How to deploy Camus on Raspberry Pi with Ubuntu Server¶
You can run Camus on a Raspberry Pi, which is useful if you want to set up a private Camus server on your local network. This is a step-by-step guide to help you install and configure all the necessary software.
If you haven’t already, the first thing to do is install Ubuntu Server on your Raspberry Pi. It’s recommended to use 20.04, which is the latest Long Term Support release. You can follow this tutorial to guide you through flashing your SD card and configuring Ubuntu for network access.
Install Camus¶
SSH into your Raspberry Pi, or open a terminal there, and install the Camus Snap package from the Snap Store:
$ sudo snap install camus
You can check the logs to verify that the Camus server is running:
$ sudo snap logs camus
2021-02-04T18:39:28Z systemd[1]: Started Service for snap application camus.camus.
2021-02-04T18:39:30Z camus.camus[55076]: [2021-02-04 18:39:30 +0000] [55076] [INFO] Running on http://127.0.0.1:5000 (CTRL + C to quit)
2021-02-04T18:39:30Z camus.camus[55076]: [INFO] in logging info 87: Running on http://127.0.0.1:5000 (CTRL + C to quit)
Change the hostname (optional)¶
Later, we will use the hostname as part of the URL to access Camus from a web
browser. For a clean Ubuntu Server installation the hostname is ubuntu.
While it’s fine to keep the default, you’ll probably want to use a custom name
to make it easier for users to remember the server URL.
In this tutorial, we will set our hostname to camus, which can be done with
the hostnamectl command:
$ sudo hostnamectl set-hostname camus
Reboot the Pi for the change to take effect:
$ sudo shutdown -r now
Note: Depending on your local network configuration and DNS settings, you may need to add an entry to the /etc/hosts file on other machines which use the hostname to communicate with the Camus server.
Install and configure Nginx¶
Nginx is a reverse-proxy that will allow us to forward connections from a public port on the Raspberry Pi to the Camus server.
Install Nginx on the Pi:
$ sudo apt install nginx
Next, we need to add some configuration to tell Nginx to act as a proxy for
Camus. Create a new file at /etc/nginx/conf.d/camus.conf and open it with
your preferred editor:
$ sudo touch /etc/nginx/conf.d/camus.conf
$ sudo nano /etc/nginx/conf.d/camus.conf
Copy the following into the file and save it. Note that the value for
server_name should match the hostname of the Pi.
upstream camus_upstream {
ip_hash; # websocket connections need a constant server
server localhost:5000;
}
server {
server_name camus;
listen 80;
location / {
proxy_pass http://camus_upstream;
proxy_http_version 1.1;
}
# Settings required for websockets
location ~ ^/room/(?<room_id>.+)/ws {
proxy_pass http://camus_upstream/room/$room_id/ws;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 300;
proxy_send_timeout 300;
}
}
After saving the file, it’s a good idea to check the configuration for errors:
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
After validating the configuration, restart Nginx and check that it is running successfully:
$ sudo service nginx restart
$ sudo service nginx status
If everything went as planned, you should now be able to access the Camus
server from the network. Open a web browser from another machine on the same
network as the Pi and navigate to http://camus/ (or http://<hostname>/
where <hostname> is your Pi’s hostname). The Camus landing page should load.
Generate SSL certificates¶
At this point, the Camus server should be running on your Pi and accessible from other machines on the network. However, most web browsers require sites to use HTTPS for webcam and microphone access. To satisfy this requirement, we’ll need to obtain an SSL certificate and configure Nginx to use it.
Since our server should be exposed only to the local network (and not available publicly on the Internet), we’ll create our own self-signed certificates. This will consist of several steps, namely:
Create our own Certificate Authority (CA). Later we can add our CA’s public certificate to a web browser so that the browser trusts any certificates signed by our CA.
Create a Certificate Signing Request (CSR) and private key for our server.
Use our CA to generate and sign a server certificate based on the CSR.
Create a self-signed CA certificate and private key:
$ openssl req \
-x509 \
-newkey rsa:4096 -nodes -keyout ca.key \
-new -out ca.crt
Create a server CSR and private key (replace “camus” with your hostname):
$ openssl req \
-subj "/CN=camus" \
-addext "subjectAltName = DNS:camus" \
-newkey rsa:2048 -nodes -keyout camus.key \
-out camus.csr
Create a server certificate and sign it with our CA (replace “camus” with your hostname):
$ openssl x509 -req \
-days 365 \
-extfile <(printf "subjectAltName=DNS:camus") \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in camus.csr \
-out camus.crt
Move the server certificate and key:
$ sudo mv camus.crt /etc/ssl/certs/camus.crt
$ sudo mv camus.key /etc/ssl/private/camus.key
Security warning: Keep your private keys safe and don’t share them with anyone. If an attacker gains access to your CA private key, they could use it to sign SSL certificates and trick any browser that trusts your CA to also trust a malicious website.
Security warning: This section only provides the minimal setup necessary to get your Camus server up and running. For best practices around managing CA and SSL certificates, see a more complete guide such as OpenSSL Certificate Authority or the OpenSSL PKI Tutorial.
Configure Nginx to use SSL¶
Now that we have SSL certificates, we need to configure Nginx to use them to
establish secure HTTPS connections. Update /etc/nginx/conf.d/camus.conf
(again, the value for server_name should be the Pi’s hostname):
upstream camus_upstream {
ip_hash; # websocket connections need a constant server
server localhost:5000;
}
server {
server_name camus;
listen 80;
location / {
# Redirect to use HTTPS
return 301 https://$host$request_uri;
}
}
server {
server_name camus;
listen 443 ssl;
# SSL configuration
ssl_certificate /etc/ssl/certs/camus.crt;
ssl_certificate_key /etc/ssl/private/camus.key;
ssl_protocols TLSv1.2 TLSv1.3;
location / {
proxy_pass http://camus_upstream;
proxy_http_version 1.1;
}
# Settings required for websockets
location ~ ^/chat/(?<room_id>.+)/ws {
# These settings are needed for websockets
proxy_pass http://camus_upstream/chat/$room_id/ws;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 300;
proxy_send_timeout 300;
}
}
After saving the file, validate the configuration and restart nginx:
$ sudo nginx -t
$ sudo service nginx restart
Configure the firewall (optional)¶
For security, it’s a good idea to set up a firewall so that only the necessary ports from your Pi are exposed to the network. For a basic Camus server, we’ll want to make ports 22, 80, and 443 available for SSH, HTTP, and HTTPS traffic, respectively:
$ sudo ufw allow 22,80,443/tcp
$ sudo ufw enable
Verify that the firewall is configured correctly:
$ sudo ufw status
Install the CA certificate in your web browser¶
The final step is to add the CA public certificate to any web browsers that you
want to access Camus with. Adding a CA certificate tells the browser to trust
certificates signed by that CA (in our case, the server certificate used by
Nginx). In your web browser settings, import the ca.crt file created earlier
and restart your browser. You should then be able to access your Camus site
and use your camera and microphone without security errors.
In Chromium-family browsers:
Settings > Privacy and security > Security > Manage certificates > Authorities > Import
In Firefox:
Preferences > Privacy & Security > View Certificates > Authorities > Import
Other resources¶
Camus Discussions: for questions and general discussion about Camus
OpenSSL Essentials (DigitalOcean)
Configuring HTTPS Servers (Nginx)
Server Side TLS (Mozilla)
