[OpenSIPS-Users] Using LetsEncrypt certs with v2.4
Dioris Moreno
nesken at gmail.com
Mon Jul 8 09:55:33 EDT 2019
Hi John,
I have been looking for an easy way to set up WSS using LetsEncrypt
certificates on OpenSIPS 2.4 in order to implement WebRTC. After testing
multiple scenarios using the WSS and TLS_MGM modules, I found a simpler
approach: using Nginx to handle TLS.

Certbot fully automates the process of obtaining and installing certificates
on Nginx. Also, Certbot auto-renewed certificates are used by Nginx without
having to restart or reload the service. On the other hand, using
LetsEncrypt on OpenSIPS involves permission changes to give the opensips user
account access to the certificates, and they have to be provisioned via DB if we
want to avoid restarting OpenSIPS when a renewal occurs.

In order to use Nginx as a WSS proxy we have to enable WS in OpenSIPS,
listening on localhost, e.g. listen=ws:127.0.0.1:8080. It is not necessary
to load nor install the WSS and TLS_MGM modules. Then, we have to
configure Nginx as a forward proxy. The whole configuration section of a
server listening on port 443, using LetsEncrypt, and forwarding WSS
requests to OpenSIPS WS looks like:
server {
    server_name host.mydomain.com;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/host.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/host.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Note that the last 6 lines are managed by Certbot. After activating the
Certbot certificate, it is only necessary to add the "location /" section
with the proxy_* parameters to the Nginx configuration. This is the same
approach used to implement RESTful APIs using Node.js Express: you create a
server listening on a specific port (localhost) and let Nginx work in front
and handle SSL.
Regards,
Dioris Moreno
Libereco Systems
libersys.io
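A small configuration check, added here as an example and not part of the thread, that lints an Nginx server block for the properties the setup above relies on: a TLS listener, proxy_pass pointing only at loopback (so the plain-WS listener is never reached without TLS), and the Upgrade/Connection headers the WebSocket handshake needs. Both sample blocks are constructed; the hostname and certificate paths are placeholders.

```python
import re

# Sample server block, constructed from the configuration quoted above
# (hostname and certificate paths are placeholders).
GOOD_CONF = """
server {
    server_name host.mydomain.com;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
    }
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/host.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/host.mydomain.com/privkey.pem;
}
"""

# Weak variant (constructed): backend on a routable address, Upgrade header dropped.
BAD_CONF = (GOOD_CONF.replace("127.0.0.1:8080", "10.0.0.5:8080")
            .replace("proxy_set_header Upgrade $http_upgrade;", ""))

def directives(conf):
    """Flatten a server block into (name, args) pairs, ignoring comments and nesting."""
    text = re.sub(r"#.*", "", conf)
    stmts = (s.split() for s in re.split(r"[;{}]", text))
    return [(p[0], p[1:]) for p in stmts if p]

def check_wss_proxy(conf):
    """Return findings; an empty list means the block passes every check."""
    d = directives(conf)
    findings = []
    if not any(n == "listen" and "ssl" in a for n, a in d):
        findings.append("no 'listen ... ssl': clients would reach OpenSIPS over plain WS")
    targets = [a[0] for n, a in d if n == "proxy_pass"]
    loopback = re.compile(r"^http://(127\.0\.0\.1|localhost|\[::1\])(:\d+)?/?$")
    if not targets or not all(loopback.match(t) for t in targets):
        findings.append("proxy_pass not on loopback: the WS listener is reachable without TLS")
    hdrs = {a[0].lower(): a[1] for n, a in d if n == "proxy_set_header" and len(a) == 2}
    if hdrs.get("upgrade") != "$http_upgrade" or "upgrade" not in hdrs.get("connection", "").lower():
        findings.append("Upgrade/Connection headers missing: WebSocket handshake will not be forwarded")
    if not any(n == "proxy_http_version" and a == ["1.1"] for n, a in d):
        findings.append("proxy_http_version 1.1 is required for the WebSocket upgrade")
    for k in ("ssl_certificate", "ssl_certificate_key"):
        if not any(n == k for n, _ in d):
            findings.append(f"{k} directive missing")
    return findings
```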
On Wed, Aug 8, 2018 at 10:57 AM John Quick <john.quick at smartvox.co.uk> wrote:
> Hi Vlad,
>
> I now realise that the problem I'm having is that "default" is a reserved
> word in MySQL.
> When I tried to set the 'domain' field to the text "default", it actually
> sets it to blank because that is the default value for this column.
> 😊
>
> John Quick
> Smartvox Limited
> Web: www.smartvox.co.uk