From 5aafb4d7790f4d0962967372bcea90b01e911d34 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Sun, 14 Sep 2025 17:56:27 +0200 Subject: [PATCH 1/3] Update network-config.md to current situation This still listed old (now removed) containers and missed newly added ones, which are now fixed. This also makes the network_mode: host listings consistent, and removes the "extra_hosts" listed for nginx (this does not really seem to have much advantage in docs, unlike a list of allocated IP addresses which *is* useful). The list is slightly reordered to match the order in docker-compose.tmpl.yml. --- docs/network-config.md | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/docs/network-config.md b/docs/network-config.md index 32891837..1e437a98 100644 --- a/docs/network-config.md +++ b/docs/network-config.md @@ -1,30 +1,33 @@ ## Network Configuration Services as configured. -|Service | Network | IP address | Other Option | + +|Service | Network | IP address | --- | --- | --- | --- +| html5-dev | network_mode: host | | | bbb-web | bbb-net | 10.7.7.2 | +| freeswitch| bbb-net | 10.7.7.10 | +| nginx | network_mode: host | | +| etherpad | bbb-net | 10.7.7.4 | | bbb-pads | bbb-net | 10.7.7.18 | -| html5-backend-{{$i}} | bbb-net | 10.7.7.{{add 100 $i}}| Port {{ add 4000 $i }} -| html5-frontend-{{$i}}| bbb-net | 10.7.7.{{add 200 $i}}| Port {{ add 4100 $i }} -| freeswitch| network_mode: host | | -| nginx | network_mode: host| | extra_hosts:
- "host.docker.internal:10.7.7.1"
- "core:10.7.7.2"
- "etherpad:10.7.7.4"
- "webrtc-sfu:10.7.7.10"
- "html5:10.7.7.11" -| etherpad | bbb-net | 10.7.7.4| -| redis | bbb-net | 10.7.7.5| -| mongodb | bbb-net | 10.7.7.6| -| kurento | network-mode: host | | -| webrtc-sfu | bbb-net | | network_mode: host +| bbb-export-annotations | bbb-net | 10.7.7.19 | +| redis | bbb-net | 10.7.7.5 | +| webrtc-sfu | network_mode: host | | | fsesl-akka | bbb-net | 10.7.7.14 | | apps-akka | bbb-net | 10.7.7.15 | -| libreoffice | bbb-net | 10.7.7.7 | +| bbb-graphql-server | bbb-net | 10.7.7.31 | +| bbb-graphql-actions | bbb-net | 10.7.7.30 | +| bbb-graphql-middleware | bbb-net | 10.7.7.32 | +| collabora | bbb-net | 10.7.7.20 | | periodic | bbb-net | 10.7.7.12 | | recordings | bbb-net | 10.7.7.16 | +| bbb-webrtc-recorder | network_mode: host | | | webhooks | bbb-net | 10.7.7.17 | -| https_proxy | bbb-net | |network_mode: host +| haproxy | network_mode: host | | | coturn | network_mode: host | | -| greenlight | | | ports: 10.7.7.1:5000:80 -| prometheus | bbb-net | 10.7.7.33 | -| bbb-export-annotations | bbb-net | 10.7.7.19 | +| greenlight | bbb-net | 10.7.7.21 | +| postgres | bbb-net | 10.7.7.22 | +| prometheus-exporter | bbb-net | 10.7.7.33 | ```yml networks: From 134e5f84fc1aaa91747a75bc6b58fd28b60cd51d Mon Sep 17 00:00:00 2001 
From: Matthijs Kooijman Date: Sun, 14 Sep 2025 17:40:42 +0200 Subject: [PATCH 2/3] Do not use network_mode: host for nginx This is not really needed, nginx is always intended to be behind a reverse proxy, so it can just expose its ports on the internal network. This prevents having the 4808x ports exposed externally (though a user can still expose them explicitly with a ports directive if needed). This removes the "nginx" extra-hosts definition from the bbb-graphql-middleware host container, since the "nginx" name now resolves to the nginx internal IP normally. In the haproxy config, this updates the IP address instead of using the "nginx" name, as it seems that the haproxy resolv.conf does not list the docker resolver but somehow uses the (host system) external DNS directly. Nginx also listens on port 8185. Previously this bound to 127.0.0.1 and 10.7.7.1 (the host-side IP of the internal network) explicitly, presumably to prevent this port being available publically, but this is no longer needed, so now it can just bind to the port directly. --- docker-compose.tmpl.yml | 8 ++++---- docs/existing-web-server.md | 12 +++++++++++- docs/network-config.md | 2 +- mod/haproxy/haproxy.cfg | 4 ++-- mod/nginx/bigbluebutton | 3 +-- 5 files changed, 19 insertions(+), 10 deletions(-) diff --git a/docker-compose.tmpl.yml b/docker-compose.tmpl.yml index 7f8acd19..1fb0d918 100644 --- a/docker-compose.tmpl.yml +++ b/docker-compose.tmpl.yml @@ -126,9 +126,11 @@ services: # overwrite html5 config - ./mod/nginx/bbb-html5.dev.nginx:/etc/nginx/bbb/bbb-html5.nginx:ro {{ end }} + networks: + bbb-net: + ipv4_address: 10.7.7.34 tmpfs: - /tmp - network_mode: host extra_hosts: - "host.docker.internal:10.7.7.1" - "bbb-web:10.7.7.2" @@ -353,8 +355,6 @@ services: networks: bbb-net: ipv4_address: 10.7.7.32 - extra_hosts: - - "nginx:10.7.7.1" {{ if isTrue .Env.DEV_MODE }} user: ${BBB_DEV_UID}:${BBB_DEV_GID} 
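Review bot: The new `ipv4_address: 10.7.7.34` for nginx is also hard-coded in the greenlight `BIGBLUEBUTTON_ENDPOINT` hunk and in both `server` lines of the mod/haproxy/haproxy.cfg hunk, with nothing tying the copies together. A comment above the `networks:` key would help, for example `# nginx is on bbb-net only; keep 10.7.7.34 in sync with mod/haproxy/haproxy.cfg and BIGBLUEBUTTON_ENDPOINT` followed by `# no ports: here on purpose, the 4808x listeners are meant to stay internal`. The second comment matters because a later `ports:` entry written without a host address would publish the listener on every host interface. Greenlight is on bbb-net according to the docs table, so its endpoint could probably use the `nginx` service name instead of the literal address; the commit message explains why haproxy cannot. The nginx service definition starts and ends outside this hunk.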
@@ -512,7 +512,7 @@ services: DATABASE_URL: postgres://postgres:${POSTGRESQL_SECRET:-password}@postgres:5432/greenlight REDIS_URL: redis://redis:6379 {{ if $ignore_tls_cert_errors }} - BIGBLUEBUTTON_ENDPOINT: http://10.7.7.1:48083/bigbluebutton/api + BIGBLUEBUTTON_ENDPOINT: http://10.7.7.34:48083/bigbluebutton/api {{else}} BIGBLUEBUTTON_ENDPOINT: https://${DOMAIN}/bigbluebutton/api {{end}} diff --git a/docs/existing-web-server.md b/docs/existing-web-server.md index adf2ff82..4ca3f09a 100644 --- a/docs/existing-web-server.md +++ b/docs/existing-web-server.md 
@@ -8,7 +8,17 @@ You could dedicate a virtual host to BigBlueButton, allowing external access to ## Installation 1. Install BigBlueButton Docker [as explained above](#install). While running the setup script, please choose `n` when you're asked the following question: `Should an automatic HTTPS Proxy be included? (y/n)`. -2. Now all the required Docker containers should be running. BigBlueButton listens to port 48087. Create a virtual host by which BigBlueButton will be publicly accessible (in this case, let's assume the following server name for the virtual host: `bbb.example.com`). Enable SSL for the new _https_ virtual host. Make sure that the SSL certificate you will be using is signed by a CA (Certificate Authority). You could generate an SSL certificate for free using Let's Encrypt. It is suggested to add some directives to the _http_ virtual host `bbb.example.com` to redirect all requests to the _https_ one. +2. Now all the required Docker containers should be running. BigBlueButton listens to port 48087 (among others, but 48087 is intended for external reverse proxies). By default, the port is only opened on the internal bbb-net network created by docker-compose, so either your reverse proxy should run within the same docker-compose file or otherwise have access to the network, or the port should be made available on the host system by adding something like: + ``` + ports: + - "127.0.0.1:48087:48087 + - "[::1]:48087:48087 + ``` + In the `nginx` container config in `docker-compose.yml`. + + The rest of this document assumes you did the latter. + +3. Create a virtual host by which BigBlueButton will be publicly accessible (in this case, let's assume the following server name for the virtual host: `bbb.example.com`). Enable SSL for the new _https_ virtual host. Make sure that the SSL certificate you will be using is signed by a CA (Certificate Authority). You could generate an SSL certificate for free using Let's Encrypt. 
It is suggested to add some directives to the _http_ virtual host `bbb.example.com` to redirect all requests to the _https_ one. At this point, choose one of the following sections according to which Web server you're running ([Apache](#integration-with-apache)). diff --git a/docs/network-config.md b/docs/network-config.md index 1e437a98..d9a58ef7 100644 --- a/docs/network-config.md +++ b/docs/network-config.md @@ -7,7 +7,7 @@ Services as configured. | html5-dev | network_mode: host | | | bbb-web | bbb-net | 10.7.7.2 | | freeswitch| bbb-net | 10.7.7.10 | -| nginx | network_mode: host | | +| nginx | bbb-net | 10.7.7.34 | | etherpad | bbb-net | 10.7.7.4 | | bbb-pads | bbb-net | 10.7.7.18 | | bbb-export-annotations | bbb-net | 10.7.7.19 | diff --git a/mod/haproxy/haproxy.cfg b/mod/haproxy/haproxy.cfg index a66c2dd8..eb95d569 100644 --- a/mod/haproxy/haproxy.cfg +++ b/mod/haproxy/haproxy.cfg @@ -73,8 +73,8 @@ backend turn backend nginx mode tcp - server localhost 10.7.7.1:48081 send-proxy check + server localhost 10.7.7.34:48081 send-proxy check backend nginx-http2 mode tcp - server localhost 10.7.7.1:48082 send-proxy check + server localhost 10.7.7.34:48082 send-proxy check diff --git a/mod/nginx/bigbluebutton b/mod/nginx/bigbluebutton index 58c5b20f..a7ff2f02 100644 --- a/mod/nginx/bigbluebutton +++ b/mod/nginx/bigbluebutton @@ -70,8 +70,7 @@ upstream hasura { # server 127.0.0.1:8086; } server { - listen 10.7.7.1:8185; - listen 127.0.0.1:8185; + listen 8185; root /var/www/html; From 6310b1b34f096101918ec8c57c5f7b96ebf186d6 Mon Sep 17 00:00:00 2001 
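Review bot: With `listen 8185;` in mod/nginx/bigbluebutton this server now accepts connections on every address the nginx container has, so keeping it non-public depends entirely on the compose file never publishing 8185 and never returning the container to host networking; nothing in this file records that. I would add a comment above the directive, e.g. `# all container interfaces; internal to bbb-net, do not publish this port`. Services that the docs table still lists under `network_mode: host` and that may have reached this listener on `127.0.0.1:8185` or `10.7.7.1:8185` would now have to use `10.7.7.34:8185`; the patch shows no such change, so that is worth checking. The server block continues past the end of the hunk.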
From: Matthijs Kooijman Date: Sun, 14 Sep 2025 17:40:42 +0200 Subject: [PATCH 3/3] Do not use network_mode: host for haproxy This is not really needed, haproxy only needs to expose two ports externally, so better to make that explicit using a ports directive, which also gives the user more control. --- docker-compose.tmpl.yml | 7 ++++++- docs/network-config.md | 2 +- mod/nginx/nginx.conf | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/docker-compose.tmpl.yml b/docker-compose.tmpl.yml index 1fb0d918..8570eafc 100644 --- a/docker-compose.tmpl.yml +++ b/docker-compose.tmpl.yml @@ -479,7 +479,12 @@ services: - IGNORE_TLS_CERT_ERRORS={{$ignore_tls_cert_errors}} - CERT1=${DOMAIN} - EMAIL=${LETSENCRYPT_EMAIL} - network_mode: host + ports: + - 80:80 + - 443:443 + networks: + bbb-net: + ipv4_address: 10.7.7.35 {{end}} # coturn diff --git a/docs/network-config.md b/docs/network-config.md index d9a58ef7..cc0d757a 100644 --- a/docs/network-config.md +++ b/docs/network-config.md @@ -23,7 +23,7 @@ Services as configured. | recordings | bbb-net | 10.7.7.16 | | bbb-webrtc-recorder | network_mode: host | | | webhooks | bbb-net | 10.7.7.17 | -| haproxy | network_mode: host | | +| haproxy | bbb-net | 10.7.7.35 | | coturn | network_mode: host | | | greenlight | bbb-net | 10.7.7.21 | | postgres | bbb-net | 10.7.7.22 | diff --git a/mod/nginx/nginx.conf b/mod/nginx/nginx.conf index 270b9eae..fbc8cdc4 100644 --- a/mod/nginx/nginx.conf +++ b/mod/nginx/nginx.conf @@ -40,13 +40,13 @@ http { listen 48083 http2; location /bigbluebutton/api/join { - return 301 https://10.7.7.1$request_uri; + return 301 https://10.7.7.35$request_uri; } location /bigbluebutton/api { proxy_pass http://127.0.0.1:48087; } location / { - return 301 https://10.7.7.1$request_uri; + return 301 https://10.7.7.35$request_uri; } }
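Review bot: Publishing `80:80` and `443:443` through Docker changes how connections reach haproxy compared with `network_mode: host`, and the hunk does not say whether that was checked. Published ports are opened by Docker's own packet-filter rules, so host firewall rules that used to cover 80/443 may no longer apply, and depending on the daemon's IPv6 and userland-proxy settings haproxy can see the bridge gateway instead of the real client address. Since the nginx backends in mod/haproxy/haproxy.cfg use `send-proxy`, that address is what ends up in downstream logs and in any per-client handling. A short comment stating the expected behaviour would help, and the mappings are better quoted as `- "80:80"` and `- "443:443"`, which is what the Compose documentation recommends for port strings. The haproxy service definition starts outside the hunk.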
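Review bot: Both `return 301 https://10.7.7.35$request_uri;` lines in mod/nginx/nginx.conf now redirect to the bundled haproxy container, which only exists when that service is rendered; the compose hunk in this patch shows it inside a template conditional. The old target 10.7.7.1 was the host side of bbb-net, where an external reverse proxy listening on 443 would also have answered, so installs following docs/existing-web-server.md may now be redirected to an unassigned address. If that case is meant to be supported the target needs to be configurable; otherwise a comment such as `# 10.7.7.35 is the bundled haproxy; this redirect assumes it is enabled` would document the limit. The enclosing server block starts outside the hunk.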