This page may be out of date. Please see the tutorial in the official documentation instead.
You can run Camus on a Raspberry Pi, which is useful if you want to set up a private Camus server on your local network. This is a step-by-step guide to help you install and configure all the necessary software.
If you haven't already, the first thing to do is install Ubuntu Server on your Raspberry Pi. It's recommended to use 20.04, which is the latest Long Term Support release. You can follow this tutorial to guide you through flashing your SD card and configuring Ubuntu for network access.
SSH into your Raspberry Pi, or open a terminal there, and install the Camus Snap package from the Snap Store:
$ sudo snap install camus
You can check the logs to verify that the Camus server is running:
$ sudo snap logs camus
2021-02-04T18:39:28Z systemd[1]: Started Service for snap application camus.camus.
2021-02-04T18:39:30Z camus.camus[55076]: [2021-02-04 18:39:30 +0000] [55076] [INFO] Running on http://127.0.0.1:5000 (CTRL + C to quit)
2021-02-04T18:39:30Z camus.camus[55076]: [INFO] in logging info 87: Running on http://127.0.0.1:5000 (CTRL + C to quit)
Later, we will use the hostname as part of the URL to access Camus from
a web browser. For a clean Ubuntu Server installation the hostname is
ubuntu
. While it's fine to keep the default, you'll probably want to
use a custom name to make it easier for users to remember the server
URL.
In this tutorial, we will set our hostname to camus
, which can be done
with the hostnamectl
command:
$ sudo hostnamectl set-hostname camus
Reboot the Pi for the change to take effect:
$ sudo shutdown -r now
Nginx is a reverse-proxy that will allow us to forward connections from a public port on the Raspberry Pi to the Camus server.
Install Nginx on the Pi:
$ sudo apt install nginx
Next, we need to add some configuration to tell Nginx to act as a proxy
for Camus. Create a new file at /etc/nginx/conf.d/camus.conf
and open
it with your preferred editor:
$ sudo touch /etc/nginx/conf.d/camus.conf
$ sudo nano /etc/nginx/conf.d/camus.conf
Copy the following into the file and save it. Note that the value for
server_name
should match the hostname of the Pi.
upstream camus_upstream {
ip_hash; # websocket connections need a constant server
server localhost:5000;
}
server {
server_name camus;
listen 80;
location / {
proxy_pass http://camus_upstream;
proxy_http_version 1.1;
}
# Settings required for websockets
location ~ ^/chat/(?<room_id>.+)/ws {
proxy_pass http://camus_upstream/chat/$room_id/ws;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 300;
proxy_send_timeout 300;
}
}
After saving the file, it's a good idea to check the configuration for errors:
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
After validating the configuration, restart Nginx and check that it is running successfully:
$ sudo service nginx restart
$ sudo service nginx status
If everything went as planned, you should now be able to access the
Camus server from the network. Open a web browser from another machine
on the same network as the Pi and navigate to http://camus/
(or
http://<hostname>/
where <hostname>
is your Pi's hostname). The
Camus landing page should load.
At this point, the Camus server should be running on your Pi and accessible from other machines on the network. However, most web browsers require sites to use HTTPS for webcam and microphone access. To satisfy this requirement, we'll need to obtain an SSL certificate and configure Nginx to use it.
Since our server should be exposed only to the local network (and not available publicly on the Internet), we'll create our own self-signed certificates. This will consist of several steps, namely:
- Create our own Certificate Authority (CA). Later we can add our CA's public certificate to a web browser so that the browser trusts any certificates signed by our CA.
- Create a Certificate Signing Request (CSR) and private key for our server.
- Use our CA to generate and sign a server certificate based on the CSR.
Create a self-signed CA certificate and private key:
$ openssl req \
-x509 \
-newkey rsa:4096 -nodes -keyout ca.key \
-new -out ca.crt
Create a server CSR and private key (replace "camus" with your hostname):
$ openssl req \
-subj "/CN=camus" \
-addext "subjectAltName = DNS:camus" \
-newkey rsa:2048 -nodes -keyout camus.key \
-out camus.csr
Create a server certificate and sign it with our CA (replace "camus" with your hostname):
$ openssl x509 -req \
-days 365 \
-extfile <(printf "subjectAltName=DNS:camus") \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in camus.csr \
-out camus.crt
Move the server certificate and key:
$ sudo mv camus.crt /etc/ssl/certs/camus.crt
$ sudo mv camus.key /etc/ssl/private/camus.key
Security warning: Keep your private keys safe and don't share them with anyone. If an attacker gains access to your CA private key, they could use it to sign SSL certificates and trick any browser that trusts your CA to also trust a malicious website.
Security warning: This section only provides the minimal setup necessary to get your Camus server up and running. For best practices around managing CA and SSL certificates, see a more complete guide such as OpenSSL Certificate Authority or the OpenSSL PKI Tutorial.
Now that we have SSL certificates, we need to configure Nginx to use
them to establish secure HTTPS connections. Update
/etc/nginx/conf.d/camus.conf
(again, the value for server_name
should be the Pi's hostname):
upstream camus_upstream {
ip_hash; # websocket connections need a constant server
server localhost:5000;
}
server {
server_name camus;
listen 80;
location / {
# Redirect to use HTTPS
return 301 https://$host$request_uri;
}
}
server {
server_name camus;
listen 443 ssl;
# SSL configuration
ssl_certificate /etc/ssl/certs/camus.crt;
ssl_certificate_key /etc/ssl/private/camus.key;
ssl_protocols TLSv1.2 TLSv1.3;
location / {
proxy_pass http://camus_upstream;
proxy_http_version 1.1;
}
# Settings required for websockets
location ~ ^/chat/(?<room_id>.+)/ws {
# These settings are needed for websockets
proxy_pass http://camus_upstream/chat/$room_id/ws;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 300;
proxy_send_timeout 300;
}
}
After saving the file, validate the configuration and restart nginx:
$ sudo nginx -t
$ sudo service nginx restart
For security, it's a good idea to set up a firewall so that only the necessary ports from your Pi are exposed to the network. For a basic Camus server, we'll want to make ports 22, 80, and 443 available for SSH, HTTP, and HTTPS traffic, respectively:
$ sudo ufw allow 22,80,443/tcp
$ sudo ufw enable
Verify that the firewall is configured correctly:
$ sudo ufw status
The final step is to add the CA public certificate to any web browsers
that you want to access Camus with. Adding a CA certificate tells the
browser to trust certificates signed by that CA (in our case, the server
certificate used by Nginx). In your web browser settings, import the
ca.crt
file created earlier and restart your browser. You should then
be able to access your Camus site and use your camera and microphone
without security errors.
- In Chromium-family browsers:
- Settings > Privacy and security > Security > Manage certificates > Authorities > Import
- In Firefox:
- Preferences > Privacy & Security > View Certificates > Authorities > Import
- Camus Discussions: for questions and general discussion about Camus
- Camus documentation
- OpenSSL Essentials (DigitalOcean)
- OpenSSL Certificate Authority
- OpenSSL PKI Tutorial
- Configuring HTTPS Servers (Nginx)
- Server Side TLS (Mozilla)