Configuring HTTPS on a BigBlueButton server

[Fred Dixon]

Hi Everyone,

We've published documentation on how to modify a BigBlueButton 0.9 server to support HTTPS.  See

  http://docs.bigbluebutton.org/install/install.html#configuring-https-on-bigbluebutton

For production servers, users are increasingly expecting content to be served from HTTPS.

There is also another reason to support HTTPS: the upcoming Chrome 46, which is due for release soon, will not allow users to access their microphone via WebRTC unless the site is served from HTTPS (see https://goo.gl/u4TqKV).

Therefore, we recommend that anyone running a BigBlueButton 0.9 server with WebRTC audio enabled configure the server for HTTPS.

If you don't upgrade your server to support HTTPS then users will get the following error message when using Chrome 46 (and later).  This message will appear after giving permission to access their microphone

Detected the following WebRTC issue: Could not get your microphone for a WebRTC call. Do you want to try Flash instead?

Using Flash-based audio works as before.

If you have any questions about adding support for HTTPS please post a follow-up to this thread.

Regards,... Fred

--

BigBlueButton Developer

http://bigbluebutton.org/
http://code.google.com/p/bigbluebutton

BigBlueButton on twitter: @bigbluebutton

[Andrew Ensley]

Fantastic news! Thanks for your work on this.

[Insightcollector]

Hi Fred,

two short questions:

1. Have you any estimation how transfering all data via https affects the CPU requirements for BBB?

2. Will these manual changes always have to be repeated after each upgrade or are you planning to have the update process recognize that the server was configured for https usage and thus make sure that when files get updated/replaced that https will still be working after the update ?

Best regards
Oliver

[Fred Dixon]

Hi Oliver,

> 1. Have you any estimation how transfering all 

> data via https affects the CPU requirements for BBB?

The addition of HTTPS affects nginx and FreeSWITCH (thought the affect on FreeSWITCH is minimal as the WebRTC data was already encrypted).  

The addition of HTTPS does not affect the transmission/receiving of data by red5, such as video, which uses RTMP. 

We don't have any estimation on the impact of nginx, but the articles we've seen suggest the impact will be minimal.  See

  https://www.maxcdn.com/blog/ssl-performance-myth/

  https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

and the thread on Stack Overflow

  http://stackoverflow.com/questions/548029/how-much-overhead-does-ssl-impose

> 2. Will these manual changes always have to be repeated after each upgrade

For a BigBlueButton 0.9 server, yes.  However, we invested a lot of time (over four months) into testing and hardening 0.9 release before it went to release candidate, so there have actually been minimal updates since it's release.

There is one coming update to 0.9: an upgrade to the the code signing certificate for the desktop sharing applet.

For the upcoming BigBlueButton 1.0 beta release, we'll be building intelligence into the upgrade scripts to preserve many of the configurations changes needed to add HTTPS to BigBlueButton.  

Regards,... Fred 

--
You received this message because you are subscribed to the Google Groups "BigBlueButton-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-...@googlegroups.com.
To post to this group, send email to bigblueb...@googlegroups.com.
Visit this group at http://groups.google.com/group/bigbluebutton-dev.
For more options, visit https://groups.google.com/d/optout.

[xonox]

hi fred

do i need to configure freeswitch with WSS certificate or its not necessary??? and why?


regards

[Calvin Walton]

When using BigBlueButton configured with HTTPS, the WSS connection is
actually being reverse-proxied by nginx from port 443.

As a result, you only need to configure the certificate for nginx; the
browsers aren't talking to FreeSWITCH directly so FreeSWITCH doesn't
need a valid certificate. FreeSWITCH will automatically generate a self
-signed certificate which is sufficient.


That said, if you want to, you can still configure FreeSWITCH to use
the same certificate for WSS as you're using for HTTPS; see the
FreeSWITCH documentation for details.

--
Calvin Walton <calvin...@kepstin.ca>
BigBlueButton Developer

[Marc Schipperheyn]

We moved to spdy ssl a while ago and recently upgraded to http2. 

I'm wondering if anyone has any experience with BigBlueButton in this respect as http2 is supposedly much more efficient on SSL connections. Of course, a recent version of nginx is required for this.

Cheers,

Marc

[Insightcollector]

Hi Marc,

I have used BBB with http2 for about 4 weeks now and have not encountered any http2 related problems, just a few issues with playback but they are ssl related and not specific to http2 so there should be no big issues. Only problem I noticed is that nginx 1.9.x requires some changes with respect to log rotation but besides that it works very well with BBB for me.

