aheh/PrivyDrop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix:Change the turns port used in WebRTC to 443

Browse Source 
nginx(website on server) listens on port 4443 and then forwards to the frontend and backend.
nginx main configuration adds a stream block to uniformly listen on port 443, then forwards based on domain to coturn(5349) and website(4443).
The TURN port used in WebRTC is changed to 443.
The deployment document adds a script action to delete extra configurations generated by certbot.
This commit is contained in:
david_bai
2025-07-23 23:07:59 +08:00
parent 7e055643c5
commit 7950aec063
7 changed files with 339 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/docker/Nginx/configure.sh
+1 -1
View File
@@ -89,7 +89,7 @@ configure_nginx() {
# Execute configuration
configure_nginx
cp docker/Nginx/nginx.conf /etc/nginx
cp backend/docker/Nginx/nginx.conf /etc/nginx
echo "Nginx base configuration generated successfully at /etc/nginx/sites-available/default."
echo "The script no longer restarts Nginx automatically."
backend/docker/Nginx/default
+26 -14
View File
@@ -1,14 +1,14 @@
server {
# Redirect HTTP to HTTPS
listen 80;
server_name YourDomain www.YourDomain;
return 301 https://$server_name$request_uri;
server { # Redirect HTTP to HTTPS
listen 80;
server_name YourDomain www.YourDomain;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2; # Listen on TCP port 443, supporting HTTP/2 and SSL
listen 443 quic reuseport; # Listen on UDP port 443 for QUIC and HTTP/3
# 'reuseport' allows multiple worker processes to share the same port, recommended for QUIC
# No longer listening on public 443/TCP, change to listening on internal port
listen 127.0.0.1:4443 ssl http2; # Listen on TCP port 443, supporting HTTP/2 and SSL
# QUIC/HTTP3 continues to listen on public UDP 443
listen 443 quic reuseport; # Listen on UDP port 443 for QUIC and HTTP/3 # 'reuseport' allows multiple worker processes to share the same port, recommended for QUIC
# Ensure that the SSL protocol includes at least TLSv1.3, as HTTP/3 requires TLSv1.3
ssl_protocols TLSv1.3 TLSv1.2; # Make sure TLSv1.3 is at the front
@@ -24,12 +24,12 @@ server {
ssl_early_data on;
server_name YourDomain www.YourDomain;
# SSL Configuration (using placeholder certs for Certbot)
# Certbot will find this block and replace these with the real certificates.
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
# SSL Optimization
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
@@ -41,7 +41,7 @@ server {
# HSTS (Enable with caution)
# add_header Strict-Transport-Security "max-age=63072000" always;
# Define the root path of the frontend build artifacts inside the container
# !!! Important: Please modify this path to the actual path of your frontend project build inside the Nginx container !!!
set $frontend_build_root path/to/PrivyDrop/frontend;
@@ -64,7 +64,7 @@ server {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# CORS Configuration
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
@@ -90,7 +90,7 @@ server {
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
add_header Access-Control-Allow-Credentials "true" always;
}
# Next.js Image Optimization Service (usually handled by the Next.js application)
location /_next/image {
@@ -123,4 +123,16 @@ server {
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
}
server { # Add a server block for Certbot to install certificates for turn.privydrop.app
listen 80;
server_name turn.privydrop.app;
# Only process Let's Encrypt validation requests
location /.well-known/acme-challenge/ {
root /var/www/html;
}
}
backend/docker/Nginx/del_redundant_cfg.sh
+144
View File
@@ -0,0 +1,144 @@
#!/bin/bash
# --- Configuration ---
NGINX_CONF_FILE="/etc/nginx/sites-enabled/default"
# Define the new configuration block to be added
read -r -d '' NEW_BLOCK <<'EOF'
# Configuration for turn.privydrop.app - used only for Certbot renewal
server {
listen 80;
listen [::]:80;
server_name turn.privydrop.app;
# Handle only Let's Encrypt ACME challenge requests
location /.well-known/acme-challenge/ {
root /var/www/html;
}
# Return 404 for all other requests
location / {
return 404;
}
}
EOF
# --- Main function ---
main() {
echo "▶️ Starting Nginx configuration check..."
