fix:Change the turns port used in WebRTC to 443

nginx(website on server) listens on port 4443 and then forwards to the frontend and backend.
nginx main configuration adds a stream block to uniformly listen on port 443, then forwards based on domain to coturn(5349) and website(4443).
The TURN port used in WebRTC is changed to 443.
The deployment document adds a script action to delete extra configurations generated by certbot.

backend/docker/Nginx/configure.sh

@@ -89,7 +89,7 @@ configure_nginx() {
 
 # Execute configuration
 configure_nginx
-cp docker/Nginx/nginx.conf /etc/nginx
+cp backend/docker/Nginx/nginx.conf /etc/nginx
 
 echo "Nginx base configuration generated successfully at /etc/nginx/sites-available/default."
 echo "The script no longer restarts Nginx automatically."

backend/docker/Nginx/default

@@ -1,14 +1,14 @@
-server {
-    # Redirect HTTP to HTTPS
-    listen 80;
-    server_name YourDomain www.YourDomain;
-    return 301 https://$server_name$request_uri;
+server { # Redirect HTTP to HTTPS
+listen 80;
+server_name YourDomain www.YourDomain;
+return 301 https://$server_name$request_uri;
 }
 
 server {
-    listen 443 ssl http2;      # Listen on TCP port 443, supporting HTTP/2 and SSL
-    listen 443 quic reuseport; # Listen on UDP port 443 for QUIC and HTTP/3
-    # 'reuseport' allows multiple worker processes to share the same port, recommended for QUIC
+# No longer listening on public 443/TCP, change to listening on internal port
+listen 127.0.0.1:4443 ssl http2; # Listen on TCP port 443, supporting HTTP/2 and SSL
+# QUIC/HTTP3 continues to listen on public UDP 443
+listen 443 quic reuseport; # Listen on UDP port 443 for QUIC and HTTP/3 # 'reuseport' allows multiple worker processes to share the same port, recommended for QUIC
 
     # Ensure that the SSL protocol includes at least TLSv1.3, as HTTP/3 requires TLSv1.3
     ssl_protocols TLSv1.3 TLSv1.2; # Make sure TLSv1.3 is at the front
@@ -24,12 +24,12 @@ server {
     ssl_early_data on;
 
     server_name YourDomain www.YourDomain;
-    
+
     # SSL Configuration (using placeholder certs for Certbot)
     # Certbot will find this block and replace these with the real certificates.
     ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
     ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
-    
+
     # SSL Optimization
     ssl_session_timeout 1d;
     ssl_session_cache shared:SSL:50m;
@@ -41,7 +41,7 @@ server {
 
     # HSTS (Enable with caution)
     # add_header Strict-Transport-Security "max-age=63072000" always;
-    
+
     # Define the root path of the frontend build artifacts inside the container
     # !!! Important: Please modify this path to the actual path of your frontend project build inside the Nginx container !!!
     set $frontend_build_root path/to/PrivyDrop/frontend;
@@ -64,7 +64,7 @@ server {
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
-        
+
         # CORS Configuration
         add_header 'Access-Control-Allow-Origin' '*' always;
         add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
@@ -90,7 +90,7 @@ server {
         add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
         add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
         add_header Access-Control-Allow-Credentials "true" always;
-        
+
     }
     # Next.js Image Optimization Service (usually handled by the Next.js application)
     location /_next/image {
@@ -123,4 +123,16 @@ server {
         proxy_set_header Host $host;
         proxy_cache_bypass $http_upgrade;
     }
-}
+
+}
+
+server { # Add a server block for Certbot to install certificates for turn.privydrop.app
+listen 80;
+server_name turn.privydrop.app;
+
+    # Only process Let's Encrypt validation requests
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+
+}

