bigbluebutton / bbb-install

BASH script to install BigBlueButton in 30 minutes.
GNU Lesser General Public License v3.0

Port 443 sharing for BBB 2.6.1 #630

Open mizo-aq opened 1 year ago

mizo-aq commented 1 year ago

Hello everyone!

I would like to report on one of the themes of the thread bigbluebutton/bigbluebutton#13421, Port 443 sharing, for BBB 2.6.1. The BBB development team already proposed the solution for my request, as we can see from the -k option in bbb-install-2.6.sh, so I am just modifying the proposal. The -k option is for installing Keycloak 20 simultaneously with BBB. Keycloak 20 is configured to run under the Nginx reverse proxy. It is defined in the file /usr/share/bigbluebutton/nginx/keycloak.nginx, which is included in the file /etc/nginx/sites-available/bigbluebutton. The following modification of the above reverse proxy definition transfers the packets to another version of Keycloak; here, Keycloak 18.0.2 runs on server_b in the same segment as the BBB server, server_a.

$ cat /usr/share/bigbluebutton/nginx/keycloak18.nginx
server_name server_b.com;

location /keycloak18/ {
  proxy_pass https://[local IP of server_b]/keycloak18/;
  proxy_redirect off;
  proxy_read_timeout 60s;
  proxy_cookie_path /keycloak18/ /keycloak18/;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-Server $host;
  proxy_set_header X-Forwarded-Port $server_port;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_http_version 1.1;
  proxy_headers_hash_max_size 512;
  proxy_headers_hash_bucket_size 128;
  proxy_buffer_size 128k;
  proxy_buffers 4 256k;
  proxy_busy_buffers_size 256k;

  # NAXSI
  #include /etc/nginx/naxsi_rules/naxsi_local_keycloak.rules;
  #
}

It is necessary to create the common SSL certificate files for the two hosts, which are the hostnames of server_a and server_b, i.e., server_a.com and server_b.com, respectively. The bbb-install-2.6.sh script stores the SSL certificate files under the /etc/letsencrypt/live folder, which Nginx references, and you can overwrite the common SSL certificate files in this folder. The SSL certificate file for haproxy is created by the following commands, referring to bbb-install-2.6.sh, for the Let's Encrypt SSL.

$ cat /etc/letsencrypt/live/server_a.com/{fullchain,privkey}.pem > /etc/haproxy/certbundle.pem.new
$ chown root:haproxy /etc/haproxy/certbundle.pem.new
$ chmod 0640 /etc/haproxy/certbundle.pem.new
$ mv /etc/haproxy/certbundle.pem.new /etc/haproxy/certbundle.pem
$ systemctl reload haproxy

To start the Keycloak 18.0.2 service, set the http-relative-path parameter to /keycloak18 as shown below, and the above nginx reverse proxy will work.

$ /opt/keycloak-18.0.2/bin/kc.sh build --http-relative-path=/keycloak18
$ /opt/keycloak-18.0.2/bin/kc.sh start

The above configuration works well in my environment. If we run Keycloak with a custom port, some services, e.g., Moodle, will regard it as untrustworthy and reject it due to its custom port. Thus, there is a situation where we do not want BBB to occupy port 443, especially with authentication services such as Keycloak. Therefore, sharing Port 443 is an essential topic for BBB users with limited Internet resources. Did the BBB development team read the thread to show us the example of port 443 sharing of Keycloak and BBB 2.6.1? In any case, I want to thank the BBB development team.

Regards, Yoichi Mizomata https://sites.google.com/view/beyond-the-net

Originally posted by @mizo-aq in https://github.com/bigbluebutton/bigbluebutton/issues/13421#issuecomment-1500203932
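A pre-flight check for the shared-certificate step described in the post above, as an added example that is not part of the original issue or of bbb-install: it confirms that the certificate covers every hostname served on port 443 and that the private key matches it before the HAProxy bundle is replaced. The function names are assumptions made for this example; ownership and the HAProxy reload are left to the commands shown in the post.

```bash
# Added example: pre-flight checks before replacing the HAProxy certificate bundle.
# Function names are illustrative and not part of bbb-install.

# Succeeds only if the leaf certificate in <cert.pem> is valid for <hostname>.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
    grep -q 'does match certificate'
}

# Succeeds only if <privkey.pem> belongs to the certificate in <cert.pem>.
key_matches_cert() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# build_bundle <live_dir> <bundle_path> <hostname>...
# Writes fullchain.pem + privkey.pem to <bundle_path> only if all checks pass.
build_bundle() {
  local live="$1" out="$2" h
  shift 2
  key_matches_cert "$live/fullchain.pem" "$live/privkey.pem" ||
    { echo "private key does not match certificate" >&2; return 1; }
  for h in "$@"; do
    cert_covers_host "$live/fullchain.pem" "$h" ||
      { echo "certificate does not cover $h" >&2; return 1; }
  done
  # umask 077 keeps the key unreadable to others from the moment the file exists.
  ( umask 077; cat "$live/fullchain.pem" "$live/privkey.pem" > "$out.new" ) || return 1
  chmod 0640 "$out.new" && mv "$out.new" "$out"
}

# Usage (as root), followed by chown root:haproxy and the haproxy reload from the post:
#   build_bundle /etc/letsencrypt/live/server_a.com /etc/haproxy/certbundle.pem \
#     server_a.com server_b.com
```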

hostbbb commented 1 year ago

haproxy in 2.6.1 inspects the first few bytes of data and determines whether it's coturn or bbb nginx. So it seems like another rule to look for a keycloak packet may be able to be added to proxy those requests to keycloak.

Will defer to experts on how exactly to do it.

antobinary commented 1 year ago

I think this GitHub issue would get more traction if it was under the bbb-install project. I will transfer it there.

mizo-aq commented 1 year ago

Thank you, antobinary! Please transfer it.