# Check for root privileges
if [[ $EUID -ne 0 ]]; then
echo "❌ Error: This script must be run as root"
exit 1
fi
# Check if config file exists
if [ ! -f "$NGINX_CONF_FILE" ]; then
echo "❌ Error: Configuration file not found: $NGINX_CONF_FILE"
exit 1
fi
# Create a temporary backup
TEMP_FILE=$(mktemp)
cp "$NGINX_CONF_FILE" "$TEMP_FILE"
echo "🔐 Backup created at: $TEMP_FILE"
# Use Python to count and optionally remove the last two server blocks
ACTION=$(python3 -c "
import re
# Read the file
try:
with open('$NGINX_CONF_FILE', 'r') as f:
lines = f.readlines()
except Exception as e:
print('ERROR: Unable to read config file')
exit(1)
# Find all server block start and end positions
server_blocks = []
i = 0
while i < len(lines):
if re.match(r'^\s*server\s*\{', lines[i]):
start = i
brace_count = 1
j = i + 1
while j < len(lines) and brace_count > 0:
brace_count += lines[j].count('{') - lines[j].count('}')
j += 1
server_blocks.append((start, j-1))
i = j
else:
i += 1
num_blocks = len(server_blocks)
print(f'🔍 Found {num_blocks} server blocks')
if num_blocks >= 4:
print('✅ Condition met (≥4 blocks), preparing to remove last two and add new config')
print('ACTION: MODIFY')
# Keep up to the third-to-last block end, or before last two if only 4
if num_blocks > 2:
keep_until = server_blocks[-3][1] + 1
else:
keep_until = server_blocks[-2][0]
result_lines = lines[:keep_until]
# Remove trailing empty lines
while result_lines and result_lines[-1].strip() == '':
result_lines.pop()
# Ensure ends with newline
if result_lines and not result_lines[-1].endswith('\n'):
result_lines[-1] += '\n'
# Write modified content back
with open('$NGINX_CONF_FILE', 'w') as f:
f.writelines(result_lines)
else:
print('️ Less than 4 server blocks found. No changes will be made.')
print('ACTION: SKIP')
")
# Extract action decision from Python script output
ACTION=$(echo "$ACTION" | grep '^ACTION:' | cut -d' ' -f2 | tr -d '\r')
# Show number of blocks
echo "$ACTION" | grep -o 'Found [0-9]* server blocks' | head -1
if [[ "$ACTION" == "SKIP" ]]; then
echo "⏭️ Skipping modification and new configuration addition."
rm "$TEMP_FILE"
exit 0
fi
# Append the new configuration block
echo "✍️ Adding new configuration block for turn.privydrop.app..."
echo "$NEW_BLOCK" >> "$NGINX_CONF_FILE"
# Test the Nginx configuration
echo "🔍 Testing Nginx configuration..."
if nginx -t 2>/dev/null; then
echo "✅ Configuration test successful!"
echo "🚀 Apply changes with:"
echo " sudo systemctl reload nginx"
echo ""
rm "$TEMP_FILE"
else
echo "❌ Configuration test failed. Showing details:"
nginx -t
echo ""
echo "🔄 Restoring from backup..."
cp "$TEMP_FILE" "$NGINX_CONF_FILE"
echo "✅ Original configuration restored"
rm "$TEMP_FILE"
exit 1
fi
}
# Run main function with all arguments
main "$@"
backend/docker/Nginx/nginx.conf
+32
View File
@@ -11,6 +11,38 @@ events {
# multi_accept on;
}
stream {
# Define backend services
upstream turns_backend {
# Coturn's TURNS service, listening on local port 5349
server 127.0.0.1:5349;
}
upstream website_backend {
# Your website is now listening on the internal HTTPS port
server 127.0.0.1:4443;
}
# Use SNI hostname to determine traffic destination
map $ssl_preread_server_name $backend {
turn.privydrop.app turns_backend; # If accessing the turn subdomain, hand it over to Coturn
default website_backend; # All other domains are handed over to the website
}
# Listening for all TCP traffic on port 443
server {
listen 443;
listen [::]:443;
# Enable SSL pre-read feature to obtain SNI hostname
ssl_preread on;
# Proxy traffic to the corresponding backend based on map results
proxy_pass $backend;
proxy_timeout 1d; # Suggest setting a longer timeout for TURN
proxy_connect_timeout 5s;
}
}
http {
##
docs/DEPLOYMENT.md
+68 -48
View File
@@ -56,16 +56,19 @@ sudo apt install coturn
2. **Firewall Configuration:**
Open the necessary ports on your server's firewall (e.g., using `ufw`):
- TCP & UDP `3478`: For STUN and TURN.
- TCP & UDP `5349`: For TURNS (TURN over TLS/DTLS).
- UDP `49152-65535`: Coturn's default relay port range.
