fix: ssl error when using self signed certificate (#238)

fix: ssl error when using self signed certificate with remote deployment
2026-06-07 07:55:16 +02:00 · 2026-04-14 18:58:27 +05:30 · 2026-04-14 18:58:27 +05:30 · 50a59164e7
commit 50a59164e7
parent 7fab959e26
10 changed files with 285 additions and 292 deletions
--- a/scripts/setup_custom_domain.sh
+++ b/scripts/setup_custom_domain.sh
@ -207,6 +207,28 @@ server {
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

+    # Backend API and WebSockets — bypass the UI, go straight to api:8000
+    location /api/v1/ {
+        proxy_pass http://api:8000;
+        proxy_http_version 1.1;
+
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+
+        # Long-lived WebSockets (audio streaming, signaling)
+        proxy_read_timeout 3600s;
+        proxy_send_timeout 3600s;
+
+        # Don't buffer streamed responses
+        proxy_buffering off;
+        client_max_body_size 100M;
+    }
+
    location / {
        proxy_pass         http://ui:3010;
        proxy_http_version 1.1;
@ -248,16 +270,12 @@ echo -e "${GREEN}✓ nginx.conf updated${NC}"
 # Update .env file with domain name
 echo -e "${BLUE}[6/8] Updating environment variables...${NC}"
 if [[ -f ".env" ]]; then
-    # Update BACKEND_API_ENDPOINT to use domain
+    # Update BACKEND_API_ENDPOINT to use domain (public URL the backend advertises)
    sed -i.bak "s|^BACKEND_API_ENDPOINT=.*|BACKEND_API_ENDPOINT=https://$DOMAIN_NAME|" .env
-    # Update BACKEND_URL if present, otherwise add it
-    if grep -q "^BACKEND_URL=" .env; then
-        sed -i.bak "s|^BACKEND_URL=.*|BACKEND_URL=https://$DOMAIN_NAME|" .env
-    else
-        echo "" >> .env
-        echo "# Backend URL for UI" >> .env
-        echo "BACKEND_URL=https://$DOMAIN_NAME" >> .env
-    fi
+    # Drop any stale BACKEND_URL override — the ui container should use the
+    # internal Docker URL (http://api:8000) from docker-compose defaults.
+    sed -i.bak "/^BACKEND_URL=/d" .env
+    sed -i.bak "/^# Backend URL for UI$/d" .env
    # Update TURN_HOST to use domain
    sed -i.bak "s|^TURN_HOST=.*|TURN_HOST=$DOMAIN_NAME|" .env
    rm -f .env.bak
--- a/scripts/setup_remote.sh
+++ b/scripts/setup_remote.sh
@ -15,9 +15,11 @@ echo "║      Automated HTTPS deployment with TURN server             ║"
 echo "╚══════════════════════════════════════════════════════════════╝"
 echo -e "${NC}"

-# Get the public IP address
-echo -e "${YELLOW}Enter your server's public IP address:${NC}"
-read -p "> " SERVER_IP
+# Get the public IP address (skip prompt if SERVER_IP is already set)
+if [[ -z "$SERVER_IP" ]]; then
+    echo -e "${YELLOW}Enter your server's public IP address:${NC}"
+    read -p "> " SERVER_IP
+fi

 if [[ -z "$SERVER_IP" ]]; then
    echo -e "${RED}Error: IP address cannot be empty${NC}"
@ -30,29 +32,39 @@ if ! [[ "$SERVER_IP" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    exit 1
 fi

-# Get the TURN secret
-echo -e "${YELLOW}Enter a shared secret for the TURN server (press Enter to generate a random one):${NC}"
-read -sp "> " TURN_SECRET
-echo ""
+# Get the TURN secret (skip prompt if TURN_SECRET is already set)
+if [[ -z "$TURN_SECRET" ]]; then
+    echo -e "${YELLOW}Enter a shared secret for the TURN server (press Enter to generate a random one):${NC}"
+    read -sp "> " TURN_SECRET
+    echo ""
+fi

 if [[ -z "$TURN_SECRET" ]]; then
    TURN_SECRET=$(openssl rand -hex 32)
    echo -e "${BLUE}Generated random TURN secret${NC}"
 fi

+# Telemetry opt-out (default: true)
+ENABLE_TELEMETRY="${ENABLE_TELEMETRY:-true}"
+
 echo ""
 echo -e "${GREEN}Configuration:${NC}"
 echo -e "  Server IP:     ${BLUE}$SERVER_IP${NC}"
 echo -e "  TURN Secret:   ${BLUE}********${NC}"
 echo ""

-# Create project directory if it doesn't exist
-mkdir -p dograh 2>/dev/null || true
-cd dograh
+# Create project directory and download compose file (skip when
+# DOGRAH_SKIP_DOWNLOAD=1 — e.g. e2e tests that already have a cloned repo).
+if [[ "$DOGRAH_SKIP_DOWNLOAD" != "1" ]]; then
+    mkdir -p dograh 2>/dev/null || true
+    cd dograh

-echo -e "${BLUE}[1/5] Downloading docker-compose.yaml...${NC}"
-curl -sS -o docker-compose.yaml https://raw.githubusercontent.com/dograh-hq/dograh/main/docker-compose.yaml
-echo -e "${GREEN}✓ docker-compose.yaml downloaded${NC}"
+    echo -e "${BLUE}[1/5] Downloading docker-compose.yaml...${NC}"
+    curl -sS -o docker-compose.yaml https://raw.githubusercontent.com/dograh-hq/dograh/main/docker-compose.yaml
+    echo -e "${GREEN}✓ docker-compose.yaml downloaded${NC}"
+else
+    echo -e "${BLUE}[1/5] Using docker-compose.yaml in current directory${NC}"
+fi

 echo -e "${BLUE}[2/5] Creating nginx.conf...${NC}"
 cat > nginx.conf << 'NGINX_EOF'
@ -75,6 +87,28 @@ server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

+    # Backend API and WebSockets — bypass the UI, go straight to api:8000
+    location /api/v1/ {
+        proxy_pass http://api:8000;
+        proxy_http_version 1.1;
+
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+
+        # Long-lived WebSockets (audio streaming, signaling)
+        proxy_read_timeout 3600s;
+        proxy_send_timeout 3600s;
+
+        # Don't buffer streamed responses
+        proxy_buffering off;
+        client_max_body_size 100M;
+    }
+
    location / {
        proxy_pass         http://ui:3010;
        proxy_http_version 1.1;
@ -170,12 +204,9 @@ echo -e "${BLUE}[6/6] Creating environment file...${NC}"
 OSS_JWT_SECRET=$(openssl rand -hex 32)

 cat > .env << ENV_EOF
-# Backend API endpoint (for remote deployment)
+# Backend API endpoint (public URL the backend uses to build webhook/embed links)
 BACKEND_API_ENDPOINT=https://$SERVER_IP

-# Backend URL for UI
-BACKEND_URL=https://$SERVER_IP
-
 # TURN Server Configuration (time-limited credentials via TURN REST API)
 TURN_HOST=$SERVER_IP
 TURN_SECRET=$TURN_SECRET
@ -184,7 +215,7 @@ TURN_SECRET=$TURN_SECRET
 OSS_JWT_SECRET=$OSS_JWT_SECRET

 # Telemetry (set to false to disable)
-ENABLE_TELEMETRY=true
+ENABLE_TELEMETRY=$ENABLE_TELEMETRY
 ENV_EOF
 echo -e "${GREEN}✓ .env file created${NC}"