Operating Conditions
Under the following recommended configuration conditions, the system is expected to support approximately 200 concurrent users (4 classes: 50 participants per class).
- Ubuntu 22.04 64-bit OS running Linux kernel 5.x
- Latest version of docker installed
- 16 GB of memory with swap enabled
- 8 CPU cores, with high single-thread performance
- 500 GB of free disk space (or more) for recordings, or 50 GB if session recording is disabled on the server.
- TCP ports 80 and 443 are accessible
- UDP ports 16384 - 32768 are accessible
- 250 Mbits/sec bandwidth (symmetrical) or more
- TCP ports 80 and 443 are not in use by another web server or reverse proxy
- A hostname (such as bbb.example.com) for setup of an SSL certificate
- IPv4 and IPv6 addresses
However, it can be used even with the following specifications by limiting the number of concurrent participants to around 20–25.
- 4 CPU cores/8 GB of memory
- Installation on a local VM container
- 50 GB of disk space
- IPv4 address only
Download bbb-docker
The system consists of the following group of containers. The Nginx port is set to 8443. Traffic from port 443 on the host is redirected to port 8443 using iptables (user-mode usage with Podman is also assumed).
After downloading the source from BBB-Docker Source: GitHub, check out the main branch (version 3.0.4), which is provided as the stable release.
$ git clone https://github.com/bigbluebutton/docker.git bbb-docker
$ cd bbb-docker
$ git checkout main
When you run the following script, the .env and docker-compose.yml files are created. (Since the TLS certificate from Let’s Encrypt will be set up separately, answer “n” to the automatic HTTPS proxy question.)
$ ./scripts/setup
Should greenlight be included? (y/n): y
Should an automatic HTTPS Proxy be included? (y/n): n
Please enter the domain name: bbb.ficusonline.com
Should the recording feature be included?
IMPORTANT: this is currently a big privacy issues, because it will
record everything which happens in the conference, even when the button
suggests, that it does not.
make sure that you always get people's consent, before they join a room!
https://github.com/bigbluebutton/bigbluebutton/issues/9202
Choice (y/n): y
Should a Prometheus exporter be included? (y/n): n
Should old recordings be removed? (y/n): y
Please enter max age(days) for keeping recordings: 3
Is xx.xx.xx.xx your external IPv4 address? (y/n): y
Is xx:xx:xx:xx:xx:xx:xx:xx your external IPv6 address? (y/n): y
After checking and modifying the .env file, run the following script to apply its contents to the docker-compose.yml file.
$ ./scripts/generate-compose
Nginx Container
Change the Nginx container’s network from host to a Docker network, and also use it as a reverse proxy.
Add the following to the volumes section:
./nginx_config_temp:/etc/nginx/templates
Also, obtain the Let’s Encrypt certificate files in advance, and add that folder to the volumes section as well.
Since HTTPS requests received on the host’s port 443 are being redirected to port 8443 via iptables, also add the port mapping 8443:443.
- docker-compose.yml
  nginx:
    build:
      context: mod/nginx
      additional_contexts:
        - src-learning-dashboard=./repos/bigbluebutton/bbb-learning-dashboard
        - src-playback=./repos/bbb-playback
        - src-html5=./repos/bigbluebutton/bigbluebutton-html5
      args:
        BBB_BUILD_TAG: v3.0.x-release--2025-02-06-143818
        TAG_BBB: v3.0.4
    image: alangecker/bbb-docker-nginx:v3.0.4-v5.3.1-1.25
    restart: unless-stopped
    ports:
      - '8443:443'
    volumes:
      - ./data/bigbluebutton:/var/bigbluebutton
      - ${DEFAULT_PRESENTATION:-/dev/null}:/www/default.pdf
      - ./mod/nginx/bigbluebutton/:/etc/nginx/conf.d/default.conf
      - ./mod/nginx/nginx.conf:/etc/nginx/nginx.conf
      # in advance, run certbot in Docker to get the SSL certificate.
      # "$ sudo docker run -it --rm --name certbot -v "$PWD/letsencrypt:/etc/letsencrypt" -p 80:80 certbot/certbot certonly --standalone -d www.example.com"
      # added 4096-bit diffie-hellman parameters. see https://docs.bigbluebutton.org/2.2/install.html#configure-freeswitch-for-using-ssl
      # need /etc/letsencrypt/dhp-4096.pem: "$ openssl dhparam -out letsencrypt/dhp-4096.pem 4096"
      # For the FreeSWITCH WebSocket, the following files are needed.
      # $ sudo cat cert.pem privkey.pem fullchain.pem > wss.pem
      # add symbolic links
      # "$ sudo ln -s wss.pem agent.pem"
      # "$ sudo ln -s wss.pem tls.pem"
      # "$ sudo ln -s wss.pem dtls-srtp.pem"
      - ./letsencrypt:/etc/letsencrypt
      # added for reverse-proxy config template file; see https://hub.docker.com/_/nginx
      # *.conf.template is rendered to /etc/nginx/conf.d/*.conf after variable substitution.
      - ./nginx_config_temp:/etc/nginx/templates
    tmpfs:
      - /tmp
    # network_mode: host
    networks:
      bbb-net:
        ipv4_address: 10.7.7.3
        ipv6_address: fd6c:dfc7:8a45:2::3
    extra_hosts:
      - "host.docker.internal:10.7.7.1"
      - "bbb-web:10.7.7.2"
      - "etherpad:10.7.7.4"
      - "webrtc-sfu:10.7.7.1"
      - "greenlight:10.7.7.21"
      - "bbb-graphql-server:10.7.7.31"
      - "bbb-graphql-middleware:10.7.7.32"
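The redirect from host port 443 to the published port 8443 is mentioned above but not shown. One way to set it up, as an added example that is not from the original page: it assumes the rule goes in the nat table's PREROUTING chain, and the IPT4/IPT6 variables are hypothetical hooks for dry runs.

```shell
#!/bin/sh
# Added example: send traffic arriving on host port 443 to the published
# Nginx port 8443. Assumption: the redirect lives in the nat table's
# PREROUTING chain; the page does not show the author's actual rules.
# IPT4/IPT6 are hypothetical hooks for swapping in a dry-run command.
IPT4=${IPT4:-iptables}
IPT6=${IPT6:-ip6tables}

# add_redirect <iptables-command> <from-port> <to-port>
# Appends the REDIRECT rule only when an identical rule is not yet present,
# so re-running the script never stacks duplicates.
add_redirect() {
    ipt=$1
    rule="PREROUTING -p tcp --dport $2 -j REDIRECT --to-ports $3"
    # $rule is deliberately unquoted so it splits into separate arguments.
    if "$ipt" -t nat -C $rule 2>/dev/null; then
        echo "present: $ipt $rule"
    else
        "$ipt" -t nat -A $rule || return 1
        echo "added: $ipt $rule"
    fi
}

# redirect_https: apply the rule for both address families, since the
# Nginx template listens on IPv4 and IPv6.
redirect_https() {
    add_redirect "$IPT4" 443 8443 && add_redirect "$IPT6" 443 8443
}

# Run as root on the Docker host:
#   redirect_https
# PREROUTING only sees packets arriving from the network (and from
# containers via the bridge); connections opened on the host itself to
# port 443 would need a matching rule in the nat OUTPUT chain.
```

Rules added this way are lost on reboot unless they are saved, for example with the iptables-persistent package on Ubuntu.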
- nginx_config_temp/reverse-proxy.conf.template
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
map $remote_addr $endpoint_addr {
    "~:" [::1];
    default 127.0.0.1;
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    http2 on;
    server_name test.ficusonline.com;
    ssl_certificate /etc/letsencrypt/live/ficusonline.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ficusonline.com/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;
    # on the host machine, "$ sudo openssl dhparam -out ./letsencrypt/ssl-dhparams.pem 4096"
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    access_log /var/log/nginx/bigbluebutton.access.log;
    error_log /var/log/nginx/bigbluebutton.error.log;
    location / {
        proxy_http_version 1.1;
        proxy_pass http://$endpoint_addr:48087;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_cache_bypass $http_upgrade;
    }
    # main websocket
    location ~ ^/cool/(.*)/ws$ {
        proxy_pass http://collabora:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }
    # download, presentation and image upload
    # we accept 'lool' to be backward compatible
    location ~ ^/(c|l)ool {
        proxy_pass http://collabora:9980;
        proxy_set_header Host $host;
    }
}
File modifications
The related files were modified to follow changes in the Nginx configuration rules and the switch of Nginx’s network from host to a Docker network. Typos were also fixed and the Mediasoup settings adjusted.
- mod/nginx.conf
- mod/bigbluebutton
- reverse-proxy.conf.template
Because Nginx reports that the “http2” parameter of the listen directive is deprecated, change the HTTP/2 notation in the above Nginx configuration files.
Before modification
listen 443 ssl http2;
After modifications
listen 443 ssl;
http2 on;
Applying this change would normally require rebuilding the image, so instead the modified files are mounted directly into the nginx container through the docker-compose.yml file.
- docker-compose.yml
    volumes:
      - ./mod/nginx/bigbluebutton/:/etc/nginx/conf.d/default.conf
      - ./mod/nginx/nginx.conf:/etc/nginx/nginx.conf
Modification due to changing the network mode of Nginx from ‘host’ to the Docker network.
The listen IP in the following configuration file needs to be changed to the Docker network IP assigned to the Nginx container, which is 10.7.7.3.
- mod/bigbluebutton
server {
    listen 10.7.7.3:8185;
    listen 127.0.0.1:8185;
Change the IP in the following file from 10.7.7.1 to 10.7.7.3 for the same reason.
- docker-compose.yml
  bbb-graphql-middleware:
    extra_hosts:
      - "nginx:10.7.7.3"
- mod/nginx/nginx.conf
    server {
        # additional server only used for greenlight in dev mode
        # allows it to use the BBB API without failing
        # due to the self signed certificates
        #
        # all other requests (e.g. /join) is then redirected
        listen 48083;
        http2 on;
        location /bigbluebutton/api/join {
            return 301 https://10.7.7.3$request_uri;
        }
        location /bigbluebutton/api {
            proxy_pass http://127.0.0.1:48087;
        }
        location / {
            return 301 https://10.7.7.3$request_uri;
        }
    }
}
The following is when DEV_MODE is enabled.
- mod/nginx/bbb-html5.dev.nginx
proxy_pass http://10.7.7.3:3000/;
The FreeSWITCH container IP is incorrect: 10.7.7.1 -> 10.7.7.10
- mod/periodic/bbb-resync-freeswitch
docker exec -it bbb-freeswitch fs_cli -H 10.7.7.10 -P 8021 -x 'fsctl sync_clock_when_idle'
Connection error with audio and video devices
Change Mediasoup ListenIP
- docker-compose.yml
  webrtc-sfu:
    environment:
      ESL_PASSWORD: ${FSESL_PASSWORD:-ClueCon}
      #MS_WEBRTC_LISTEN_IPS: '[{"ip":"::", "announcedIp":"${EXTERNAL_IPv6}"}, {"ip":"${EXTERNAL_IPv4}", "announcedIp":"${EXTERNAL_IPv4}"}]'
      MS_WEBRTC_LISTEN_IPS: '[{"ip":"0.0.0.0", "announcedIp":"${EXTERNAL_IPv4}"}, {"ip":"${EXTERNAL_IPv6}"}]'
Collabora Online
Collabora Online is a web application that allows you to operate LibreOffice in a browser.
Since Etherpad by itself does not support PDF output, Collabora Online is used as a backend to convert HTML to PDF.
Etherpad HTML output -> Request to Collabora Online (/convert-to?pdf) -> PDF generation with LibreOffice engine -> Etherpad receives it and returns it to the user.
To support TLS, modify the relevant files so that access to the Collabora container goes through the Nginx reverse proxy.
Because curl in the following scripts uses https, change the URL to the correct domain and remove the -k option so that curl verifies the server certificate.
- mod/bbb-web/office-convert.sh
timeout $(printf %03d $timeoutSecs)s curl -F "data=@${source}" https://test.ficusonline.com/cool/convert-to/$convertTo > "${dest}"
- mod/etherpad/etherpad-export.sh
curl -v -F "data=@${src}" https://test.ficusonline.com/cool/convert-to/$convertTo > "${dest}"
Add a location section for Collabora in the Nginx proxy configuration file.
- nginx_config_temp/reverse-proxy.conf.template
    # main websocket
    location ~ ^/cool/(.*)/ws$ {
        proxy_pass http://collabora:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }
    # download, presentation and image upload
    # we accept 'lool' to be backward compatible
    location ~ ^/(c|l)ool {
        proxy_pass http://collabora:9980;
        proxy_set_header Host $host;
    }
You can either rebuild the images so that they pick up the modified .sh files above, or override the files directly by mounting them in the docker-compose file. Additionally, add an environment variable to the Collabora service (disable SSL in the container: extra_params=--o:ssl.enable=false --o:ssl.termination=true).
- docker-compose.yml
  bbb-web:
    volumes:
      # overwrite script for collabora
      - ./mod/bbb-web/office-convert.sh:/usr/share/bbb-libreoffice-conversion/convert.sh
  etherpad:
    # added the below volume section for having modified script.
    volumes:
      - ./mod/etherpad/etherpad-export.sh:/etherpad-export.sh
  collabora:
    environment:
      - extra_params=--o:ssl.enable=false --o:ssl.termination=true
Refer to the following for environment variables. Collabora Online Docker Environment
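The address changes in the File modifications section and the removal of curl's -k option above are both easy to miss in a single file. The following added example (not part of the original page or of bbb-docker) lists leftover exact references to an address and any curl call that still skips certificate verification; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: two review checks for the edited bbb-docker tree.
# Function names are hypothetical.

# insecure_curl <dir>
# Lists curl calls that still pass -k (also clustered, e.g. -sk) or
# --insecure, i.e. that skip certificate verification.
insecure_curl() {
    grep -rnE 'curl[[:space:]]+([^|;&]*[[:space:]])?(-[[:alpha:]]*k[[:alpha:]]*|--insecure)([[:space:]]|$)' "$1"
}

# exact_ip_refs <dir> <ipv4>
# Lists lines that mention exactly <ipv4>. A plain "grep 10.7.7.1" would
# also hit 10.7.7.10 and 10.7.7.12, because the dots match any character
# and the address is a prefix of longer ones.
exact_ip_refs() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -rnE "(^|[^0-9.])${ip_re}([^0-9]|\$)" "$1"
}

# audit <dir> <old-nginx-ip>
# Prints both finding lists; returns 0 only when no insecure curl call
# remains. IP references are listed for manual review because some of them
# (host.docker.internal, webrtc-sfu) are meant to keep the old address.
audit() {
    echo "== references to $2 (review each) =="
    exact_ip_refs "$1" "$2" || echo "none"
    echo "== curl calls without certificate verification =="
    if insecure_curl "$1"; then
        return 1
    fi
    echo "none"
}

# Usage from the bbb-docker checkout:
#   audit mod 10.7.7.1
```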
Launch BigBlueButton
$ docker compose up -d
Create a temporary administrator account to log in with administrator privileges.
$ docker compose exec greenlight bundle exec rake admin:create
User account was created successfully!
Name: Administrator
Email: [email protected]
Password: Administrator1!
Role: Administrator
Log in with the above temporary administrator account (email address and password).
Create a legitimate administrator after logging in and then log out.
Log in as a legitimate administrator (email activation required).
After logging in, delete the temporary administrator and create a meeting room.
Conference Room View
Microphone and video functionality check, screen sharing, recording feature check.
Screen sharing, camera, and microphone functionality check.
Recording list (Confirm Playback)
Check on Android (Screen Sharing)
Collabora View