```bash
sudo ufw allow 3478
sudo ufw allow 5349
sudo ufw allow 49152:65535/udp
sudo ufw reload # or ufw enable
```
**Engineer's Note**: Detailed production configuration for Coturn (like SSL certificates, username, password, etc.) will be handled in `Section 4: Application Deployment` alongside Nginx and the main application to ensure a streamlined and unified process.
- TCP & UDP `3478`: For STUN and TURN.
- TCP & UDP `5349`: For TURNS (TURN over TLS/DTLS).
- UDP `49152-65535`: Coturn's default relay port range.
```bash
sudo ufw allow 3478
sudo ufw allow 5349
sudo ufw allow 49152:65535/udp
sudo ufw reload # or ufw enable
```
**Engineer's Note**: Detailed production configuration for Coturn (like SSL certificates, username, password, etc.) will be handled in `Section 4: Application Deployment` alongside Nginx and the main application to ensure a streamlined and unified process.
## 4. Application Deployment (Production)
@@ -100,19 +103,21 @@ In production, Nginx will act as the entry point for all traffic, handling SSL t
1. **Prepare Production Environment Variables for Backend and Frontend**
Before deployment, ensure the production environment files for both backend and frontend are ready. You will need to copy them from the example files and modify them with your server's information.
- **Backend Configuration:**
```bash
# From the project root
cp backend/.env_production_example backend/.env.production
```
Then, edit `backend/.env.production`, configuring at least `CORS_ORIGIN` to your main domain (e.g., `https://privydrop.app`) and your `REDIS` details.
- **Backend Configuration:**
- **Frontend Configuration:**
```bash
# From the project root
cp frontend/.env_production_example frontend/.env.production
```
Then, edit `frontend/.env.production` to set `NEXT_PUBLIC_API_URL` to your backend service domain (e.g., `https://privydrop.app`).
```bash
# From the project root
cp backend/.env_production_example backend/.env.production
```
Then, edit `backend/.env.production`, configuring at least `CORS_ORIGIN` to your main domain (e.g., `https://privydrop.app`) and your `REDIS` details.
- **Frontend Configuration:**
```bash
# From the project root
cp frontend/.env_production_example frontend/.env.production
```
Then, edit `frontend/.env.production` to set `NEXT_PUBLIC_API_URL` to your backend service domain (e.g., `https://privydrop.app`).
2. **Install Nginx:** It's recommended to install a newer version that supports HTTP/3.
@@ -121,16 +126,17 @@ In production, Nginx will act as the entry point for all traffic, handling SSL t
4. **Generate Base Nginx Configuration:**
The `backend/docker/Nginx/` directory provides a configuration script and template. This template uses a temporary "placeholder" certificate to ensure the Nginx configuration is valid before obtaining a real certificate.
- Now, edit the `backend/.env.production` file and add the `NGINX_*` related variables. **Do not include SSL certificate paths yet**. Example:
```
NGINX_SERVER_NAME=privydrop.app # Your main domain
NGINX_FRONTEND_ROOT=/path/to/your/PrivyDrop/frontend # Path to the frontend project root
```
- Execute the script to generate the Nginx configuration file:
```bash
# This script uses variables from your .env file to generate the Nginx config
sudo bash backend/docker/Nginx/configure.sh backend/.env.production
```
- Now, edit the `backend/.env.production` file and add the `NGINX_*` related variables. **Do not include SSL certificate paths yet**. Example:
```
NGINX_SERVER_NAME=privydrop.app # Your main domain
NGINX_FRONTEND_ROOT=/path/to/your/PrivyDrop/frontend # Path to the frontend project root
```
- Execute the script to generate the Nginx configuration file:
```bash
# This script uses variables from your .env file to generate the Nginx config
sudo bash backend/docker/Nginx/configure.sh backend/.env.production
```
### 4.4. Use Certbot to Install a Unified SSL Certificate
With the base Nginx configuration in place, we can now use Certbot to obtain and install a real SSL certificate. We will request a single, unified certificate for all our services (main domain, www, and TURN) and let Certbot automatically update our Nginx configuration.
@@ -142,9 +148,10 @@ With the base Nginx configuration in place, we can now use Certbot to obtain and
```
2. **Run Certbot to Request the Certificate:**
- This command automatically detects your Nginx configuration.
- The `-d` flag specifies all domains to be included in the certificate. Ensure your domains' DNS records correctly point to your server's IP.
- The `--deploy-hook` is a crucial parameter: it will automatically restart the Coturn service after a successful certificate renewal, applying the new certificate. This enables fully automated certificate maintenance.
