fix: allow using sfu in the same domain

BreadGenie · BreadGenie · commit 2bba87facda2 · 2026-04-24T16:12:36.000+05:30
diff --git a/deploy/.env.example b/deploy/.env.example
@@ -9,12 +9,10 @@
 # ==============================================================================
 
 # === Domain & SSL =============================================================
-# Main domain for the Frappe Meet app (A record must point to this server).
+# Domain for Frappe Meet (A record must point to this server).
+# The SFU is served at https://DOMAIN/sfu/ — no separate subdomain needed.
 DOMAIN=meet.example.com
 
-# Subdomain for the SFU server (A record must point to this server).
-SFU_DOMAIN=sfu.meet.example.com
-
 # Email for Let's Encrypt certificate notifications.
 SSL_EMAIL=admin@example.com
 
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
@@ -96,7 +96,7 @@ check_env() {
     local errors=false
 
     # Required fields
-    for var in DOMAIN SFU_DOMAIN SSL_EMAIL DB_ROOT_PASSWORD DB_PASSWORD ADMIN_PASSWORD SITE_NAME; do
+    for var in DOMAIN SSL_EMAIL DB_ROOT_PASSWORD DB_PASSWORD ADMIN_PASSWORD SITE_NAME; do
         if [ -z "${!var:-}" ]; then
             err "$var must be set in .env"
             errors=true
@@ -122,8 +122,8 @@ check_env() {
     fi
 
     ok "DOMAIN = $DOMAIN"
-    ok "SFU_DOMAIN = $SFU_DOMAIN"
     ok "WEBRTC_ANNOUNCED_IP = $WEBRTC_ANNOUNCED_IP"
+    ok "SFU served at https://$DOMAIN/sfu/"
     ok "Configuration is valid"
 }
 
@@ -185,7 +185,7 @@ cmd_setup() {
     fi
 
     # Set SFU config on site
-    run_bench --site "$SITE_NAME" set-config sfu_server_url "https://$SFU_DOMAIN"
+    run_bench --site "$SITE_NAME" set-config sfu_server_url "https://$DOMAIN/sfu"
     run_bench --site "$SITE_NAME" set-config sfu_secret "$SFU_SECRET"
     ok "SFU configuration applied"
 
@@ -210,7 +210,7 @@ cmd_setup() {
     echo ""
     header "Setup complete!"
     ok "Meet is live at https://$DOMAIN"
-    ok "SFU is running at https://$SFU_DOMAIN"
+    ok "SFU endpoint: https://$DOMAIN/sfu/"
     info "Login: Administrator / <your ADMIN_PASSWORD>"
     echo ""
 }
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
@@ -148,7 +148,6 @@ services:
       - certbot-certs:/etc/letsencrypt:ro
     environment:
       DOMAIN: ${DOMAIN}
-      SFU_DOMAIN: ${SFU_DOMAIN}
       FRAPPE_UPSTREAM: frappe-frontend:8080
       SFU_UPSTREAM: ${WEBRTC_ANNOUNCED_IP:-127.0.0.1}:${SFU_PORT:-3000}
     depends_on:
diff --git a/deploy/nginx/certbot-init.sh b/deploy/nginx/certbot-init.sh
@@ -21,8 +21,8 @@ set -a
 source "$DEPLOY_DIR/.env"
 set +a
 
-if [ -z "${DOMAIN:-}" ] || [ -z "${SFU_DOMAIN:-}" ]; then
-    echo "[-] DOMAIN and SFU_DOMAIN must be set in .env"
+if [ -z "${DOMAIN:-}" ]; then
+    echo "[-] DOMAIN must be set in .env"
     exit 1
 fi
 
@@ -31,7 +31,7 @@ if [ -z "${SSL_EMAIL:-}" ]; then
     exit 1
 fi
 
-echo "[*] Provisioning SSL certificates for: $DOMAIN, $SFU_DOMAIN"
+echo "[*] Provisioning SSL certificate for: $DOMAIN"
 echo "[*] Registration email: $SSL_EMAIL"
 echo ""
 
@@ -72,20 +72,18 @@ echo "▶ Starting nginx for ACME challenge..."
 $COMPOSE_CMD up -d nginx
 sleep 3
 
-# Step 3: Request certificates
-for CERT_DOMAIN in "$DOMAIN" "$SFU_DOMAIN"; do
-    echo "▶ Requesting certificate for $CERT_DOMAIN..."
-    $COMPOSE_CMD \
-        run --rm --entrypoint certbot certbot \
-        certonly \
-        --webroot \
-        --webroot-path=/var/www/certbot \
-        --email "$SSL_EMAIL" \
-        --agree-tos \
-        --no-eff-email \
-        --force-renewal \
-        -d "$CERT_DOMAIN"
-done
+# Step 3: Request certificate
+echo "▶ Requesting certificate for $DOMAIN..."
+$COMPOSE_CMD \
+    run --rm --entrypoint certbot certbot \
+    certonly \
+    --webroot \
+    --webroot-path=/var/www/certbot \
+    --email "$SSL_EMAIL" \
+    --agree-tos \
+    --no-eff-email \
+    --force-renewal \
+    -d "$DOMAIN"
 
