# BeMyEars Server Setup Guide (Customized for webrtc.jaredlog.com)

This guide details the steps to deploy the BeMyEars backend and a self-hosted TURN server (Coturn) on your specific server environment (`webrtc.jaredlog.com`).

**Environment Details:**

- **Domain:** `webrtc.jaredlog.com` (used for both API and TURN)
- **SSH Port:** **2222** (CRITICAL: do not lock yourself out!)
- **Existing Services:** Nginx (proxying Gunicorn, etc.), Postgres, Redis, etc.

---

## 1. Install Node.js & Tools

Your server already has a node process on port 5002, so Node may already be installed. Check that the installed version meets the requirements (v18+ recommended).

```bash
# Check existing version
node -v

# If needed, update:
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt install -y nodejs

# Install PM2 (process manager) and the TypeScript toolchain globally if missing
sudo npm install -g pm2 ts-node typescript
```

---

## 2. Deploy Backend Code

Deploy the code to a suitable directory (e.g. `/var/www/bemyears`).

```bash
# Clone
git clone https://github.com/your-repo/BeMyEars.git /var/www/bemyears

# Install & build
cd /var/www/bemyears/backend
npm install
npm run build

# Start with PM2
# Note: your server has many services. We use port 8080 for the backend internally.
# Ensure 8080 is free (it wasn't listed in your netprograms output, so it should be safe).
pm2 start dist/server.js --name "bemyears-backend"

# Save the PM2 process list
pm2 save
```

The backend is now running on **127.0.0.1:8080**.

---

## 3. Setup COTURN (TURN Server)

You need to run Coturn on this server to handle NAT traversal.

**Ports Checked:** `3478` and `5349` are NOT listed in your `netprograms`, so they are available.

### 3.1 Install & Configure

```bash
sudo apt install -y coturn
sudo mv /etc/turnserver.conf /etc/turnserver.conf.backup
sudo nano /etc/turnserver.conf
```

**Configuration (Copy/Paste):** Replace `` with your server's WAN IP (`74.50.98.226` from your output). The `cert`/`pkey` files referenced below are obtained in step 4.3; Coturn cannot bring up its TLS listener on 5349 until they exist, so expect to restart it once more after that step.

```ini
# /etc/turnserver.conf
listening-port=3478
tls-listening-port=5349
listening-ip=0.0.0.0

# External IP
external-ip=74.50.98.226

# Domain (using the same domain is fine)
realm=webrtc.jaredlog.com
server-name=webrtc.jaredlog.com

# Static Auth
# Explicitly select the long-term credential mechanism that the user= line relies on
lt-cred-mech
user=user:password

# Security
no-cli
no-loopback-peers
no-multicast-peers

# Certificate (re-use existing Nginx certs if possible, or new ones)
# Ideally point to the same certs Nginx uses for webrtc.jaredlog.com
cert=/etc/letsencrypt/live/webrtc.jaredlog.com/fullchain.pem
pkey=/etc/letsencrypt/live/webrtc.jaredlog.com/privkey.pem
```

### 3.2 Start

```bash
sudo sed -i 's/#TURNSERVER_ENABLED=1/TURNSERVER_ENABLED=1/g' /etc/default/coturn
sudo systemctl restart coturn

# Confirm it came up and bound 3478/5349
sudo journalctl -u coturn -n 20 --no-pager
```

---

## 4. Nginx Configuration

Your Nginx is already listening on 443. We will add a configuration to proxy `wss://webrtc.jaredlog.com` to your Node backend.

### 4.1 Create Config

```bash
sudo nano /etc/nginx/sites-available/bemyears
```

**Content:**

```nginx
server {
    listen 443 ssl;
    server_name webrtc.jaredlog.com;

    # SSL config (reuse your existing cert paths or generate new ones)
    # Check /etc/nginx/sites-enabled/ for examples of your existing SSL setup
    ssl_certificate /etc/letsencrypt/live/webrtc.jaredlog.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/webrtc.jaredlog.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Idle WebSocket connections are closed after proxy_read_timeout (default 60s)
        proxy_read_timeout 3600s;
    }
}
```

