BeMyEars/server-setup.md
jared d29b8182ca Initial commit
Add iOS app with Node.js/TypeScript backend for BeMyEars project.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 21:51:47 -05:00


BeMyEars Server Setup Guide (Customized for webrtc.jaredlog.com)

This guide details the steps to deploy the BeMyEars backend and a self-hosted TURN server (Coturn) on your specific server environment (webrtc.jaredlog.com).

Environment Details:

  • Domain: webrtc.jaredlog.com (Used for both API and TURN)
  • SSH Port: 2222 (CRITICAL: Do not lock yourself out!)
  • Existing Services: Nginx (Proxying Gunicorn, etc.), Postgres, Redis, etc.

1. Install Node.js & Tools

Your server already has a node process on port 5002, so Node may already be installed. Check that the installed version meets the requirements (v18+ recommended).

# Check existing version
node -v

# IF needed, update:
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt install -y nodejs

# Install PM2 (process manager), ts-node and typescript globally if missing
sudo npm install -g pm2 ts-node typescript

2. Deploy Backend Code

Deploy the code to a suitable directory (e.g. /var/www/bemyears).

# Clone
git clone https://github.com/your-repo/BeMyEars.git /var/www/bemyears

# Install & Build
cd /var/www/bemyears/backend
npm install
npm run build

# Start with PM2
# Note: Your server has many services. We use port 8080 for the backend internally.
# Ensure 8080 is free (it wasn't listed in your netprograms output, so it should be safe).
pm2 start dist/server.js --name "bemyears-backend"

# Save PM2 list
pm2 save

The backend is now running on 127.0.0.1:8080.


3. Setup COTURN (TURN Server)

You need to run Coturn on this server to handle NAT traversal. Ports checked: 3478 and 5349 are not listed in your netprograms output, so they are available.

3.1 Install & Configure

sudo apt install -y coturn
sudo mv /etc/turnserver.conf /etc/turnserver.conf.backup
sudo nano /etc/turnserver.conf

Configuration (Copy/Paste): Replace <PUBLIC_IP> with your server's WAN IP (74.50.98.226 from your output).

# /etc/turnserver.conf
listening-port=3478
tls-listening-port=5349
listening-ip=0.0.0.0

# External IP
external-ip=74.50.98.226

# Domain (Using the same domain is fine)
realm=webrtc.jaredlog.com
server-name=webrtc.jaredlog.com

# Static Auth (long-term credential mechanism; the static account is only enforced with lt-cred-mech)
# Replace user:password with a strong, unique secret before exposing the server
lt-cred-mech
user=user:password

# Security
no-cli
no-loopback-peers
no-multicast-peers

# Certificate (Re-use existing Nginx certs if possible, or new ones)
# Ideally point to the same certs Nginx uses for webrtc.jaredlog.com
cert=/etc/letsencrypt/live/webrtc.jaredlog.com/fullchain.pem
pkey=/etc/letsencrypt/live/webrtc.jaredlog.com/privkey.pem

3.2 Start

sudo sed -i 's/#TURNSERVER_ENABLED=1/TURNSERVER_ENABLED=1/g' /etc/default/coturn
sudo systemctl restart coturn

4. Nginx Configuration

Your Nginx is already listening on 443. We will add a configuration to proxy wss://webrtc.jaredlog.com to your Node backend.

4.1 Create Config

sudo nano /etc/nginx/sites-available/bemyears

Content:

server {
    listen 443 ssl;
    server_name webrtc.jaredlog.com;

    # SSL Config (Reuse your existing cert paths or generate new ones)
    # Check /etc/nginx/sites-enabled/ for examples of your existing SSL setup
    ssl_certificate /etc/letsencrypt/live/webrtc.jaredlog.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/webrtc.jaredlog.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

4.2 Enable

sudo ln -s /etc/nginx/sites-available/bemyears /etc/nginx/sites-enabled/
# Validate before reloading: nginx -t fails while the cert paths referenced in the config
# do not exist yet; if that is the case, obtain them in 4.3 first
sudo nginx -t && sudo systemctl reload nginx

4.3 Obtain SSL Certificates (Certbot)

Since Nginx is already configured and listening on port 80/443, we use the --nginx plugin to request the certificates securely.

# 1. Obtain certs
sudo certbot --nginx -d webrtc.jaredlog.com

# 2. Verify paths
# Certificates should be at:
# /etc/letsencrypt/live/webrtc.jaredlog.com/fullchain.pem
# /etc/letsencrypt/live/webrtc.jaredlog.com/privkey.pem

4.4 Fix Permissions for Coturn

Coturn runs as the turnserver user and typically cannot read files in /etc/letsencrypt/. We need to grant it read access.

# Option A: Simple Group Access (Recommended)
# Add the turnserver user to the ssl-cert group defined by certbot (or the root group if ssl-cert is missing).
# The command below uses the root group: this only helps if the Let's Encrypt directories are
# group-readable, and it exposes every root-group-readable file on the host to the TURN process, not just the certs.
sudo usermod -a -G root turnserver
# Note: On some systems, certbot keys are owned by root:root with 700 permissions,
# so group membership alone is not enough. A deploy hook avoids permission issues during renewal.

# Option B: Use a Deploy Hook (Robust)
# Create a script to copy certs to a turnserver-owned directory on renewal.

sudo mkdir -p /etc/coturn/certs
sudo chown -R turnserver:turnserver /etc/coturn/certs
sudo chmod 700 /etc/coturn/certs

# Create install script
sudo nano /etc/letsencrypt/renewal-hooks/deploy/coturn-cert-deploy.sh

Paste this script:

#!/bin/bash
# Certbot deploy hook: copies the renewed cert and key into a directory Coturn's user can read.
# Certbot passes RENEWED_DOMAINS (space-separated list) to deploy hooks.
set -euo pipefail
DOMAIN="webrtc.jaredlog.com"
CERT_DIR="/etc/coturn/certs"

# Match the domain anywhere in the list (a plain '=' test only matches a single-domain renewal)
case " ${RENEWED_DOMAINS:-} " in
    *" $DOMAIN "*)
        # install = copy + chown + chmod in one step
        install -o turnserver -g turnserver -m 600 "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "$CERT_DIR/turn_server_cert.pem"
        install -o turnserver -g turnserver -m 600 "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "$CERT_DIR/turn_server_pkey.pem"
        systemctl restart coturn
        echo "Deployed new certs for Coturn"
        ;;
esac

Make it executable and run it once manually:

sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/coturn-cert-deploy.sh
# Run manually to populate first time (simulating environment variables)
RENEWED_DOMAINS="webrtc.jaredlog.com" sudo -E /etc/letsencrypt/renewal-hooks/deploy/coturn-cert-deploy.sh

Update Coturn Config: If you used Option B, update /etc/turnserver.conf:

cert=/etc/coturn/certs/turn_server_cert.pem
pkey=/etc/coturn/certs/turn_server_pkey.pem

If you used Option A (Group), keep the default Let's Encrypt paths.


5. Firewall (CRITICAL)

⚠️ WARNING: You have SSH running on port 2222. The default UFW rule allow ssh opens port 22. You MUST explicitly open 2222 or you will be locked out.

# 1. Allow Connection Management
sudo ufw allow 2222/tcp  # CRITICAL: Your SSH Port
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# 2. Allow TURN (Signaling & Relay)
sudo ufw allow 3478/tcp
sudo ufw allow 3478/udp
sudo ufw allow 5349/tcp
sudo ufw allow 5349/udp

# 3. Allow Media Range (UDP)
sudo ufw allow 49152:65535/udp

# 4. Enable
sudo ufw enable

6. Verification

  1. WebSocket: Connect to wss://webrtc.jaredlog.com (should hit your Node backend).
  2. TURN: Test candidates using turn:webrtc.jaredlog.com:3478 (user:password).
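As a concrete version of the TURN check in step 2, here is an added Python probe (not part of the original guide) that sends an unauthenticated TURN Allocate to webrtc.jaredlog.com:3478 and confirms the server answers 401 with realm webrtc.jaredlog.com and a nonce, i.e. that the long-term credential mechanism is actually enforced and the relay is not open to anyone. The message and attribute constants come from RFC 5389/5766; the host, port and realm defaults are assumptions taken from this guide.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST, ALLOCATE_ERROR_RESPONSE = 0x0003, 0x0113
ATTR_ERROR_CODE, ATTR_REALM, ATTR_NONCE, ATTR_REQ_TRANSPORT = 0x0009, 0x0014, 0x0015, 0x0019

def build_request(msg_type, attrs=b""):
    """STUN header (RFC 5389) followed by attributes; returns (message, transaction id)."""
    tid = os.urandom(12)
    return struct.pack("!HHI", msg_type, len(attrs), MAGIC_COOKIE) + tid + attrs, tid

def allocate_request():
    # REQUESTED-TRANSPORT = UDP (protocol 17), value padded to 4 bytes per RFC 5766
    attr = struct.pack("!HHB3x", ATTR_REQ_TRANSPORT, 4, 17)
    return build_request(ALLOCATE_REQUEST, attr)

def parse_response(data, tid):
    """Return (msg_type, {attr_type: raw value}); rejects replies to other transactions."""
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != tid:
        raise ValueError("not a STUN reply to our transaction")
    attrs, pos = {}, 20
    while pos + 4 <= 20 + length:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        attrs[atype] = data[pos + 4:pos + 4 + alen]
        pos += 4 + (alen + 3) // 4 * 4  # attribute values are padded to 4-byte boundaries
    return msg_type, attrs

def check_auth_challenge(msg_type, attrs, expected_realm):
    """True only if the unauthenticated Allocate was refused with 401 and the configured realm."""
    if msg_type != ALLOCATE_ERROR_RESPONSE or ATTR_ERROR_CODE not in attrs:
        return False  # an Allocate success here means the relay is open to anyone
    code = attrs[ATTR_ERROR_CODE]
    error = (code[2] & 0x07) * 100 + code[3]  # ERROR-CODE: class (3 bits) * 100 + number
    realm = attrs.get(ATTR_REALM, b"").decode(errors="replace")
    return error == 401 and realm == expected_realm and ATTR_NONCE in attrs

def probe(host, port=3478, realm="webrtc.jaredlog.com", timeout=3.0):
    """Send one unauthenticated Allocate over UDP and report whether credentials were demanded."""
    msg, tid = allocate_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (host, port))
        data, _ = s.recvfrom(2048)
    return check_auth_challenge(*parse_response(data, tid), realm)
```

Run `probe("webrtc.jaredlog.com")` from a client host; True means the server challenged for credentials, False means it allocated a relay without them (or answered with an unexpected realm), and a timeout points at the firewall rules in section 5.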