- This command automatically detects your Nginx configuration.
- The `-d` flag specifies all domains to be included in the certificate. Ensure your domains' DNS records correctly point to your server's IP.
- The `--deploy-hook` is a crucial parameter: it will automatically restart the Coturn service after a successful certificate renewal, applying the new certificate. This enables fully automated certificate maintenance.
```bash
# Replace privydrop.app with your main domain
@@ -154,16 +161,26 @@ With the base Nginx configuration in place, we can now use Certbot to obtain and
-d turn.privydrop.app \
--deploy-hook "sudo systemctl restart coturn"
```
Follow the on-screen prompts from Certbot (e.g., enter your email, agree to the ToS). Once complete, Certbot will automatically modify your Nginx configuration to enable HTTPS and reload the Nginx service.
3. **Verification and Troubleshooting (Important):**
3. **Remove the redundant configuration generated by Certbot:**
```bash
sudo bash backend/docker/Nginx/del_redundant_cfg.sh
```
4. **Verification and Troubleshooting (Important):**
First, verify that the certificate path in your Nginx configuration has been updated automatically.
```bash
sudo grep ssl_certificate /etc/nginx/sites-available/default
```
You should see a path pointing to `/etc/letsencrypt/live/privydrop.app/`.
If, after running `certbot --nginx`, the path still points to the old placeholder, run the following command to force the certificate installation:
```bash
sudo certbot install --cert-name privydrop.app -d privydrop.app -d www.privydrop.app -d turn.privydrop.app
# Then, reload Nginx to apply the changes
@@ -176,6 +193,7 @@ With the unified SSL certificate obtained, we can now complete the production co
1. **Configure Environment Variables**:
Open your `backend/.env.production` file and configure all `TURN_*` related variables.
```ini
# .env.production
@@ -215,19 +233,21 @@ With the unified SSL certificate obtained, we can now complete the production co
sudo bash ./docker/TURN/configure.sh backend/.env.production
```
4. **Check Service Status and Test Online**:
- Check the service status:
```bash
sudo systemctl status coturn
# Also, check the logs to ensure there are no permission errors
# sudo journalctl -u coturn -f
```
- **Online Test (Recommended)**:
Once the service is running, use an online tool like the [Metered TURN Server Tester](https://www.metered.ca/turn-server-testing) to verify that your TURNS service is working correctly:
- **TURNS URL**: `turns:turn.privydrop.app:5349` (replace with your domain)
- **Username**: `The username you set in your .env file`
- **Password**: `The password you set in your .env file`
If all checkpoints show a green "Success" or "Reachable", your TURN server is configured successfully.
- Check the service status:
```bash
sudo systemctl status coturn
# Also, check the logs to ensure there are no permission errors
# sudo journalctl -u coturn -f
```
- **Online Test (Recommended)**:
Once the service is running, use an online tool like the [Metered TURN Server Tester](https://www.metered.ca/turn-server-testing) to verify that your TURNS service is working correctly:
- **TURNS URL**: `turn:turn.privydrop.app:3478` (replace with your domain)
- **Username**: `The username you set in your .env file`
- **Password**: `The password you set in your .env file`
If all checkpoints show a green "Success" or "Reachable", your TURN server is configured successfully.
### 4.6. Run the Application with PM2
docs/DEPLOYMENT.zh-CN.md
+67 -47
View File
@@ -56,15 +56,18 @@ sudo apt install coturn
2. **防火墙配置:**
在服务器的防火墙上打开必要的端口 (例如,使用 `ufw`)
- TCP & UDP `3478`: 用于 STUN 和 TURN。
- TCP & UDP `5349`: 用于 TURNS (TURN over TLS/DTLS)
- UDP `49152-65535`: Coturn 的默认中继端口范围
- TCP & UDP `3478`: 用于 STUN 和 TURN
- TCP & UDP `5349`: 用于 TURNS (TURN over TLS/DTLS)
- UDP `49152-65535`: Coturn 的默认中继端口范围。
```bash
sudo ufw allow 3478
sudo ufw allow 5349
sudo ufw allow 49152:65535/udp
sudo ufw reload # 或 ufw enable
sudo ufw allow 3478
sudo ufw allow 5349
sudo ufw allow 49152:65535/udp
sudo ufw reload # 或 ufw enable
```
**工程师提示**:关于 Coturn 在生产环境中的详细配置(如 SSL 证书、用户名、密码等),将在 `第 4 节:应用部署` 中与 Nginx 和主应用一同进行,以确保流程的统一和简化。
## 4. 应用部署 (生产环境)
@@ -100,19 +103,21 @@ cd backend && npm run build && cd ..
