wss’ instead:

function createUAWithStuns(username, server, callback, stunsConfig, makeCallFunc) {
    console.log("Creating new user agent");
    /* VERY IMPORTANT * - You must escape the username because spaces will cause the connection to fail
     * - We are connecting to the websocket through an nginx redirect instead of directly to 5066 */
    var configuration = {
        uri: 'sip:' + encodeURIComponent(username) + '@' + server,
        wsServers: 'wss://' + server + '/ws',
        displayName: username,
        register: false,
        traceSip: true,
        autostart: false,
        userAgentString: "BigBlueButton",
        stunServers: stunsConfig['stunServers'],
        turnServers: stunsConfig['turnServers']
     };

     [...]

Configure BigBlueButton to load session via HTTPS

Edit the file /var/lib/tomcat7/webapps/bigbluebutton/WEB-INF/classes/bigbluebutton.properties and update the property bigbluebutton.web.serverURL to use https:

#----------------------------------------------------
# This URL is where the BBB client is accessible. When a user sucessfully
# enters a name and password, she is redirected here to load the client.
bigbluebutton.web.serverURL=https://bigbluebutton.example.com

You must also update the file /var/www/bigbluebutton/client/conf/config.xml to tell the client to load components via https. Since this is tedious to do by hand, you can use the following command to apply the change:

sed -e 's|http://|https://|g' -i /var/www/bigbluebutton/client/conf/config.xml

If you would ever need to revert this change, you can run the reverse command:

sed -e 's|https://|http://|g' -i /var/www/bigbluebutton/client/conf/config.xml

BigBlueButton loads a button image for the “install Flash” prompt from Adobe’s website. In order to avoid a mixed content warning (loading non-https resources on an https page), change http to https in the file /var/www/bigbluebutton/client/BigBlueButton.html in the indicated location:

        <h2>You need Flash installed and enabled in order to use the Flash client.</h2>
        <br/>
        <div style="width:50%; margin-left: auto; margin-right: auto; ">
          <a href="http://www.adobe.com/go/getflashplayer">
            <img src="https://www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" />
          </a>

Edit Demo Files

If you have the demo application installed, you also need to change them to use https.

cd /var/lib/tomcat7/webapps/demo

grep joinURL.startsWith *

Edit the files from the result of the grep by switching to https. That is, change joinURL.startsWith("http://") to joinURL.startsWith("https://").

Edit bbb_api_conf.jsp to also use https.

// This is the URL for the BigBlueButton server
String BigBlueButtonURL = "https://demo.bigbluebutton.org/bigbluebutton/";

Restart BigBlueButton

To apply all of the configuration changes made, you must restart all components of BigBlueButton:

bbb-conf --restart

Test your HTTPS configuration

In order to ensure you didn’t make any mistakes that could cause security compromises, please test your HTTPS configuration. A well-respected site that can do a series of automated tests is https://www.ssllabs.com/ssltest/ - simply enter your server’s hostname, optionally check the “Do not show results” checkbox if you would like to keep it private, then Submit.

At time of writing, the configuration shown on this page should achieve an “A” ranking in the SSL Labs test page.

Troubleshooting Installation

The following will help you resolve common errors with installation.

Run sudo bbb-conf --check

We’ve built in a BigBlueButton configuration utility, called bbb-conf, to help you configure your BigBlueButton server and troubleshoot your setup if something doesn’t work right.

If you think something isn’t working correctly, the first step is enter the following command.

$ sudo bbb-conf --check

This will check your setup to ensure the correct processes are running, the BigBlueButton components have correctly started, and look for common configuration problems that might prevent BigBlueButton from working properly.

If you see text after the line ** Potential problems described below **, then it may be warnings (which you can ignore if you’ve changed settings) or errors with the setup.

Could not get your microphone for a WebRTC call

At the time of writing, the current release is Chrome 45. As of Chrome 47 (coming soon), Chrome will require that any access to the user’s microphone for WebRTC be restricted to sites that are served via HTTPS. Users using Chrome Canary will also have this requirement.

If the user attempts to share their microphone, Chrome will block access and BigBlueButton will report the following error

WebRTC Audio Failure: Detected the following WebRTC issue: Could not get your microphone for a WebRTC call. Do you want to try flash instead?

To enable Chrome to access the user’s microphone, see Configuring HTTPS on BigBlueButton.

Tomcat7 takes a long time to startup

Tomcat relies on the SecureRandom class (which uses available entropy) to provide random values for its session IDs. On a virtualized server, however, the available entropy can run low and cause tomcat7 to block for a long period before it finishes its startup sequence (see Tomcat’s Entropy Source).

