Danger

TVIP TMS Pro requires valid SSL certificates to be installed and used on both the TMS and the video servers.

Configuration of the TVIP TMS frontend

The standard tvip-tms-standalone package uses nginx as the frontend server.

  • file /etc/nginx/sites-enabled/tvip-tms-bundle.conf - the nginx virtual server file; it needs editing only for Pro versions and when SSL connections are required.

  • file /etc/nginx/tvip/tvip-tms-upstreams.conf - tvip-tms configuration file; do not edit it, it is overwritten by the tvip-tms-standalone package.

  • file /etc/nginx/tvip/tvip-tms-locations.conf - tvip-tms configuration file; do not edit it, it is overwritten by the tvip-tms-standalone package.

The virtual server configuration contains two include directives, which pull in the TVIP TMS configuration and define the behavior of the virtual server for particular locations. All logic is based on proxying requests to the corresponding microservices.

Danger

The files tvip-tms-upstreams.conf and tvip-tms-locations.conf can be updated by the installer; editing them can render TMS inoperable.

The endpoints for connecting external systems are described below:

Web interfaces

  • The admin web interface is available at http://tms.example.com/admin and uses the private Admin API.

  • The Provider web interface is available at http://tms.example.com/provider and uses the public Provider API.

  • The web interface of the client web application for PC is available at https://tms.example.com/web-player/. It uses the public TVIP API and cannot be used without an SSL certificate.

Public APIs:

  • Provider API is located at http://tms.example.com/api/provider; it is used by the Provider web interface and is designed primarily for integration with the service provider's billing.

  • Stat API is located at http://tms.example.com/api/stats and can be used by billing, analysis software and other tools to collect and analyze statistics.

  • The TVIP API is available at http://tms.example.com/tvipapi, and it’s used by all client devices.

Built-in documentation for public APIs:

  • Documentation for Provider API is located at http://tms.example.com/provider/swagger-ui.html.

  • Documentation for Stat API is located at http://tms.example.com/api/stats/swagger-ui/index.html.

Configuring SSL in nginx

The default configuration of the nginx virtual server is shown below:

include /etc/nginx/tvip/tvip-tms-upstreams.conf;

log_format  log-tms-main  '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" "$request_id" ';

server {
  listen       80;
  server_name  localhost;

  # SSL configuration
  #
  listen 443 ssl default_server;

  ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
  ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

  error_log  /var/log/nginx/tvip-tms.error.log warn;
  access_log  /var/log/nginx/tvip-tms.access.log  log-tms-main;

  proxy_headers_hash_max_size 1024;
  proxy_headers_hash_bucket_size 128;

  include /etc/nginx/tvip/tvip-tms-locations.conf;
}

Using commercial certificates

The certificate set consists of a root certificate, an intermediate certificate and a certificate for the domain. If your SSL provider has provided a bundle.crt file, you can go straight to configuring nginx. Otherwise, you will need to merge the three certificate types into one file.

Creating bundle.crt

You should have three files: root.crt (root certificate), intermediate.crt (intermediate certificate) and your_domain.crt (the certificate for your domain). Copy them, together with the private key file your_domain.key, to an arbitrary directory on your server where you want to store them.

Merge the certificate files into one crt file with the following command. nginx expects the server certificate first, followed by the intermediate and then the root certificate:

# server certificate first, then the chain: nginx pairs the first certificate with the key
cat your_domain.crt intermediate.crt root.crt > bundle.crt

In some cases the Certification Authority sends an archive in which the intermediate and root certificates are already merged into one file. If so, merge it with your domain certificate using the following commands:

# write to a new file first: "cat bundle.crt your_domain.crt > bundle.crt" truncates
# bundle.crt before cat reads it and leaves only the domain certificate behind
cat your_domain.crt bundle.crt > bundle_full.crt
mv bundle_full.crt bundle.crt

After that, copy the certificates to the server and change the paths in the nginx configuration file:

ssl_certificate /etc/ssl/bundle.crt;
ssl_certificate_key /etc/ssl/your_domain.key;

Now you can check that nginx is configured correctly with the command:

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If everything is correct, reload nginx with the command:

nginx -s reload
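A preflight script for the bundle built in this section, added here as an example; it is not part of the TVIP TMS documentation. It uses the page's file names (your_domain.crt, intermediate.crt, root.crt, your_domain.key, bundle.crt) and function names of its own. It assembles the bundle with the server certificate first, writes through a temporary file so that rebuilding a bundle in place cannot truncate its own input, and then checks three things before the paths go into the nginx configuration: the bundle starts with the server certificate, the private key belongs to that certificate, and the chain verifies (a missing intermediate is something browsers reject but nginx -t does not report).

```shell
#!/bin/sh
# Added example; it is not part of the TVIP TMS documentation. File names
# follow the page (your_domain.crt, intermediate.crt, root.crt,
# your_domain.key, bundle.crt); the function names are this example's own.

# Print the first PEM certificate block of a file and nothing else.
first_cert_block() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# Number of PEM certificate blocks in a file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_bundle OUT LEAF [CHAIN...]: concatenate LEAF and the chain files into
# OUT, leaf first. The result goes to a temporary file and is then moved into
# place, so OUT may also be one of the inputs: a plain
# "cat bundle.crt your_domain.crt > bundle.crt" truncates bundle.crt before
# cat gets to read it and leaves only the domain certificate behind.
build_bundle() {
    out=$1; shift
    tmp="$out.tmp.$$"
    cat "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"
}

# bundle_starts_with BUNDLE LEAF: succeed if the first certificate in BUNDLE
# is the server certificate, which is the one nginx pairs with the key.
bundle_starts_with() {
    [ "$(first_cert_block "$1")" = "$(first_cert_block "$2")" ]
}

# key_matches_cert CERT KEY: succeed if the private key belongs to the first
# certificate in CERT (both sides are reduced to their public key).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# verify_chain BUNDLE: check that the first certificate chains up through the
# remaining ones (plus the system trust store) to a trusted root. This
# catches a missing or wrong intermediate; the order of the file is caught
# by the two checks above, because the key never matches a root or
# intermediate certificate.
verify_chain() {
    leaf=$(mktemp) && chain=$(mktemp) || return 1
    first_cert_block "$1" > "$leaf"
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n >= 2 { print }' "$1" > "$chain"
    openssl verify -CAfile "$chain" "$leaf" >/dev/null 2>&1
    rc=$?
    rm -f "$leaf" "$chain"
    return $rc
}

# preflight LEAF KEY BUNDLE: run every check; exit status 0 means the bundle
# and key can go into ssl_certificate / ssl_certificate_key.
preflight() {
    bundle_starts_with "$3" "$1" || { echo "$3 does not start with $1" >&2; return 1; }
    key_matches_cert "$3" "$2"   || { echo "$2 does not match the certificate in $3" >&2; return 1; }
    verify_chain "$3"            || { echo "certificate chain in $3 does not verify" >&2; return 1; }
    echo "ok: $(count_certs "$3") certificate(s) in $3, server certificate first, key matches"
}

# Usage with the page's file names (then "nginx -t" and "nginx -s reload"):
#   build_bundle bundle.crt your_domain.crt intermediate.crt root.crt
#   build_bundle bundle.crt your_domain.crt bundle.crt   # CA-supplied chain file
#   preflight your_domain.crt your_domain.key bundle.crt
```

Run it from the directory holding the certificate files; a non-zero status from preflight means the bundle should not be deployed, and the message on stderr names the failing check.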

Using Let's Encrypt

Installing Certbot

apt install certbot python3-certbot-nginx

Setting up and registering with Certbot

certbot register --agree-tos -m name@domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n

Getting a Let’s Encrypt certificate

certbot --nginx -d tms.example.com
  • tms.example.com - your domain name

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for tms.example.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/tvip-tms-bundle.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

When the wizard asks, enter 2 (Redirect).

Check that the certbot renewal timer is running:

systemctl status certbot.timer

Using the ZeroSSL service

To obtain the certificate you will need to install the acme.sh utility.

Execute the installation command:

curl https://get.acme.sh | sh

Register an account at ZeroSSL:

acme.sh --register-account -m user@mail.com --server zerossl

Obtaining a certificate:

acme.sh --issue --nginx -m user@mail.com -d tms.example.com --server zerossl
-----END CERTIFICATE-----
[Thu Mar 16 12:50:32 UTC 2023] Your cert is in: /root/.acme.sh/tms.example.com_ecc/tms.example.com.cer
[Thu Mar 16 12:50:32 UTC 2023] Your cert key is in: /root/.acme.sh/tms.example.com_ecc/tms.example.com.key
[Thu Mar 16 12:50:32 UTC 2023] The intermediate CA cert is in: /root/.acme.sh/tms.example.com_ecc/ca.cer
[Thu Mar 16 12:50:32 UTC 2023] And the full chain certs is there: /root/.acme.sh/tms.example.com_ecc/fullchain.cer
  • --nginx - type of web server

  • tms.example.com - domain name for which we obtain the certificate

Copy the obtained certificates into place with the command below. Do not point nginx at the certificate files in the ~/.acme.sh/ folder: they are for acme.sh's internal use only and the folder structure may change in the future.

acme.sh --install-cert -d tms.example.com --key-file /etc/ssl/tms.example.com.key --fullchain-file /etc/ssl/fullchain.cer --reloadcmd "service nginx force-reload"
[Thu Mar 16 13:37:14 UTC 2023] The domain 'tms.example.com' seems to have a ECC cert already, lets use ecc cert.
[Thu Mar 16 13:37:14 UTC 2023] Installing key to: /etc/ssl/tms.example.com.key
[Thu Mar 16 13:37:14 UTC 2023] Installing full chain to: /etc/ssl/fullchain.cer
[Thu Mar 16 13:37:14 UTC 2023] Run reload cmd: service nginx force-reload
[Thu Mar 16 13:37:14 UTC 2023] Reload success

Please be careful: the reloadcmd option is very important. acme.sh renews the certificate automatically, but without a correct reloadcmd nginx keeps serving the old certificate after the renewal at 60 days.

After that, specify the paths to the certificates in the nginx settings:

server_name         tms.example.com;
ssl_certificate     /etc/ssl/fullchain.cer;
ssl_certificate_key /etc/ssl/tms.example.com.key;

Now you can check that nginx is configured correctly with the command:

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If everything is correct, reload nginx with the command:

nginx -s reload

Your TMS server is now available at https://tms.example.com.
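A post-renewal check that covers both the certbot.timer step and the reloadcmd warning above, added here as an example; it is not part of the TVIP TMS documentation, nor of certbot or acme.sh. certbot and acme.sh renew the certificate on disk by themselves; what the renewal cannot prove is that nginx was reloaded and is serving the renewed file. The helpers below compare the certificate nginx actually presents on port 443 with the file named in ssl_certificate, and flag a certificate that is close to expiry. The host name and the /etc/ssl paths are the page's; the /etc/letsencrypt/live/... path is certbot's default layout; the function names are this example's own.

```shell
#!/bin/sh
# Added example; it is not part of the TVIP TMS documentation. Host name and
# /etc/ssl paths are the page's; /etc/letsencrypt/live/... is certbot's
# default layout; the function names are this example's own.

# SHA-256 fingerprint of the first certificate in a PEM file, as upper-case
# colon-separated hex (OpenSSL 1.1 and 3 differ only in the label, which is
# stripped here).
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# Fingerprint of the certificate HOST presents for its own name (SNI) on PORT.
served_fingerprint() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# expires_within CERT SECONDS: succeed if the certificate expires within
# SECONDS from now. "openssl x509 -checkend" exits 0 only when the
# certificate is still valid after that time, so its status is inverted; an
# unreadable file also counts as expiring (fail closed).
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# renewal_check HOST CERT [PORT]: 0 when HOST serves exactly the certificate
# in CERT and it has more than 30 days left; 1 on a mismatch (renewed on
# disk but nginx not reloaded, or the wrong file in ssl_certificate) or when
# the renewal is overdue; 2 when nothing could be compared.
renewal_check() {
    host=$1; cert=$2; port=${3:-443}
    disk=$(file_fingerprint "$cert")
    [ -n "$disk" ] || { echo "cannot read a certificate from $cert" >&2; return 2; }
    live=$(served_fingerprint "$host" "$port")
    [ -n "$live" ] || { echo "no certificate received from $host:$port" >&2; return 2; }
    if [ "$disk" != "$live" ]; then
        echo "MISMATCH: $host:$port serves $live but $cert is $disk; reload nginx" >&2
        return 1
    fi
    # Let's Encrypt and ZeroSSL certificates are valid for 90 days and are
    # renewed around day 60, so under 30 days left means renewal did not happen.
    if expires_within "$cert" $((30 * 86400)); then
        echo "WARNING: $cert expires within 30 days; check certbot.timer or the acme.sh cron job" >&2
        return 1
    fi
    echo "ok: $host:$port serves $cert ($disk)"
}

# Usage:
#   renewal_check tms.example.com /etc/ssl/fullchain.cer                               # acme.sh, paths from the page
#   renewal_check tms.example.com /etc/letsencrypt/live/tms.example.com/fullchain.pem  # certbot default layout
```

Running renewal_check from cron a day after each expected renewal turns the reloadcmd problem from something noticed when clients start failing into a logged warning; the exit codes are distinct so a monitoring job can tell "not reloaded" from "could not check".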