1. **为后端和前端准备生产环境变量**
在部署之前,请确保后端和前端的生产环境变量文件已准备就绪。您需要从示例文件复制并根据您的服务器信息进行修改。
- **后端配置:**
```bash
# 位于项目根目录
cp backend/.env_production_example backend/.env.production
```
然后编辑 `backend/.env.production`,至少配置 `CORS_ORIGIN` 为您的主域名 (例如 `https://privydrop.app`) 以及 `REDIS` 相关信息。
- **后端配置:**
- **前端配置:**
```bash
# 位于项目根目录
cp frontend/.env_production_example frontend/.env.production
```
然后编辑 `frontend/.env.production`,配置 `NEXT_PUBLIC_API_URL` 为您的后端服务域名 (例如 `https://privydrop.app`)。
```bash
# 位于项目根目录
cp backend/.env_production_example backend/.env.production
```
然后编辑 `backend/.env.production`至少配置 `CORS_ORIGIN` 为您的域名 (例如 `https://privydrop.app`) 以及 `REDIS` 相关信息
- **前端配置:**
```bash
# 位于项目根目录
cp frontend/.env_production_example frontend/.env.production
```
然后编辑 `frontend/.env.production`,配置 `NEXT_PUBLIC_API_URL` 为您的后端服务域名 (例如 `https://privydrop.app`)。
2. **安装 Nginx:** 推荐安装支持 HTTP/3 的较新版本。
@@ -121,16 +126,17 @@ cd backend && npm run build && cd ..
4. **生成 Nginx 基础配置:**
后端项目 `backend/docker/Nginx/` 目录中提供了配置脚本和模板。此模板使用一个临时的"占位符"证书,以确保 Nginx 配置在申请真实证书前是有效的。
- 现在,编辑 `backend/.env.production` 文件,添加 `NGINX_*` 相关变量。**无需 SSL 证书路径**。示例为:
```
NGINX_SERVER_NAME=privydrop.app # 你的主域名
NGINX_FRONTEND_ROOT=/path/to/your/PrivyDrop/frontend # 前端项目根目录
```
- 执行脚本生成 Nginx 配置文件:
```bash
# 此脚本会使用 .env 文件中的变量来生成 Nginx 配置文件
sudo bash backend/docker/Nginx/configure.sh backend/.env.production
```
- 现在,编辑 `backend/.env.production` 文件,添加 `NGINX_*` 相关变量。**无需 SSL 证书路径**。示例为:
```
NGINX_SERVER_NAME=privydrop.app # 你的主域名
NGINX_FRONTEND_ROOT=/path/to/your/PrivyDrop/frontend # 前端项目根目录
```
- 执行脚本生成 Nginx 配置文件:
```bash
# 此脚本会使用 .env 文件中的变量来生成 Nginx 配置文件
sudo bash backend/docker/Nginx/configure.sh backend/.env.production
```
### 4.4. 使用 Certbot 安装统一 SSL 证书
现在 Nginx 有了基础配置,我们可以使用 Certbot 来获取并安装真实的 SSL 证书。我们将为所有服务(主域名、www 和 TURN)申请一张统一的证书,并让 Certbot 自动更新 Nginx 配置。
@@ -142,9 +148,10 @@ cd backend && npm run build && cd ..
```
2. **运行 Certbot 申请证书:**
- 此命令会自动检测您的 Nginx 配置并为其安装证书。
- `-d` 参数指定所有需要包含在此证书中的域名。请确保您的域名 DNS 已正确解析到服务器 IP
- `--deploy-hook` 是一个关键参数:它会在证书成功续期后,自动重启 Coturn 服务,以加载新证书。这实现了完全自动化的证书维护
- 此命令会自动检测您的 Nginx 配置并为其安装证书
- `-d` 参数指定所有需要包含在此证书中的域名。请确保您的域名 DNS 已正确解析到服务器 IP
- `--deploy-hook` 是一个关键参数:它会在证书成功续期后,自动重启 Coturn 服务,以加载新证书。这实现了完全自动化的证书维护。
```bash
# 将 privydrop.app 替换为你的主域名
@@ -154,16 +161,26 @@ cd backend && npm run build && cd ..