To provide tomcat7 with more entropy, you can install haveged:

$ sudo apt-get install haveged

For more information see How to Setup Additional Entropy for Cloud Servers Using Haveged.

Errors with packages

Some hosting providers do not provide a complete /etc/apt/sources.list. If you are finding you are unable to install a package, try replacing your /etc/apt/sources.list with the following

deb http://archive.ubuntu.com/ubuntu trusty main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu trusty-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu trusty-security main restricted universe multiverse

then do

$ sudo apt-get update

and try installing BigBlueButton again from the beginning.

Some packages could not be installed error (libpython3.4)

Some installations of Ubuntu 14.04 might have broken python3.4 packages installed. To check if this issue affects you, run the following command:

sudo apt-get install -s libpython3.4

If you get output that looks similar to the following - in particular, if it mentions the python version “3.4.3-1ubuntu1~14.04.1”, then you are hitting this issue:

libpython3.4 : Depends: libpython3.4-stdlib (= 3.4.0-2ubuntu1.1) but 3.4.3-1ubuntu1~14.04.1 is to be installed 

To fix this problem, run the following commands:

sudo dpkg -r --force-all libpython3.4-stdlib python3.4-minimal libpython3.4-minimal libpython3.4 python3.4
sudo apt-get -f install

If those commands complete, you can go back to the installation instructions and try the package that had failed again.

BigBlueButton does not load

If your server has multiple network connections, the install scripts may have used the wrong IP for BigBlueButton’s configuration. Another possibility is you want to access BigBlueButton through a hostname (but not IP).

To change all of BigBlueButton’s configuration files to use a different IP address or hostname, enter

$ sudo bbb-conf --setip <ip_address_or_hostname>
$ sudo bbb-conf --enablewebrtc
 
$ sudo bbb-conf --clean
$ sudo bbb-conf --check

For example

$ sudo bbb-conf --setip my.host.com

For more information see bbb-conf options.

Host IP address has changed

See BigBlueButton does not load

Audio not working

If you are installing BigBlueButton on EC2 or a hosting provider that has a number of network interfaces, you need to tell FreeSWITCH to listen on your external interface on its IP address (shown below as EXTERNAL_IP_ADDRESS). You must use the external IP address where EXTERNAL_IP_ADDRESS is shown (not the external hostname).

Edit /opt/freeswitch/conf/vars.xml

Remove this line

<X-PRE-PROCESS cmd="set" data="local_ip_v4=xxx.yyy.zzz.qqq"/>

Change

<X-PRE-PROCESS cmd="set" data="bind_server_ip=auto"/>

To

<X-PRE-PROCESS cmd="set" data="bind_server_ip=EXTERNAL_IP_ADDRESS"/>

Change

<X-PRE-PROCESS cmd="set" data="external_rtp_ip=stun:stun.freeswitch.org"/>

To

<X-PRE-PROCESS cmd="set" data="external_rtp_ip=EXTERNAL_IP_ADDRESS"/>

Edit /opt/freeswitch/conf/sip_profiles/external.xml and change

    <param name="rtp-ip" value="$${local_ip_v4}"/>
    <param name="sip-ip" value="$${local_ip_v4}"/>
    <param name="ext-rtp-ip" value="$${local_ip_v4}"/>
    <param name="ext-sip-ip" value="$${local_ip_v4}"/>

to

    <param name="rtp-ip" value="$${local_ip_v4}"/>
    <param name="sip-ip" value="$${local_ip_v4}"/>
    <param name="ext-rtp-ip" value="$${external_rtp_ip}"/>
    <param name="ext-sip-ip" value="$${external_sip_ip}"/>

Edit /usr/share/red5/webapps/sip/WEB-INF/bigbluebutton-sip.properties

bbb.sip.app.ip=<internal ip>
bbb.sip.app.port=5070

freeswitch.ip=<internal ip>
freeswitch.port=5060

Edit /etc/bigbluebutton/nginx/sip.nginx to

location /ws {
        proxy_pass http://EXTERNAL_IP_ADDRESS:5066;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_read_timeout 6h;
        proxy_send_timeout 6h;
        client_body_timeout 6h;
        send_timeout 6h;
}

changing EXTERNAL_IP_ADDRESS to your server’s elastic IP address.

