<div dir="ltr"><div>Hi John,</div><div dir="ltr"><br></div><div dir="ltr">I have been looking for an easy way to setup WSS using LetsEncrypt certificates on OpenSIPS 2.4 in order to implement WebRTC. After testing multiple scenarios using WSS and TLS_MGM modules I found a simpler approach: using Nginx to handle TLS. </div><div dir="ltr"><br></div><div dir="ltr">Cerbot fully automates the process of obtaining and installing certificates on Nginx. Also, Cerbot auto-renewed certificates are used by Nginx without having to restart or reload the service. In the other hand, using LetsEncrypt on OpenSIPS involves permissions changes to give opensips user account access to certificates and they have to be provisioned via DB if we want to avoid restarting OpenSIPS when a renewal occurs.</div><div dir="ltr"><br></div><div dir="ltr">In order to use Nginx as a WSS proxy we have to enable WS in OpenSIPS, listening on localhost, e.g. listen=ws:<a href="http://127.0.0.1:8080">127.0.0.1:8080</a>. It is not necessary to load, neither install WSS and TLS_MGM modules. Then, we have to configure Nginx as a forward proxy. The whole configuration section of a server listening on 443 port, using LetsEncrypt, and forwarding WSS requests to OpenSIPS WS looks like:<br><br><font face="courier new, monospace"> server {<br> server_name <a href="http://host.mydomain.com">host.mydomain.com</a>;<br><br> # Load configuration files for the default server block.<br> include /etc/nginx/default.d/*.conf;<br><br> location / {<br> proxy_pass <a href="http://127.0.0.1:8080">http://127.0.0.1:8080</a>;<br> proxy_http_version 1.1;<br> proxy_set_header Upgrade $http_upgrade;<br> proxy_set_header Connection 'upgrade';<br> proxy_set_header Host $host;<br> proxy_cache_bypass $http_upgrade; <br> }<br><br></font><span style="font-family:"courier new",monospace"> </span><font face="courier new, monospace">listen [::]:443 ssl ipv6only=on; # managed by Certbot<br></font><span style="font-family:"courier new",monospace"> </span><font face="courier new, monospace">listen 443 ssl; # managed by Certbot<br></font><span style="font-family:"courier new",monospace"> </span><font face="courier new, monospace">ssl_certificate /etc/letsencrypt/live/<a href="http://host.mydomain.com/fullchain.pem">host.mydomain.com/fullchain.pem</a>; # managed by Certbot<br></font><span style="font-family:"courier new",monospace"> </span><font face="courier new, monospace">ssl_certificate_key /etc/letsencrypt/live/<a href="http://host.mydomain.com/privkey.pem">host.mydomain.com/privkey.pem</a>; # managed by Certbot<br></font><span style="font-family:"courier new",monospace"> </span><font face="courier new, monospace">include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot<br></font><span style="font-family:"courier new",monospace"> </span><font face="courier new, monospace">ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot<br></font><span style="font-family:"courier new",monospace"> </span> <font face="courier new, monospace">}</font><br> <br>Note than the last 6 lines are managed by Certbot. After activating the Cerbot certificate, it is only necessary to add the "location /" section with the proxy_* parameters to Nginx configuration. This is the same approach used to implement RESTFul APIs using Node.js Express: you create a server listening on a specific port (localhost) and let Nginx work in front and handle SSL.<br><div><br></div><div>Regards,</div><div><br></div><div>Dioris Moreno</div><div>Libereco Systems</div><div><a href="http://libersys.io">libersys.io</a></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Aug 8, 2018 at 10:57 AM John Quick <<a href="mailto:john.quick@smartvox.co.uk">john.quick@smartvox.co.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Vlad,<br>
<br>
I now realise that the problem I'm having is that "default" is a reserved word in MySQL.<br>
When I tried to set the 'domain' field to the text "default", it actually sets it to blank because that is the default value for this column.<br>
😊<br>
<br>
John Quick<br>
Smartvox Limited<br>
Web: <a href="http://www.smartvox.co.uk" rel="noreferrer" target="_blank">www.smartvox.co.uk</a><br>
<br>
<br>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</blockquote></div></div>