How to Install Spreed WebRTC Server on Ubuntu with Docker
Spreed is a free open-source (AGPL) WebRTC audio/video call and conferencing server designed with privacy in mind. WebRTC is a free and open technology that allows browsers to talk to each other in a peer-to-peer fashion. Spreed WebRTC server uses end-to-end encryption to protect users’ privacy and security.
Spreed WebRTC allows you to do the following things.
- Secure audio, video and text chat
- Web conferencing
- One to one video chat
In a previous tutorial, we discussed how to install Spreed WebRTC server on Ubuntu 16.04 using the official PPA. This tutorial is going to show you how to install Spreed WebRTC server on Ubuntu using the Docker image.
Why use Docker? The Spreed PPA only works on Ubuntu 16.04, so if you use Ubuntu 20.04, 18.04, or any other distro, you can’t use the PPA. The advantage of Docker is that it doesn’t matter whether you are using Debian, Ubuntu, CentOS, Redhat, SUSE, or whatever, as long as your distribution can run Docker engine, you can install Spreed WebRTC on it.
Step 1: Install Docker on Ubuntu
If you want the latest Docker version, you can install Docker from Docker’s APT repository. For simplicity, this tutorial installs Docker from the default Ubuntu software repository.
sudo apt update
sudo apt install docker.io
Once installed, the Docker daemon should be automatically started. You can check its status with:
systemctl status docker
Hint: If the above command doesn’t quit immediately, you can press the Q key to make it quit.
If it’s not running, then start the daemon with this command:
sudo systemctl start docker
And enable autostart at boot time:
sudo systemctl enable docker
Step 2: Install Spreed WebRTC Server on Ubuntu Using Docker Image
Once you have Docker installed, run the following commands to create a directory for Spreed WebRTC and download a server.conf file to that directory. This file allows you to provide customized parameters to Spreed WebRTC server when running the Docker image.
sudo mkdir /etc/spreed/
cd /etc/spreed/
sudo wget https://raw.githubusercontent.com/strukturag/spreed-webrtc/master/server.conf.in -O server.conf
Then edit the file with a command-line text editor like Nano.
sudo nano /etc/spreed/server.conf
Find the following line.
listen = 127.0.0.1:8080
Spreed needs to listen on 0.0.0.0:8080 in the Docker container, so it can receive requests from the host.
listen = 0.0.0.0:8080
Save and close the file.
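Before running the Spreed WebRTC Docker container, we need to create enough entropy for server secrets generation. We can use rng-tools to create entropy. Note that /dev/urandom is the kernel's own pseudo-random output, so the rngd command below keeps secret generation from blocking but adds no new randomness.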
sudo apt install rng-tools
Once installed, run
sudo rngd -r /dev/urandom
Then issue the following command to run the spreed/webrtc docker image with your server.conf file.
sudo docker run -d --name my-spreed-webrtc -p 127.0.0.1:8080:8080 -v /etc/spreed:/etc/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf
Where:
- -d: Detached mode makes the container run in the background.
- --name: Give your Docker container a custom name.
- -p: Publish a container’s port to the host. The first port is the host port, the second is the container’s port. Spreed also listens on port 8443 in the Docker container for HTTPS requests, but we will use Apache/Nginx to terminate the TLS connection, so we don’t need to publish the 8443 port to the host.
- -v: Create a bind mount. Docker bind mounts /etc/spreed/ in the host to /etc/spreed/ in the Docker container.
- -t: Allocate a pseudo-TTY.
- -c: Override the default /etc/spreed/server.conf file in the Docker container.
Now Spreed WebRTC server is listening on 127.0.0.1:8080, as can be seen with:
sudo ss -lnpt | grep docker
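A scripted version of this check, as an added example that is not part of the original tutorial: it parses ss -lnpt output and reports any listener on port 8080 that is not bound to a loopback address, which is what you would see if the 127.0.0.1: prefix were left out of -p. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# Ports that, per this tutorial, should only be reachable through the reverse proxy.
LOOPBACK_ONLY_PORTS = {8080}

# Constructed samples of `ss -lnpt` output (not captured from a real host).
SAMPLE_GOOD = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:8080     0.0.0.0:*         users:(("docker-proxy",pid=2101,fd=4))
LISTEN 0      511    *:80               *:*               users:(("nginx",pid=900,fd=6))
"""
SAMPLE_BAD = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:8080       0.0.0.0:*         users:(("docker-proxy",pid=2101,fd=4))
LISTEN 0      4096   [::]:8080          [::]:*            users:(("docker-proxy",pid=2108,fd=4))
LISTEN 0      4096   [::1]:8080         [::]:*            users:(("docker-proxy",pid=2115,fd=4))
"""


def is_loopback(host):
    """True for 127.0.0.0/8 and ::1; False for wildcards and routable addresses."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface suffix
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output, ports=LOOPBACK_ONLY_PORTS):
    """Return the Local Address:Port values that listen on a protected port
    without being bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        host, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in ports and not is_loopback(host):
            findings.append(fields[3])
    return findings


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, exposed_listeners(sample))
```

On a real host, feed it the output of sudo ss -lnpt instead of the embedded samples.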
Step 3: Set up Reverse Proxy
To access the Spreed web interface via a domain name, we need to set up a reverse proxy for it using Apache or Nginx. It will also allow you to enable HTTPS, so the connection can be encrypted.
Apache
Install Apache web server on Ubuntu.
sudo apt install apache2
Then create a virtual host file for Spreed.
sudo nano /etc/apache2/sites-available/spreed-webrtc.conf
Put the following text into the file. Replace spreed.example.com with your preferred hostname and don’t forget to set a DNS A record for this hostname.
<VirtualHost *:80>
    ServerName spreed.example.com
    <Location />
        ProxyPass http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/
    </Location>
    # WebSocket signalling: map /ws to the backend's /ws endpoint.
    <Location /ws>
        ProxyPass ws://127.0.0.1:8080/ws
    </Location>
    ProxyVia On
    ProxyPreserveHost On
</VirtualHost>
Save and close the file. Then we need to enable the proxy_http module, along with proxy_wstunnel, which the ws:// ProxyPass line requires.
sudo a2enmod proxy_http proxy_wstunnel
Next, enable this virtual host.
sudo a2ensite spreed-webrtc.conf
Test configurations and reload Apache.
sudo apachectl configtest
sudo systemctl reload apache2
Now you should be able to access Spreed WebRTC via http://spreed.example.com in a web browser.
Nginx
First, install Nginx on Ubuntu.
sudo apt install nginx
Then create a server block file for Spreed WebRTC.
sudo nano /etc/nginx/conf.d/spreed-webrtc.conf
Put the following text into the file. Replace spreed.example.com with your preferred hostname and don’t forget to set a DNS A record for this hostname.
server {
    listen 80;
    listen [::]:80;
    server_name spreed.example.com;
    error_log /var/log/nginx/spreed.error;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering on;
        proxy_ignore_client_abort off;
        proxy_redirect off;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
    }
    location ~ /.well-known/acme-challenge {
        root /usr/share/nginx/spreed/;
        allow all;
    }
}
Save and close the file. Then test Nginx configurations and reload.
sudo nginx -t
sudo systemctl reload nginx
Now you should be able to access Spreed WebRTC via http://spreed.example.com in a web browser.
Step 4: Obtain and Install TLS Certificate
Now let’s obtain a free TLS certificate from Let’s Encrypt. Run the following commands to install the Let’s Encrypt client (certbot) from the official certbot PPA.
sudo apt install certbot
If you use Apache web server, then you also need to install the Certbot Apache plugin.
sudo apt install python3-certbot-apache
Then issue the following command to obtain a free TLS/SSL certificate.
sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d spreed.example.com
If you use Nginx web server, then you need to install the Certbot Nginx plugin.
sudo apt install python3-certbot-nginx
Then use the Nginx plugin to obtain and install the certificate by running the following command.
sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d spreed.example.com
Certbot will then print a message indicating that you have successfully obtained a TLS certificate.
Step 5: Install a TURN/STUN Server
WebRTC won’t work if users are behind different NAT devices. It will be blocked. To traverse NAT, we need to set up a TURN/STUN server as a relay between Web browsers. TURN stands for Traversal Using Relays around NAT. Coturn is a free and open-source TURN and STUN server for VoIP and WebRTC.
Coturn is available from the Ubuntu repository, so install it with the following command:
sudo apt install coturn
Once it’s installed, it will be automatically started. You can check its status with:
systemctl status coturn
If it isn’t running, then manually start it with:
sudo systemctl start coturn
And also enable auto-start at boot time:
sudo systemctl enable coturn
Step 6: Configure Coturn for Spreed WebRTC
Edit the main configuration file.
sudo nano /etc/turnserver.conf
By default, all lines in this file are commented out. Below is an example configuration that you can copy and paste into your file.
- Replace your-domain.com with the domain name for your NextCloud or Spreed WebRTC.
- Replace 12.34.56.78 with the server public IP address.
- Set a long and secure authentication secret. (You can use the openssl rand -base64 20 command to generate a random string.)
# Run as TURN server only, all STUN requests will be ignored.
no-stun
# Specify listening port. Change to 80 or 443 to go around some strict NATs.
listening-port=8443
tls-listening-port=5349
# Specify listening IP, if not set then Coturn listens on all system IPs.
listening-ip=12.34.56.78
relay-ip=12.34.56.78
# These lines enable support for WebRTC
fingerprint
lt-cred-mech
realm=your-domain.com
# Authentication method
use-auth-secret
static-auth-secret=your-auth-secret
total-quota=100
# Total bytes-per-second bandwidth the TURN server is allowed to allocate
# for the sessions, combined (input and output network streams are treated separately).
bps-capacity=0
# This line provides extra security.
stale-nonce
log-file=/var/log/turnserver/turn.log
no-loopback-peers
no-multicast-peers
Save and close the file. Then restart coturn server with:
sudo systemctl restart coturn
Coturn runs as the turnserver user. Run the following command and you should see it’s listening on port 8443.
sudo ss -lnpt | grep turnserver
Now let’s edit Spreed WebRTC configuration file.
sudo nano /etc/spreed/server.conf
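Add the following two lines in the [app] section. Replace coturn-server-ip and your-auth-secret accordingly; the secret must be identical to static-auth-secret in /etc/turnserver.conf.
turnURIs = turn:coturn-server-ip:8443?transport=udp
turnSecret = your-auth-secret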
Save and close the file. Then restart Spreed WebRTC docker container with
sudo docker restart my-spreed-webrtc
You should open TCP and UDP port 8443 in the firewall for Coturn to work. If you use the UFW firewall, run the following commands.
sudo ufw allow 8443/tcp
sudo ufw allow 8443/udp
Once Coturn is running and Spreed WebRTC is restarted, users who are behind NAT should be able to use audio/video calls normally.
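What the shared secret does, as an added example that is not part of the original tutorial or of the Spreed/Coturn code: with use-auth-secret, Coturn accepts short-lived credentials whose username starts with an expiry timestamp and whose password is base64(HMAC-SHA1(secret, username)), so static-auth-secret and turnSecret have to match exactly. The function names, user id and secrets below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo values; a real deployment uses the output of `openssl rand -base64 20`.
COTURN_SECRET = "constructed-demo-secret"     # static-auth-secret in turnserver.conf
MISTYPED_SECRET = "constructed-demo-secrect"  # a turnSecret that does not match it


def _password_for(secret, username):
    """base64(HMAC-SHA1(secret, username)), the password both sides derive."""
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_turn_credentials(secret, user_id, ttl=3600, now=None):
    """Signalling-server side: issue a username/password valid for ttl seconds."""
    expiry = int(time.time() if now is None else now) + ttl
    username = f"{expiry}:{user_id}"
    return username, _password_for(secret, username)


def turn_server_accepts(secret, username, password, now=None):
    """TURN-server side: reject expired usernames, then recompute and compare the HMAC."""
    now = int(time.time() if now is None else now)
    expiry = username.partition(":")[0]
    if not expiry.isdigit() or int(expiry) < now:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(_password_for(secret, username), password)


if __name__ == "__main__":
    user, pw = make_turn_credentials(COTURN_SECRET, "alice")
    print("matching secret:", turn_server_accepts(COTURN_SECRET, user, pw))
    user, pw = make_turn_credentials(MISTYPED_SECRET, "alice")
    print("mistyped secret:", turn_server_accepts(COTURN_SECRET, user, pw))
```

A single mistyped character in either file makes every relay allocation fail authentication, while direct peer-to-peer calls may still work, so check both values if only users behind NAT are affected.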
Next Step
I hope this tutorial helped you install Spreed WebRTC server on Ubuntu using the Docker image. You may also want to integrate Spreed.Me with NextCloud.
Strange – I configured my server as in this documentation. I’m able to open the Spreed server on the local machine (localhost:8080) – but when I try this via the proxy on the same machine with simple plain http then though I’m displayed the spreed’s greetings page it shows an error message which reads “your browser doesn’t support WebRTC. No calls possible” (*) It does – because it is the same I called localhost from.
(*) the server or browser recognizes my language settings and speaks German to me: “Ihr Browser unterstützt kein WebRTC. Keine Anrufe möglich.”
That means you have to use https. It’s browser restriction. The problem is even with https, the UI loads correctly, but I get this error in console (websocket connection to wss://domain.com/ws failed:)
And the stranger thing is that if I access with https://ip_address:8443, and I let Kaspersky generate a self-signed certificate, Spreed WebRTC works well and I am able to make calls.
Note: in this tutorial there are some mistakes. Spreed WebRTC does not start at 8080, but at 8084, and when enabling https on it, it listens on 8443; this is why we have to change the coturn port from 8443 to another one.