Open the following TCP and UDP ports on the local firewall (if you have one installed) and security groups (if you’re using EC2):

  • TCP - 5066
  • UDP - 16384 to 32768
  • TCP - 7443 (if you have HTTPS enabled)

Conference not found errors

The command sudo bbb-conf --debug searches through the red5, tomcat7, and nginx logs looking for errors and exceptions. However, messages such as

    -- ERRORS found in /usr/share/red5/log/* --
/usr/share/red5/log/bigbluebutton.log:2015-05-02 13:50:37,681-04:00 [pool-17-thread-1] ERROR o.b.w.v.f.a.PopulateRoomCommand - Not XML: [Conference 78505 not found]

are innocuous and can be ignored.

If you’ve installed/uninstalled BigBlueButton packages, you may get a No Symbolic Link warning from bbb-conf --check:

** Potential Problems **
    nginx (conf): no symbolic link in /etc/nginx/sites-enabled for bigbluebutton

To solve this, add a symbolic link to nginx for the BigBlueButton site:

sudo ln -s /etc/nginx/sites-available/bigbluebutton /etc/nginx/sites-enabled/bigbluebutton
sudo /etc/init.d/nginx restart

Voice Application failed to register with sip server

When doing sudo bbb-conf --check, you may see the warning

voice Application failed to register with sip server

This error occurs when bbb-apps-sip isn’t able to make a SIP call to FreeSWITCH. You’ll see this in BigBlueButton when users click the headset icon and don’t join the voice conference.

One possible cause for this is you have just installed BigBlueButton, but not restarted it. The packages do not start up the BigBlueButton components in the right order. To restart BigBlueButton, do the following:

    sudo bbb-conf --restart
    sudo bbb-conf --check

If you don’t want FreeSWITCH to bind to 127.0.0.1, you need to figure out which IP address it’s using. First, determine the IP address FreeSWITCH is monitoring for incoming SIP calls with the following command:

netstat -ant | grep 5060

You should see an output such as

tcp        0      0 234.147.116.3:5060    0.0.0.0:*               LISTEN

In this example, FreeSWITCH is listening on IP address 234.147.116.3. The IP address on your server will be different.

Next, edit /usr/share/red5/webapps/sip/WEB-INF/bigbluebutton-sip.properties and set the value for sip.server.host to the IP address returned from the above command. Save the changes (you’ll need to edit the file as root to save changes).

Restart BigBlueButton using the commands and run the built-in diagnostics checks.

sudo bbb-conf --clean
sudo bbb-conf --check

If the above does not resolve your problem, post the output of the commands sudo bbb-conf --check and ifconfig to bigbluebutton-setup and we’ll help you there.

Client WebRTC Error Codes

WebRTC offers very high-quality audio. However, the user’s network settings (or firewall) may not allow WebRTC to connect (or keep connected).

The following lists the possible WebRTC error messages that a user may encounter:

  • 1001: WebSocket disconnected - The WebSocket had connected successfully and has now disconnected. Possible Causes:
    • Loss of internet connection
    • Nginx restarting can cause this
  • 1002: Could not make a WebSocket connection - The initial WebSocket connection was unsuccessful. Possible Causes:
    • Firewall blocking ws protocol
    • Server is down or improperly configured
  • 1003: Browser version not supported - Browser doesn’t implement the necessary WebRTC API methods. Possible Causes:
    • Out of date browser
  • 1004: Failure on call - The call was attempted, but failed. Possible Causes:
    • For a full list of causes refer here, http://sipjs.com/api/0.6.0/causes/
    • There are 24 different causes so I don’t really want to list all of them
  • 1005: Call ended unexpectedly - The call was successful, but ended without user requesting to end the session. Possible Causes:
    • Unknown
  • 1006: Call timed out - The library took too long to try and connect the call. Possible Causes:
    • Previously caused by Firefox 33-beta on Mac. We’ve been unable to reproduce since release of Firefox 34
  • 1007: ICE negotiation failed - The browser and FreeSWITCH try to negotiate ports to use to stream the media and that negotiation failed. Possible Causes:
    • NAT is blocking the connection
    • Firewall is blocking the UDP connection/ports
  • 1008: Call transfer failed - A timeout while waiting for FreeSWITCH to transfer from the echo test to the real conference. This might be caused by a misconfiguration in FreeSWITCH, or there might be a media error and the DTMF command to transfer didn’t go through (In this case, the voice in the echo test probably didn’t work either.)
  • 1009: Could not fetch STUN/TURN server information - This indicates either a BigBlueButton bug (or you’re using an unsupported new client/old server combination), but could also happen due to a network interruption.