3. Configuration

The major difference between the traditional WebApp setup and the Web Meetings setup is that the front-end server providing TLS-secured HTTPS connectivity is the NGINX web server, because NGINX is needed to proxy the secure WebSocket connections used by the Web Meetings service. The Apache server that hosts WebApp therefore has to be configured to listen on a port other than 443. As an example we choose port 8000, bound to the loopback interface only, so that the plaintext Apache backend is never reachable from outside the host.

Important

On Web Meetings servers NGINX provides the frontend HTTPS connection.

3.1. Combined Setup of Web Meetings Components and WebApp on the same host

The suggested setup for single host KC systems is to combine WebApp and the Web Meeting components on the same server.

Note

Other setup variations are possible when multiple hosts are involved. Please contact Kopano Professional Services for more information.

3.1.1. Configuring Apache

Please configure Apache and WebApp as described in the KC Administrator Manual. In the following steps we configure Apache to listen on a different port. If you are modifying an existing system, also remove the SSL configuration from Apache: TLS is terminated by NGINX in this setup, and a second listener on port 443 would conflict with it.

3.1.1.1. Configuring Apache on Debian Wheezy (7.0) and Ubuntu

To configure Apache2 to listen on port 8000 on the loopback interface only, edit /etc/apache2/ports.conf so that it contains:

NameVirtualHost *:8000
Listen 127.0.0.1:8000

(If SSL was configured in Apache, disable it with a2dismod ssl, which removes /etc/apache2/mods-enabled/ssl.conf and ssl.load, and remove any Listen 443 line from ports.conf. On Apache 2.4, as shipped by recent Ubuntu releases, the NameVirtualHost directive is obsolete and only the Listen line is needed.)

Restart apache2:

service apache2 restart

3.1.1.2. Configuring Apache on CentOS 7.0

To configure httpd to listen on port 8000, edit /etc/httpd/conf/httpd.conf, locate the Listen setting and replace it with the following (CentOS 7 ships Apache 2.4, where NameVirtualHost has no effect and may be omitted):

NameVirtualHost *:8000
Listen 127.0.0.1:8000

(Deactivate SSL if it was previously configured in Apache, typically by removing or renaming /etc/httpd/conf.d/ssl.conf from the mod_ssl package.)

Restart httpd:

service httpd restart

3.1.2. Configuring NGINX

Please configure NGINX by adding a conf.d file for your server that passes /webapp requests to the Apache2 server on port 8000 and /webmeetings requests to the kopano-webmeetings (Spreed.WebRTC) server. Below is an example for the test server webapp.example.com. Please note that Chrome, Firefox and Iridium only remember a camera/microphone access grant when the connection is HTTPS; a plain HTTP setup requires granting access on every visit, and current browsers refuse camera/microphone access on insecure origins altogether. Here is the example /etc/nginx/conf.d/webapp_webmeetings_ssl.conf file; the map at the top provides the support for upgrading HTTP(S) connections to WebSocket. We assume for this setup that WebApp is reached under the /webapp/ URL path and Web Meetings under the /webmeetings/ URL path.

Please enter this configuration into the existing default.conf file, or remove default.conf so that it does not also claim port 443. For further information refer to http://nginx.org. Please note that the ssl_ciphers setting is a single line and must end with a semicolon:

# The WebSocket upgrade map belongs in the http context; it is placed before
# the server block that references $connection_upgrade.
map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
}

server {
        listen 212.234.234.234:443 ssl;
        server_name webapp.example.com;
        # "ssl on;" is not needed: the ssl parameter on listen already enables
        # TLS, and the directive is deprecated since nginx 1.15.0.
        ssl_certificate /etc/nginx/webapp.example.com.chained.crt;
        ssl_certificate_key /etc/nginx/webapp.example.com.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996); re-add them only for known
        # legacy clients. Append TLSv1.3 on nginx >= 1.13.0 built against OpenSSL 1.1.1.
        ssl_protocols TLSv1.2;
        # One line, terminated by a semicolon. Everything from AES256-GCM-SHA384
        # onwards admits RSA-key-exchange (non-forward-secret) and 3DES suites;
        # drop that tail once no legacy clients need it.
        ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256:AES128:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers on;
        #
        # ssl_dhparam requires you to create a dhparam.pem, which takes a long time
        #ssl_dhparam /etc/ssl/certs/dhparam.pem;
        #
        # Optional once everything on this host is served over HTTPS:
        #add_header Strict-Transport-Security "max-age=31536000" always;
        #
        # Backends are addressed as 127.0.0.1 rather than localhost: if localhost
        # also resolves to ::1, nginx round-robins over both addresses and every
        # other connect fails before proxy_next_upstream retries it.
        location /webmeetings {
                proxy_pass http://127.0.0.1:8090;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location /webapp {
                proxy_pass http://127.0.0.1:8000;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

# Proxy defaults shared by both locations (http context).
proxy_buffering on;
proxy_ignore_client_abort off;
proxy_redirect off;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;

Note

Note that when Z-Push connections are also proxied through this NGINX server, the proxy timeouts must be raised accordingly, for example: proxy_connect_timeout 3600; proxy_send_timeout 3600; proxy_read_timeout 3600;

Then optionally generate a dhparam.pem file, which the DHE cipher suites use (this is going to take a long time for 4096 bits; 2048 bits is the usual minimum):

cd /etc/ssl/certs && openssl dhparam -out dhparam.pem 4096

And then uncomment the following line in your configuration file:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Important

Do not forget to install the SSL certificate (with its chain) and the private key at the paths configured above, and keep the key file readable by root only (chmod 600).

Important

Make sure you have installed a version from the nginx repository with WebSocket support (1.3.13 or later, i.e. the 1.4 stable series or newer).

Important

Make sure that the port in the proxy_pass setting for location /webmeetings matches the port that kopano-webmeetings is listening on. See the following section about configuring kopano-webmeetings.

Test the configuration and restart NGINX (nginx -t catches a syntax error, such as a broken ssl_ciphers line, before the restart takes the listener down):

nginx -t && /etc/init.d/nginx restart

3.1.3. Configuring kopano-webmeetings

Please configure kopano-webmeetings (powered by Spreed.WebRTC) by editing its config file /etc/kopano/webmeetings.cfg. If you set up your installation according to our standard recommendation, the only changes you need to make are to assign your own secrets to sessionSecret, encryptionSecret and sharedsecret_secret. Please note that sessionSecret and encryptionSecret are hex-encoded and must decode to exactly 16, 24 or 32 bytes, which selects AES-128, AES-192 or AES-256.

Choose a free port if the default port in the listen setting (8090) is not available.

The relevant settings are listed below, please search for these config options in your config file and adapt appropriately.

The turnURIs and turnSecret options require a TURN server, either set up on this host or present on a different machine. For a local LAN setup you should be able to test without one, so the turnURIs parameter is optional. If you use the Kopano TURN service you do not need to set turnURIs and turnSecret (the Kopano TURN service is configured in the Kopano Web Meetings WebApp plugin).

Please edit the following items in webmeetings.cfg in addition to what is already there:

[http]
; HTTP listener in format ip:port.
listen = 127.0.0.1:8090
; Full path to directory where to find the server web assets.
root = /usr/share/kopano-webmeetings/www
...
; Use basePath if the server does not run on the root path (/) of your server.
basePath = /webmeetings
[app]
;turnURIs = turn:turnserver:port?transport=udp
;turnSecret = the-default-turn-shared-secret-do-not-keep
sessionSecret = the-default-secret-do-not-keep-me
plugin = /webapp/plugins/spreedwebrtc/php/AngularPluginWrapper.php
encryptionSecret = the-default-encryption-block-key
...
authorizeRoomJoin = true
authorizeRoomCreation = true
[users]
enabled = true
mode = sharedsecret
sharedsecret_secret = TopSecretReplaceAndEnterTheSameInTheWebAppPluginConfigPHP

Restart the kopano-webmeetings server:

service kopano-webmeetings restart

Important

Make sure the port configured in the listen property is available and not blocked by a different service. If you change the port in the listen property, you will also need to adapt it in the proxy_pass setting for location /webmeetings in the NGINX configuration.
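The port and loopback checks that the last few sections ask for by hand can be scripted. The following is an added example, not part of the Kopano manual or the kopano-webmeetings package: it reads the proxy_pass targets out of the NGINX conf.d file, the [http] listen value out of webmeetings.cfg and the Listen lines out of Apache's ports.conf, then reports any port mismatch, any backend that is not bound to loopback, and any leftover Apache listener on 443. The file names are the manual's defaults; the sample files written by write_samples are constructed for the demonstration and are not real configuration.

```shell
#!/bin/sh
# Added example, not part of the Kopano manual: cross-check that the listeners
# wired together in 3.1.1-3.1.3 agree with each other and that the plaintext
# backends stay on loopback. The file names are the manual's defaults; the
# sample files written by write_samples are constructed for this demonstration.

# Print "host:port" from the proxy_pass inside "location <prefix> { ... }".
nginx_upstream() {                   # $1 = nginx conf, $2 = location prefix
    awk -v loc="$2" '
        $1 == "location" && $2 == loc { inside = 1 }
        inside && $1 == "proxy_pass"  { sub(/;$/, "", $2); print $2; exit }
        inside && $1 == "}"           { inside = 0 }
    ' "$1" | sed -n 's#^https\{0,1\}://\([^/]*\).*#\1#p'
}

# Print the value of <key> inside [<section>] of an ini-style .cfg file.
ini_get() {                          # $1 = file, $2 = section, $3 = key
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { inside = 1; next }
        /^\[/     { inside = 0 }
        inside && $0 ~ ("^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }
    ' "$1"
}

# Print every Listen address from an Apache ports.conf or httpd.conf.
apache_listens() { awk '$1 == "Listen" { print $2 }' "$1"; }

port_of() { printf '%s\n' "${1##*:}"; }
host_of() { printf '%s\n' "${1%:*}"; }   # a bare "Listen 8000" yields "8000", i.e. all interfaces
is_loopback() { case "$1" in 127.0.0.1|localhost|\[::1\]) return 0 ;; *) return 1 ;; esac; }

# Return 0 when nginx, kopano-webmeetings and Apache agree; otherwise print
# each finding and return 1.
check_wiring() {                     # $1 = nginx conf, $2 = webmeetings.cfg, $3 = ports.conf
    local ok=0 found=0 wm_up wm_listen wa_up l
    wm_up=$(nginx_upstream "$1" /webmeetings)
    wm_listen=$(ini_get "$2" http listen)
    wa_up=$(nginx_upstream "$1" /webapp)

    [ "$(port_of "$wm_up")" = "$(port_of "$wm_listen")" ] ||
        { echo "MISMATCH: nginx proxies /webmeetings to $wm_up, but [http] listen = $wm_listen"; ok=1; }
    is_loopback "$(host_of "$wm_listen")" ||
        { echo "EXPOSED: kopano-webmeetings listens on $wm_listen instead of loopback"; ok=1; }

    for l in $(apache_listens "$3"); do
        [ "$(port_of "$l")" != 443 ] ||
            { echo "LEFTOVER: Apache still listens on $l; NGINX owns 443 in this setup"; ok=1; }
        if [ "$(port_of "$l")" = "$(port_of "$wa_up")" ]; then
            found=1
            is_loopback "$(host_of "$l")" ||
                { echo "EXPOSED: Apache backend $l is reachable off-host in plaintext"; ok=1; }
        fi
    done
    [ "$found" = 1 ] ||
        { echo "MISMATCH: nginx proxies /webapp to $wa_up, but Apache has no Listen on that port"; ok=1; }
    return "$ok"
}

# Constructed sample files mirroring the manual's configuration (not real hosts).
write_samples() {                    # $1 = directory
    cat > "$1/nginx.conf" <<'EOF'
server {
        listen 443 ssl;
        location /webmeetings {
                proxy_pass http://localhost:8090;
        }
        location /webapp {
                proxy_pass http://localhost:8000;
        }
}
EOF
    printf '[http]\n; HTTP listener in format ip:port.\nlisten = 127.0.0.1:8090\n[app]\n' > "$1/webmeetings.cfg"
    # Service moved to 8091 on all interfaces without touching nginx: the mismatch the manual warns about.
    sed 's/^listen = .*/listen = 0.0.0.0:8091/' "$1/webmeetings.cfg" > "$1/webmeetings-bad.cfg"
    printf 'Listen 127.0.0.1:8000\n' > "$1/ports.conf"
    printf 'Listen 8000\nListen 443\n' > "$1/ports-bad.conf"   # plaintext backend exposed, SSL listener left over
}

dir=$(mktemp -d) && write_samples "$dir"
check_wiring "$dir/nginx.conf" "$dir/webmeetings.cfg" "$dir/ports.conf" && echo "manual's setup: consistent"
check_wiring "$dir/nginx.conf" "$dir/webmeetings-bad.cfg" "$dir/ports-bad.conf" || echo "broken setup: see findings above"
rm -r "$dir"
```

On a real host, call check_wiring /etc/nginx/conf.d/webapp_webmeetings_ssl.conf /etc/kopano/webmeetings.cfg /etc/apache2/ports.conf (or /etc/httpd/conf/httpd.conf on CentOS) after each of the three restarts; a non-zero exit status means one of the Important notes above has been missed.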

Important

Make sure you use the same shared secret you configured in sharedsecret_secret in kopano-presence and in the WebApp plugin. See the respective following sections.

Important

The values of sessionSecret and encryptionSecret must each be an individual hex-encoded string; never reuse one value for both. The decoded length must be exactly 16, 24 or 32 bytes (32, 48 or 64 hex characters) to select AES-128, AES-192 or AES-256. You can generate a 32-byte secret with xxd -ps -l 32 -c 32 /dev/urandom or openssl rand -hex 32; /dev/urandom is preferable to /dev/random, which can block on a freshly booted virtual machine until the entropy pool is initialised.

3.1.4. Configuring kopano-presence

Please configure the kopano-presence service settings in /etc/kopano/presence.cfg.

plugins = spreed

Please configure the shared secret in /etc/kopano/presence.cfg in the server_secret_key property. This should be the same as the one configured in kopano-webmeetings.

server_secret_key = TopSecretReplaceAndEnterTheSameInTheWebAppPluginConfigPHP

You will need to add and activate the apache modules proxy and proxy_http:

a2enmod proxy
a2enmod proxy_http

Please configure a ProxyPass entry for the kopano-presence service in the kopano-webapp Apache sites-available file. Edit /etc/apache2/sites-available/kopano-webapp.conf, add the ProxyPass and ProxyPassReverse lines below, and ensure that the port number matches the port configured in /etc/kopano/presence.cfg.

Alias /webapp /usr/share/kopano-webapp
ProxyPass /webapp/presence http://localhost:1234/
ProxyPassReverse /webapp/presence http://localhost:1234/

Restart apache2

service apache2 restart

3.1.5. Configuring kopano-webmeetings WebApp plugin

Please configure the kopano-webmeetings (powered by Spreed.WebRTC) WebApp plugin. The recommended setup runs WebApp and Web Meetings behind the same NGINX host, with Web Meetings below the /webmeetings/ URL path. In that case PLUGIN_SPREEDWEBRTC_SPREED_URL needs no change, and PLUGIN_SPREEDWEBRTC_SPREED_DOMAIN and PLUGIN_SPREEDWEBRTC_WEBAPP_DOMAIN remain empty.

Edit /etc/kopano/webapp/config-meetings.php and make the following changes: set PLUGIN_SPREEDWEBRTC_USER_DEFAULT_ENABLE to true, set PLUGIN_SPREEDWEBRTC_WEBMEETINGS_SHARED_SECRET to the sharedsecret_secret value from webmeetings.cfg, and assign your own, distinct secrets to PLUGIN_SPREEDWEBRTC_WEBAUTH_CODE_TOKEN_SECRET and PLUGIN_SPREEDWEBRTC_WEBAUTH_ACCESS_TOKEN_SECRET (the placeholder values shown below must not be kept):

DEFINE('PLUGIN_SPREEDWEBRTC_USER_DEFAULT_ENABLE', true);
DEFINE('PLUGIN_SPREEDWEBRTC_SPREED_DOMAIN', '');
DEFINE('PLUGIN_SPREEDWEBRTC_SPREED_URL', '/webmeetings/');
DEFINE('PLUGIN_SPREEDWEBRTC_WEBAPP_DOMAIN', '');
DEFINE('PLUGIN_SPREEDWEBRTC_WEBMEETINGS_SHARED_SECRET', 'TopSecretReplaceAndEnterTheSameInTheWebAppPluginConfigPHP');
DEFINE('PLUGIN_SPREEDWEBRTC_WEBAUTH_CODE_TOKEN_SECRET', 'the-default-secret-do-not-keep-me');
DEFINE('PLUGIN_SPREEDWEBRTC_WEBAUTH_ACCESS_TOKEN_SECRET', 'the-default-secret-do-not-keep-me');

Important

Upgrading from kopano-webmeetings WebApp plugin version 1.0 to 1.1: please note that the PLUGIN_SPREEDWEBRTC_WEBAPP_URL, PLUGIN_SPREEDWEBRTC_WEBAUTH_CODE_TOKEN_SECRET and PLUGIN_SPREEDWEBRTC_WEBAUTH_ACCESS_TOKEN_SECRET settings are new and require configuration. Back up your configuration files, install the latest configuration files from the package and merge your settings.

If WebApp and Web Meetings are not running behind a common NGINX host, you will also need to set PLUGIN_SPREEDWEBRTC_SPREED_DOMAIN and PLUGIN_SPREEDWEBRTC_WEBAPP_DOMAIN.

Important

Please note that this kind of distributed setup limits the available features, such as screen sharing.

Set the Spreed base URL, which is your server URL. If your server does not yet have a DNS entry you can use an IP address in the URL, such as https://212.234.234.234 (browsers will then warn about the certificate unless it was issued for that IP address). In general these are the URLs the client browser calls, in front of NGINX.

DEFINE('PLUGIN_SPREEDWEBRTC_SPREED_DOMAIN', 'https://webmeetings.example.com');
DEFINE('PLUGIN_SPREEDWEBRTC_SPREED_URL', '/webmeetings/');
DEFINE('PLUGIN_SPREEDWEBRTC_WEBAPP_DOMAIN', 'https://webapp.example.com');

You need to configure the shared secret for the kopano-presence service in PLUGIN_SPREEDWEBRTC_PRESENCE_SHARED_SECRET:

DEFINE('PLUGIN_SPREEDWEBRTC_PRESENCE_SHARED_SECRET', 'TopSecretReplaceAndEnterTheSameInTheWebAppPluginConfigPHP');

To simplify your setup Kopano provides a TURN service. Please fill out the form at https://portal.kopano.com/content/turn-server-access-request to obtain your personal credentials. To enable the TURN service, set PLUGIN_SPREEDWEBRTC_TURN_USE_KOPANO_SERVICE to true and enter the credentials supplied by Kopano in PLUGIN_SPREEDWEBRTC_TURN_AUTHENTICATION_USER and PLUGIN_SPREEDWEBRTC_TURN_AUTHENTICATION_PASSWORD:

DEFINE('PLUGIN_SPREEDWEBRTC_TURN_USE_KOPANO_SERVICE', true);
DEFINE('PLUGIN_SPREEDWEBRTC_TURN_AUTHENTICATION_URL', 'https://turnauth.kopano.com/turnserverauth/');
DEFINE('PLUGIN_SPREEDWEBRTC_TURN_AUTHENTICATION_USER', 'turn-server-account-provided-by-kopano');
DEFINE('PLUGIN_SPREEDWEBRTC_TURN_AUTHENTICATION_PASSWORD', 'turn-server-password-provided-by-kopano');

Restart Apache2

service apache2 restart

Important

Make sure you have the same shared secret in PLUGIN_SPREEDWEBRTC_WEBMEETINGS_SHARED_SECRET as in webmeetings.cfg.

Important

Make sure you have the same shared secret in PLUGIN_SPREEDWEBRTC_PRESENCE_SHARED_SECRET as in presence.cfg.

In the following table we summarize the shared secrets that must be defined or generated and in which configuration files and parameters they are located.

Table 3.1. Shared secrets used between the Kopano Web Meetings components

Component                            config-meetings.php                               webmeetings.cfg       presence.cfg
webmeetings session secret                                                             sessionSecret
webmeetings encryption secret                                                          encryptionSecret
webmeetings shared secret            PLUGIN_SPREEDWEBRTC_WEBMEETINGS_SHARED_SECRET     sharedsecret_secret
presence shared secret               PLUGIN_SPREEDWEBRTC_PRESENCE_SHARED_SECRET                              server_secret_key
webauth code token shared secret     PLUGIN_SPREEDWEBRTC_WEBAUTH_CODE_TOKEN_SECRET
webauth access token shared secret   PLUGIN_SPREEDWEBRTC_WEBAUTH_ACCESS_TOKEN_SECRET
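The secret handling described in 3.1.3 (hex-encoded AES keys of 16, 24 or 32 bytes) and the cross-file pairing summarised in Table 3.1 are easy to get subtly wrong: a value pasted into one file but not the other, a placeholder left in place, or one string reused for two purposes. The following is an added example, not part of the Kopano manual or the packages it describes. It generates secrets of the right shape, reads the relevant values back out of config-meetings.php, webmeetings.cfg and presence.cfg, and checks that each pair in the table matches, that sessionSecret and encryptionSecret are valid AES key lengths, and that none of the shipped placeholder strings survive. The rule that no two secrets may be identical is this example's own stricter policy, not a requirement stated by the manual; the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Kopano manual: generate secrets of the right
# shape for 3.1.3 and verify that the values shared between config-meetings.php,
# webmeetings.cfg and presence.cfg (Table 3.1) match, are not the shipped
# placeholders, and are not reused for unrelated purposes. The "reuse" rule is
# this example's own stricter policy; the sample files are constructed.

# Print <bytes> random bytes as lowercase hex (32 bytes -> 64 hex characters).
gen_secret() { head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'; echo; }

# Value of a "key = value" line; the secret keys are unique within each .cfg.
cfg_get() { sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1; }

# String value of DEFINE('NAME', '...') in a PHP config file.
php_define_get() {                   # $1 = php file, $2 = constant name
    sed -n "s/^[[:space:]]*[Dd][Ee][Ff][Ii][Nn][Ee]([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Accept only hex that decodes to 16, 24 or 32 bytes; print the AES variant selected.
aes_key_ok() {
    case "$1" in ""|*[!0-9a-fA-F]*) return 1 ;; esac
    case "${#1}" in 32) echo AES-128 ;; 48) echo AES-192 ;; 64) echo AES-256 ;; *) return 1 ;; esac
}

# Recognise the placeholder strings shipped in the package defaults.
is_placeholder() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        ""|*default*|*replace*|*do-not-keep*) return 0 ;; *) return 1 ;;
    esac
}

# Return 0 when every secret is consistent and custom; otherwise report and return 1.
check_secrets() {                    # $1 = config-meetings.php, $2 = webmeetings.cfg, $3 = presence.cfg
    local rc=0 pair wm_php wm_cfg pr_php pr_cfg sess enc code access
    wm_php=$(php_define_get "$1" PLUGIN_SPREEDWEBRTC_WEBMEETINGS_SHARED_SECRET)
    wm_cfg=$(cfg_get "$2" sharedsecret_secret)
    pr_php=$(php_define_get "$1" PLUGIN_SPREEDWEBRTC_PRESENCE_SHARED_SECRET)
    pr_cfg=$(cfg_get "$3" server_secret_key)
    sess=$(cfg_get "$2" sessionSecret)
    enc=$(cfg_get "$2" encryptionSecret)
    code=$(php_define_get "$1" PLUGIN_SPREEDWEBRTC_WEBAUTH_CODE_TOKEN_SECRET)
    access=$(php_define_get "$1" PLUGIN_SPREEDWEBRTC_WEBAUTH_ACCESS_TOKEN_SECRET)

    [ "$wm_php" = "$wm_cfg" ] || { echo "MISMATCH: WEBMEETINGS_SHARED_SECRET != sharedsecret_secret"; rc=1; }
    [ "$pr_php" = "$pr_cfg" ] || { echo "MISMATCH: PRESENCE_SHARED_SECRET != server_secret_key"; rc=1; }
    for pair in "sessionSecret=$sess" "encryptionSecret=$enc"; do
        aes_key_ok "${pair#*=}" >/dev/null ||
            { echo "BAD: ${pair%%=*} must be 32, 48 or 64 hex characters"; rc=1; }
    done
    [ "$sess" != "$enc" ] || { echo "REUSE: sessionSecret equals encryptionSecret"; rc=1; }
    [ "$code" != "$access" ] || { echo "REUSE: code token secret equals access token secret"; rc=1; }
    for pair in "sharedsecret_secret=$wm_cfg" "server_secret_key=$pr_cfg" "sessionSecret=$sess" \
                "encryptionSecret=$enc" "CODE_TOKEN_SECRET=$code" "ACCESS_TOKEN_SECRET=$access"; do
        ! is_placeholder "${pair#*=}" || { echo "DEFAULT: ${pair%%=*} still holds a placeholder"; rc=1; }
    done
    return "$rc"
}

# Constructed samples: bad-* carries the manual's placeholders, good-* a generated set.
write_secret_samples() {             # $1 = directory
    cat > "$1/bad-config-meetings.php" <<'EOF'
<?php
DEFINE('PLUGIN_SPREEDWEBRTC_WEBMEETINGS_SHARED_SECRET', 'TopSecretReplaceAndEnterTheSameInTheWebAppPluginConfigPHP');
DEFINE('PLUGIN_SPREEDWEBRTC_WEBAUTH_CODE_TOKEN_SECRET', 'the-default-secret-do-not-keep-me');
DEFINE('PLUGIN_SPREEDWEBRTC_WEBAUTH_ACCESS_TOKEN_SECRET', 'the-default-secret-do-not-keep-me');
DEFINE('PLUGIN_SPREEDWEBRTC_PRESENCE_SHARED_SECRET', 'TopSecretReplaceAndEnterTheSameInTheWebAppPluginConfigPHP');
EOF
    printf '[app]\nsessionSecret = the-default-secret-do-not-keep-me\nencryptionSecret = the-default-encryption-block-key\n[users]\nsharedsecret_secret = TopSecretReplaceAndEnterTheSameInTheWebAppPluginConfigPHP\n' > "$1/bad-webmeetings.cfg"
    printf 'plugins = spreed\nserver_secret_key = TopSecretReplaceAndEnterTheSameInTheWebAppPluginConfigPHP\n' > "$1/bad-presence.cfg"

    local shared presence sess enc code access
    shared=$(gen_secret 32); presence=$(gen_secret 32); sess=$(gen_secret 32)
    enc=$(gen_secret 32); code=$(gen_secret 32); access=$(gen_secret 32)
    cat > "$1/good-config-meetings.php" <<EOF
<?php
DEFINE('PLUGIN_SPREEDWEBRTC_WEBMEETINGS_SHARED_SECRET', '$shared');
DEFINE('PLUGIN_SPREEDWEBRTC_PRESENCE_SHARED_SECRET', '$presence');
DEFINE('PLUGIN_SPREEDWEBRTC_WEBAUTH_CODE_TOKEN_SECRET', '$code');
DEFINE('PLUGIN_SPREEDWEBRTC_WEBAUTH_ACCESS_TOKEN_SECRET', '$access');
EOF
    printf '[app]\nsessionSecret = %s\nencryptionSecret = %s\n[users]\nsharedsecret_secret = %s\n' \
        "$sess" "$enc" "$shared" > "$1/good-webmeetings.cfg"
    printf 'plugins = spreed\nserver_secret_key = %s\n' "$presence" > "$1/good-presence.cfg"
}

dir=$(mktemp -d) && write_secret_samples "$dir"
echo "fresh 32-byte secret (AES-256 when used as encryptionSecret): $(gen_secret 32)"
check_secrets "$dir/good-config-meetings.php" "$dir/good-webmeetings.cfg" "$dir/good-presence.cfg" && echo "generated set: consistent"
check_secrets "$dir/bad-config-meetings.php" "$dir/bad-webmeetings.cfg" "$dir/bad-presence.cfg" || echo "package defaults: must be replaced"
rm -r "$dir"
```

Run check_secrets /etc/kopano/webapp/config-meetings.php /etc/kopano/webmeetings.cfg /etc/kopano/presence.cfg before the final restarts; every line it prints corresponds to one of the Important notes in 3.1.3 to 3.1.5, and a clean run means Table 3.1 is satisfied with no shipped placeholder left behind.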