Best regards
Oliver

[Marc Schipperheyn]

Ok, so I assume you upgraded the required nginx server like so:

add-apt-repository ppa:nginx/stable

apt-get update

apt-get install nginx

[Marc Schipperheyn]

Correction. That should be  add-apt-repository ppa:nginx/development

This will install the mainline version, which is stable version but with experimental features.

[Marc Schipperheyn]

Just destroyed my server trying to get nginx with http2 support. Tread with care.

[Fred Dixon]

Hi Marc,

> Just destroyed my server trying to get nginx with http2 support. Tread with care.

For the benefit of everyone reading this thread, the original post on this thread about add HTTPS support does not require the administrator to upgrade their servers to the later version of nginx with http2 support.

Since Marc didn't share any details on what happened, and since we've not tried it ourselves, if you want to try using the later version of nginx, you probably want to try it with a VM.

Regards,... Fred

--
You received this message because you are subscribed to the Google Groups "BigBlueButton-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-...@googlegroups.com.
To post to this group, send email to bigblueb...@googlegroups.com.
Visit this group at http://groups.google.com/group/bigbluebutton-dev.
For more options, visit https://groups.google.com/d/optout.

--

BigBlueButton Developer

http://bigbluebutton.org/

@bigbluebutton

[Insightcollector]

Hi Marc,

Fred might be right that a discussion on http2 will confuse users who just want to enable ssl so we should not discuss it in this thread just two remarks: You have to use the mainline version of nginx which comes directly from nginx.org and NOT the ppa versions you mentioned because they are both NOT mainline. You find the instructions at nginx.org how to use mainline. In case you use the nginx-full package you have to replace it with the regular nginx package, because mainline does not provide nginx-full. Also upgrading nginx from 1.4.6 to anything newer than 1.6.x requires additional changes but they are not related to BBB but to nginx in general, so they should be discussed in a nginx forum and not here.

Best regards
Oliver

[Marc Schipperheyn]

Sure, yes. Sorry about that. 

So just for anyone reading this. SSL is and old protocol and the powers that be (Google etc) have been working on a new and much faster and more efficient protocol. An early version of this was called SPDY, and the new and official version is called http2.  

spdy has been supported in nginx for a while now, but http2 is new and "experimental", meaning that it's not part of the stable release train of nginx which you will get by default on Ubuntu LTS versions. http2 is currently part of the so called "mainline" release train, which is considered stable but contains experimental features (such as http2).

Normally, you would install this by enabling an alternative repository:

add-apt-repository ppa:nginx/development
apt-get update
apt-get install nginx

As I discovered, this version hasn't been compiled with http2 support, which I found surprising. So, then I tried to the repository hosted by nginx itself. I don't remember exactly what went wrong, but I ended up having to uninstall nginx which in turn lead to a bunch of unrecoverable problems with bbb. Suffice it to say: EC2s exchangeable boot volumes saved the day.

So, the gist of it is, if you want to try out better ssl performance, go with spdy for now. It's reliable and much faster than standard SSL. I will be trying this out myself as soon as I solve some other issues I'm having.

   

[Marc Schipperheyn]

So, yes, the default nginx implementation (1.4.6) of bigbluebutton supports SPDY. Unless experiences suggest otherwise, I would recommend enabling it, in addition to forcing HTTPS connections for added security. 

SPDY is supported by a wide variety of modern browsers: http://caniuse.com/#feat=spdy. And it your browsers doesn't support it, nginx should automatically switch back to standard ssl.

You can verify nginx support of spdy by typing

sudo service nginx -V

it should be one of the modules listed

The change is simple

       listen 443 ssl spdy;

       add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

Then, when there is a new major upgrade of bigbluebutton in the future, which includes a version of nginx that supports http2, all you have to do is replace "spdy" with "http2".

[Colin Stewart]

All,

I've followed the HTTPS instructions and it all works OK apart from playing back recordings.

I get the following error in Chrome browser:

Mixed Content: The page at 'https://***.*******.co.uk/playback/presentation/0.9.0/playback.html?meetingId=1a81c1ce69a142a67634caefbbe949580ce8cf3a-1447355647368' was loaded over HTTPS, but requested an insecure plugin resource 'http://***.*******.co.uk/presentation/1a81c1ce69a142a67634caefbbe949580ce8cf3a-1447355647368/shapes.svg'. This request has been blocked; the content must be served over HTTPS.

