Installing SSL on BigBlueButton and enabling video
In the previous post, BigBlueButton was installed on EC2. By default it accepts HTTP, but browsers such as Chrome only allow video and audio (camera/microphone) over HTTPS. However, since AWS load balancers cannot balance UDP, ACM cannot be used, so an SSL certificate has to be installed on the server directly.
Let's Encrypt is a free SSL certificate that is more than good enough, so let's use it to set up SSL and test video/audio.
Issuing an SSL certificate with the Let's Encrypt client
With the installation client for Ubuntu, SSL certificates can be issued and managed easily without entering any information on a website. Let's Encrypt certificates have a three-month lifetime, so if renewing them by hand each time is a chore, use the client. Clone the GitHub repository and run letsencrypt-auto --help; the required packages are installed automatically. (Very simple!)
root@ip-10-10-102-122:/opt# git clone https://github.com/letsencrypt/letsencrypt
Cloning into 'letsencrypt'...
remote: Enumerating objects: 81, done.
remote: Counting objects: 100% (81/81), done.
remote: Compressing objects: 100% (54/54), done.
remote: Total 65796 (delta 41), reused 54 (delta 27), pack-reused 65715
Receiving objects: 100% (65796/65796), 21.64 MiB | 6.68 MiB/s, done.
Resolving deltas: 100% (48120/48120), done.
Checking connectivity... done.
root@ip-10-10-102-122:/opt# cd letsencrypt
root@ip-10-10-102-122:/opt/letsencrypt# ./letsencrypt-auto --help
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Hit:1 http://ap-northeast-1.ec2.archive.ubuntu.com/ubuntu xenial InRelease
Get:2 http://ap-northeast-1.ec2.archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Get:3 http://ap-northeast-1.ec2.archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]
Get:4 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
Hit:5 http://ppa.launchpad.net/jonathonf/ffmpeg-4/ubuntu xenial InRelease
Hit:6 https://ubuntu.bigbluebutton.org/xenial-200 bigbluebutton-xenial InRelease
Hit:7 http://ppa.launchpad.net/rmescandon/yq/ubuntu xenial InRelease
Run letsencrypt-auto --help once more and this time the help text appears. The very useful --nginx option is there. (What a convenient world.) Let's install the certificate with this option.
※ The nginx option is used because bbb runs on nginx; in other setups the certificate can be issued and installed via the apache or manual options.
root@ip-10-10-102-122:/opt/letsencrypt# ./letsencrypt-auto --help
.
.
  renew           Renew all previously obtained certificates that are near expiry
  enhance         Add security enhancements to your existing configuration
  -d DOMAINS      Comma-separated list of domains to obtain a certificate for
  --apache        Use the Apache plugin for authentication & installation
  --standalone    Run a standalone webserver for authentication
  --nginx         Use the Nginx plugin for authentication & installation
  --webroot       Place files in a server's webroot folder for authentication
  --manual        Obtain certificates interactively, or using shell script
.
.
root@ip-10-10-102-122:/opt/letsencrypt# ./letsencrypt-auto certonly --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): gloriashield@m   # e-mail address to be contacted if a security issue arises or a renewal is needed
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:   # the service cannot be used without agreeing to the terms, so naturally A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:   # N
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: webrtc.mtlabs.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):   # the names are read from the nginx configuration; just enter the number
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for webrtc.mtlabs.org
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/webrtc.mtlabs.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/webrtc.mtlabs.org/privkey.pem
   Your cert will expire on 2019-08-20. To obtain a new or tweaked
   version of this certificate in the future, simply run letsencrypt-auto
   again. To non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Certificate issued, just like that. The generated certificate lives under /etc/letsencrypt/live/{domain}. See the README in that directory for a description of each file.
root@ip-10-10-102-122:/etc/letsencrypt/live/webrtc.mtlabs.org# ls -al
total 12
drwxr-xr-x 2 root root 4096 May 22 05:08 .
drwx------ 3 root root 4096 May 22 05:08 ..
lrwxrwxrwx 1 root root   45 May 22 05:08 cert.pem -> ../../archive/webrtc.mtlabs.org/cert1.pem
lrwxrwxrwx 1 root root   46 May 22 05:08 chain.pem -> ../../archive/webrtc.mtlabs.org/chain1.pem
lrwxrwxrwx 1 root root   50 May 22 05:08 fullchain.pem -> ../../archive/webrtc.mtlabs.org/fullchain1.pem
lrwxrwxrwx 1 root root   48 May 22 05:08 privkey.pem -> ../../archive/webrtc.mtlabs.org/privkey1.pem
-rw-r--r-- 1 root root  692 May 22 05:08 README
root@ip-10-10-102-122:/etc/letsencrypt/live/webrtc.mtlabs.org# cat README
This directory contains your keys and certificates.

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).

WARNING: DO NOT MOVE OR RENAME THESE FILES!
         Certbot expects these files to remain in this location in order
         to function properly!

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
Next, generate the Diffie-Hellman (DH) parameters that nginx will use for key exchange.
root@ip-10-10-102-122:/etc/letsencrypt/live/webrtc.api.mtlabs.org# openssl dhparam -out ./dhp-2048.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.
.
Modifying the NGINX configuration
Apply the issued SSL certificate to the server. Edit the bigbluebutton site configuration file in NGINX's sites-available folder.
server {
    server_name webrtc.mtlabs.org;

    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_certificate /etc/letsencrypt/live/webrtc.mtlabs.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/webrtc.mtlabs.org/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/letsencrypt/live/webrtc.mtlabs.org/dhp-2048.pem;
The nginx configuration is done. Check the configuration file for errors, then reload nginx.
root@ip-10-10-102-122:/etc/letsencrypt/live/webrtc.mtlabs.org# service nginx configtest
 * Testing nginx configuration                                        [ OK ]
root@ip-10-10-102-122:/etc/letsencrypt/live/webrtc.mtlabs.org# service nginx reload
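The server block above still enables TLS 1.0 and 1.1, keeps 3DES suites and explicitly excludes AES-256 (!AES256). The following script is an added example, not part of the original post: it audits a configuration fragment for exactly those settings and shows a hardened fragment beside it. The fragment contents are constructed copies; the certificate and dhparam paths are the ones from the post.

```shell
#!/bin/sh
# Audit an nginx TLS fragment for: legacy protocol versions, 3DES suites,
# an explicit "!AES256" exclusion and a missing ssl_dhparam.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_tls_config() {
    conf="$1"
    findings=0
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$conf")
    ciphers=$(grep '^[[:space:]]*ssl_ciphers' "$conf" || true)
    case " $protos " in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
            echo "weak: ssl_protocols enables legacy versions ($protos)"
            findings=$((findings + 1)) ;;
    esac
    case "$ciphers" in
        *3DES*) echo "weak: ssl_ciphers includes 3DES (64-bit block cipher)"; findings=$((findings + 1)) ;;
    esac
    case "$ciphers" in
        *'!AES256'*) echo "weak: ssl_ciphers excludes AES-256 (!AES256)"; findings=$((findings + 1)) ;;
    esac
    if ! grep -q '^[[:space:]]*ssl_dhparam' "$conf"; then
        echo "weak: no ssl_dhparam, nginx falls back to its default DH group"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

WEAK=$(mktemp); HARDENED=$(mktemp)
# Constructed copy of the TLS directives from the post's server block.
cat > "$WEAK" <<'EOF'
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/letsencrypt/live/webrtc.mtlabs.org/dhp-2048.pem;
EOF
# Hardened replacement: TLS 1.2 only (add TLSv1.3 once the host's nginx/OpenSSL
# support it), ECDHE AES-GCM suites with forward secrecy, no 3DES, AES-256 kept.
cat > "$HARDENED" <<'EOF'
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/letsencrypt/live/webrtc.mtlabs.org/dhp-2048.pem;
EOF
echo "== post's block ==";   audit_tls_config "$WEAK" || echo "result: needs hardening"
echo "== hardened block =="; audit_tls_config "$HARDENED" && echo "result: clean"
```

Run it against the real file with `audit_tls_config /etc/nginx/sites-available/bigbluebutton` before `service nginx configtest`; a clean audit does not replace configtest, which still checks the syntax.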
Adding a secure port to WS (WSS)
Now that an SSL certificate is installed, a port for WSS has to be configured. Open /opt/freeswitch/conf/sip_profiles/external.xml and add a wss-binding entry below ws-binding, with the port set to 7443.
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
<param name="tls-version" value="$${sip_tls_version}"/>
<param name="ws-binding" value=":5066"/>
<param name="wss-binding" value=":7443"/>
Then open port 7443 in the Security Group and change proxy_pass in /etc/bigbluebutton/nginx/sip.nginx to 7443 as well.
root@ip-10-10-102-122:/opt# vi /etc/bigbluebutton/nginx/sip.nginx
location /ws {
    proxy_pass https://10.10.102.122:7443;   # http > https, 5066 > 7443
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_read_timeout 6h;
    proxy_send_timeout 6h;
    client_body_timeout 6h;
    send_timeout 6h;
}
Switching sessions to HTTPS
nginx can now communicate over https. HTTPS must also be reflected in FreeSWITCH before all the required services can be used.
root@ip-10-10-102-122:/opt# vi /var/lib/tomcat7/webapps/bigbluebutton/WEB-INF/classes/bigbluebutton.properties
.
.
bigbluebutton.web.serverURL=   # http://.. > https://..
.
.
root@ip-10-10-102-122:/opt# vi /usr/share/red5/webapps/screenshare/WEB-INF/screenshare.properties
.
.
jnlpUrl=    # http://.. > https://..
jnlpFile=   # http://.. > https://..
.
.
# config.xml contains many URLs, so change them all at once
root@ip-10-10-102-122:/opt# sed -e 's|http://|https://|g' -i /var/www/bigbluebutton/client/conf/config.xml
root@ip-10-10-102-122:/opt# vi /usr/local/bigbluebutton/core/scripts/bigbluebutton.yml
.
.
playback_protocol: http   # http > https
.
.
root@ip-10-10-102-122:/opt# vi /var/lib/tomcat7/webapps/demo/bbb_api_conf.jsp
.
.
String BigBlueButtonURL = http://.. > https://..
.
.
Once the edits are complete, restart the server.
root@ip-10-10-102-122:/opt# bbb-conf --restart
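As an added example that is not part of the original post, the following script performs the same HTTP to HTTPS switch on the keys named above, but scoped to each key rather than a blanket sed over the file, and then verifies that no plaintext URL is left behind. It runs on constructed copies of the four files in a temporary directory; the sample URL values are assumed, only the key names and file names come from the post.

```shell
#!/bin/sh
# Key-scoped HTTP -> HTTPS switch for the BigBlueButton settings edited above.
# Only the named key is rewritten, so unrelated URLs in the same file stay
# untouched, and a second run changes nothing. Sample contents are constructed.

# Rewrite "KEY = http://..." (also "KEY: ..." and quoted values) to https. $1 file, $2 key
switch_key_to_https() {
    sed "s|^\([[:space:]]*$2[[:space:]]*[=:][[:space:]]*\"\{0,1\}\)http://|\1https://|" "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# playback_protocol in bigbluebutton.yml is a bare scheme name, not a URL.
switch_playback_protocol() {
    sed 's|^\([[:space:]]*playback_protocol:[[:space:]]*\)http[[:space:]]*$|\1https|' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print every line that still carries a plaintext scheme; return 0 only when clean.
verify_https() {
    leftovers=$(grep -Hn -e 'http://' -e 'playback_protocol:[[:space:]]*http[[:space:]]*$' "$@" || true)
    [ -z "$leftovers" ] && return 0
    printf '%s\n' "$leftovers"
    return 1
}

WORK=$(mktemp -d)   # constructed copies of the files from the post
cat > "$WORK/bigbluebutton.properties" <<'EOF'
bigbluebutton.web.serverURL=http://webrtc.mtlabs.org
EOF
cat > "$WORK/screenshare.properties" <<'EOF'
jnlpUrl=http://webrtc.mtlabs.org/screenshare/screenshare.jnlp
jnlpFile=http://webrtc.mtlabs.org/screenshare/screenshare.jnlp
EOF
cat > "$WORK/bigbluebutton.yml" <<'EOF'
playback_protocol: http
EOF
cat > "$WORK/bbb_api_conf.jsp" <<'EOF'
String BigBlueButtonURL = "http://webrtc.mtlabs.org/bigbluebutton/";
EOF

verify_https "$WORK"/* || echo "-> plaintext URLs present before the switch (expected)"
switch_key_to_https "$WORK/bigbluebutton.properties" 'bigbluebutton.web.serverURL'
switch_key_to_https "$WORK/screenshare.properties"   'jnlpUrl'
switch_key_to_https "$WORK/screenshare.properties"   'jnlpFile'
switch_key_to_https "$WORK/bbb_api_conf.jsp"         'String BigBlueButtonURL'
switch_playback_protocol "$WORK/bigbluebutton.yml"
verify_https "$WORK"/* && echo "-> every configured URL now uses https"
```

On the live host, point the functions at the real paths listed above and run `verify_https` on all of them (config.xml included) before `bbb-conf --restart`, so a missed URL is caught before the browser reports mixed content.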
Verifying HTTPS and testing video
If all of the configuration succeeded, video and audio can now be used.