SEPIA-Framework / sepia-docs

Documentation and Wiki for SEPIA. Please post your questions and bug-reports here in the issues section! Thank you :-)
https://sepia-framework.github.io/

Secure connection to latest STT server #125

Open gafk opened 2 years ago

gafk commented 2 years ago

After successfully upgrading to the latest version of both assist server as well as the DIY client, I thought it is time to take the next step and get the STT server up and running as well. In the past I have been using the native Google STT, but I would definitely prefer a private, local solution.

I was able to get the STT docker container up and running on my Synology NAS, but I am having trouble with establishing a secure connection to it that works. I set up a reverse proxy on my NAS like this:

source: https://diskstation:20744 - destination: http://diskstation:20741

I can reach the ui of the STT server with both URLs, but under the https connection (port 20744), I get an error message when I hit connection -> open:

ERROR: ?

I am guessing it has something to do with the different ports...? Are there some settings I can adjust to make this setup work?

Accessing the server via http (port 20741), I can successfully open the connection, but then of course I cannot record audio:

Init. ERROR - Likely because of insecure origin (no HTTPS or localhost)

Also note that the LetsEncrypt certificate I am using on the NAS is meant for external access (so for the external domain) and it is therefore giving me a warning when I access via the local "diskstation" device name. Is it necessary to allow untrusted certificates? I do not want to expose sepia to the internet for now...

fquirin commented 2 years ago

ERROR: ?

That's all? :sweat_smile: :see_no_evil: Could you check the browser console (F12) if there is any more info?

I am guessing it has something to do with the different ports...?

Do you know what kind of proxy is running on the NAS? Usually the WebSocket connection to the server requires some configuration tweaks (HTTP connection upgrade). Here are some examples for Nginx and Apache: Proxy setups.

The SEPIA DIY client should still be able to use the "unsafe" HTTP URL and for testing in your main browser you can try: this.

Is it necessary to allow untrusted certificates?

This is a topic that is giving me constant headaches :nauseated_face: since every device is acting differently and self-signed certificates usually need to be imported by devices (and then expire from time to time etc.). What I've done is to take one Raspberry Pi inside my network that acts as a reverse proxy for every SEPIA component. In theory this could be the Nginx of your SEPIA-Home server, but I'm not 100% sure how it behaves when inside a Docker container. If your NAS points to this proxy (port 20726) you could try to open the terminal inside the container, go to /etc/nginx/sites-enabled, open the SEPIA config and look for /stt. There you could use the IP of the STT server instead of localhost, store the changes and restart Nginx: sudo service nginx stop && sudo service nginx start. Obviously this change will be lost if the container is reset, but we could add another shared folder that points to the Nginx config maybe.
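The reverse-proxy setup discussed above, written out as an added Nginx example (not SEPIA's own config and not from either poster): TLS is terminated on port 20744 and requests are forwarded to the STT server on port 20741 with the HTTP connection upgrade that the WebSocket handshake needs. The certificate paths and STT_SERVER_IP are placeholders; the two port numbers are the ones from the thread.

```nginx
# Added example: one server block for a proxy in front of the SEPIA STT server.
# Certificate paths and STT_SERVER_IP are placeholders, not values from the thread.
server {
    listen 20744 ssl;
    server_name diskstation;

    # Placeholder paths: use the certificate whose name matches the hostname clients
    # actually type, otherwise the browser shows the warning described in the issue.
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    location / {
        # Placeholder: the STT container's IP (inside Docker, "localhost" would point
        # at the proxy container itself, not at the STT server).
        proxy_pass http://STT_SERVER_IP:20741;

        # WebSocket requires HTTP/1.1 plus the Upgrade/Connection headers; without
        # them the UI's "connection -> open" step fails even though the page loads.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Audio streaming keeps the socket open for a long time; avoid idle cut-offs.
        proxy_read_timeout 3600s;
    }
}
```

Because the browser only grants microphone access on a secure origin, the HTTPS side (20744) is the one clients should use; the plain port 20741 then only needs to be reachable from the proxy, not from the rest of the LAN.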