From 09177b90d3a9abdf1eec9e76c9e1f10fc9fa1ab1 Mon Sep 17 00:00:00 2001 From: fkwp Date: Thu, 24 Apr 2025 23:40:32 +0200 Subject: [PATCH 01/22] added matrix-rtc server to route jwt and sfu traffic. renamed file to dev_nginx.conf --- ...ls_localhost_nginx.conf => dev_nginx.conf} | 49 ++++++++++++++++++- 1 file changed, 47 insertions(+), 2 deletions(-) rename backend/{tls_localhost_nginx.conf => dev_nginx.conf} (53%) diff --git a/backend/tls_localhost_nginx.conf b/backend/dev_nginx.conf similarity index 53% rename from backend/tls_localhost_nginx.conf rename to backend/dev_nginx.conf index 2a593210..e4d665d6 100644 --- a/backend/tls_localhost_nginx.conf +++ b/backend/dev_nginx.conf @@ -16,9 +16,9 @@ server { # currently rely for local development environment on deprecated config.json # setting for livekit_service_url location /.well-known/matrix/client { - return 200 '{"m.homeserver": {"base_url": "http://synapse.localhost:8008"}, "org.matrix.msc4143.rtc_foci": [{"type": "livekit", "livekit_service_url": "http://localhost:8080"}]}'; - default_type application/json; add_header Access-Control-Allow-Origin *; + return 200 '{"m.homeserver": {"base_url": "http://synapse.localhost:8008"}, "org.matrix.msc4143.rtc_foci": [{"type": "livekit", "livekit_service_url": "http://matrix-rtc.localhost:8008/livekit/jwt"}]}'; + default_type application/json; } # Reverse proxy for Matrix Synapse Homeserver 
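Review bot: The context comment right above `location /.well-known/matrix/client` ("currently rely for local development environment on deprecated config.json setting for livekit_service_url") no longer describes what the block does: the response now advertises the MatrixRTC backend itself via `org.matrix.msc4143.rtc_foci`, and the next patch of this series deletes the deprecated `livekit` key from `config.devenv.json`. Replace it with something like `# Advertise the homeserver and the MatrixRTC backend (JWT service) via MSC4143 rtc_foci` so the next reader does not go looking for a fallback that no longer exists. The start of that comment is outside the hunk, so the preceding line may need the same edit.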
@@ -38,3 +38,48 @@ server { error_page 500 502 503 504 /50x.html; } + +server { + listen 80; + listen [::]:80; + listen 443 ssl; + listen 8448 ssl; + listen [::]:443 ssl; + listen [::]:8448 ssl; + server_name matrix-rtc.localhost; + ssl_certificate /root/ssl/cert.pem; + ssl_certificate_key /root/ssl/key.pem; + + + location ^~ /livekit/jwt/ { + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # JWT Service running at port 8080 + proxy_pass http://auth-server:8080/; + } + + location ^~ /livekit/sfu/ { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_send_timeout 120; + proxy_read_timeout 120; + proxy_buffering off; + + proxy_set_header Accept-Encoding gzip; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # LiveKit SFU websocket connection running at port 7880 + proxy_pass http://livekit-sfu:7880/; + } + + error_page 500 502 503 504 /50x.html; + +} From 1ae876de26260fad6f14b2f8b92b8ee52fbb711b Mon Sep 17 00:00:00 2001 From: fkwp Date: Thu, 24 Apr 2025 23:40:58 +0200 Subject: [PATCH 02/22] remove legacy livekit key --- config/config.devenv.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/config/config.devenv.json b/config/config.devenv.json index cebca705..b0e38ee4 100644 --- a/config/config.devenv.json +++ b/config/config.devenv.json @@ -5,9 +5,6 @@ "server_name": "synapse.localhost" } }, - "livekit": { - "livekit_service_url": "http://localhost:8009" - }, "features": { "feature_use_device_session_member_events": true }, From 8ad1d60975303de635dfd53b397ce6abc85ff83f Mon Sep 17 00:00:00 2001 
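Review bot: The `/livekit/sfu/` location sets `Upgrade`/`Connection: upgrade` but not `proxy_http_version 1.1;`; nginx proxies with HTTP/1.0 by default, and its WebSocket proxying documentation requires 1.1 for the upgrade to reach the upstream, so add `proxy_http_version 1.1;` next to the `Upgrade` header (upstreams that insist on HTTP/1.1 will otherwise refuse the handshake). The same `server` block also answers on plain `80` and on the federation port `8448`, so the LiveKit token issuer and the SFU signalling channel are reachable without TLS even though later patches in this series advertise only `https://`/`wss://` URLs for this host; dropping `listen 80;`/`listen [::]:80;`, or redirecting them with `return 301 https://$host$request_uri;` as the later `call.m.localhost` block does, keeps the token out of cleartext. `8448` can go as well unless `matrix-rtc.*` is meant to serve federation, which nothing in the block suggests.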
From: fkwp Date: Thu, 24 Apr 2025 23:45:53 +0200 Subject: [PATCH 03/22] remove NOTE wrt. legacy livekit key from README.md --- README.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/README.md b/README.md index 8ac32d80..4d843d55 100644 --- a/README.md +++ b/README.md @@ -192,11 +192,6 @@ To use it, create a local config by, e.g., The `config.devenv.json` config should work with the backend development environment as outlined in the next section out of box. -> [!NOTE] -> Be aware, that this `config.devenv.json` is exposing a deprecated fallback -> LiveKit config key. If the homeserver advertises SFU backend via -> `.well-known/matrix/client` this has precedence. - You're now ready to launch the development server: ```sh From b61bed019778ccea72acfd27eb08be695f4920f6 Mon Sep 17 00:00:00 2001 From: fkwp Date: Thu, 24 Apr 2025 23:46:45 +0200 Subject: [PATCH 04/22] cleanup used ports, reflect endpoint routing of JWT service and SFU websocket connection --- dev-backend-docker-compose.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/dev-backend-docker-compose.yml b/dev-backend-docker-compose.yml index 8d70bfc2..38853054 100644 --- a/dev-backend-docker-compose.yml +++ b/dev-backend-docker-compose.yml @@ -7,7 +7,7 @@ services: hostname: auth-server environment: - LK_JWT_PORT=8080 - - LIVEKIT_URL=ws://localhost:7880 + - LIVEKIT_URL=ws://matrix-rtc.localhost/livekit/sfu - LIVEKIT_KEY=devkey - LIVEKIT_SECRET=secret # If the configured homeserver runs on localhost, it'll probably be using @@ -18,12 +18,13 @@ services: condition: on-failure ports: # HOST_PORT:CONTAINER_PORT - - 8009:8080 + - 8080:8080 networks: - ecbackend livekit: image: livekit/livekit-server:latest + hostname: livekit-sfu command: --dev --config /etc/livekit.yaml restart: unless-stopped # The SFU seems to work far more reliably when we let it share the host 
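Review bot: `- 8080:8080` publishes the JWT service on every host interface even though nginx now fronts it at `matrix-rtc.localhost/livekit/jwt/`; with `LIVEKIT_KEY=devkey` and `LIVEKIT_SECRET=secret` checked into the repository, anyone on the developer's LAN can mint LiveKit tokens from that port. Bind it to loopback, `- 127.0.0.1:8080:8080`, or remove the mapping altogether now that the only intended path is `auth-server:8080` on the `ecbackend` network. Note also that `LIVEKIT_URL` is the value the JWT service hands to browsers, so `matrix-rtc.localhost` must resolve on the developer's machine, not inside the compose network; most browsers map `*.localhost` to loopback but not every resolver does, and the README should say so (or provide an `/etc/hosts` line).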
@@ -85,11 +86,13 @@ services: hostname: synapse.localhost image: nginx:latest volumes: - - ./backend/tls_localhost_nginx.conf:/etc/nginx/conf.d/default.conf:Z + - ./backend/dev_nginx.conf:/etc/nginx/conf.d/default.conf:Z - ./backend/tls_localhost_key.pem:/root/ssl/key.pem:Z - ./backend/tls_localhost_cert.pem:/root/ssl/cert.pem:Z ports: # HOST_PORT:CONTAINER_PORT + - "80:80" + - "443:443" - "8008:80" - "4443:443" depends_on: From 9416c41d6215a70caaf4cc76fb854fa5dee68bb4 Mon Sep 17 00:00:00 2001 From: fkwp Date: Fri, 25 Apr 2025 00:09:39 +0200 Subject: [PATCH 05/22] added note about certificate exceptions --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 4d843d55..db7cc43f 100644 --- a/README.md +++ b/README.md @@ -225,6 +225,13 @@ yarn backend # podman-compose -f dev-backend-docker-compose.yml up ``` +> [!NOTE] +> To ensure your local development frontend functions properly, you’ll need to add +> certificate exceptions in your browser for both `https://localhost:3000` and +> `https://synapse.localhost/.well-known/matrix/client`. The easiest way to do this +> is to simply copy and paste each URL into your browser’s address bar and follow +> the prompts to add the exception. + ### Playwright tests Our Playwright tests run automatically as part of our CI along with our other From 06e1a4eb1e8120edef266467fc233580fef78b00 Mon Sep 17 00:00:00 2001 From: fkwp Date: Mon, 5 May 2025 12:57:23 +0200 Subject: [PATCH 06/22] Adapt new naming schema *.m.localhost --- backend/dev_homeserver.yaml | 4 ++-- backend/dev_nginx.conf | 6 +++--- dev-backend-docker-compose.yml | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/backend/dev_homeserver.yaml b/backend/dev_homeserver.yaml index 5697c32e..eab4e698 100644 --- a/backend/dev_homeserver.yaml +++ b/backend/dev_homeserver.yaml 
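Review bot: The new `"80:80"`/`"443:443"` mappings bind privileged host ports on all interfaces while the old `"8008:80"`/`"4443:443"` pairs are kept, so the same TLS proxy — serving a stack whose signing `secret` is public — is now reachable on four host ports. Prefer loopback-only publication, `- "127.0.0.1:80:80"` and `- "127.0.0.1:443:443"`, and drop the legacy pairs once nothing in the series still uses `:8008`/`:4443` (the well-known answer stops doing so in patch 06). Binding 80/443 will also collide with any web server a developer already runs locally; a one-line README note would save that debugging session.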
@@ -1,5 +1,5 @@ -server_name: "synapse.localhost" -public_baseurl: http://synapse.localhost:8008/ +server_name: "synapse.m.localhost" +public_baseurl: https://synapse.m.localhost/ pid_file: /data/homeserver.pid diff --git a/backend/dev_nginx.conf b/backend/dev_nginx.conf index e4d665d6..bc60f9c1 100644 --- a/backend/dev_nginx.conf +++ b/backend/dev_nginx.conf @@ -5,7 +5,7 @@ server { listen 8448 ssl; listen [::]:443 ssl; listen [::]:8448 ssl; - server_name synapse.localhost; + server_name synapse.m.localhost; ssl_certificate /root/ssl/cert.pem; ssl_certificate_key /root/ssl/key.pem; @@ -17,7 +17,7 @@ server { # setting for livekit_service_url location /.well-known/matrix/client { add_header Access-Control-Allow-Origin *; - return 200 '{"m.homeserver": {"base_url": "http://synapse.localhost:8008"}, "org.matrix.msc4143.rtc_foci": [{"type": "livekit", "livekit_service_url": "http://matrix-rtc.localhost:8008/livekit/jwt"}]}'; + return 200 '{"m.homeserver": {"base_url": "https://synapse.m.localhost"}, "org.matrix.msc4143.rtc_foci": [{"type": "livekit", "livekit_service_url": "https://matrix-rtc.m.localhost/livekit/jwt"}]}'; default_type application/json; } @@ -46,7 +46,7 @@ server { listen 8448 ssl; listen [::]:443 ssl; listen [::]:8448 ssl; - server_name matrix-rtc.localhost; + server_name matrix-rtc.m.localhost; ssl_certificate /root/ssl/cert.pem; ssl_certificate_key /root/ssl/key.pem; diff --git a/dev-backend-docker-compose.yml b/dev-backend-docker-compose.yml index 38853054..ad25bf75 100644 --- a/dev-backend-docker-compose.yml +++ b/dev-backend-docker-compose.yml @@ -7,7 +7,7 @@ services: hostname: auth-server environment: - LK_JWT_PORT=8080 - - LIVEKIT_URL=ws://matrix-rtc.localhost/livekit/sfu + - LIVEKIT_URL=wss://matrix-rtc.m.localhost/livekit/sfu - LIVEKIT_KEY=devkey - LIVEKIT_SECRET=secret # If the configured homeserver runs on localhost, it'll probably be using 
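Review bot: `LIVEKIT_URL=wss://matrix-rtc.m.localhost/livekit/sfu` is the public URL the JWT service returns to browsers, which is the right thing to advertise, but nothing on the compose network resolves `matrix-rtc.m.localhost` — the nginx service only declares `hostname: synapse.m.localhost`. If lk-jwt-service ever dials `LIVEKIT_URL` itself (health checks or future features; I cannot tell from here), that lookup fails inside the container; adding `aliases: [matrix-rtc.m.localhost]` under the nginx service's `ecbackend` network entry makes the name valid on both sides. Any such in-container connection would also need the dev CA trusted, which the `LIVEKIT_INSECURE_SKIP_VERIFY_TLS` context line presumably papers over — worth a comment on that line saying it now covers the SFU as well as the homeserver.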
@@ -83,7 +83,7 @@ services: nginx: # openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls_localhost_key.pem -out tls_localhost_cert.pem -subj "/C=GB/ST=London/L=London/O=Alros/OU=IT Department/CN=localhost" - hostname: synapse.localhost + hostname: synapse.m.localhost image: nginx:latest volumes: - ./backend/dev_nginx.conf:/etc/nginx/conf.d/default.conf:Z From 08f034251c2abb8216a6f41aa8e90a8a57c49737 Mon Sep 17 00:00:00 2001 From: fkwp Date: Mon, 5 May 2025 13:02:58 +0200 Subject: [PATCH 07/22] Add call.m.localhost pointing to yarn dev --host --- backend/dev_nginx.conf | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/backend/dev_nginx.conf b/backend/dev_nginx.conf index bc60f9c1..1b201a89 100644 --- a/backend/dev_nginx.conf +++ b/backend/dev_nginx.conf @@ -1,3 +1,4 @@ +# Synapse reverse proxy including .well-known/matrix/client server { listen 80; listen [::]:80; @@ -39,12 +40,15 @@ server { } +# MatrixRTC reverse proxy +# - MatrixRTC Authorization Service +# - LiveKit SFU websocket signaling connection server { listen 80; listen [::]:80; listen 443 ssl; - listen 8448 ssl; listen [::]:443 ssl; + listen 8448 ssl; listen [::]:8448 ssl; server_name matrix-rtc.m.localhost; ssl_certificate /root/ssl/cert.pem; 
@@ -83,3 +87,37 @@ server { error_page 500 502 503 504 /50x.html; } + + +# Convenience reverse proxy for the call.m.localhost domain to yarn dev --host +server { + listen 80; + listen [::]:80; + server_name call.m.localhost; + + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name call.m.localhost; + ssl_certificate /root/ssl/cert.pem; + ssl_certificate_key /root/ssl/key.pem; + + + location ^~ / { + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass https://host.docker.internal:3000; + proxy_ssl_verify off; + + } + + error_page 500 502 503 504 /50x.html; + +} \ No newline at end of file From 14ff6dce9364ed362540d47cfe3e45f88b3829ff Mon Sep 17 00:00:00 2001 From: fkwp Date: Mon, 5 May 2025 13:05:07 +0200 Subject: [PATCH 08/22] localhost TLS mini CA including wildcard certs for *.m.localhost --- backend/dev_tls_local-ca.crt | 19 +++++++++++++++++ backend/dev_tls_local-ca.key | 28 +++++++++++++++++++++++++ backend/dev_tls_m.localhost.crt | 20 ++++++++++++++++++ backend/dev_tls_m.localhost.key | 28 +++++++++++++++++++++++++ backend/dev_tls_setup | 37 +++++++++++++++++++++++++++++++++ 5 files changed, 132 insertions(+) create mode 100644 backend/dev_tls_local-ca.crt create mode 100644 backend/dev_tls_local-ca.key create mode 100644 backend/dev_tls_m.localhost.crt create mode 100644 backend/dev_tls_m.localhost.key create mode 100644 backend/dev_tls_setup diff --git a/backend/dev_tls_local-ca.crt b/backend/dev_tls_local-ca.crt new file mode 100644 index 00000000..9c8ee3d7 --- /dev/null +++ b/backend/dev_tls_local-ca.crt 
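Review bot: The `call.m.localhost` location forwards neither `Upgrade` nor `Connection` and sets no `proxy_http_version 1.1;`, so if `yarn dev --host` relies on a WebSocket for hot-module reload (Vite does) the upgrade cannot pass through this proxy and the page degrades to full reloads or HMR errors. Add `proxy_http_version 1.1;`, `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection "upgrade";` inside the location, matching the `/livekit/sfu/` block earlier in this file. `proxy_ssl_verify off;` is already nginx's default for `https://` upstreams, so the line is documentation only; make the intent explicit with `# yarn dev serves a self-signed cert; verification is off by default, stated here on purpose`. The file now ends without a trailing newline.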
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDGjCCAgKgAwIBAgIUGdiFHhH4KL2pqBjMQHQ+PVIkSV8wDQYJKoZIhvcNAQEL +BQAwHjEcMBoGA1UEAwwTRWxlbWVudCBDYWxsIERldiBDQTAeFw0yNTA1MDUxMDMy +MDJaFw0zNTA1MDMxMDMyMDJaMB4xHDAaBgNVBAMME0VsZW1lbnQgQ2FsbCBEZXYg +Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA2y0hjmNn1vRsVSdy +8IOfo8N1q9UgkhQWpGKXzPh+D5d1fnuJEmHIVwtDEtS/PwQ43LTmegChPtKH9jdT +tG0IihW9Ja5YNG+9xAwaoA/sB3CGCBYsz+2/XjVUpXoBJXIPoFBWsn+K0oeFw9fw +eRO1z9abM4cl+LjKzMNM8CCyu9uI1MaGjYez2YIWvG854VucLxX7HSlMJxZNWnie +Ui7fMakuJhB2+aiIQjdKxy4E5RHNhzYG/LXhvP+wBYBDPNRsP3rtzEaE9HAveL9K +FGqd3R4cBia6r1WIXmpAzyu5RGP5Eou0TZlGkal96/bF0I7q/pKlL23Jt1BLPiQU +KGKrAgMBAAGjUDBOMB0GA1UdDgQWBBQJqBjMu61c1p24txw/y+kv3D+V6DAfBgNV +HSMEGDAWgBQJqBjMu61c1p24txw/y+kv3D+V6DAMBgNVHRMEBTADAQH/MA0GCSqG +SIb3DQEBCwUAA4IBAQB8m2YfFGLugNt5vAAOvNxVqDA8c72yCVYr3CBCpmTIEY5Z +d3qVGhG9//ux6+J8ntkSwd9nV5GJyYXHukCG1VavnAWolWdNF/WAllf0jhLuz7kD +/cJnuI1By4tBsBmSz851i6HJ4t5k99Be+6GQVzi0e7zzfxTHZE4xP2J6Ox8QbPsP +n0m76nIp/WbWaJqzvIIjJhmUUPPv+4wN+eOArgjiGLzptM2qTtGZtd0c9nS5gvep ++mEbSUN9zkhAroZf80wf+hEvy+fJ94VbZ9QjTzTg7odZLrsXGIe8DaG63EYRQ25b +W5iYBAreln5fGSt7qHsGfqwZibTEk/Lx3dydO1Kg +-----END CERTIFICATE----- diff --git a/backend/dev_tls_local-ca.key b/backend/dev_tls_local-ca.key new file mode 100644 index 00000000..c6de05c4 --- /dev/null +++ b/backend/dev_tls_local-ca.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDA2y0hjmNn1vRs +VSdy8IOfo8N1q9UgkhQWpGKXzPh+D5d1fnuJEmHIVwtDEtS/PwQ43LTmegChPtKH +9jdTtG0IihW9Ja5YNG+9xAwaoA/sB3CGCBYsz+2/XjVUpXoBJXIPoFBWsn+K0oeF +w9fweRO1z9abM4cl+LjKzMNM8CCyu9uI1MaGjYez2YIWvG854VucLxX7HSlMJxZN +WnieUi7fMakuJhB2+aiIQjdKxy4E5RHNhzYG/LXhvP+wBYBDPNRsP3rtzEaE9HAv +eL9KFGqd3R4cBia6r1WIXmpAzyu5RGP5Eou0TZlGkal96/bF0I7q/pKlL23Jt1BL +PiQUKGKrAgMBAAECggEAAPX2kxi5AQ7ul82SzT1KgpSXyDHLdYaUyAoYnaX9RO+B +8ylmpyeqygs4+KQS4EMJm9jpo85Oy37bIKdG3kljU6wQcKlL5Y+ZUOo1nzpV6fid +hGVs6ts8VXw8KshKQ9AyccZ8L/pirUfgOffgTwfjY7/90zceAL/s98GuZWc62nkX +55joQv/OikqYfAGP/U6Bp2Zyf23DwJB09Z3B6NnZj/ZyAbDrDEHuA15LhCOcCczp +IU/mFEywBPHT9Tg4w4Beq78PeAETvku2UalYRLhP3RLlXr2oEbwUtINRVt2QjZ85 +Esps4uCqL/mgQluIebtudD9HL/YMlNPXue1mDXFxJQKBgQDgZZY4yJBcf488T1V6 +HNm06b/LvVGj253pKgw14hpY1xQu3Ymgzv1GEqzhSYdzxhpmj0tMUNHxAp+YdGQu +SZ0wcPKhw0aYVkIjDRYDC3Wn5GJhyIEYHGYMo/n4l49UzHRBPOTDzp49DkHTKBgh +XgIIazYT3CkjTIMRrkUv+qfIPQKBgQDcBGu/mqbjxs4sN3zqPS4aB21o6t6W0sXs +ZP9w6RlTPQi5U2oRbftjZtYc0bbEgkMUImB1HwYPQT5pJ+MyC414xDvSc2exBr5d +To6yyPIy78Tf5PHM12fpKV92nSvoz/pSjYcGxxDtKfPqu+t8mOJfjCV1lLLA+xuB +DDaE4p8dBwKBgQCdAne6A5v/HMH8UQZeCxHJpESvKiiVnnU/UEx651nID7XvlNNX +0X0mKqsMd4ZvW43ddSYan/JF0LAa3FW8jYWO/3jF9vzOWoysOdvNBZetgf/Uq5ao +aDZ/YbzmVCXWD7jIbPMkjs3pqrAkL0mzDzQc7+dGviWKrV6IYIfIqnn7gQKBgDCz +vdIk/qpO+JZrFfiX4Fucp0hhLTJ/p5ZDaRPqVVPKn+K+Jy2ChfIj8mNgvK9VEloj +nexvGJ1J2PHYBX+vdPp1nbRhHWPfVUY8PHQw7QP/dToGaMvqJrNDGEGeWvjnCMc7 +UtdaO1H0Rm0AegkTopB56lTTvJnhO95eALd7nrMDAoGAEPdzJtWoKafp49svhSj0 +hiXQv2SPBwVUN4LZ4SOWiXUcmYYm80aNpYKLkBxYjrfqFWhE7NUHLGp8YorQWKY2 +acD9AReHk/xku0ABy6jeYmSCmCxASxst5liKD+l12sk0gB0rk5MBxB4Uu1MIbQZ2 +aCASX3AVD2/XyC2MKkzc8Eg= +-----END PRIVATE KEY----- diff --git a/backend/dev_tls_m.localhost.crt b/backend/dev_tls_m.localhost.crt new file mode 100644 index 00000000..be3eb0a3 --- /dev/null +++ b/backend/dev_tls_m.localhost.crt 
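Review bot: `dev_tls_local-ca.key` is the private key of a `CA:TRUE` certificate with no name constraints, committed to the repository, while the README change later in this series tells developers to import the matching `dev_tls_local-ca.crt` into their browser trust store. Anyone who follows that instruction trusts a CA whose signing key is public, so any party on their network path can mint a browser-valid certificate for any site, not just `*.m.localhost`. Either keep the CA out of git and have each developer run `backend/dev_tls_setup` locally (the script is the reproducible artefact; add the `.key` files to `.gitignore`), or at minimum regenerate the CA with a critical `nameConstraints` limited to `m.localhost` so importing it cannot widen trust beyond the dev hostnames. The README should state this trade-off next to the "add to trusted certificates" instruction.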
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDXDCCAkSgAwIBAgIUXizLjwkdqepX0bh0K3abeJxj68AwDQYJKoZIhvcNAQEL +BQAwHjEcMBoGA1UEAwwTRWxlbWVudCBDYWxsIERldiBDQTAeFw0yNTA1MDUxMDMy +MDJaFw0zNTA1MDMxMDMyMDJaMBgxFjAUBgNVBAMMDSoubS5sb2NhbGhvc3QwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbr79gttr7X8j+ISfdCV53PD8f +R6JsLf6nmkCbRqCaIq85Y82tnYbUB3B6F9RcosrxF+UHFMa/i1UiLSNL0GHisclB +5LII2RycsLJYShkO9pVioVDf3gh+hyVRySBQ2FgtLHB+ZgcZOCG8f75g9CdeVDmv +Kw4J29QV8bxFSafvTLOdqtupylfTSqYVTAE8HnIOsdnZ+mE6SjeS2wV3DYqdSXoa +xWmGranZUmrCgeZdukAZTWgAlHgQvuWVtgyAxPmhcr2KA50QHB/IJ2SDIaUiI++R +4nXkVChbePnNaxqw0kc0QD3Jpd3B1QhHlOhKi9R6Mo5Iyf0nsHnZaQ0bAzPDAgMB +AAGjgZcwgZQwHwYDVR0jBBgwFoAUCagYzLutXNaduLccP8vpL9w/legwCQYDVR0T +BAIwADALBgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwJQYDVR0RBB4w +HIILbS5sb2NhbGhvc3SCDSoubS5sb2NhbGhvc3QwHQYDVR0OBBYEFJgJZkgE6cem +HbSQ7P47rVhmeWjHMA0GCSqGSIb3DQEBCwUAA4IBAQBDocJIUHVxNvbvigPyZvZa +uAmj5eqhf8fDNtQM2tl8AuzOJm0TlggUuKDQNM6zRBXVHQRhCmtaZ3CMkmkTNNhH +aMfG7o/JVvQsxIuORMvAnPlivla2DgiEWr/NEaWISlINMov44DysOyupbHRXcbKd +WWB1cA+D5ZNb8ivOPT1edNSGavAiyEaCPA/qqGFZwq54EtJKIuteqV1UGn1nYD/W +a0niB157moRtlnzwNfwDDeW1Y4HBbuVkX2sipCO+HC6sn7Vni90LzK9zBolaWXTw +RxauTzS9IvtU1G/Gv5/VRzhzIb+ds2jEsdLLnBlTyA+Jh2Cqs002t7QJki6Qto5p +-----END CERTIFICATE----- diff --git a/backend/dev_tls_m.localhost.key b/backend/dev_tls_m.localhost.key new file mode 100644 index 00000000..d83c1dea --- /dev/null +++ b/backend/dev_tls_m.localhost.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCbr79gttr7X8j+ +ISfdCV53PD8fR6JsLf6nmkCbRqCaIq85Y82tnYbUB3B6F9RcosrxF+UHFMa/i1Ui +LSNL0GHisclB5LII2RycsLJYShkO9pVioVDf3gh+hyVRySBQ2FgtLHB+ZgcZOCG8 +f75g9CdeVDmvKw4J29QV8bxFSafvTLOdqtupylfTSqYVTAE8HnIOsdnZ+mE6SjeS +2wV3DYqdSXoaxWmGranZUmrCgeZdukAZTWgAlHgQvuWVtgyAxPmhcr2KA50QHB/I +J2SDIaUiI++R4nXkVChbePnNaxqw0kc0QD3Jpd3B1QhHlOhKi9R6Mo5Iyf0nsHnZ +aQ0bAzPDAgMBAAECggEARLRazvnzCnLbVrbYCjX7v7/RFWM9/OKRWnJ6p2uULWE4 +FaoDFuaJHSHJU8AXYegfiiTi1+ylxtrcr4/e3zKvN+UAbXlYzgnOFCHwGoFcrJtK +EnQhJiIsenX2lLCe9755rznIzScGY+0/ChoPsGaexwSBTlnAQL6HykVbMfKOz03H +ywEx4g3AK1rgTnqNLFHkl+1ainoW6ffeM6thMD/bObGz+PoGSMqbTA80TGMswgMN +Ipnt0AwSgKweLmYG00t667c9htxY6DPRUoJ55dqsAFS8VMa4hhcslyhktPXTGEXh +x2r8UAFavEo2IdRnR8vfNfOv6twsWSHTVRGc7qmKDQKBgQDX0HnMAnBb8KB1zj/O +1prhAlhc6Jtwf3s5Hm/2MW0Jg/u7bZx81s206rvcTJtUJ2ROH+K7Rx3iASWzcsuW +XljCWA9G156SuOBE6mIS1EMI1EKgjbJBru1cOco6AIwI0SuJKcEX/1RtzoBbIIbZ +qhn99RszqAKDjw1iqbpyZCX5PQKBgQC4rRLsMTVvFTqWPEAA7SeJr3LZF+eoap/U +1+MA+J49D5ykQMFHjL1VSdfWgKIm3i4xDbDLAX1BYELxeKVLIp6CL808zEldGQy5 +g+O4dJlmz1PUGorb28qKGJnfwXK7F5tJuX+NgQM2zJnueyTv+fsskBp79CWNQvzr +ueG41o6w/wKBgG7sA+3LQxy+LHrgKwOQYcJMhkYad+n2W8sbzcfn13cQkw3eZJP1 +g3z9ONkdtqgmJvPQh6RiBQXoOQxmcCU1EMGyqQdsQ2B+DSbeoNG0r0+WaThEG96O +ngjM2xe8uDy/5XR2NXy0Cxz1ChvMOAMf3oQcuoJuU/xyRhrzyZSJzMqxAoGAH8hx +nEKvzolZxudhoIcwKcsPOfuaO+r1zPzGrbEcEqgwLjiSywyWvSnzQpBq18OfMYQI +rDd6Zhj6DHLWB8NSgldVvCPwcFxSS08+js1KZV5DMBrNUR9XkULAoLi7VSWv7RVG +tYTBl9nImDmLVt2v87BtTm3rVI911d/s0BHlBuMCgYEAs0AFMsTE+22Y44JMcTAE +OeHEsEDXI5cTlcNmwFKWY+UCZnb2FXflO2XNeqyi6ReYMUyBI2wHdUGvh2B1c2Ac +3z/SShBLS7bMGgyvYE/By1xnemiy+6vG2NIYHKExZfOphx8rDTfm5Qlj6LxstY9+ +Tx2VzAs01UIZGDhJ94u5imo= +-----END PRIVATE KEY----- diff --git a/backend/dev_tls_setup b/backend/dev_tls_setup new file mode 100644 index 00000000..4276e148 --- /dev/null +++ b/backend/dev_tls_setup 
@@ -0,0 +1,37 @@ +#!/bin/bash + +# Step 1: Create a Root CA key and cert +openssl genrsa -out dev_tls_local-ca.key 2048 +openssl req -x509 -new -nodes \ + -days 3650 \ + -subj "/CN=Element Call Dev CA" \ + -key dev_tls_local-ca.key \ + -out dev_tls_local-ca.crt \ + -sha256 -addext "basicConstraints=CA:TRUE" + +# Step 2: Create a private key and CSR for *.m.localhost +openssl req -new -nodes -newkey rsa:2048 \ + -keyout dev_tls_m.localhost.key \ + -out dev_tls_m.localhost.csr \ + -subj "/CN=*.m.localhost" + +# Step 3: Sign the CSR with your CA +openssl x509 \ + -req -in dev_tls_m.localhost.csr \ + -CA dev_tls_local-ca.crt -CAkey dev_tls_local-ca.key \ + -CAcreateserial \ + -out dev_tls_m.localhost.crt \ + -days 3650 \ + -sha256 \ + -extfile <( cat < Date: Mon, 5 May 2025 13:06:02 +0200 Subject: [PATCH 09/22] add new certs to nginx section --- dev-backend-docker-compose.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/dev-backend-docker-compose.yml b/dev-backend-docker-compose.yml index ad25bf75..c2786583 100644 --- a/dev-backend-docker-compose.yml +++ b/dev-backend-docker-compose.yml @@ -82,19 +82,22 @@ services: - ecbackend nginx: - # openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls_localhost_key.pem -out tls_localhost_cert.pem -subj "/C=GB/ST=London/L=London/O=Alros/OU=IT Department/CN=localhost" + # see backend/dev_tls_setup for how to generate the tls certs hostname: synapse.m.localhost image: nginx:latest volumes: - ./backend/dev_nginx.conf:/etc/nginx/conf.d/default.conf:Z - - ./backend/tls_localhost_key.pem:/root/ssl/key.pem:Z - - ./backend/tls_localhost_cert.pem:/root/ssl/cert.pem:Z + - ./backend/dev_tls_m.localhost.key:/root/ssl/key.pem:Z + - ./backend/dev_tls_m.localhost.crt:/root/ssl/cert.pem:Z ports: # HOST_PORT:CONTAINER_PORT - "80:80" - "443:443" - "8008:80" - "4443:443" + - "8448:8448" + extra_hosts: + - "host.docker.internal:host-gateway" depends_on: - synapse networks: 
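Review bot: The CA in step 1 is created with only `basicConstraints=CA:TRUE`; since its private key is checked in and developers are asked to trust the certificate, constrain it to the dev namespace with `-addext "basicConstraints=critical,CA:TRUE,pathlen:0"`, `-addext "keyUsage=critical,keyCertSign,cRLSign"` and `-addext "nameConstraints=critical,permitted;DNS:m.localhost"` (a `DNS:` constraint covers the name and all its subdomains, so the `*.m.localhost` leaf stays valid). The heredoc after `-extfile <( cat <` is cut off in this rendering, so the leaf extensions cannot be reviewed here; the decoded `dev_tls_m.localhost.crt` does carry SANs `m.localhost` and `*.m.localhost`, which is consistent with the intent. The script also lacks `set -euo pipefail`, leaves `dev_tls_m.localhost.csr` and a `.srl` file behind, and silently overwrites the committed key pairs on every run — a guard such as `[ -e dev_tls_local-ca.key ] && { echo "CA already exists, refusing to rotate"; exit 1; }` prevents accidentally replacing a CA that other developers have already trusted.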
From fb63e64eb4476c14398c2f7a27975391845f49dc Mon Sep 17 00:00:00 2001 From: fkwp Date: Mon, 5 May 2025 13:06:58 +0200 Subject: [PATCH 10/22] removed old localhost tls certificates --- backend/tls_localhost_cert.pem | 22 ---------------------- backend/tls_localhost_key.pem | 28 ---------------------------- 2 files changed, 50 deletions(-) delete mode 100644 backend/tls_localhost_cert.pem delete mode 100644 backend/tls_localhost_key.pem diff --git a/backend/tls_localhost_cert.pem b/backend/tls_localhost_cert.pem deleted file mode 100644 index 267ce0d5..00000000 --- a/backend/tls_localhost_cert.pem +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDtzCCAp+gAwIBAgIUCmJjl3HAeLmrPwRg+/OzikW6peQwDQYJKoZIhvcNAQEL -BQAwazELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9u -ZG9uMQ4wDAYDVQQKDAVBbHJvczEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDESMBAG -A1UEAwwJbG9jYWxob3N0MB4XDTI0MTEwNDIxNDcwMFoXDTM0MTEwMjIxNDcwMFow -azELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9uZG9u -MQ4wDAYDVQQKDAVBbHJvczEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDESMBAGA1UE -AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs368 -ExLSudP8luNoY5UfaPqBSVJUPYBi+JGyd36tyN75p5OI7xSfHTttQxuD4KrExBFP -C8mAhE1eoZPBVBOZJ4FYWBJfMaQnCjeqU+laP36td65kSJYbUYlKYH1WpxEpCdgx -wWOKkP/kPX5YXbYqODx9aBJXgoT3yAJW7AniIoL+eLFnS9Xo86TPqCDBTJU9ocwK -gPIDLhDv60724rhZT1kbGp7ECqRovndoDTQjuws2D3yNMfQ+4rrQGPXHGmP5PcaR -0R7uueB+6APyC7MJbuhbxxg/+DFHrRi3lJsgwxuh2hi/+vWw8zgKlgYIwHFA9X0l -cX0UlQdENMH3bgcGIwIDAQABo1MwUTAdBgNVHQ4EFgQUUFGxw7zoiHXGwRqtagjZ -RPYc85cwHwYDVR0jBBgwFoAUUFGxw7zoiHXGwRqtagjZRPYc85cwDwYDVR0TAQH/ -BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEALokb1z2lu3qW141b2wm14ilZQKCZ -reNNuUR95Uom96FXPH4QVEH+mYTXXJ5UrfNhQYKQFpdE+5S4HL/UqEOxtWvbAHpK -nsLQ62J8m+0+uwiJGqeQpWr03KJgXDAVE9X3XwMlp/+buxSLhc+GIHWuXW56itV2 -jiZJYjhO5SnhhgTWNoVZk93qXuuWEN0yacw7c3Fr1IvFYYYWufbXTk70dbZihPDK -VD141o8tpp6FerSKHNYDqkVFDyTz3DVOhQQJ59zfMre7bFr+PpTTl4vIuGzXEY+E -HPjUSlOzwkCoh5fu7Fs3qG55rJt8akhTEoKpiBTaLucgAjVWNHeci1+Yxg== ------END CERTIFICATE----- diff --git a/backend/tls_localhost_key.pem b/backend/tls_localhost_key.pem deleted file mode 100644 index 32801b3c..00000000 --- a/backend/tls_localhost_key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCzfrwTEtK50/yW -42hjlR9o+oFJUlQ9gGL4kbJ3fq3I3vmnk4jvFJ8dO21DG4PgqsTEEU8LyYCETV6h -k8FUE5kngVhYEl8xpCcKN6pT6Vo/fq13rmRIlhtRiUpgfVanESkJ2DHBY4qQ/+Q9 -flhdtio4PH1oEleChPfIAlbsCeIigv54sWdL1ejzpM+oIMFMlT2hzAqA8gMuEO/r -TvbiuFlPWRsansQKpGi+d2gNNCO7CzYPfI0x9D7iutAY9ccaY/k9xpHRHu654H7o -A/ILswlu6FvHGD/4MUetGLeUmyDDG6HaGL/69bDzOAqWBgjAcUD1fSVxfRSVB0Q0 -wfduBwYjAgMBAAECggEACTqdSExxzJ+LX5ARFaWyOBSWly2GKqSyR14+aInOklhx -9QgkmfOxJrCf3TvJ8RWhXloW0Aqr8qGDxG0Ixgjn7rG7gskXCey1xn8MNppLS0kj -ztaG+NB3AR89ABm8XdoHsSY45geh3/Ni9I0i1VardGQafUJhgNLTZqjwIodzkBtJ -S/bi4uFk1lGNfuvWQvWqzGXUvd1l1YupV6iA4GfhXlUvrSBZwftLBD6xEvQaSqsA -pHvBxTfMXG4RMAkNPDIElkuQ8++CGi1gIRkJfmrv4OgbbitteMnxqqqGYV0zSNCg -R/5FG6umIV7lDLBHZCSCk7wmfmq2UUvzhHThHy4yMQKBgQDu4TwFJCIcVIj7Wj4r -DUBFvz6Lgbltqb+YAMUBtpiDcAQxDJWmedh6dK04ts5CFAFRlRjjuz2uFn7qlVBm -uye9R7tL+tOv5viqDXU78a4snFywoXub6yzpbxrW8B4W1pdIUvQmhwCcDwvO1V24 -7Vj2vxcM5I9dsk1aCQSi3VY5yQKBgQDAW/VoTRwhU6OUc6sji5Z5dnkMjkP6NZK9 -CSrTWLAMGaLPY+g6fFS7JMNSvfWm/okypD6rcN7p0cxMK3mfFKmMiyPRde0wdrci -sGFjGxM/2d2D7KTMC9iMYwA0K17UIna+UiYPfhR/muIg/dCyjlkKDFs9Z4jk//r1 -91bmznt2iwKBgFdiYXhn/Wprqih4nKFXGZnqGdEixVhObl4GegrkZuo+AeqHdf8O -N5ikMfG7PbyCYPEdH5u/FRMn+4mI0X6jHChroyJqQSHp1jEu9yHUiSicknOyvusM -nsNN932FHRyxp2m3nsSxQhHUlzc0ajKJ8K9iu+XlfmSCIzW6cs25Nh+xAoGBAJro -M0wIdPPdsCj3sUVRvx8XqknTM6kGhaIYBNXoYPWNm5BaC4U15OJEq8sxUOdnqcMP -g6x6m/k+S8C3bh0O/a9Bydl/l0BlCfw0gGjYP/s2ju4Tn272xy/e9iYNGzPIgUmp -TB9D0GwmpZ4d6HgyrD+sTbm4bATGpCp6QhBjDggbAoGBAJVMMtZ4pF8D6mLMRZGR -pQjNPy+MH13XYmDRc/BSF8KJ4yKk3tohr9LSXzxR0SEB43NoL1bHkucZrNjGyL8x -jktnwkoIs96kO2mPrl1TqWkXs5RjGkkSTbAJovIcvkRU31SWap/WzN2kHpmRVcQc -KEFKXT5fUYZCLLWxhgZFlGPp ------END PRIVATE KEY----- From 9c65b402251a8307215c8f437579a2aaa62758f9 Mon Sep 17 00:00:00 2001 
From: fkwp Date: Mon, 5 May 2025 13:07:37 +0200 Subject: [PATCH 11/22] adapt new hostname schema and move to https URLs --- config/config.devenv.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/config.devenv.json b/config/config.devenv.json index b0e38ee4..59608d13 100644 --- a/config/config.devenv.json +++ b/config/config.devenv.json @@ -1,8 +1,8 @@ { "default_server_config": { "m.homeserver": { - "base_url": "http://synapse.localhost:8008", - "server_name": "synapse.localhost" + "base_url": "https://synapse.m.localhost", + "server_name": "synapse.m.localhost" } }, "features": { From 25afbf430322aeaec83fa2bb4ff2feaedf6217ad Mon Sep 17 00:00:00 2001 From: fkwp Date: Mon, 5 May 2025 14:20:51 +0200 Subject: [PATCH 12/22] base playwright backend on dev-backend --- backend/ew.test.config.json | 4 +- backend/playwright_homeserver.yaml | 4 +- ...wright-backend-docker-compose.override.yml | 4 + playwright-backend-docker-compose.yml | 99 +------------------ 4 files changed, 10 insertions(+), 101 deletions(-) create mode 100644 playwright-backend-docker-compose.override.yml diff --git a/backend/ew.test.config.json b/backend/ew.test.config.json index fac478dd..3644714b 100644 --- a/backend/ew.test.config.json +++ b/backend/ew.test.config.json @@ -1,8 +1,8 @@ { "default_server_config": { "m.homeserver": { - "base_url": "http://synapse.localhost:8008", - "server_name": "synapse.localhost" + "base_url": "http://synapse.m.localhost:8008", + "server_name": "synapse.m.localhost" } }, "disable_custom_urls": false, diff --git a/backend/playwright_homeserver.yaml b/backend/playwright_homeserver.yaml index d4d0a041..ca45cf3f 100644 --- a/backend/playwright_homeserver.yaml +++ b/backend/playwright_homeserver.yaml @@ -1,5 +1,5 @@ -server_name: "synapse.localhost" -public_baseurl: http://synapse.localhost:8008/ +server_name: "synapse.m.localhost" +public_baseurl: https://synapse.m.localhost/ pid_file: /data/homeserver.pid 
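Review bot: `backend/ew.test.config.json` now points Element Web at `http://synapse.m.localhost:8008`, while `playwright_homeserver.yaml` in the same patch sets `public_baseurl: https://synapse.m.localhost/` and `config.devenv.json` uses `https://synapse.m.localhost`; the three should agree. Once Element Web is served from `https://app.m.localhost` (patch 16 of this series) an `http://` homeserver URL is mixed content and the browser blocks the API calls, so use `"base_url": "https://synapse.m.localhost"` here too. With an `https://` base URL the Playwright browser presumably needs the dev CA installed or `ignoreHTTPSErrors` set, otherwise TLS verification fails in CI — that harness configuration is outside this diff.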
diff --git a/playwright-backend-docker-compose.override.yml b/playwright-backend-docker-compose.override.yml new file mode 100644 index 00000000..34f01682 --- /dev/null +++ b/playwright-backend-docker-compose.override.yml @@ -0,0 +1,4 @@ +services: + synapse: + volumes: + - ./backend/playwright_homeserver.yaml:/data/cfg/homeserver.yaml:Z \ No newline at end of file diff --git a/playwright-backend-docker-compose.yml b/playwright-backend-docker-compose.yml index e5cf12b5..4ac42faf 100644 --- a/playwright-backend-docker-compose.yml +++ b/playwright-backend-docker-compose.yml 
@@ -1,97 +1,2 @@ -networks: - ecbackend: - -services: - auth-service: - image: ghcr.io/element-hq/lk-jwt-service:latest-ci - hostname: auth-server - environment: - - LK_JWT_PORT=8080 - - LIVEKIT_URL=ws://localhost:7880 - - LIVEKIT_KEY=devkey - - LIVEKIT_SECRET=secret - # If the configured homeserver runs on localhost, it'll probably be using - # a self-signed certificate - - LIVEKIT_INSECURE_SKIP_VERIFY_TLS=YES_I_KNOW_WHAT_I_AM_DOING - deploy: - restart_policy: - condition: on-failure - ports: - # HOST_PORT:CONTAINER_PORT - - 8009:8080 - networks: - - ecbackend - - livekit: - image: livekit/livekit-server:latest - command: --dev --config /etc/livekit.yaml - restart: unless-stopped - # The SFU seems to work far more reliably when we let it share the host - # network rather than opening specific ports (but why?? we're not missing - # any…) - ports: - # HOST_PORT:CONTAINER_PORT - - 7880:7880/tcp - - 7881:7881/tcp - - 7882:7882/tcp - - 50100-50200:50100-50200/udp - volumes: - - ./backend/dev_livekit.yaml:/etc/livekit.yaml:Z - networks: - - ecbackend - - redis: - image: redis:6-alpine - command: redis-server /etc/redis.conf - ports: - # HOST_PORT:CONTAINER_PORT - - 6379:6379 - volumes: - - ./backend/redis.conf:/etc/redis.conf:Z - networks: - - ecbackend - - element-web: - image: ghcr.io/element-hq/element-web:develop - volumes: - - ./backend/ew.test.config.json:/app/config.json - environment: - ELEMENT_WEB_PORT: 81 - ports: - - "8081:81" - networks: - - ecbackend - - synapse: - hostname: homeserver - image: docker.io/matrixdotorg/synapse:latest - environment: - - SYNAPSE_CONFIG_PATH=/data/cfg/homeserver.yaml - # Needed for rootless podman-compose such that the uid/gid mapping does - # fit local user uid. If the container runs as root (uid 0) it is fine as - # it actually maps to your non-root user on the host (e.g. 1000). - # Otherwise uid mapping will not match your non-root user. 
- - UID=0 - - GID=0 - volumes: - - ./backend/synapse_tmp:/data:Z - - ./backend/playwright_homeserver.yaml:/data/cfg/homeserver.yaml:Z - networks: - - ecbackend - - nginx: - # openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls_localhost_key.pem -out tls_localhost_cert.pem -subj "/C=GB/ST=London/L=London/O=Alros/OU=IT Department/CN=localhost" - hostname: synapse.localhost - image: nginx:latest - volumes: - - ./backend/tls_localhost_nginx.conf:/etc/nginx/conf.d/default.conf:Z - - ./backend/tls_localhost_key.pem:/root/ssl/key.pem:Z - - ./backend/tls_localhost_cert.pem:/root/ssl/cert.pem:Z - ports: - # HOST_PORT:CONTAINER_PORT - - "8008:80" - - "4443:443" - depends_on: - - synapse - networks: - - ecbackend +include: + - dev-backend-docker-compose.yml \ No newline at end of file From 76fb16dbfd391b5c94f9a476f3ae731a72a7a3d9 Mon Sep 17 00:00:00 2001 From: fkwp Date: Mon, 5 May 2025 14:44:21 +0200 Subject: [PATCH 13/22] update README.md to reflect TLS settings --- README.md | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index db7cc43f..f7530e4c 100644 --- a/README.md +++ b/README.md 
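Review bot: `include:` brings in `dev-backend-docker-compose.yml` as a sub-project, and Compose does not let the including file override a service that comes from an included file; whether the separate `playwright-backend-docker-compose.override.yml` (which remounts `synapse`'s `homeserver.yaml`) is applied at all depends on how the file is invoked, since Compose only auto-loads `*.override.yml` for the default file names, not for a file passed with `-f`. If it is not applied, the Playwright stack silently runs on `dev_homeserver.yaml` — harmless now that both use `synapse.m.localhost`, but presumably not the intent. The long form of `include` makes the override part of the included project explicitly; also confirm that `podman-compose`, which the README mentions as an alternative, supports `include` at all.
```yaml
include:
  - path:
      - dev-backend-docker-compose.yml
      - playwright-backend-docker-compose.override.yml
```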
@@ -207,12 +207,19 @@ See also: A docker compose file `dev-backend-docker-compose.yml` is provided to start the whole stack of components which is required for a local development environment: -- Minimum Synapse Setup (servername: `synapse.localhost`) -- LiveKit JWT Service (Note requires Federation API and hence a TLS reverse proxy) -- Minimum TLS reverse proxy (servername: `synapse.localhost`) Note certificates - are valid for at least 10 years from now +- Minimum Synapse Setup (servername: `synapse.m.localhost`) +- LiveKit Authorization Service (Note requires Federation API and hence a TLS reverse proxy) - Minimum LiveKit SFU Setup using dev defaults for config - Redis db for completeness +- Minimum `localhost` Certificate Authority (CA) for Transport Layer Security (TLS) + - Hostnames: `m.localhost`, `*.m.localhost` + - Add [./backend/dev_tls_local-ca.crt](./backend/dev_tls_local-ca.crt) to your web browsers trusted + certificates +- Minimum TLS reverse proxy for + - Synapse homeserver: `synapse.m.localhost` + - MatrixRTC backend: `matrix-rtc.m.localhost` + - Local Element Call development `call.m.localhost` + - Note certificates will expire on Thu, 03 May 2035 10:32:02 GMT These use a test 'secret' published in this repository, so this must be used only for local development and **_never be exposed to the public Internet._** 
@@ -226,11 +233,14 @@ yarn backend ``` > [!NOTE] -> To ensure your local development frontend functions properly, you’ll need to add -> certificate exceptions in your browser for both `https://localhost:3000` and -> `https://synapse.localhost/.well-known/matrix/client`. The easiest way to do this -> is to simply copy and paste each URL into your browser’s address bar and follow -> the prompts to add the exception. +> To ensure your local development frontend functions properly, you’ll need to +> add certificate exceptions in your browser for `https://localhost:3000`, +> `https://matrix-rtc.m.localhost/livekit/jwt/healthz` and +> `https://synapse.m.localhost/.well-known/matrix/client`. This can be either +> done by adding the minimum localhost CA +> ([./backend/dev_tls_local-ca.crt](./backend/dev_tls_local-ca.crt)) to your web +> browsers trusted certificates or by simply copying and pasting each URL into +> your browser’s address bar and follow the prompts to add the exception. ### Playwright tests From 005402d8d148110e1aee3c548e8a358c0b454a16 Mon Sep 17 00:00:00 2001 From: fkwp Date: Mon, 5 May 2025 14:48:45 +0200 Subject: [PATCH 14/22] prettier --- README.md | 4 ++-- playwright-backend-docker-compose.override.yml | 2 +- playwright-backend-docker-compose.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f7530e4c..ac9a61db 100644 --- a/README.md +++ b/README.md 
@@ -212,8 +212,8 @@ whole stack of components which is required for a local development environment: - Minimum LiveKit SFU Setup using dev defaults for config - Redis db for completeness - Minimum `localhost` Certificate Authority (CA) for Transport Layer Security (TLS) - - Hostnames: `m.localhost`, `*.m.localhost` - - Add [./backend/dev_tls_local-ca.crt](./backend/dev_tls_local-ca.crt) to your web browsers trusted + - Hostnames: `m.localhost`, `*.m.localhost` + - Add [./backend/dev_tls_local-ca.crt](./backend/dev_tls_local-ca.crt) to your web browsers trusted certificates - Minimum TLS reverse proxy for - Synapse homeserver: `synapse.m.localhost` diff --git a/playwright-backend-docker-compose.override.yml b/playwright-backend-docker-compose.override.yml index 34f01682..dadbccc2 100644 --- a/playwright-backend-docker-compose.override.yml +++ b/playwright-backend-docker-compose.override.yml @@ -1,4 +1,4 @@ services: synapse: volumes: - - ./backend/playwright_homeserver.yaml:/data/cfg/homeserver.yaml:Z \ No newline at end of file + - ./backend/playwright_homeserver.yaml:/data/cfg/homeserver.yaml:Z diff --git a/playwright-backend-docker-compose.yml b/playwright-backend-docker-compose.yml index 4ac42faf..bb6686d0 100644 --- a/playwright-backend-docker-compose.yml +++ b/playwright-backend-docker-compose.yml @@ -1,2 +1,2 @@ include: - - dev-backend-docker-compose.yml \ No newline at end of file + - dev-backend-docker-compose.yml From 34a223f04b54b950080dc26001db00d5d1e25987 Mon Sep 17 00:00:00 2001 From: fkwp Date: Mon, 5 May 2025 14:54:14 +0200 Subject: [PATCH 15/22] add yarn dev --host hint --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ac9a61db..9fb653f5 100644 --- a/README.md +++ b/README.md 
@@ -218,7 +218,7 @@ whole stack of components which is required for a local development environment: - Minimum TLS reverse proxy for - Synapse homeserver: `synapse.m.localhost` - MatrixRTC backend: `matrix-rtc.m.localhost` - - Local Element Call development `call.m.localhost` + - Local Element Call development `call.m.localhost` via `yarn dev --host ` - Note certificates will expire on Thu, 03 May 2035 10:32:02 GMT These use a test 'secret' published in this repository, so this must be used From 9dcaa60982ab864e07e60c7e298afa35a94e012e Mon Sep 17 00:00:00 2001 From: fkwp Date: Mon, 5 May 2025 15:26:47 +0200 Subject: [PATCH 16/22] added app.m.localhost for element web --- backend/dev_nginx.conf | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/backend/dev_nginx.conf b/backend/dev_nginx.conf index 1b201a89..59a25ba0 100644 --- a/backend/dev_nginx.conf +++ b/backend/dev_nginx.conf @@ -88,7 +88,6 @@ server { } - # Convenience reverse proxy for the call.m.localhost domain to yarn dev --host server { listen 80; @@ -120,4 +119,37 @@ server { error_page 500 502 503 504 /50x.html; +} + +# Convenience reverse proxy app.m.localhost for element web +server { + listen 80; + listen [::]:80; + server_name app.m.localhost; + + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name app.m.localhost; + ssl_certificate /root/ssl/cert.pem; + ssl_certificate_key /root/ssl/key.pem; + + + location ^~ / { + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://element-web:81; + proxy_ssl_verify off; + + } + + error_page 500 502 503 504 /50x.html; + } \ No newline at end of file From 679ff8c2afe027da9c7617b6de7119aee1d03857 Mon Sep 17 00:00:00 2001 
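Review bot: `proxy_ssl_verify off;` in the new `app.m.localhost` 443 server block is inert, because `proxy_pass http://element-web:81;` is a plain-HTTP upstream and nginx only applies the `proxy_ssl_*` directives when proxy_pass uses `https://`; as written it reads as if upstream certificate verification had been deliberately switched off. Either drop the line, or, if element-web is meant to be reached over TLS, change it to `proxy_pass https://element-web:81;` and keep verification enabled with `proxy_ssl_verify on;` plus a `proxy_ssl_trusted_certificate` pointing at the dev CA. The file still ends without a trailing newline (`\ No newline at end of file`), which the prettier commits later in this series fix for the compose files but not here. The first hunk of this file only removes a blank line and needs no review.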
From: fkwp Date: Mon, 5 May 2025 15:47:03 +0200 Subject: [PATCH 17/22] adapt to TLS setup --- README.md | 1 + backend/ew.test.config.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9fb653f5..510b7c76 100644 --- a/README.md +++ b/README.md @@ -219,6 +219,7 @@ whole stack of components which is required for a local development environment: - Synapse homeserver: `synapse.m.localhost` - MatrixRTC backend: `matrix-rtc.m.localhost` - Local Element Call development `call.m.localhost` via `yarn dev --host ` + - Element Web `app.m.localhost` - Note certificates will expire on Thu, 03 May 2035 10:32:02 GMT These use a test 'secret' published in this repository, so this must be used diff --git a/backend/ew.test.config.json b/backend/ew.test.config.json index 3644714b..52be51b8 100644 --- a/backend/ew.test.config.json +++ b/backend/ew.test.config.json @@ -1,7 +1,7 @@ { "default_server_config": { "m.homeserver": { - "base_url": "http://synapse.m.localhost:8008", + "base_url": "https://synapse.m.localhost", "server_name": "synapse.m.localhost" } }, From 128851263b2191090926eb3e9bad0daf77b9a81f Mon Sep 17 00:00:00 2001 From: fkwp Date: Mon, 5 May 2025 16:01:58 +0200 Subject: [PATCH 18/22] use ssl cert from mini localhost CA --- vite.config.js | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/vite.config.js b/vite.config.js index 590f3c16..4985e75a 100644 --- a/vite.config.js +++ b/vite.config.js @@ -11,8 +11,8 @@ import { createHtmlPlugin } from "vite-plugin-html"; import { codecovVitePlugin } from "@codecov/vite-plugin"; import { sentryVitePlugin } from "@sentry/vite-plugin"; import react from "@vitejs/plugin-react"; -import basicSsl from "@vitejs/plugin-basic-ssl"; import { realpathSync } from "fs"; +import * as fs from "node:fs"; // https://vitejs.dev/config/ export default defineConfig(({ mode, packageType }) => { 
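Review bot: The added `import * as fs from "node:fs";` sits directly under the retained `import { realpathSync } from "fs";`, so the same built-in module is now imported twice under two different specifiers. Merge them into a single line, `import { readFileSync, realpathSync } from "node:fs";`, and call `readFileSync(...)` at the site in the later hunk of this commit that currently uses `fs.readFileSync(...)`.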
@@ -24,7 +24,6 @@ export default defineConfig(({ mode, packageType }) => { process.env.VITE_PACKAGE = packageType ?? "full"; const plugins = [ react(), - basicSsl(), svgrPlugin({ svgrOptions: { // This enables ref forwarding on SVGR components, which is needed, for @@ -83,7 +82,11 @@ export default defineConfig(({ mode, packageType }) => { return { server: { port: 3000, - fs: { allow }, + fs: { allow }, + https: { + key: fs.readFileSync('./backend/dev_tls_m.localhost.key'), + cert: fs.readFileSync('./backend/dev_tls_m.localhost.crt'), + }, }, build: { sourcemap: true, From f2b68e6deeaad13fbe0be60ed82646db46ffc1db Mon Sep 17 00:00:00 2001 From: fkwp Date: Mon, 5 May 2025 16:02:19 +0200 Subject: [PATCH 19/22] add localhost domain to certificate --- backend/dev_tls_m.localhost.crt | 37 +++++++++++------------ backend/dev_tls_m.localhost.key | 52 ++++++++++++++++----------------- backend/dev_tls_setup | 5 ++-- 3 files changed, 48 insertions(+), 46 deletions(-) diff --git a/backend/dev_tls_m.localhost.crt b/backend/dev_tls_m.localhost.crt index be3eb0a3..5d6251a9 100644 --- a/backend/dev_tls_m.localhost.crt +++ b/backend/dev_tls_m.localhost.crt 
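Review bot: The two `fs.readFileSync('./backend/dev_tls_m.localhost.…')` calls in the new `https:` block resolve their relative paths against the process working directory rather than the config file, and they run at config-evaluation time for every vite command, so running vite from another directory (or through a tool that loads the config with a different cwd) fails with ENOENT before anything useful is reported. Anchoring the paths to the config file avoids this: `key: fs.readFileSync(new URL('./backend/dev_tls_m.localhost.key', import.meta.url)),` and the same form for `cert`. A one-line comment above `https:` stating that these are the dev-only key and certificate issued by the local CA set up in `backend/dev_tls_setup`, as the README describes, would tell a reader why a private key is read straight from the repository. The enclosing `defineConfig` callback starts outside the hunk.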
@@ -1,20 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDXDCCAkSgAwIBAgIUXizLjwkdqepX0bh0K3abeJxj68AwDQYJKoZIhvcNAQEL -BQAwHjEcMBoGA1UEAwwTRWxlbWVudCBDYWxsIERldiBDQTAeFw0yNTA1MDUxMDMy -MDJaFw0zNTA1MDMxMDMyMDJaMBgxFjAUBgNVBAMMDSoubS5sb2NhbGhvc3QwggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbr79gttr7X8j+ISfdCV53PD8f -R6JsLf6nmkCbRqCaIq85Y82tnYbUB3B6F9RcosrxF+UHFMa/i1UiLSNL0GHisclB -5LII2RycsLJYShkO9pVioVDf3gh+hyVRySBQ2FgtLHB+ZgcZOCG8f75g9CdeVDmv -Kw4J29QV8bxFSafvTLOdqtupylfTSqYVTAE8HnIOsdnZ+mE6SjeS2wV3DYqdSXoa -xWmGranZUmrCgeZdukAZTWgAlHgQvuWVtgyAxPmhcr2KA50QHB/IJ2SDIaUiI++R -4nXkVChbePnNaxqw0kc0QD3Jpd3B1QhHlOhKi9R6Mo5Iyf0nsHnZaQ0bAzPDAgMB -AAGjgZcwgZQwHwYDVR0jBBgwFoAUCagYzLutXNaduLccP8vpL9w/legwCQYDVR0T -BAIwADALBgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwJQYDVR0RBB4w -HIILbS5sb2NhbGhvc3SCDSoubS5sb2NhbGhvc3QwHQYDVR0OBBYEFJgJZkgE6cem -HbSQ7P47rVhmeWjHMA0GCSqGSIb3DQEBCwUAA4IBAQBDocJIUHVxNvbvigPyZvZa -uAmj5eqhf8fDNtQM2tl8AuzOJm0TlggUuKDQNM6zRBXVHQRhCmtaZ3CMkmkTNNhH -aMfG7o/JVvQsxIuORMvAnPlivla2DgiEWr/NEaWISlINMov44DysOyupbHRXcbKd -WWB1cA+D5ZNb8ivOPT1edNSGavAiyEaCPA/qqGFZwq54EtJKIuteqV1UGn1nYD/W -a0niB157moRtlnzwNfwDDeW1Y4HBbuVkX2sipCO+HC6sn7Vni90LzK9zBolaWXTw -RxauTzS9IvtU1G/Gv5/VRzhzIb+ds2jEsdLLnBlTyA+Jh2Cqs002t7QJki6Qto5p +MIIDZzCCAk+gAwIBAgIUXizLjwkdqepX0bh0K3abeJxj68IwDQYJKoZIhvcNAQEL +BQAwHjEcMBoGA1UEAwwTRWxlbWVudCBDYWxsIERldiBDQTAeFw0yNTA1MDUxMzU5 +MTFaFw0zNTA1MDMxMzU5MTFaMBgxFjAUBgNVBAMMDSoubS5sb2NhbGhvc3QwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrzGSScSgaQuZdELGFYiLiYRwr +LKyUdNr0rsPcOo0bvbeZ3zQMeUMRNlA69zGFdarumiDRXUoAmZI39WmH95aX3d+A +U7EFnWev7xpWSVhSYj8T0d4rke8HjGk3LpaffJ93tbJuagBIH1ouuN6AOdzWs8hp +RYIomWleEeeuVnnfaMwaXOdc+ihJJ6wzm2hwQSfdpjZPWBDd/DFft1ZXxIZOCjDs +rEIiI7uU8iZPLB3QEM/tgxSSAOxrcKvQvxZokk+FD7aMJFP71IfieLCEzMTP1VXa +tP7UTAKAqB2NyDJ8m3IHbOINiqcdFvFR3R1D9bXOYE4oRynNvYZrQUGnL2RtAgMB +AAGjgaIwgZ8wHwYDVR0jBBgwFoAUCagYzLutXNaduLccP8vpL9w/legwCQYDVR0T +BAIwADALBgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwMAYDVR0RBCkw 
+J4IJbG9jYWxob3N0ggttLmxvY2FsaG9zdIINKi5tLmxvY2FsaG9zdDAdBgNVHQ4E +FgQUfdh1p52ZgWyZcBgBXGwKi4EnUE0wDQYJKoZIhvcNAQELBQADggEBAKrHEuB6 +33j8+EwSHw3zrvt/DRXK2BDHI1Ir9JcztSunaKAjZXVvf/dvZp0Xs1dEdJIdnv6G +iZYhBbOqDqpQZbf2h/h0kuu5yZSBUdnQXnYNxlhp2UaC/UEgw5iZT/p1rm7RjVie +y4Dp2WytV5iZOLmLj6xDvd3DXazgJPWIRX8p8qJZbKTkwCjTr7nDIj8jjG1sVFf7 +1RJBO5/6WSnImrpDmlLUrvjiKvbxcdseDJyBOhTwdRdSk4S2M+s5tR5j2I1gXLOq +J5ioN76+SCrTY0K0WKRy9oOXWO1/X3+VYcekp+0F3SGkd5w17jylCv1XIGHAdEsQ +v2z2/aMI/7sAD2Q= -----END CERTIFICATE----- diff --git a/backend/dev_tls_m.localhost.key b/backend/dev_tls_m.localhost.key index d83c1dea..73d89ce4 100644 --- a/backend/dev_tls_m.localhost.key +++ b/backend/dev_tls_m.localhost.key 
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCbr79gttr7X8j+ -ISfdCV53PD8fR6JsLf6nmkCbRqCaIq85Y82tnYbUB3B6F9RcosrxF+UHFMa/i1Ui -LSNL0GHisclB5LII2RycsLJYShkO9pVioVDf3gh+hyVRySBQ2FgtLHB+ZgcZOCG8 -f75g9CdeVDmvKw4J29QV8bxFSafvTLOdqtupylfTSqYVTAE8HnIOsdnZ+mE6SjeS -2wV3DYqdSXoaxWmGranZUmrCgeZdukAZTWgAlHgQvuWVtgyAxPmhcr2KA50QHB/I -J2SDIaUiI++R4nXkVChbePnNaxqw0kc0QD3Jpd3B1QhHlOhKi9R6Mo5Iyf0nsHnZ -aQ0bAzPDAgMBAAECggEARLRazvnzCnLbVrbYCjX7v7/RFWM9/OKRWnJ6p2uULWE4 -FaoDFuaJHSHJU8AXYegfiiTi1+ylxtrcr4/e3zKvN+UAbXlYzgnOFCHwGoFcrJtK -EnQhJiIsenX2lLCe9755rznIzScGY+0/ChoPsGaexwSBTlnAQL6HykVbMfKOz03H -ywEx4g3AK1rgTnqNLFHkl+1ainoW6ffeM6thMD/bObGz+PoGSMqbTA80TGMswgMN -Ipnt0AwSgKweLmYG00t667c9htxY6DPRUoJ55dqsAFS8VMa4hhcslyhktPXTGEXh -x2r8UAFavEo2IdRnR8vfNfOv6twsWSHTVRGc7qmKDQKBgQDX0HnMAnBb8KB1zj/O -1prhAlhc6Jtwf3s5Hm/2MW0Jg/u7bZx81s206rvcTJtUJ2ROH+K7Rx3iASWzcsuW -XljCWA9G156SuOBE6mIS1EMI1EKgjbJBru1cOco6AIwI0SuJKcEX/1RtzoBbIIbZ -qhn99RszqAKDjw1iqbpyZCX5PQKBgQC4rRLsMTVvFTqWPEAA7SeJr3LZF+eoap/U -1+MA+J49D5ykQMFHjL1VSdfWgKIm3i4xDbDLAX1BYELxeKVLIp6CL808zEldGQy5 -g+O4dJlmz1PUGorb28qKGJnfwXK7F5tJuX+NgQM2zJnueyTv+fsskBp79CWNQvzr -ueG41o6w/wKBgG7sA+3LQxy+LHrgKwOQYcJMhkYad+n2W8sbzcfn13cQkw3eZJP1 -g3z9ONkdtqgmJvPQh6RiBQXoOQxmcCU1EMGyqQdsQ2B+DSbeoNG0r0+WaThEG96O -ngjM2xe8uDy/5XR2NXy0Cxz1ChvMOAMf3oQcuoJuU/xyRhrzyZSJzMqxAoGAH8hx -nEKvzolZxudhoIcwKcsPOfuaO+r1zPzGrbEcEqgwLjiSywyWvSnzQpBq18OfMYQI -rDd6Zhj6DHLWB8NSgldVvCPwcFxSS08+js1KZV5DMBrNUR9XkULAoLi7VSWv7RVG -tYTBl9nImDmLVt2v87BtTm3rVI911d/s0BHlBuMCgYEAs0AFMsTE+22Y44JMcTAE -OeHEsEDXI5cTlcNmwFKWY+UCZnb2FXflO2XNeqyi6ReYMUyBI2wHdUGvh2B1c2Ac -3z/SShBLS7bMGgyvYE/By1xnemiy+6vG2NIYHKExZfOphx8rDTfm5Qlj6LxstY9+ -Tx2VzAs01UIZGDhJ94u5imo= +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrzGSScSgaQuZd +ELGFYiLiYRwrLKyUdNr0rsPcOo0bvbeZ3zQMeUMRNlA69zGFdarumiDRXUoAmZI3 +9WmH95aX3d+AU7EFnWev7xpWSVhSYj8T0d4rke8HjGk3LpaffJ93tbJuagBIH1ou +uN6AOdzWs8hpRYIomWleEeeuVnnfaMwaXOdc+ihJJ6wzm2hwQSfdpjZPWBDd/DFf 
+t1ZXxIZOCjDsrEIiI7uU8iZPLB3QEM/tgxSSAOxrcKvQvxZokk+FD7aMJFP71Ifi +eLCEzMTP1VXatP7UTAKAqB2NyDJ8m3IHbOINiqcdFvFR3R1D9bXOYE4oRynNvYZr +QUGnL2RtAgMBAAECggEAJaFQii8U/KOYt9vXNoMnZvSkaeSQLLhn2V6Kciu1CtWE +aMTWLsFE6nk+G5xXkYcTmM3T0GghtH3u5CjyI6EcsEkeEorCZJt0wbmayDmqiekR +LfMzOdHuTHX5+edPgMGYYG1BFyRKyYFsjH1b5zRFZhXdGQnrl5760GsVlz9D1KZQ +iHcT+q1S2tmZeoUukQnADENKXUMCyTGM5FCddgNtsWnGDsTDayh7hUdvDkB+mW4G +lSp+BZuc3PCwpbD6qkXvfugWs6CUAAtXoV3ceWgxQ+TEnNlwxaG1AyugfgNUBolk +8xgeZt4r5QId03jsHDf7hpBAofcaCd5EMIIQYFvWoQKBgQDlbAvAzEFPTZZn2nRV +Xagw4xjqVc1LLEKLCWq0N5rEkwn0h90Dz5N7/3NuonP/sIDsDHCbyiOYBI1Ck6Xi +0WuB+OyKDh+xeF2mekN9G9ywPahdK5lT/TVsxXFyZlwtVv1x/6KBO4yv5URizxqU +gyAPDDxfD/KcNjkOBaodWEwQGQKBgQC/s2gPDBtQkjLwkHXchBomLww5eLlVrac1 +WK4UX6uSdOgrjJ375OOgMTxe8NVZdOuAKytGXRWDwgH3nVWvuZhe7dGlX3JMuSer +e9VwDpBESrvqcR4ruL6wm8wej6BXyjH0wD3FHb0S5HfuBDxTn+4bDwrbRzOUMNgy +lSppuflxdQKBgQDiZcIfazFT8evn5nMAvuC4BZNTxIJHmZC9JfjPiUPIkpWzYtOe +7BvNtKOT3Op9uw8uYYRKqKqBXJSNy6ha8XCXHS9HeXKbLn20SFkLQBCDNwVLlDfF +40zyXtF6JDr4XyzSb4NM5pgKCER5AYloXxGm59s3sEQpFXUuOjbKqJS/GQKBgAoI +c7vF4HAZFr1sch62cz/oWnVvkhOf4Q5zs7ixQSOLJtOQqnwSgK9TpFs7s47ZBbJR +kBRAru2Ua9Hv1Bo8VnMxczV6h1roneDlvEf/GyHX33nnrbKQGrrXjJlU3wl5NaAf +p5v3cHvapUQ5yIZ/6lBUOzc6xMJOxCHxmKSr7Rg5AoGAbEE4lt6Xh2dnBPJ81eNI +IDrw/3ITY53qAY4Bx88CByIFuu8CEUdUZprh98jSl6ic1tMinZfUhRMwABLrUD51 +DGst8iGLPD9u83iMcUHI/L+p7AbxrKLvWXZrF5UZm440c9mSWqfhPaTBosPtNDsG +LfETwH1flKXMTXd2xA9RTE4= -----END PRIVATE KEY----- diff --git a/backend/dev_tls_setup b/backend/dev_tls_setup index 4276e148..8a778dc8 100644 --- a/backend/dev_tls_setup +++ b/backend/dev_tls_setup @@ -31,7 +31,8 @@ extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] -DNS.1 = m.localhost -DNS.2 = *.m.localhost +DNS.1 = localhost +DNS.2 = m.localhost +DNS.3 = *.m.localhost EOF ) From 48b4fd63fe1e24689cec49971d146cad0a71fbae Mon Sep 17 00:00:00 2001 
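Review bot: Re-issuing the leaf certificate in this commit moves its validity window, so the README line added earlier in this series, `- Note certificates will expire on Thu, 03 May 2035 10:32:02 GMT`, is now stale: the notAfter field in the new `dev_tls_m.localhost.crt` decodes to 2035-05-03 13:59:11 GMT, and the README should be updated together with the script. Because `DNS.1 = localhost` is now a subjectAltName, a browser that trusts the dev CA should no longer need a manual exception for `https://localhost:3000`, so the README note that still lists that URL could be narrowed to the no-CA path. A comment in the alt_names block, `# localhost covers the vite dev server on https://localhost:3000`, would keep the reason for the bare hostname next to the script. The heredoc this hunk edits starts outside the hunk.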
From: fkwp Date: Mon, 5 May 2025 16:09:34 +0200 Subject: [PATCH 20/22] prettier --- vite.config.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/vite.config.js b/vite.config.js index 4985e75a..5b800f7a 100644 --- a/vite.config.js +++ b/vite.config.js @@ -82,11 +82,11 @@ export default defineConfig(({ mode, packageType }) => { return { server: { port: 3000, - fs: { allow }, - https: { - key: fs.readFileSync('./backend/dev_tls_m.localhost.key'), - cert: fs.readFileSync('./backend/dev_tls_m.localhost.crt'), - }, + fs: { allow }, + https: { + key: fs.readFileSync("./backend/dev_tls_m.localhost.key"), + cert: fs.readFileSync("./backend/dev_tls_m.localhost.crt"), + }, }, build: { sourcemap: true, From e12dfa9a9fb7523b234c4be8c367b1ee44e425ed Mon Sep 17 00:00:00 2001 From: fkwp Date: Mon, 5 May 2025 16:17:16 +0200 Subject: [PATCH 21/22] prettier --- package.json | 1 - 1 file changed, 1 deletion(-) diff --git a/package.json b/package.json index ab541644..2f693995 100644 --- a/package.json +++ b/package.json @@ -77,7 +77,6 @@ "@use-gesture/react": "^10.2.11", "@vector-im/compound-design-tokens": "^3.0.0", "@vector-im/compound-web": "^7.2.0", - "@vitejs/plugin-basic-ssl": "^1.0.1", "@vitejs/plugin-react": "^4.0.1", "@vitest/coverage-v8": "^3.0.0", "babel-plugin-transform-vite-meta-env": "^1.0.3", From b7e5b81dbf2182a552c8875422d6d5e2159ab365 Mon Sep 17 00:00:00 2001 From: fkwp Date: Mon, 5 May 2025 16:25:18 +0200 Subject: [PATCH 22/22] update yarn.lock to remove plugin-basic-ssl --- yarn.lock | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/yarn.lock b/yarn.lock index 394e81a7..ef372359 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -5127,15 +5127,6 @@ __metadata: languageName: node linkType: hard -"@vitejs/plugin-basic-ssl@npm:^1.0.1": - version: 1.2.0 - resolution: "@vitejs/plugin-basic-ssl@npm:1.2.0" - peerDependencies: - vite: ^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 - checksum: 10c0/0d360fcca01f91ade6e451edbea09a107ff9e95cd3c3766c7a069d1a168709df92d96c0bd1eccc66e2739a153e07c75a45321ec487450c0da942606200d8441d - languageName: node - linkType: hard - "@vitejs/plugin-react@npm:^4.0.1": version: 4.3.4 resolution: "@vitejs/plugin-react@npm:4.3.4" @@ -6968,7 +6959,6 @@ __metadata: "@use-gesture/react": "npm:^10.2.11" "@vector-im/compound-design-tokens": "npm:^3.0.0" "@vector-im/compound-web": "npm:^7.2.0" - "@vitejs/plugin-basic-ssl": "npm:^1.0.1" "@vitejs/plugin-react": "npm:^4.0.1" "@vitest/coverage-v8": "npm:^3.0.0" babel-plugin-transform-vite-meta-env: "npm:^1.0.3"