BeMyEars/server-setup.md
jared d29b8182ca Initial commit
Add iOS app with Node.js/TypeScript backend for BeMyEars project.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 21:51:47 -05:00

# BeMyEars Server Setup Guide (Customized for webrtc.jaredlog.com)
This guide details the steps to deploy the BeMyEars backend and a self-hosted TURN server (Coturn) on your specific server environment (`webrtc.jaredlog.com`).
**Environment Details:**
- **Domain:** `webrtc.jaredlog.com` (Used for both API and TURN)
- **SSH Port:** **2222** (CRITICAL: Do not lock yourself out!)
- **Existing Services:** Nginx (Proxying Gunicorn, etc.), Postgres, Redis, etc.
---
## 1. Install Node.js & Tools
Your server already has a node process on port 5002, so Node is probably installed. Check that the installed version meets the requirements (v18+ recommended).
```bash
# Check existing version
node -v
# IF needed, update:
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt install -y nodejs
# Install PM2 (process manager), ts-node and TypeScript globally if missing
sudo npm install -g pm2 ts-node typescript
```
---
## 2. Deploy Backend Code
Deploy the code to a suitable directory (e.g. `/var/www/bemyears`).
```bash
# Clone
git clone https://github.com/your-repo/BeMyEars.git /var/www/bemyears
# Install & Build
cd /var/www/bemyears/backend
npm install
npm run build
# Start with PM2
# Note: Your server has many services. We use port 8080 for the backend internally.
# Ensure 8080 is free (it wasn't listed in your netprograms output, so it should be safe).
pm2 start dist/server.js --name "bemyears-backend"
# Save PM2 list
pm2 save
```
The backend is now running on **127.0.0.1:8080**.
---
## 3. Setup COTURN (TURN Server)
You need to run Coturn on this server to handle NAT traversal.
**Ports Checked:** `3478` and `5349` are NOT listed in your `netprograms`, so they are available.
### 3.1 Install & Configure
```bash
sudo apt install -y coturn
sudo mv /etc/turnserver.conf /etc/turnserver.conf.backup
sudo nano /etc/turnserver.conf
```
**Configuration (Copy/Paste):**
`external-ip` must be your server's WAN IP (`74.50.98.226` from your output); the config below already uses it, so change it only if the address changes.
```ini
# /etc/turnserver.conf
listening-port=3478
tls-listening-port=5349
listening-ip=0.0.0.0
# External IP
external-ip=74.50.98.226
# Domain (Using the same domain is fine)
realm=webrtc.jaredlog.com
server-name=webrtc.jaredlog.com
# Static Auth
# Replace user:password with a unique, strong secret before going live: these
# credentials are handed to every client and are the only thing gating relay use.
user=user:password
# Security
no-cli
no-loopback-peers
no-multicast-peers
# Certificate (Re-use existing Nginx certs if possible, or new ones)
# Ideally point to the same certs Nginx uses for webrtc.jaredlog.com
cert=/etc/letsencrypt/live/webrtc.jaredlog.com/fullchain.pem
pkey=/etc/letsencrypt/live/webrtc.jaredlog.com/privkey.pem
```
### 3.2 Start
```bash
sudo sed -i 's/#TURNSERVER_ENABLED=1/TURNSERVER_ENABLED=1/g' /etc/default/coturn
sudo systemctl restart coturn
```
---
## 4. Nginx Configuration
Your Nginx is already listening on 443. We will add a configuration to proxy `wss://webrtc.jaredlog.com` to your Node backend.
### 4.1 Create Config
```bash
sudo nano /etc/nginx/sites-available/bemyears
```
**Content:**
```nginx
server {
    listen 443 ssl;
    server_name webrtc.jaredlog.com;

    # SSL config (reuse your existing cert paths or generate new ones)
    # Check /etc/nginx/sites-enabled/ for examples of your existing SSL setup
    ssl_certificate /etc/letsencrypt/live/webrtc.jaredlog.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/webrtc.jaredlog.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        # Forward the WebSocket upgrade handshake to the Node backend
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```
### 4.2 Enable
```bash
sudo ln -s /etc/nginx/sites-available/bemyears /etc/nginx/sites-enabled/
sudo systemctl reload nginx
```
### 4.3 Obtain SSL Certificates (Certbot)
Since Nginx is already configured and listening on ports 80/443, we use the `--nginx` plugin to request the certificates securely. Nginx refuses to load a `server` block whose `ssl_certificate` files do not exist yet, so if the reload in 4.2 failed with a missing-certificate error, obtain the certificates first and then reload again.
```bash
# 1. Obtain certs
sudo certbot --nginx -d webrtc.jaredlog.com
# 2. Verify paths
# Certificates should be at:
# /etc/letsencrypt/live/webrtc.jaredlog.com/fullchain.pem
# /etc/letsencrypt/live/webrtc.jaredlog.com/privkey.pem
```
### 4.4 Fix Permissions for Coturn
Coturn runs as the `turnserver` user and typically cannot read files in `/etc/letsencrypt/`. We need to grant it read access.
```bash
# Option A: Group Access (Simple)
# Only works where the Let's Encrypt directories are group-readable. Adding a
# service account to the root group also grants it read access to every other
# root-group-readable file on the system, not just the certificates, so prefer
# Option B where least privilege matters.
sudo usermod -a -G root turnserver
# Note: certbot creates /etc/letsencrypt/live and /archive as root:root with
# 700 permissions, so group membership alone often does not help, and a renewal
# replaces the files. A deploy hook avoids both problems.
# Option B: Use a Deploy Hook (Robust)
# Copy the certs into a turnserver-owned directory on each renewal.
sudo mkdir -p /etc/coturn/certs
sudo chown -R turnserver:turnserver /etc/coturn/certs
sudo chmod 700 /etc/coturn/certs
# Create install script
sudo nano /etc/letsencrypt/renewal-hooks/deploy/coturn-cert-deploy.sh
```
Paste this script:
```bash
#!/bin/bash
# Certbot deploy hook: runs after a successful renewal with RENEWED_DOMAINS
# (a space-separated list of the names on the renewed certificate) in the environment.
set -euo pipefail
DOMAIN="webrtc.jaredlog.com"
CERT_DIR="/etc/coturn/certs"
# Match the domain as one item of the list; a plain string compare would miss
# a certificate that also covers other names.
case " ${RENEWED_DOMAINS:-} " in
    *" $DOMAIN "*)
        # install(1) copies the file and sets owner and mode in one step.
        install -o turnserver -g turnserver -m 600 \
            "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "$CERT_DIR/turn_server_cert.pem"
        install -o turnserver -g turnserver -m 600 \
            "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "$CERT_DIR/turn_server_pkey.pem"
        systemctl restart coturn
        echo "Deployed new certs for Coturn"
        ;;
esac
```
Make it executable and run it once manually:
```bash
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/coturn-cert-deploy.sh
# Run manually to populate first time (simulating environment variables)
RENEWED_DOMAINS="webrtc.jaredlog.com" sudo -E /etc/letsencrypt/renewal-hooks/deploy/coturn-cert-deploy.sh
```
**Update Coturn Config:**
If you used Option B, update `/etc/turnserver.conf`:
```ini
cert=/etc/coturn/certs/turn_server_cert.pem
pkey=/etc/coturn/certs/turn_server_pkey.pem
```
If you used Option A (Group), keep the default Let's Encrypt paths.
---
## 5. Firewall (CRITICAL)
**⚠️ WARNING:** You have SSH running on port **2222**. The default UFW rule `allow ssh` opens port 22. You MUST explicitly open 2222 or you will be locked out.
```bash
# 1. Allow Connection Management
sudo ufw allow 2222/tcp # CRITICAL: Your SSH Port
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# 2. Allow TURN (Signaling & Relay)
sudo ufw allow 3478/tcp
sudo ufw allow 3478/udp
sudo ufw allow 5349/tcp
sudo ufw allow 5349/udp
# 3. Allow Media Range (UDP)
sudo ufw allow 49152:65535/udp
# 4. Enable
sudo ufw enable
```
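A pre-flight check for the lockout risk above and for the ports this guide assumes are free (8080, 3478, 5349). This is an added example, not a script from the BeMyEars repo: each check takes captured command output as text (`sshd -T`, `ufw show added`, `ss -tlnH`), and the `SAMPLE_*` inputs are constructed to mirror the server described in this guide.

```shell
#!/bin/bash
# Added pre-flight check for this guide (not from the BeMyEars repo). Each check
# reads captured command output as text; the SAMPLE_* inputs are constructed.
set -u

# Port sshd really listens on, from `sshd -T` (effective config, lowercase keys).
sshd_port_from_config() {
    printf '%s\n' "$1" | awk '$1 == "port" { print $2; exit }'
}
# 0 if `ufw show added` output has an allow rule for PORT/PROTO ($1/$2).
ufw_allows_port() {
    printf '%s\n' "$3" | grep -Eq "^ufw allow $1/$2( |\$)"
}
# 0 if `ss -tlnH` output shows a listener on PORT (column 4 is addr:port).
port_in_use() {
    printf '%s\n' "$2" |
        awk -v p="$1" '{ n = split($4, a, ":"); if (a[n] == p) f = 1 } END { exit !f }'
}
# 0 when the sshd port is allowed and the guide's ports are free; prints one line per finding.
preflight() {
    local rules="$2" listeners="$3" rc=0 port
    port=$(sshd_port_from_config "$1")
    if ufw_allows_port "$port" tcp "$rules"; then
        echo "ok: SSH port $port/tcp is allowed"
    else
        echo "FAIL: SSH port $port/tcp not allowed; 'ufw enable' would lock you out"; rc=1
    fi
    for port in 8080 3478 5349; do   # backend, TURN, TURN over TLS
        if port_in_use "$port" "$listeners"; then
            echo "FAIL: port $port already has a listener"; rc=1
        else
            echo "ok: port $port is free"
        fi
    done
    return $rc
}

SAMPLE_SSHD='port 2222
listenaddress 0.0.0.0:2222'
SAMPLE_RULES_OK='ufw allow 2222/tcp
ufw allow 443/tcp
ufw allow 3478/udp'
SAMPLE_RULES_LOCKOUT='ufw allow ssh
ufw allow 443/tcp'   # the mistake the guide warns about: opens 22, not 2222
SAMPLE_LISTENERS='LISTEN 0 4096 0.0.0.0:2222 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 511 127.0.0.1:5002 0.0.0.0:* users:(("node",pid=1450,fd=18))'
preflight "$SAMPLE_SSHD" "$SAMPLE_RULES_OK" "$SAMPLE_LISTENERS"
# On the server: preflight "$(sudo sshd -T)" "$(sudo ufw show added)" "$(ss -tlnH)"
```

Run it before `sudo ufw enable`; a `FAIL` line for the SSH port means the rule set would cut off your session on port 2222.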
---
## 6. Verification
1. **WebSocket**: Connect to `wss://webrtc.jaredlog.com` (should hit your Node backend).
2. **TURN**: Test candidates using `turn:webrtc.jaredlog.com:3478` (user:password).