Any idea on what else needs to be changed to fix this problem?

Thanks,

Colin.

On Friday, September 11, 2015 at 8:02:20 PM UTC+1, Fred Dixon wrote:

Hi Everyone,

We've published documentation on how to modify a BigBlueButton 0.9 server to support HTTPS.  See

  http://docs.bigbluebutton.org/install/install.html#configuring-https-on-bigbluebutton

For production servers, users are increasingly expecting content to be served from HTTPS.

There is also another reason to support HTTPS: the upcoming Chrome 46, which is due for release soon, will not allow users to access their microphone via WebRTC unless the site is served from HTTPS (see https://goo.gl/u4TqKV).

Therefore, we recommend that anyone running a BigBlueButton 0.9 server with WebRTC audio enabled configure the server for HTTPS.

If you don't upgrade your server to support HTTPS then users will get the following error message when using Chrome 46 (and later).  This message will appear after giving permission to access their microphone

Detected the following WebRTC issue: Could not get your microphone for a WebRTC call. Do you want to try Flash instead?

Using Flash-based audio works as before.

If you have any questions about adding support for HTTPS please post a follow-up to this thread.

Regards,... Fred

--

BigBlueButton Developer

http://bigbluebutton.org/
http://code.google.com/p/bigbluebutton

BigBlueButton on twitter: @bigbluebutton

[Fred Dixon]

Hi Colin,

See this thread

  https://groups.google.com/d/msg/bigbluebutton-setup/KQbJXCzDCq0/tKCOKO8vBQAJ

Regards,... Fred

--

You received this message because you are subscribed to the Google Groups "BigBlueButton-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-...@googlegroups.com.
To post to this group, send email to bigblueb...@googlegroups.com.
Visit this group at http://groups.google.com/group/bigbluebutton-dev.
For more options, visit https://groups.google.com/d/optout.

--

BigBlueButton Developer

http://bigbluebutton.org/

@bigbluebutton

[Colin Stewart]

Thanks Fred,

Yes that now works correctly.

In file:

/var/bigbluebutton/playback/presentation/0.9.0/lib/writing.js

Changed 'http' to 'https' on this line:

var url = "https://" + HOST + "/presentation/" + MEETINGID;

Colin.

[Madhukar]

Hi Fred, 

Presently i have installed Bigbluebutton 0.9 , till now my WebRTC audio worked fine, but presently am getting WebRTC Audio error message like " Detected the following WebRTC issue: Could not get your microphone for a WebRTC call. Do you want to try Flash instead?", Currently am accesing my server through IP Address not through Domain name, So how to solve this issue, Please help me on this

Thanks, 

Madhukar

[Arie Syamsudin]

Hi,

Can you tell me how to configure HTTPS (SSL from comodo) to BBB 2.0, I following this url :

  http://docs.bigbluebutton.org/install/install.html#configuring-https-on-bigbluebutton

But still failed. :(

[Fred Dixon]

HI Arie,

If this is a new server that has an external IP address, you can use bbb-install.sh to configure the server with a Let's Encrypt certificate, see

 https://github.com/bigbluebutton/bbb-install

> But still failed. :(

Can you give us more details?  Did you get an error message at any of the steps?  What was the output from SSLLabs?

  http://docs.bigbluebutton.org/install/install.html#test-your-https-configuration

Regards,... Fred

--

You received this message because you are subscribed to the Google Groups "BigBlueButton-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-...@googlegroups.com.
To post to this group, send email to bigblueb...@googlegroups.com.

Visit this group at https://groups.google.com/group/bigbluebutton-dev.

For more options, visit https://groups.google.com/d/optout.

--

BigBlueButton Developer

http://bigbluebutton.org/

@bigbluebutton

[Arie Syamsudin]

Dear Mr Fred,

My Problem has been solved. Thanks

I want to ask, how to hidden or remove SessionToken on My URL?

Thanks,

Regards,

Arie

[Fred Dixon]

Hi Are,

> I want to ask, how to hidden or remove SessionToken on My URL?

Can you post this in a new thread.  This is off-topic in this thread.

Regards,... Fred

[Arie Syamsudin]

Dear Mr. Fred,

I have been post this in a new thread https://groups.google.com/forum/#!topic/bigbluebutton-dev/z3-UTlpiIeQ

Please help me.

Thanks.

Regards,

Arie