 # Step 4: Restore real nginx config
 if [ -f "$BACKUP_CONF" ]; then
diff --git a/deploy/nginx/templates/default.conf.template b/deploy/nginx/templates/default.conf.template
@@ -2,7 +2,11 @@
 # Frappe Meet — Nginx Configuration
 # ==============================================================================
 # Variables substituted at container start by nginx:alpine entrypoint:
-#   $DOMAIN, $SFU_DOMAIN, $FRAPPE_UPSTREAM, $SFU_UPSTREAM
+#   $DOMAIN, $FRAPPE_UPSTREAM, $SFU_UPSTREAM
+#
+# Routing:
+#   https://DOMAIN/sfu/    → SFU server (path prefix stripped)
+#   https://DOMAIN/        → Frappe
 # ==============================================================================
 
 map $http_upgrade $connection_upgrade {
@@ -14,7 +18,7 @@ map $http_upgrade $connection_upgrade {
 server {
     listen 80;
     listen [::]:80;
-    server_name ${DOMAIN} ${SFU_DOMAIN};
+    server_name ${DOMAIN};
 
     location /.well-known/acme-challenge/ {
         root /var/www/certbot;
@@ -25,7 +29,7 @@ server {
     }
 }
 
-# ── HTTPS: Frappe Meet ───────────────────────────────────────────────────────
+# ── HTTPS ────────────────────────────────────────────────────────────────────
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
@@ -43,40 +47,11 @@ server {
 
     client_max_body_size 50m;
 
-    location / {
-        proxy_pass http://${FRAPPE_UPSTREAM};
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_read_timeout 120s;
-        proxy_send_timeout 120s;
-        proxy_buffering off;
-    }
-}
-
-# ── HTTPS: SFU Server ────────────────────────────────────────────────────────
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    server_name ${SFU_DOMAIN};
-
-    ssl_certificate     /etc/letsencrypt/live/${SFU_DOMAIN}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${SFU_DOMAIN}/privkey.pem;
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_prefer_server_ciphers off;
-    ssl_session_cache shared:SFU_SSL:10m;
-    ssl_session_timeout 1d;
-    ssl_session_tickets off;
-
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-
-    # Socket.IO / WebSocket
-    location /socket.io/ {
-        proxy_pass http://${SFU_UPSTREAM};
+    # ── SFU Server (path-based routing, prefix stripped) ──────────────────
+    # /sfu/socket.io/... → SFU socket.io
+    # /sfu/health        → SFU health check
+    location /sfu/ {
+        proxy_pass http://${SFU_UPSTREAM}/;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
@@ -89,25 +64,18 @@ server {
         proxy_buffering off;
     }
 
-    # HTTP API & Health
+    # ── Frappe (everything else) ──────────────────────────────────────────
     location / {
-        proxy_pass http://${SFU_UPSTREAM};
+        proxy_pass http://${FRAPPE_UPSTREAM};
         proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade;
-        proxy_read_timeout 86400s;
-        proxy_send_timeout 86400s;
+        proxy_read_timeout 120s;
+        proxy_send_timeout 120s;
         proxy_buffering off;
     }
-
-    location = /health {
-        proxy_pass http://${SFU_UPSTREAM}/health;
-        proxy_http_version 1.1;
-        proxy_set_header Host $host;
-        access_log off;
-    }
 }
diff --git a/frontend/src/utils/sfu-client.js b/frontend/src/utils/sfu-client.js
@@ -120,27 +120,30 @@ class SFUClient {
 		};
 	}
 
-	async getSFUEndpoint() {
+	getSFUEndpoint() {
 		const { sfuUrl, sfuPort } = this.connectionDetails;
 
-		let sfuEndpoint;
 		const urlObj = new URL(sfuUrl);
 		const isSecured = urlObj.protocol === "https:";
 
-		if (isSecured) {
-			sfuEndpoint = urlObj.origin;
-		} else {
-			sfuEndpoint = `${urlObj.protocol}//${urlObj.hostname}:${sfuPort}`;
-		}
+		const origin = isSecured
+			? urlObj.origin
+			: `${urlObj.protocol}//${urlObj.hostname}:${sfuPort}`;
+
+		// If the URL has a pathname (e.g. /sfu), use it as the socket.io path prefix.
+		// Otherwise fall back to the default /socket.io/.
+		const basePath = urlObj.pathname.replace(/\/$/, ""); // strip trailing slash
+		const socketPath = basePath ? `${basePath}/socket.io` : "/socket.io";
 
-		return sfuEndpoint;
+		return { origin, socketPath };
 	}
 
 	async establishSocketConnection() {
-		const sfuEndpoint = await this.getSFUEndpoint();
+		const { origin, socketPath } = this.getSFUEndpoint();
 		const { authToken } = this.connectionDetails;
 
-		this.socket = io(sfuEndpoint, {
+		this.socket = io(origin, {
+			path: socketPath,
 			auth: { token: authToken },
 			reconnection: true,
 			reconnectionAttempts: 5,
@@ -167,7 +170,8 @@ class SFUClient {
 					description: error.description,
 					context: error.context,
 					type: error.type,
-					endpoint: sfuEndpoint,
+					endpoint: origin,
+					path: socketPath,
 				});
 				this.connected = false;
 				reject(new Error(`SFU connection failed: ${error.message || error}`));
