david_bai
8590eda2c2
- New modes: lan-http, lan-tls (self-signed), public, full - Add flags: --no-sni443, --enable-web-https (lan-tls), --test-renewal - generate-config: lan-tls HTTPS on 8443 only when explicitly enabled; HSTS only in full; SNI 443 default in full - detect-environment: remove interactive prompt; adjust public description to 'HTTP + TURN' - deploy.sh: pass new flags, add certbot scheduler (systemd timer or cron fallback), add dry-run renewal test - Docs (EN/zh-CN): update quick start, modes overview, LAN TLS guidance, LE auto-issue/renew section
13 KiB
13 KiB
PrivyDrop Docker One-Click Deployment (Recommended)
This guide provides a one-click Docker deployment for PrivyDrop. It supports both private and public networks, automates config/build/start, and provisions HTTPS certificates.
🚀 Quick Start (Top)
# Private LAN (no domain/public IP)
bash ./deploy.sh --mode lan-http
# Private LAN + TURN (for complex NAT/LAN)
bash ./deploy.sh --mode lan-http --with-turn
# LAN HTTPS (self-signed; dev/managed env; explicitly enable 8443)
bash ./deploy.sh --mode lan-tls --enable-web-https --with-nginx
# Public IP without domain (with TURN)
bash ./deploy.sh --mode public --with-turn
# Public domain (HTTPS + Nginx + TURN + SNI 443, auto-issue/renew certs)
bash ./deploy.sh --mode full --domain your-domain.com --with-nginx --with-turn --le-email you@domain.com
- Requires Docker Compose v2 (command
docker compose). - In full mode, Let’s Encrypt (webroot) is auto-issued and auto-renewed (no downtime); SNI 443 multiplexing is enabled by default (
turn.your-domain.com→ coturn:5349; others → web:8443).
Modes Overview
- lan-http: Intranet HTTP; fastest to start; no TLS
- lan-tls: Intranet HTTPS (self-signed; dev/managed env); 8443 disabled by default; enable via
--enable-web-https; HSTS disabled; turns:443 not guaranteed - public: Public HTTP + TURN; works without a domain (no HTTPS/turns:443)
- full: Domain + HTTPS (Let’s Encrypt auto-issue/renew) + TURN; SNI 443 split enabled by default (use
--no-sni443to disable)
🎯 Deployment Advantages
Compared to traditional deployment methods, Docker deployment offers the following advantages:
| Comparison | Traditional Deployment | Docker Deployment |
|---|---|---|
| Deploy Time | 30-60 minutes | 5 minutes |
| Technical Requirements | Linux ops experience | Basic Docker knowledge |
| Environment Requirements | Public IP + Domain | Works on private networks |
| Configuration Complexity | 10+ manual steps | One-click auto configuration |
| Success Rate | ~70% | >95% |
| Maintenance Difficulty | Manual multi-service management | Automatic container management |
📋 System Requirements
Minimum Configuration
- CPU: 1 core
- Memory: 512MB
- Disk: 2GB available space
- Network: Any network environment (private/public)
Recommended Configuration
- CPU: 2+ cores
- Memory: 1GB+
- Disk: 5GB+ available space
- Network: 100Mbps+
Software Dependencies
- Docker 20.10+
- Docker Compose 2.x (command
docker compose) - curl (for health checks, optional)
- openssl (cert tools; the script auto-installs certbot)
🚀 Quick Start
1. Get the Code
# Clone the project
git clone https://github.com/david-bai00/PrivyDrop.git
cd PrivyDrop
2. One-Click Deployment
# Basic deployment (recommended for beginners)
bash deploy.sh
# After deployment completes, visit:
# http://localhost:3002
That's it! 🎉
📚 Deployment Modes
Basic Mode (Default)
Use Case: Private network file transfer, personal use, testing environment
bash deploy.sh
Features:
- ✅ HTTP access
- ✅ Private network P2P transfer
- ✅ Uses public STUN servers
- ✅ Zero configuration startup
Public Mode
Use Case: Servers with public IP but no domain
bash deploy.sh --mode public --with-turn
Features:
- ✅ HTTP access
- ✅ Built-in TURN server
- ✅ Supports complex network environments
- ✅ Automatic NAT traversal configuration
Full Mode (full)
Use Case: Production environment, public servers with domain
bash ./deploy.sh --mode full --domain your-domain.com --with-nginx --with-turn --le-email you@domain.com
Features:
- ✅ HTTPS secure access (Let’s Encrypt auto-issue/renew, zero downtime)
- ✅ Nginx reverse proxy
- ✅ Built-in TURN server (default port range 49152-49252/udp)
- ✅ SNI 443 multiplexing (turn. → coturn:5349; others → web:8443)
- ✅ Complete production setup
Tip: If your network uses carrier-grade NAT or proxy and is mis-detected as public, append
--mode privateto skip public-IP probing and force basic mode. When the detected LAN IP is not the one you expect, append--local-ip 192.168.x.xto override it explicitly.