-d turn.privydrop.app \
--deploy-hook "sudo systemctl restart coturn"
```
按照 Certbot 的提示操作(例如输入邮箱、同意服务条款等)。
3. **验证与排错 (重要):**
3. **删除由 Certbot 产生的多余配置:**
```bash
sudo bash backend/docker/Nginx/del_redundant_cfg.sh
```
4. **验证与排错 (重要):**
首先,验证 Nginx 配置文件中的证书路径是否已自动更新。
```bash
sudo grep ssl_certificate /etc/nginx/sites-available/default
```
正常情况下,您应该能看到指向 `/etc/letsencrypt/live/privydrop.app/` 的路径。
如果 `certbot --nginx` 执行后,上述路径依然是旧的占位符路径,请运行以下命令强制更新证书:
```bash
sudo certbot install --cert-name privydrop.app -d privydrop.app -d www.privydrop.app -d turn.privydrop.app
# 然后重载 Nginx 使之生效
@@ -176,6 +193,7 @@ cd backend && npm run build && cd ..
1. **配置环境变量**:
打开后端的 `.env.production` 文件,配置所有 `TURN_*` 相关变量。
```ini
# .env.production
@@ -206,6 +224,7 @@ cd backend && npm run build && cd ..
sudo chown -R root:ssl-cert /etc/letsencrypt/
sudo chmod -R 750 /etc/letsencrypt/
```
3. **生成配置文件并启动服务**:
运行项目提供的脚本,它会根据 `.env.production` 文件生成 `/etc/turnserver.conf` 并重启 Coturn。
```bash
@@ -213,19 +232,21 @@ cd backend && npm run build && cd ..
sudo bash backend/docker/TURN/configure.sh backend/.env.production
```
4. **检查服务状态与在线测试**:
- 检查服务状态:
```bash
sudo systemctl status coturn
# 同时检查日志确保没有权限错误
# sudo journalctl -u coturn -f
```
- **在线测试 (推荐)**:
服务启动后,使用在线工具,如 [Metered TURN Server Tester](https://www.metered.ca/turn-server-testing),验证 TURNS 服务是否正常工作:
- **TURNS URL**: `turns:turn.privydrop.app:5349` (将域名替换为你的)
- **Username**: `你在 .env 中设置的用户名`
- **Password**: `你在 .env 中设置的密码`
如果所有检查点都显示绿色 "Success" 或 "Reachable",则表示您的 TURN 服务器已成功配置。
- 检查服务状态:
```bash
sudo systemctl status coturn
# 同时检查日志确保没有权限错误
# sudo journalctl -u coturn -f
```
- **在线测试 (推荐)**:
服务启动后,使用在线工具,如 [Metered TURN Server Tester](https://www.metered.ca/turn-server-testing),验证 TURNS 服务是否正常工作:
- **TURNS URL**: `turn:turn.privydrop.app:3478` (将域名替换为你的)
- **Username**: `你在 .env 中设置的用户名`
- **Password**: `你在 .env 中设置的密码`
如果所有检查点都显示绿色 "Success" 或 "Reachable",则表示您的 TURN 服务器已成功配置。
### 4.6. 使用 PM2 运行应用
@@ -270,8 +291,7 @@ PM2 是一个强大的 Node.js 进程管理器,我们将用它来分别运行
- **连接问题:** 检查防火墙、Nginx 代理设置、CORS_ORIGIN 配置,确保所有 PM2 进程都在运行。
- **Nginx 错误:** `sudo nginx -t` 检查语法,查看 `/var/log/nginx/error.log`。
- **PM2 问题:** `pm2 logs <app_name>` 查看应用日志。
- **证书权限 (生产环境)** 如果 Coturn 或 Nginx 无法读取 SSL 证书,请仔细检查 `第 4.5 节` 中的文件权限和用户/组设置。
- **证书权限 (生产环境)** 如果 Coturn 或 Nginx 无法读取 SSL 证书,请仔细检查 `第 4.5 节` 中的文件权限和用户/组设置。
## 7. 安全与维护
frontend/app/config/environment.ts
+1 -1
View File
@@ -21,7 +21,7 @@ export const getIceServers = () => {
// Add self-hosted TURN/STUN server if configured through environment variables
if (config.TURN_HOST && config.TURN_USERNAME && config.TURN_CREDENTIAL) {
const turnUrls = config.USE_HTTPS
? [`turns:${config.TURN_HOST}:5349`, `turn:${config.TURN_HOST}:3478`]
? [`turns:${config.TURN_HOST}:443`, `turn:${config.TURN_HOST}:3478`]
: [`turn:${config.TURN_HOST}:3478`];
// Add STUN from the self-hosted server