Set up TLS
Available on all plans
self-hosted deployments
Configure TLS on Fangout file server
You have two options if you want users to connect with HTTPS:
Set up TLS on the Fangout server.
Install a proxy such as NGINX and set up TLS on the proxy.
The easiest option is to set up TLS on the Fangout Server, but if you expect to have more than 200 users, use a proxy for better performance. A proxy server also provides standard HTTP request logs.
Note
Your Fangout server must be accessible from the Let’s Encrypt CA in order to verify your domain name and issue the certificate. Be sure to open your firewall and configure any reverse proxies to forward traffic to ports 80 and 443. More information can be found at Let’s Encrypt.
Tip
Before setting up Let’s Encrypt, you can set http_endpoint in /opt/fangout/fangout.json
as shown below so that Let’s Encrypt can verify the domain.
{ "http_endpoint": "0.0.0.0:55000" }
Configure TLS on the Fangout server
Activate the CAP_NET_BIND_SERVICE capability to allow Fangout to bind to low ports.
sudo setcap cap_net_bind_service=+ep /opt/fangout/bin/fangout
Install the security certificate. You can use Let’s Encrypt to automatically install and set up the certificate, or you can specify your own certificate.
Open the Fangout config file /opt/fangout/fangout.json and edit it as shown below, replacing the site URL with your own. Then restart the service.
{
"https_endpoint":"0.0.0.0:443",
"cert_path":"/etc/letsencrypt/live/fangout.example.com/fullchain.pem",
"private_key_path":"/etc/letsencrypt/live/fangout.example.com/privkey.pem"
}
Note
Password-protected certificates are not supported.
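A preflight check for the configuration above, as an added example that is not part of Fangout or its documentation: it reads the https_endpoint, cert_path and private_key_path keys shown on this page and flags a password-protected key, a key file readable by group or others, and a privileged port that needs the capability. The function names and the placeholder PEM files built in demo() are assumptions made for illustration.

```python
import json, os, tempfile

# PEM markers of a passphrase-protected key (PKCS#8 and legacy OpenSSL formats).
ENCRYPTED_MARKERS = ("BEGIN ENCRYPTED PRIVATE KEY", "Proc-Type: 4,ENCRYPTED")

def check_fangout_tls(config_path):
    """Return a list of findings for the TLS settings in a fangout.json file."""
    with open(config_path) as fh:
        cfg = json.load(fh)
    endpoint = cfg.get("https_endpoint", "")
    if not endpoint:
        return ["https_endpoint: not set, the server will not serve TLS itself"]
    findings = []
    if int(endpoint.rsplit(":", 1)[1]) < 1024:
        findings.append("https_endpoint: low port, binary needs cap_net_bind_service")
    for key, marker in (("cert_path", "BEGIN CERTIFICATE"),
                        ("private_key_path", "PRIVATE KEY")):
        path = cfg.get(key)
        if not path or not os.path.isfile(path):
            findings.append(f"{key}: file missing")
            continue
        with open(path) as fh:
            pem = fh.read()
        if marker not in pem:
            findings.append(f"{key}: no PEM '{marker}' block found")
        if key == "private_key_path":
            if any(m in pem for m in ENCRYPTED_MARKERS):
                findings.append("private_key_path: key is password-protected")
            if os.stat(path).st_mode & 0o077:  # any group/other permission bit
                findings.append("private_key_path: accessible by group/others")
    return findings

def demo():
    """Run the check on constructed files (placeholder PEM bodies, not real keys)."""
    d = tempfile.mkdtemp()
    cert, key, conf = (os.path.join(d, n)
                       for n in ("fullchain.pem", "privkey.pem", "fangout.json"))
    with open(cert, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n")
    with open(key, "w") as fh:
        fh.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\nCONSTRUCTED\n"
                 "-----END ENCRYPTED PRIVATE KEY-----\n")
    os.chmod(key, 0o644)  # deliberately too permissive for a private key
    with open(conf, "w") as fh:
        json.dump({"https_endpoint": "0.0.0.0:443", "cert_path": cert,
                   "private_key_path": key}, fh)
    return check_fangout_tls(conf)

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real host, call check_fangout_tls("/opt/fangout/fangout.json") as a user that can read the key file; an empty list means none of these conditions were found.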
Use TLS on NGINX (as a proxy)
Note
Do not set up TLS on Fangout before doing so for NGINX. Doing so breaks the connection, because TLS on the Fangout server prevents NGINX from communicating with it.
NGINX will act as a reverse proxy that encrypts the traffic between the client and the Fangout server. After the SSL certificate is installed, incoming traffic is handled by NGINX on port 443, which is exposed to the internet, and proxied to the Fangout server running on port 55000.
(Optional) Upstream encryption between NGINX and the Fangout server is allowed.
Follow NGINX’s guide on setting up SSL Termination for TCP Upstream Servers.
Other helpful resources: