Production setup
1. Choose a cloud hosting provider:
The first step is to select a cloud hosting provider that suits your needs. Some popular options are Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. Make sure you choose a plan that can handle the expected traffic and load.
2. Set up a machine:
After selecting a cloud hosting provider, set up a virtual machine (VM) that will host your backend application. This VM should have an operating system installed, such as Ubuntu, with Docker and Docker Compose.
3. Configure your firewall: It's important to configure your firewall to allow traffic only from trusted sources. You can set up a firewall using iptables or UFW (Uncomplicated Firewall) depending on your operating system.
In a production setup, STANAG On Demand Server only requires the following ports to be open:
VOD
Port | Description |
---|---|
443 | HTTPS secure server access |
Live
For direct UDP stream ingress, open the ports specified in the platform configuration, for example:
Port | Description |
---|---|
30120-30130 (udp) | Stream channel UDP ports (default platform configuration) |
For SRT ingress, open the ports specified in the SRT listener configuration, for example:
Port | Description |
---|---|
4200-4010 (udp) | Stream channel SRT listener ports |
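The firewall step above only lists which ports must be reachable; the script below is an added example (not part of the stserver project) that turns such a list into a UFW rule set with inbound traffic denied by default, and validates each port range before anything is applied (an inverted range such as a start greater than its end is rejected). The port specs are constructed from the tables above and must be replaced with your platform configuration and SRT listener settings; the `tcp:22` entry for SSH administration is an assumption, not a server requirement, included so that enabling a default-deny policy does not lock you out. Nothing is executed: the output is meant to be reviewed and then run as root.

```shell
#!/bin/sh
# Added example: generate a UFW rule set for the ports the server needs.
# Port values are constructed; adjust them to your deployment.

# Validate a single port or a LOW HIGH range (1-65535, LOW <= HIGH).
# Returns 0 when valid, 1 otherwise; an inverted range such as 4200 4010 fails.
validate_port_range() {
    low=$1
    high=${2:-$1}
    case "$low$high" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric input
    esac
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# Print the ufw command for one port or range: ufw_rule PROTO LOW [HIGH]
ufw_rule() {
    proto=$1
    low=$2
    high=${3:-$2}
    case "$proto" in
        tcp|udp) ;;
        *) return 1 ;;             # only tcp/udp rules are generated here
    esac
    validate_port_range "$low" "$high" || return 1
    if [ "$low" = "$high" ]; then
        printf 'ufw allow %s/%s\n' "$low" "$proto"
    else
        printf 'ufw allow %s:%s/%s\n' "$low" "$high" "$proto"
    fi
}

# Emit a complete rule set from specs of the form PROTO:PORT or PROTO:LOW-HIGH.
# Everything not listed is denied inbound. Fails on the first invalid spec so
# that a typo never produces a half-correct policy.
generate_ufw_rules() {
    printf 'ufw default deny incoming\n'
    printf 'ufw default allow outgoing\n'
    for spec in "$@"; do
        proto=${spec%%:*}
        range=${spec#*:}
        low=${range%-*}
        high=${range#*-}
        ufw_rule "$proto" "$low" "$high" || {
            printf 'invalid port spec: %s\n' "$spec" >&2
            return 1
        }
    done
    printf 'ufw --force enable\n'
}

# Stand-alone use (assumed file name):
#   ./ufw-rules.sh tcp:22 tcp:443 udp:30120-30130 > rules.sh && sudo sh rules.sh
if [ $# -gt 0 ]; then
    generate_ufw_rules "$@"
fi
```

The SRT and direct-UDP ranges are only needed when that ingress type is actually used, so pass only the specs that apply to your deployment; with a default-deny policy, every extra open range is attack surface that buys nothing.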
4. Create a local folder (for example, ~/stserver/).
Create a new folder for the server, change the ownership to your user and then enter the directory you created.
sudo mkdir stserver
sudo chown -R yourUser:yourGroup stserver
cd stserver
5. Download the setup.
Download the stserver-install.tar.gz file from the STANAG On Demand Server GitHub release page, or use the command:
wget https://github.com/impleotv/stserver-release/releases/download/v2.10.4/stserver-install.tar.gz
Extract files:
tar -xvf stserver-install.tar.gz
6. In a terminal, change the directory to the location of docker-compose-production.yml file.
Edit the .env file.
Warning
In the .env file, there are some directories where the content will be stored, like ~/videos/. Create the directories and make sure the server (Docker) has permission to write to them.
Configure the environment variables:
Enable the reverse proxy in the .env file:
USING_REVERSE_PROXY=true
Uncomment the following line and set your domain:
SERVER_DOMAIN=mydomain.com
If you want to use the reverse proxy without a domain, you can set the IP address of the host instead:
SERVER_DOMAIN=50.16.0.24
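Mistakes in .env (a placeholder domain left in place, a content directory that does not exist or is not writable) only surface after the containers are up. The script below is an added example, not part of the stserver project, that checks the settings from this step before `docker compose` is run: it reads keys from .env (comments ignored, last definition wins, surrounding quotes stripped), verifies `USING_REVERSE_PROXY` and `SERVER_DOMAIN`, and checks that each directory variable you name exists and is writable. The directory variable name `VIDEO_DIR` used in the usage line is an assumption; use whichever names your .env actually defines. Treating `mydomain.com` as a placeholder is likewise an assumption based on the example value above.

```shell
#!/bin/sh
# Added example: validate .env before starting the stack.
# Variable names for content directories (e.g. VIDEO_DIR) are assumptions.

# env_get KEY FILE: print the value of KEY from FILE, empty if absent.
env_get() {
    grep -E "^[[:space:]]*$1=" "$2" 2>/dev/null | tail -n 1 | cut -d= -f2- \
        | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# expand_tilde PATH: the examples on this page use ~/videos/; resolve ~ the
# way a shell would so the directory check looks at the real location.
expand_tilde() {
    case "$1" in
        "~")   printf '%s\n' "$HOME" ;;
        "~/"*) printf '%s%s\n' "$HOME" "${1#\~}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# check_env_file FILE [DIR_VAR...]: returns 0 when every check passes,
# 1 otherwise, printing one line per problem to stderr.
check_env_file() {
    file=$1
    shift
    status=0

    if [ "$(env_get USING_REVERSE_PROXY "$file")" != "true" ]; then
        echo "USING_REVERSE_PROXY is not set to true" >&2
        status=1
    fi

    domain=$(env_get SERVER_DOMAIN "$file")
    case "$domain" in
        ""|mydomain.com)   # unset, or still the placeholder from the docs (assumed)
            echo "SERVER_DOMAIN is unset or still the placeholder" >&2
            status=1 ;;
    esac

    for var in "$@"; do
        dir=$(expand_tilde "$(env_get "$var" "$file")")
        if [ -z "$dir" ]; then
            echo "$var is not set" >&2
            status=1
        elif [ ! -d "$dir" ]; then
            echo "$var=$dir does not exist; create it before starting Docker" >&2
            status=1
        elif [ ! -w "$dir" ]; then
            echo "$var=$dir is not writable by $(id -un)" >&2
            status=1
        fi
    done
    return $status
}

# Stand-alone use (assumed file and variable names):
#   ./check-env.sh .env VIDEO_DIR
if [ $# -gt 0 ]; then
    check_env_file "$@"
fi
```

The writability check runs as the user invoking the script; if the containers run as a different UID, run the check as that user (or verify ownership on the bind-mounted directories) so the result reflects what the server process will actually see.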
7. Configure DNS:
Once your server backend is ready and Cloudflare or a reverse proxy is set up, configure your DNS records to point to your server's IP address or domain name.
8. Install the necessary software:
Once your VM is set up, you'll need to install the necessary software to run your backend application.
Configure SSL/TLS: To secure traffic between the client and the server, set up SSL/TLS encryption. You can obtain SSL/TLS certificates from a certificate authority (CA) such as Let's Encrypt or purchase them from a commercial provider. Alternatively, you can put Cloudflare in front of the server for additional security and performance benefits: Cloudflare offers DDoS protection, caching, and SSL/TLS encryption.
9. Start all the services by running docker-compose:
You can use the docker-compose-production.yml file directly (with the -f argument) or rename it to docker-compose.yml so that docker compose picks it up by default.
docker compose -f docker-compose-production.yml up -d
or, if you have an old version of Docker Compose, run
docker-compose -f docker-compose-production.yml up -d
If you renamed the file to docker-compose.yml, just use
docker compose up -d
When you run this for the first time, Docker will download the required images and start the containers.
Once Docker has finished downloading the images and started the containers, restart the services:
docker compose down
docker compose up -d
Test your setup: Finally, test your server backend by accessing it through a web browser or API client. Make sure that all functionality is working correctly and that SSL/TLS encryption is properly configured.
That's it! The server should be running now.
Warning
Docker and UFW security flaw
If you are using Docker on Linux along with the Uncomplicated Firewall (UFW), the default configuration creates a security issue. Docker bypasses UFW and modifies iptables directly so that containers can publish ports. Consequently, any UFW rules you have established will not apply to Docker containers. Docker manages its own network interfaces and iptables rules, which can lead to conflicts or unexpected behaviour with external firewalls like UFW. To prevent Docker from bypassing your UFW rules, you can take the following steps:
1. Configure Docker to Use UFW: Docker provides an option to configure it to use the host's firewall rules. To enable this, you need to create or edit a Docker configuration file. Create a file named /etc/docker/daemon.json if it doesn't exist, and add the following content:
{
"iptables": false
}
This configuration prevents Docker from creating its own iptables rules and should make it follow the UFW rules.
2. Reload Docker Daemon: After editing the Docker configuration, you need to restart the Docker daemon to apply the changes:
sudo systemctl restart docker
Another way to fix this: on your Docker server, open /etc/default/docker in an editor (for example, sudo nano /etc/default/docker) and add the following line:
DOCKER_OPTS="--iptables=false"
Save and close the file, then restart the Docker daemon with sudo systemctl restart docker. From now on, containers you deploy will no longer alter iptables, and your UFW rules will be honoured.
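Because a published port silently bypasses UFW until one of the two changes above is in place, it is worth checking the host's state rather than assuming it. The script below is an added example, not part of the stserver project or of Docker, that inspects both mechanisms described above (`"iptables": false` in /etc/docker/daemon.json, or `--iptables=false` in DOCKER_OPTS in /etc/default/docker) and reports whether Docker has been told to stop managing iptables. The default paths are the ones on this page; pass other paths to test against copies. One caveat the page does not mention: with iptables management disabled, Docker no longer installs the NAT (masquerade) rules it normally uses for container outbound traffic, so confirm after the change that the containers can still reach what they need; Docker's own documentation points to the DOCKER-USER chain as the supported place for host-level filtering rules if that trade-off is not acceptable.

```shell
#!/bin/sh
# Added example: report whether Docker has been configured to stop managing
# iptables, so that UFW rules actually apply to published container ports.

# daemon_json_disables_iptables FILE: 0 if FILE contains "iptables": false.
# A regex check rather than a JSON parser; sufficient for the one-key file
# shown above, and tolerant of whitespace around the colon.
daemon_json_disables_iptables() {
    [ -f "$1" ] && grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$1"
}

# docker_defaults_disable_iptables FILE: 0 if an uncommented DOCKER_OPTS line
# in FILE carries --iptables=false. A commented-out line does not count.
docker_defaults_disable_iptables() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*DOCKER_OPTS=.*--iptables=false' "$1"
}

# report_docker_ufw_state [DAEMON_JSON] [DEFAULTS_FILE]:
# 0 when either file disables Docker's iptables management, 1 otherwise.
report_docker_ufw_state() {
    json=${1:-/etc/docker/daemon.json}
    defaults=${2:-/etc/default/docker}
    if daemon_json_disables_iptables "$json"; then
        echo "OK: $json sets iptables=false; Docker will not add its own rules"
        return 0
    fi
    if docker_defaults_disable_iptables "$defaults"; then
        echo "OK: $defaults sets --iptables=false; Docker will not add its own rules"
        return 0
    fi
    echo "WARNING: Docker still manages iptables; published container ports bypass UFW" >&2
    return 1
}

# Stand-alone use (assumed file name):
#   ./docker-ufw-check.sh check                       # inspect the live host
#   ./docker-ufw-check.sh check ./daemon.json ./docker # inspect copies
case "${1:-}" in
    check) shift; report_docker_ufw_state "$@" ;;
esac
```

Run the check again after restarting the daemon, and pair it with `sudo ufw status` to confirm that only the ports from the firewall step (443, plus any UDP or SRT ingress ranges you use) are listed as allowed.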