openvidu/setup-livekit-ssl.sh
Cesar Mendivil 64924f9999
Applied new local config
2025-11-01 00:49:33 -07:00


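#!/bin/bash
#
# Obtains a Let's Encrypt certificate for DOMAIN and writes an Nginx site that
# terminates TLS on 443 and proxies to LiveKit on 127.0.0.1:7880.
#
# Usage:  DOMAIN=example.org EMAIL=admin@example.org ./setup-livekit-ssl.sh
# Both variables fall back to the values hard-coded below when unset.
# Requires sudo; writes under /etc/nginx and /etc/letsencrypt.
set -euo pipefail

echo "🔒 CONFIGURACIÓN SSL PARA LIVEKIT CON DOMINIO"
echo "=============================================="

readonly PLACEHOLDER_EMAIL="tu-email@dominio.com"
DOMAIN="${DOMAIN:-nextream.sytes.net}"
EMAIL="${EMAIL:-$PLACEHOLDER_EMAIL}" # Replace with your own address
readonly SITE_AVAILABLE="/etc/nginx/sites-available/livekit-ssl"
readonly SITE_ENABLED="/etc/nginx/sites-enabled/livekit-ssl"

# DOMAIN is expanded unescaped into the Nginx config and into certificate
# paths, so accept only hostname characters (no spaces, ';', '/' or braces).
hostname_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
if [[ ! "$DOMAIN" =~ $hostname_re ]]; then
  printf '%s\n' "❌ Dominio inválido: $DOMAIN" >&2
  exit 1
fi

# Registering the ACME account with the placeholder address means expiry and
# revocation notices go nowhere; stop before contacting Let's Encrypt.
if [[ "$EMAIL" == "$PLACEHOLDER_EMAIL" ]]; then
  printf '%s\n' "❌ Define EMAIL con una dirección real antes de continuar" >&2
  exit 1
fi

echo "📋 Configuración:"
echo " • Dominio: $DOMAIN"
echo " • Email: $EMAIL"
echo " • Puerto HTTPS: 443"
echo " • Puerto LiveKit: 7880"

# Install certbot if it is not present
if ! command -v certbot &> /dev/null; then
  echo "📦 Instalando Certbot..."
  sudo apt update
  sudo apt install -y certbot python3-certbot-nginx
fi

# Issue the certificate. --standalone binds port 80 itself, so a running
# Nginx has to be stopped around issuance. The hooks are also stored in the
# renewal configuration, which keeps unattended renewals working.
echo "🔐 Generando certificado SSL..."
certbot_args=(
  certonly --standalone
  --email "$EMAIL"
  --agree-tos
  --no-eff-email
  -d "$DOMAIN"
)
if systemctl is-active --quiet nginx; then
  certbot_args+=(
    --pre-hook "systemctl stop nginx"
    --post-hook "systemctl start nginx"
  )
fi
sudo certbot "${certbot_args[@]}"

# Write the Nginx site for LiveKit.
# The heredoc delimiter is unquoted on purpose: $DOMAIN is expanded by the
# shell, while \$-escaped names are left for Nginx to resolve at request time.
# ssl_ciphers lists ECDSA as well as RSA suites: newer certbot releases
# default to ECDSA keys, and an RSA-only list would leave TLS 1.2 clients
# with no usable suite. The earlier *-GCM-SHA512 entries are not OpenSSL
# cipher names and were dropped.
echo "⚙️ Configurando Nginx para LiveKit..."
sudo tee "$SITE_AVAILABLE" > /dev/null <<EOF
server {
    listen 443 ssl http2;
    server_name $DOMAIN;
    # Certificados SSL
    ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
    # Configuración SSL moderna
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # Headers de seguridad
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # Proxy hacia LiveKit (HTTP a HTTPS)
    location / {
        proxy_pass http://127.0.0.1:7880;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header X-Forwarded-Host \$host;
        proxy_set_header X-Forwarded-Port \$server_port;
        # Timeouts para WebSocket
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }
}
# Redireccionar HTTP a HTTPS
server {
    listen 80;
    server_name $DOMAIN;
    return 301 https://\$server_name\$request_uri;
}
EOF

# Enable the site. If the configuration test fails, take the site back out so
# a later Nginx restart is not blocked by a half-applied change.
sudo ln -sf "$SITE_AVAILABLE" "$SITE_ENABLED"
if ! sudo nginx -t; then
  sudo rm -f -- "$SITE_ENABLED"
  printf '%s\n' "❌ nginx -t falló; se deshabilitó livekit-ssl" >&2
  exit 1
fi
sudo systemctl reload nginx

echo "✅ SSL configurado correctamente"
echo ""
echo "🌐 URLs actualizadas:"
echo " • HTTP: http://$DOMAIN → redirige a HTTPS"
echo " • HTTPS: https://$DOMAIN"
echo " • WSS: wss://$DOMAIN"
echo ""
echo "⚠️ IMPORTANTE: Actualiza la configuración de OpenVidu Meet:"
echo " LIVEKIT_URL=wss://$DOMAIN"
echo " LIVEKIT_URL_PRIVATE=wss://$DOMAIN"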