
Domain & Certificate Configuration

This guide walks you through configuring a domain name and enabling HTTPS after completing the TgoRTC one-click deployment.

Prerequisites
  • TgoRTC has been deployed via deploy.sh and services are running normally
  • You own a domain name (we use rtc.example.com as an example below) with DNS already pointing to your server's public IP
  • You have obtained an SSL certificate: either a Let's Encrypt certificate issued with certbot on this server, or a certificate and private key downloaded from your cloud provider (the bundle must include the intermediate CA chain, not just the leaf certificate)
  • The server has a public IP with ports 80/443 accessible

Step 1: Update .env

Edit the .env file and modify the following two entries:

# Change LIVEKIT_CLIENT_URL to https protocol + domain (no port: nginx now listens on 443,
# and the client's WebSocket connection is then made over wss://)
# Before: LIVEKIT_CLIENT_URL=http://YOUR_IP:80
LIVEKIT_CLIENT_URL=https://rtc.example.com

# Change SERVER_HOST to domain
# Before: SERVER_HOST=YOUR_IP
SERVER_HOST=rtc.example.com

Step 2: Update nginx/nginx.conf

Replace the contents of nginx/nginx.conf with the following:

# Map the client's Upgrade header to the Connection header sent upstream:
# "upgrade" for WebSocket handshakes, "close" for ordinary HTTP requests.
# Sending a fixed "Connection: upgrade" on every request (including plain HTTP
# ones) is a common mistake that confuses keepalive upstreams.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream livekit_cluster {
    server livekit:7880 max_fails=3 fail_timeout=10s;
    ip_hash;
    keepalive 32;
}

# HTTP -> HTTPS redirect
server {
    listen 80;
    server_name rtc.example.com;
    return 301 https://$host$request_uri;
}

# HTTPS main configuration
server {
    listen 443 ssl;
    server_name rtc.example.com;

    # ---------- SSL Certificate ----------
    # Let's Encrypt certificate (Option A)
    ssl_certificate     /etc/letsencrypt/live/rtc.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rtc.example.com/privkey.pem;

    # Cloud provider certificate (Option B - comment out the two lines above and uncomment below)
    # ssl_certificate     /etc/nginx/ssl/cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/cert.key;

    # ---------- SSL Security Parameters ----------
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    access_log /var/log/nginx/livekit-cluster-access.log;
    error_log  /var/log/nginx/livekit-cluster-error.log;

    # LiveKit WebSocket proxy
    location / {
        proxy_pass http://livekit_cluster;
        proxy_http_version 1.1;

        # WebSocket upgrade (Connection value comes from the map above)
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Pass original request info
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Connection timeout settings (long read/send timeouts keep idle WebSockets open)
        proxy_connect_timeout 5s;
        proxy_send_timeout    7d;
        proxy_read_timeout    7d;

        # Fast failover
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_next_upstream_timeout 10s;
        proxy_next_upstream_tries 2;

        # Disable buffering (real-time streaming)
        proxy_buffering off;
    }

    # Health check endpoint (answered by nginx itself, does not reach LiveKit)
    location /health {
        access_log off;
        return 200 'OK';
        add_header Content-Type text/plain;
    }
}
Note: Replace all occurrences of rtc.example.com with your actual domain name, in both server_name lines and in the Let's Encrypt certificate paths. The certificate paths are paths inside the nginx container, so they must match the volume mount you add in Step 3.

Step 3: Update docker-compose.yml

Edit docker-compose.yml, find the nginx service section, and make two changes:

1. Add port 443 mapping

  nginx:
    image: nginx:alpine
    container_name: tgo-rtc-nginx
    restart: always
    ports:
      - "80:80"
      - "443:443"   # Add this line

2. Mount certificate directory

Let's Encrypt certificate (Option A):

    volumes:
      - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
      - nginx_logs:/var/log/nginx
      - /etc/letsencrypt:/etc/letsencrypt:ro   # Add this line (mount the whole directory so the live/ symlinks resolve)

Cloud provider certificate (Option B):

    volumes:
      - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
      - nginx_logs:/var/log/nginx
      - ./nginx/ssl:/etc/nginx/ssl:ro   # Add this line

Step 4: Update livekit.yaml

Edit livekit.yaml and change the TURN domain to your domain name:

turn:
  enabled: true
  domain: rtc.example.com   # Change IP to domain
  udp_port: 3478
  tls_port: 5349            # Add: enable TURN TLS
  # LiveKit terminates TURN/TLS itself, so it needs the certificate as well.
  # The paths are as seen inside the livekit container: mount /etc/letsencrypt
  # (or ./nginx/ssl) into that service the same way as for nginx in Step 3.
  # If a load balancer terminates TLS on 5349 in front of LiveKit, set
  # external_tls: true instead of cert_file/key_file.
  cert_file: /etc/letsencrypt/live/rtc.example.com/fullchain.pem
  key_file: /etc/letsencrypt/live/rtc.example.com/privkey.pem

LiveKit requires cert_file and key_file (or external_tls: true) whenever tls_port is set. TURN/TLS listens on 5349/tcp, so that port must be reachable from clients as well; see Step 5.

Step 5: Open Port 443 in Firewall

# UFW (Ubuntu)
sudo ufw allow 443/tcp

# firewalld (CentOS)
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload

If using a cloud server, you also need to allow 443/TCP in the cloud console's security group settings. If you enabled TURN/TLS in Step 4, allow 5349/tcp in the firewall and the security group the same way, unless deploy.sh already opened it.

Step 6: Restart Services

The certificate volume mounts and the new port mapping only take effect when the containers are recreated, so use down/up rather than a plain restart:

cd ~/tgortc
sudo docker compose down
sudo docker compose up -d

Once the containers are up, sudo docker compose exec nginx nginx -t confirms that nginx parsed the new configuration and could read the certificate files at the mounted paths.

Verification

# Check if HTTPS is working
curl -I https://rtc.example.com/health

# Check if HTTP auto-redirects (should return 301)
curl -I http://rtc.example.com/health

# Check all container status
sudo docker compose ps

# View Nginx logs
sudo docker compose logs nginx
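The curl commands above each check one thing by hand. The script below, an added example that is not part of TgoRTC, bundles the checks a practitioner would want after this procedure: the HTTP-to-HTTPS redirect, the /health endpoint over HTTPS, that the certificate actually served (with SNI, as a browser sees it) covers the domain, and that it is not about to expire. The parsing helpers take text in and return an exit status, so they can be exercised without a server; run_checks does the live fetches. It assumes curl and OpenSSL 1.1.1 or newer on the host, and rtc.example.com is the guide's placeholder domain.

```shell
#!/usr/bin/env sh
# Post-configuration checker for the HTTPS setup above (added example, not part of TgoRTC).
# Assumes curl and OpenSSL >= 1.1.1 are installed and that the domain given as
# argument 1 (rtc.example.com in the guide) resolves to this server.
#   sh check_rtc_tls.sh rtc.example.com

# Escape dots so a domain can be used literally inside an extended regex.
re_escape() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# Does the first line of a curl -I response carry the expected status code?
status_ok() {            # $1 = response headers, $2 = expected status code
  printf '%s\n' "$1" | head -n 1 | grep -Eq "^HTTP/[0-9.]+ $2([^0-9]|\$)"
}

# Was plain HTTP answered with a permanent redirect to https://<domain>/...?
redirect_ok() {          # $1 = response headers, $2 = domain
  _d=$(re_escape "$2")
  status_ok "$1" 301 || status_ok "$1" 308 || return 1
  printf '%s\n' "$1" | grep -Eiq "^location: https://$_d/"
}

# Does the SAN list (output of: openssl x509 -noout -ext subjectAltName) cover the
# domain, either as an exact DNS entry or as a wildcard on its parent domain?
san_covers() {           # $1 = SAN text, $2 = domain
  _d=$(re_escape "$2"); _p=$(re_escape "${2#*.}")
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -Eqx "DNS:($_d|\*\.$_p)"
}

# Live checks against the deployed host; returns non-zero if any check fails.
run_checks() {           # $1 = domain
  _dom="$1"; _fail=0

  _h=$(curl -sS -I --max-time 10 "http://$_dom/health") || _fail=1
  if redirect_ok "$_h" "$_dom"; then echo "ok   http -> https redirect"
  else echo "FAIL http://$_dom/health did not redirect to https://$_dom/"; _fail=1; fi

  _h=$(curl -sS -I --max-time 10 "https://$_dom/health") || _fail=1
  if status_ok "$_h" 200; then echo "ok   https /health returns 200"
  else echo "FAIL https://$_dom/health (curl also fails here if the chain is untrusted)"; _fail=1; fi

  # Fetch the leaf certificate that is served for this SNI name, as a browser would.
  _cert=$(printf '' | openssl s_client -connect "$_dom:443" -servername "$_dom" 2>/dev/null \
          | openssl x509 2>/dev/null) || _fail=1
  _san=$(printf '%s\n' "$_cert" | openssl x509 -noout -ext subjectAltName 2>/dev/null)
  if san_covers "$_san" "$_dom"; then echo "ok   certificate SAN covers $_dom"
  else echo "FAIL served certificate does not cover $_dom (wrong cert path or nginx default cert?)"; _fail=1; fi

  # -checkend exits non-zero if the certificate expires within the given seconds (14 days).
  if printf '%s\n' "$_cert" | openssl x509 -noout -checkend 1209600 >/dev/null 2>&1; then
    echo "ok   certificate valid for more than 14 days"
  else echo "FAIL certificate expires within 14 days or could not be read (check certbot renew)"; _fail=1; fi

  return $_fail
}

if [ -n "${1:-}" ]; then run_checks "$1"; fi
```

Run it after every certificate renewal as well as after the initial setup; a FAIL on the SAN check right after a renewal usually means nginx was not restarted and is still holding the old certificate in memory.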

Automatic Certificate Renewal (Let's Encrypt)

Let's Encrypt certificates are valid for 90 days, and certbot renew only replaces a certificate that is within 30 days of expiry. Schedule the job daily rather than monthly: a monthly run leaves no retry before expiry if one attempt fails (for example because the nginx container could not be stopped). The pre-hook stops nginx so certbot's standalone listener can bind port 80, and the post-hook starts it again; the restart is required because nginx only reads the certificate at startup (the /etc/letsencrypt mount from Step 3 makes the live/ symlinks point at the renewed files). Note that sudo crontab -e edits root's crontab, where ~ expands to /root, so write the deployment directory as an absolute path:

sudo crontab -e

# Add the following line (try renewal daily at 3 AM; replace /home/USER/tgortc with the absolute path of your deployment directory)
0 3 * * * certbot renew --pre-hook "cd /home/USER/tgortc && docker compose stop nginx" --post-hook "cd /home/USER/tgortc && docker compose start nginx" >> /var/log/certbot-renew.log 2>&1

Summary of Changes

File                  Changes
.env                  LIVEKIT_CLIENT_URL changed to https://<domain> (clients then connect over wss://)
.env                  SERVER_HOST changed to domain
nginx/nginx.conf      Listen on 443 + SSL config + HTTP redirect
docker-compose.yml    Add port 443, mount certificate directory
livekit.yaml          TURN domain changed to domain, enable tls_port (with cert_file/key_file)

FAQ

Q: Certificate request failed?

Certbot's standalone mode needs to bind port 80 on the host. Check what is holding it with sudo lsof -i :80; after deployment that is normally the TgoRTC nginx container, so stop it for the duration of the request (sudo docker compose stop nginx, then start it again), exactly as the renewal cron job's hooks do. Also confirm that the domain's A record resolves to this server's public IP and that 80/tcp is open in both the firewall and the cloud security group.

Q: Browser shows certificate insecure?

Check that nginx is loading the intended certificate files (the paths in nginx.conf are paths inside the container and must match the volume mount from Step 3), that the certificate has not expired, and that the file given to ssl_certificate contains the full chain: fullchain.pem for Let's Encrypt, and for a cloud provider certificate the nginx bundle that includes the intermediate CA, not the leaf certificate alone. A certificate issued for a different name, or nginx's default self-signed certificate, produces the same warning; openssl s_client -connect rtc.example.com:443 -servername rtc.example.com shows which certificate is actually being served.

Q: WebSocket connection failed?

Check that LIVEKIT_CLIENT_URL was changed from http://YOUR_IP:80 to https://rtc.example.com in Step 1 (the client then opens its WebSocket over wss://), that the services were restarted after the change, and that the client is using that address. If nginx answers the handshake with 502 or 504, LiveKit is not reachable at livekit:7880 from the nginx container; check sudo docker compose logs livekit.

Q: Configuration lost after redeployment?

deploy.sh regenerates the configuration files, so you need to redo the steps in this guide after every redeployment. Back up your modified .env, nginx/nginx.conf, docker-compose.yml and livekit.yaml in advance so they can be restored instead of re-edited.