🔧 Advanced Configuration
Custom Ports
# Modify .env file
FRONTEND_PORT=8080
BACKEND_PORT=8081
HTTP_PORT=8000
Build-Time Proxy (optional)
Set the following variables in .env (or export them before running deploy.sh) when the build needs to go through a proxy. The configuration generator now preserves these fields on subsequent runs.
HTTP_PROXY=http://your-proxy:7890
HTTPS_PROXY=http://your-proxy:7890
NO_PROXY=localhost,127.0.0.1,backend,frontend,redis,coturn
docker compose passes these values as build args; the Dockerfiles expose them as environment variables so npm/pnpm automatically reuse the proxy. Leave them blank if you don't need a proxy.
Common Flags
# Enable only Nginx reverse proxy
bash ./deploy.sh --with-nginx
# Enable TURN (recommended in public/full)
bash ./deploy.sh --with-turn
# Explicitly enable SNI 443 (auto-enabled in full+domain; use --no-sni443 to disable)
bash ./deploy.sh --with-sni443
# Adjust TURN port range (default 49152-49252/udp)
bash ./deploy.sh --mode full --with-turn --turn-port-range 55000-55100
🌐 Access Methods
Local Access
- Frontend App: http://localhost:3002
- API Interface: http://localhost:3001
- Health Check: http://localhost:3001/health
LAN Access
After deployment, the script automatically displays LAN access addresses:
🌐 LAN Access:
Frontend App: http://192.168.1.100:3002
Backend API: http://192.168.1.100:3001
HTTPS Access (full mode)
- Public HTTPS: https://your-domain.com
- Certificate Source: Let’s Encrypt (auto issue/renew via webroot)
- Runtime Location: Copied to
docker/ssl/and hot-reloaded
Notes:
- First-time issuance happens automatically after Nginx:80 is up; then 443 is enabled and hot-reloaded.
- Renewal is automated: a deploy-hook copies renewed certs to
docker/ssl/and reloads Nginx; coturn is HUP’ed/restarted for TLS as needed.
🔍 Management Commands
View Service Status
docker compose ps
View Service Logs
# View all service logs
docker compose logs -f
# View specific service logs
docker compose logs -f backend
docker compose logs -f frontend
docker compose logs -f redis
Restart Services
# Restart all services
docker compose restart
# Restart specific service
docker compose restart backend
Stop Services
# Stop services but keep data
docker compose stop
# Stop services and remove containers
docker compose down
Complete Cleanup
# Clean all containers, images and data
bash deploy.sh --clean
🛠️ Troubleshooting
Common Issues
1. Port Already in Use
Symptom: Deployment shows port occupation warning
⚠️ The following ports are already in use: 3002, 3001
Solution:
# First try cleaning previous containers
bash deploy.sh --clean # or docker compose down
# If the port is still occupied, locate the process
sudo ss -tulpn | grep :3002
sudo kill -9 <PID>
# Finally, adjust the exposed ports in .env if necessary
vim .env # Update FRONTEND_PORT / BACKEND_PORT
2. Insufficient Memory
Symptom: Containers fail to start or restart frequently
Solution:
# Check memory usage
free -h
# Add swap space (temporary solution)
sudo fallocate -l 1G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
3. Docker Permission Issues
Symptom: Permission denied errors
Solution:
# Add user to docker group
sudo usermod -aG docker $USER
# Re-login or refresh group permissions
newgrp docker
4. Service Inaccessible
Symptom: Browser cannot open pages
Solution:
# 1. Check service status
docker-compose ps
# 2. Check health status
curl http://localhost:3001/health
curl http://localhost:3002/api/health
# 3. View detailed logs
docker-compose logs -f
# 4. Check firewall
sudo ufw status
5. WebRTC Connection Failure
Symptom: Cannot establish P2P connections
Solution:
# Enable TURN server
bash deploy.sh --with-turn
# Check network connectivity
curl -I http://localhost:3001/api/get_room
Health Checks
The project provides comprehensive health check functionality:
# Run health check tests
bash test-health-apis.sh
# Manual service checks
curl http://localhost:3001/health # Backend basic check
curl http://localhost:3001/health/detailed # Backend detailed check
curl http://localhost:3002/api/health # Frontend check
Performance Monitoring
# View container resource usage
docker stats
# View disk usage
docker system df
# Clean unused resources
docker system prune -f
📊 Performance Optimization
Production Environment Optimization
- Enable Nginx Caching:
bash deploy.sh --with-nginx
- Configure Resource Limits:
# Add to docker-compose.yml
services:
backend:
deploy:
resources:
limits:
memory: 256M
reservations:
memory: 128M
- Enable Log Rotation:
# Configure log size limits
echo '{"log-driver":"json-file","log-opts":{"max-size":"10m","max-file":"3"}}' | sudo tee /etc/docker/daemon.json
sudo systemctl restart docker
Network Optimization
- Use Dedicated Network:
networks:
privydrop-network:
driver: bridge
ipam:
config:
- subnet: 172.20.0.0/16
- Enable HTTP/2:
# Auto-enabled (requires HTTPS)
bash deploy.sh --mode full --with-nginx
🔒 Security Configuration
LAN HTTPS (lan-tls, self-signed, dev/managed env)
- 8443 is disabled by default; explicitly enable with:
bash ./deploy.sh --mode lan-tls --enable-web-https --with-nginx
- For development or managed devices only (internal CA trusted fleet-wide); HSTS disabled;
turns:443not guaranteed. For restricted networks (443-only), use full (domain + trusted cert + SNI 443).
Public Domain Deployment (HTTPS + Nginx) — Quick Test
-
Point your domain A record to the server IP (optional: also
turn.<your-domain>to the same IP) -
Run:
./deploy.sh --mode full --domain <your-domain> --with-nginx --with-turn --le-email you@domain.com
-
Open ports:
80,443,3478/udp,5349/tcp,5349/udp -
Verify: visit
https://<your-domain>,/api/healthreturns 200; openchrome://webrtc-internalsand check forrelaycandidates (TURN)
SSL/TLS Automation (Let’s Encrypt)
In full mode, certificates are auto-issued and auto-renewed:
- Initial issuance: webroot (no downtime); system certs live under
/etc/letsencrypt/live/<domain>/; copied todocker/ssl/and 443 is enabled. - Renewal:
certbot.timeror/etc/cron.d/certbotruns daily; the deploy-hook copies new certs todocker/ssl/and hot-reloads Nginx/Coturn. - Lineage suffixes (-0001/-0002) are handled automatically.
Network Security
- Firewall Configuration:
# Ubuntu/Debian
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 3478/udp # TURN server
- Container Network Isolation:
- All services run in isolated networks
- Only necessary ports exposed
- Internal services communicate using container names
📈 Monitoring and Logging
Log Management
All service logs are centrally stored in the logs/ directory:
logs/
├── nginx/ # Nginx access and error logs
├── backend/ # Backend application logs
├── frontend/ # Frontend application logs
└── coturn/ # TURN server logs
🔄 Updates and Maintenance
Update Application
# Pull latest code
git pull origin main
# Redeploy
bash deploy.sh
Data Backup
# Backup Redis data
docker-compose exec redis redis-cli BGSAVE
# Backup SSL certificates
tar -czf ssl-backup.tar.gz docker/ssl/
# Backup configuration files
cp .env .env.backup
Regular Maintenance
# Clean unused images and containers
docker system prune -f
# Update base images
docker-compose pull
docker-compose up -d
🆘 Getting Help
Command Line Help
bash deploy.sh --help
Online Resources
Community Support
- GitHub Issues: Technical questions and bug reports