backend/docker/Nginx/del_redundant_cfg.sh

@@ -0,0 +1,144 @@
+#!/bin/bash
+
+# --- Configuration ---
+NGINX_CONF_FILE="/etc/nginx/sites-enabled/default"
+
+# Define the new configuration block to be added
+read -r -d '' NEW_BLOCK <<'EOF'
+
+# Configuration for turn.privydrop.app - used only for Certbot renewal
+server {
+    listen 80;
+    listen [::]:80;
+    server_name turn.privydrop.app;
+
+    # Handle only Let's Encrypt ACME challenge requests
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+
+    # Return 404 for all other requests
+    location / {
+        return 404;
+    }
+}
+EOF
+
+# --- Main function ---
+main() {
+    echo "▶️ Starting Nginx configuration check..."
+
+    # Check for root privileges
+    if [[ $EUID -ne 0 ]]; then
+        echo "❌ Error: This script must be run as root"
+        exit 1
+    fi
+
+    # Check if config file exists
+    if [ ! -f "$NGINX_CONF_FILE" ]; then
+        echo "❌ Error: Configuration file not found: $NGINX_CONF_FILE"
+        exit 1
+    fi
+
+    # Create a temporary backup
+    TEMP_FILE=$(mktemp)
+    cp "$NGINX_CONF_FILE" "$TEMP_FILE"
+    echo "🔐 Backup created at: $TEMP_FILE"
+
+    # Use Python to count and optionally remove the last two server blocks
+    ACTION=$(python3 -c "
+import re
+
+# Read the file
+try:
+    with open('$NGINX_CONF_FILE', 'r') as f:
+        lines = f.readlines()
+except Exception as e:
+    print('ERROR: Unable to read config file')
+    exit(1)
+
+# Find all server block start and end positions
+server_blocks = []
+i = 0
+while i < len(lines):
+    if re.match(r'^\s*server\s*\{', lines[i]):
+        start = i
+        brace_count = 1
+        j = i + 1
+        while j < len(lines) and brace_count > 0:
+            brace_count += lines[j].count('{') - lines[j].count('}')
+            j += 1
+        server_blocks.append((start, j-1))
+        i = j
+    else:
+        i += 1
+
+num_blocks = len(server_blocks)
+print(f'🔍 Found {num_blocks} server blocks')
+
+if num_blocks >= 4:
+    print('✅ Condition met (≥4 blocks), preparing to remove last two and add new config')
+    print('ACTION: MODIFY')
+    
+    # Keep up to the third-to-last block end, or before last two if only 4
+    if num_blocks > 2:
+        keep_until = server_blocks[-3][1] + 1
+    else:
+        keep_until = server_blocks[-2][0]
+    result_lines = lines[:keep_until]
+    
+    # Remove trailing empty lines
+    while result_lines and result_lines[-1].strip() == '':
+        result_lines.pop()
+    
+    # Ensure ends with newline
+    if result_lines and not result_lines[-1].endswith('\n'):
+        result_lines[-1] += '\n'
+
+    # Write modified content back
+    with open('$NGINX_CONF_FILE', 'w') as f:
+        f.writelines(result_lines)
+
+else:
+    print('ℹ️ Less than 4 server blocks found. No changes will be made.')
+    print('ACTION: SKIP')
+")
+
+    # Extract action decision from Python script output
+    ACTION=$(echo "$ACTION" | grep '^ACTION:' | cut -d' ' -f2 | tr -d '\r')
+
+    # Show number of blocks
+    echo "$ACTION" | grep -o 'Found [0-9]* server blocks' | head -1
+
+    if [[ "$ACTION" == "SKIP" ]]; then
+        echo "⏭️ Skipping modification and new configuration addition."
+        rm "$TEMP_FILE"
+        exit 0
+    fi
+
+    # Append the new configuration block
+    echo "✍️ Adding new configuration block for turn.privydrop.app..."
+    echo "$NEW_BLOCK" >> "$NGINX_CONF_FILE"
+
+    # Test the Nginx configuration
+    echo "🔍 Testing Nginx configuration..."
+    if nginx -t 2>/dev/null; then
+        echo "✅ Configuration test successful!"
+        echo "🚀 Apply changes with:"
+        echo "   sudo systemctl reload nginx"
+        echo ""
+        rm "$TEMP_FILE"
+    else
+        echo "❌ Configuration test failed. Showing details:"
+        nginx -t
+        echo ""
+        echo "🔄 Restoring from backup..."
+        cp "$TEMP_FILE" "$NGINX_CONF_FILE"
+        echo "✅ Original configuration restored"
+        rm "$TEMP_FILE"
+        exit 1
+    fi
+}
+
+# Run main function with all arguments
+main "$@"

backend/docker/Nginx/nginx.conf

@@ -11,6 +11,38 @@ events {
 	# multi_accept on;
 }
 
+stream {
+    # Define backend services
+    upstream turns_backend {
+        # Coturn's TURNS service, listening on local port 5349
+        server 127.0.0.1:5349;
+    }
+    upstream website_backend {
+        # Your website is now listening on the internal HTTPS port
+        server 127.0.0.1:4443;
+    }
+
+    # Use SNI hostname to determine traffic destination
+    map $ssl_preread_server_name $backend {
+        turn.privydrop.app    turns_backend;   # If accessing the turn subdomain, hand it over to Coturn
+        default               website_backend; # All other domains are handed over to the website
+    }
+
+    # Listening for all TCP traffic on port 443
+    server {
+        listen 443;
+        listen [::]:443;
+
+        # Enable SSL pre-read feature to obtain SNI hostname
+        ssl_preread on;
+
+        # Proxy traffic to the corresponding backend based on map results
+        proxy_pass $backend;
+        proxy_timeout 1d; # Suggest setting a longer timeout for TURN
+        proxy_connect_timeout 5s;
+    }
+}
+
 http {
 
 	##