### 4.2 Enable

```bash
sudo ln -s /etc/nginx/sites-available/bemyears /etc/nginx/sites-enabled/
sudo nginx -t   # fails if the certificate paths above do not exist yet (see 4.3)
sudo systemctl reload nginx
```

### 4.3 Obtain SSL Certificates (Certbot)

Since Nginx is already configured and listening on ports 80/443, we use the `--nginx` plugin to request the certificates securely.

```bash
# 1. Obtain certs
sudo certbot --nginx -d webrtc.jaredlog.com

# 2. Verify paths
# Certificates should be at:
#   /etc/letsencrypt/live/webrtc.jaredlog.com/fullchain.pem
#   /etc/letsencrypt/live/webrtc.jaredlog.com/privkey.pem
```

### 4.4 Fix Permissions for Coturn

Coturn runs as the `turnserver` user and typically cannot read files in `/etc/letsencrypt/`. We need to grant it read access.

```bash
# Option A: Simple Group Access (Recommended)
# Add the turnserver user to the group that owns the certificate files
# (root here; use ssl-cert instead if your certbot setup uses that group)
sudo usermod -a -G root turnserver
# Note: on some systems, certbot keys are owned by root:root with 700 permissions,
# in which case group membership alone is not enough.
# A deploy hook (Option B) avoids permission issues during renewal.

# Option B: Use a Deploy Hook (Robust)
# Create a script to copy certs to a turnserver-owned directory on renewal.
sudo mkdir -p /etc/coturn/certs
sudo chown -R turnserver:turnserver /etc/coturn/certs
sudo chmod 700 /etc/coturn/certs

# Create install script
sudo nano /etc/letsencrypt/renewal-hooks/deploy/coturn-cert-deploy.sh
```

Paste this script:

```bash
#!/bin/bash
# Certbot deploy hook: copy the renewed certificate into a directory Coturn can read.
# Certbot sets RENEWED_DOMAINS (space-separated) for the certificate it just renewed.
set -euo pipefail

DOMAIN="webrtc.jaredlog.com"
CERT_DIR="/etc/coturn/certs"

if [[ " ${RENEWED_DOMAINS:-} " == *" $DOMAIN "* ]]; then
  cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "$CERT_DIR/turn_server_cert.pem"
  cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "$CERT_DIR/turn_server_pkey.pem"
  chown turnserver:turnserver "$CERT_DIR"/*.pem
  chmod 600 "$CERT_DIR"/*.pem
  systemctl restart coturn
  echo "Deployed new certs for Coturn"
fi
```

Make it executable and run it once manually:

```bash
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/coturn-cert-deploy.sh

# Run manually to populate the first time (simulating certbot's environment variables)
RENEWED_DOMAINS="webrtc.jaredlog.com" sudo -E /etc/letsencrypt/renewal-hooks/deploy/coturn-cert-deploy.sh
```

**Update Coturn Config:** If you used Option B, update `/etc/turnserver.conf`:

```ini
cert=/etc/coturn/certs/turn_server_cert.pem
pkey=/etc/coturn/certs/turn_server_pkey.pem
```

If you used Option A (Group), keep the default Let's Encrypt paths.

---

## 5. Firewall (CRITICAL)

**⚠️ WARNING:** You have SSH running on port **2222**. The default UFW rule `allow ssh` opens port 22. You MUST explicitly open 2222 or you will be locked out.

```bash
# 1. Allow connection management
sudo ufw allow 2222/tcp   # CRITICAL: your SSH port
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# 2. Allow TURN (signaling & relay)
sudo ufw allow 3478/tcp
sudo ufw allow 3478/udp
sudo ufw allow 5349/tcp
sudo ufw allow 5349/udp

# 3. Allow media relay range (UDP) - Coturn's default relay port range
sudo ufw allow 49152:65535/udp

# Confirm the 2222 rule is present before enabling
sudo ufw show added

# 4. Enable
sudo ufw enable
```

---

## 6. Verification

1. **WebSocket**: Connect to `wss://webrtc.jaredlog.com` (should hit your Node backend).
2. **TURN**: Test candidates using `turn:webrtc.jaredlog.com:3478` (user:password).