
Unmanaged Studio Server - Using Let's Encrypt to Handle TLS for You

This example uses the popular certbot software and Let's Encrypt service to obtain a new TLS certificate for your server, which is automatically rotated.

It is based on guidance from this Medium article, which we recommend reading first for additional context. In fact, you may want to set up a basic web server by following those instructions before attempting to do it for your studio.

Note that this example also requires TCP port 80 to be reachable from the Internet, because Let's Encrypt validates ownership of your domain by fetching a challenge file over plain HTTP.

  1. Create a new directory called "studio"
  2. Create a new "default.conf" file with the following contents:
    ## Basic Settings
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    gzip off;

    ## SSL Settings
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ## Connection upgrade for websockets
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    ## This is used by certbot for domain validation
    server {
        listen 80;
        server_name REPLACE_WITH_FQDN;

        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }

        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
        }
    }

    ## Forward 443/tcp to studio container port 8000
    server {
        listen 443 ssl;
        server_name REPLACE_WITH_FQDN;

        # Certificates generated by Let's Encrypt
        ssl_certificate /etc/letsencrypt/live/REPLACE_WITH_FQDN/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/REPLACE_WITH_FQDN/privkey.pem;

        # Let's Encrypt best practice configs for nginx
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        location / {
            proxy_pass http://REPLACE_WITH_FQDN:8000;
            proxy_buffers 100 128k;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }
    Replace "REPLACE_WITH_FQDN" with your server's fully-qualified domain name.
  3. Create a new "compose.yaml" file with the following contents:
    services:
      nginx:
        image: nginx
        container_name: nginx
        ports:
          - "80:80"
          - "443:443"
        volumes:
          - ./data/certbot/conf:/etc/letsencrypt:z
          - ./data/certbot/www:/var/www/certbot:z
          - ./default.conf:/etc/nginx/conf.d/default.conf:z
        command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
      certbot:
        image: certbot/certbot
        volumes:
          - ./data/certbot/conf:/etc/letsencrypt:z
          - ./data/certbot/www:/var/www/certbot:z
        entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
      studio:
        image: jacktrip/studio
        container_name: studio
        privileged: true
        shm_size: '128M'
        cap_add:
          - sys_nice
        ulimits:
          rtprio: 95
        network_mode: host
        environment:
          - JACKTRIP_STUDIO_ID=REPLACE_WITH_STUDIO_ID
          - JACKTRIP_STUDIO_TOKEN=REPLACE_WITH_STUDIO_TOKEN
    Replace "REPLACE_WITH_STUDIO_ID" with the value of your JACKTRIP_STUDIO_ID environment variable.
    Replace "REPLACE_WITH_STUDIO_TOKEN" with the value of your JACKTRIP_STUDIO_TOKEN environment variable.
  4. Create a bootstrap certificate for "the chicken or the egg problem" (from Medium article):
    1. Download the script to your working directory as init-letsencrypt.sh:

      curl -L https://raw.githubusercontent.com/wmnnd/nginx-certbot/master/init-letsencrypt.sh > init-letsencrypt.sh
    2. Edit the script to add in your domain(s) and your email address.

    3. Then run chmod +x init-letsencrypt.sh and ./init-letsencrypt.sh.

  5. You should now be able to start up your studio server by running:
    docker-compose up -d
  6. Test to make sure the containers are running and TLS works

    $ docker ps
    CONTAINER ID   IMAGE             COMMAND                  CREATED              STATUS              PORTS                                                                      NAMES
    391547e7d2a9   jacktrip/studio   "/sbin/init"             About a minute ago   Up About a minute                                                                              studio
    74fd54feb41a   certbot/certbot   "/bin/sh -c 'trap ex…"   About a minute ago   Up About a minute   80/tcp, 443/tcp                                                            example2-certbot-1
    4afbcc334962   nginx             "/docker-entrypoint.…"   About a minute ago   Up About a minute   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   nginx

    $ curl https://REPLACE_WITH_FQDN/ping
    {"status":"OK"}
  7. You are now ready to join your unmanaged studio!

    To stop the server after you are finished, run:
    docker-compose down
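Filling in the REPLACE_WITH_* placeholders from steps 2 and 3 by hand is easy to get wrong (a typo in the FQDN breaks both certificate issuance and the proxy_pass target, and a leftover placeholder silently ships a broken config), and the ssl_protocols line in default.conf still enables TLSv1 and TLSv1.1. The POSIX shell helper below is an added example, not code from the JackTrip knowledge base or from the Medium article it references. It assumes the two files are kept unedited as templates in a templates/ subdirectory of the studio directory, that the values arrive in the FQDN, STUDIO_ID and STUDIO_TOKEN environment variables, and all function names are its own. It renders both files, refuses to proceed unless the FQDN is well-formed and every placeholder is gone, and warns when the rendered nginx config still lists a deprecated TLS version (the certbot-provided options-ssl-nginx.conf included inside the 443 server block carries its own ssl_protocols directive that takes precedence there, but the http-level line still governs any other TLS server you add to the file).

```shell
#!/bin/sh
# Added helper (not from the JackTrip docs): renders templates/default.conf and
# templates/compose.yaml into the current directory, substituting the
# REPLACE_WITH_* placeholders from the environment, and checks the result.
# Function names, the templates/ layout and the variable names are assumptions.

# Exit 0 when $1 looks like a fully-qualified domain name: dot-separated labels of
# letters, digits and hyphens, ending in an alphabetic top-level domain.
is_fqdn() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Escape a value for the right-hand side of a sed "s|...|...|" command so that a
# token containing '|', '&' or '\' cannot alter or break the substitution.
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\\|&]/\\&/g'
}

# Exit 0 when no REPLACE_WITH_ placeholder remains in file $1.
has_no_placeholders() {
  ! grep -q 'REPLACE_WITH_' "$1"
}

# Exit 0 when file $1 has an ssl_protocols directive that still enables TLSv1 or
# TLSv1.1 (both deprecated by RFC 8996), so the operator can trim the line.
weak_tls_protocols() {
  grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" \
    | grep -Eq '(^|[[:space:]])TLSv1(\.1)?([[:space:]]|;)'
}

# Render template $1 into $2 using FQDN, STUDIO_ID and STUDIO_TOKEN from the
# environment. Fails before writing anything on a bad FQDN or missing credentials,
# and fails afterwards if any placeholder survived.
render_template() {
  tmpl=$1
  out=$2
  if ! is_fqdn "${FQDN:-}"; then
    echo "FQDN '${FQDN:-}' is not a fully-qualified domain name" >&2
    return 1
  fi
  if [ -z "${STUDIO_ID:-}" ] || [ -z "${STUDIO_TOKEN:-}" ]; then
    echo "STUDIO_ID and STUDIO_TOKEN must both be set" >&2
    return 1
  fi
  sed -e "s|REPLACE_WITH_FQDN|$(sed_escape "$FQDN")|g" \
      -e "s|REPLACE_WITH_STUDIO_ID|$(sed_escape "$STUDIO_ID")|g" \
      -e "s|REPLACE_WITH_STUDIO_TOKEN|$(sed_escape "$STUDIO_TOKEN")|g" \
      "$tmpl" > "$out" || return 1
  has_no_placeholders "$out"
}

# Usage (run from the studio directory):
#   FQDN=studio.example.org STUDIO_ID=... STUDIO_TOKEN=... sh render.sh --render
if [ "${1:-}" = "--render" ]; then
  for f in default.conf compose.yaml; do
    render_template "templates/$f" "$f" || exit 1
  done
  if weak_tls_protocols default.conf; then
    echo "warning: default.conf still enables TLSv1/TLSv1.1 in ssl_protocols" >&2
  fi
  echo "rendered default.conf and compose.yaml for $FQDN"
fi
```

The token is substituted through sed_escape rather than pasted straight into the sed expression, so a studio token containing a delimiter or ampersand cannot change the meaning of the substitution; the rendered compose.yaml then holds the token in plain text exactly as the page's manual procedure would, so keep the studio directory out of version control.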