From 6248c9f93b91a257aefb35d0dd5fbc45e28160a6 Mon Sep 17 00:00:00 2001
From: chandi <git@chandi.it>
Date: Sat, 11 Apr 2020 10:43:25 +0200
Subject: [PATCH] close down lots of open ports

---
 docker-compose.yml | 11 +-
 mod/bbb-apps-akka/application.conf | 4 +-
 mod/bbb-fsesl-akka/application.conf | 45 ++++++++
 mod/core/bigbluebutton-sip.properties | 25 ++++
 mod/core/bigbluebutton.properties | 32 ++++++
 mod/core/red5.properties | 157 ++++++++++++++++++++++++++
 mod/freeswitch/acl.conf.xml | 49 ++++++++
 mod/freeswitch/event_socket.conf.xml | 4 +-
 mod/freeswitch/external.xml | 4 +-
 mod/freeswitch/vars.xml | 4 +-
 mod/nginx/bbb/sip.nginx | 2 +-
 11 files changed, 327 insertions(+), 10 deletions(-)
 create mode 100644 mod/bbb-fsesl-akka/application.conf
 create mode 100644 mod/core/bigbluebutton-sip.properties
 create mode 100644 mod/core/bigbluebutton.properties
 create mode 100644 mod/core/red5.properties
 create mode 100644 mod/freeswitch/acl.conf.xml

diff --git a/docker-compose.yml b/docker-compose.yml
index e0ef22f..2f215e7 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,6 +3,8 @@ version: '3.6'
 services:
   core:
     image: bbb-core
+    depends_on:
+      - redis
     cap_add:
       - SYS_NICE # for realtime scheduling
       - SYS_ADMIN # for systemd
@@ -20,11 +22,17 @@ services:
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro # for systemd
       - ./mod/core/entrypoint.sh:/entrypoint.sh
+      - ./mod/core/red5.properties:/usr/share/red5/conf/red5.properties
+      - ./mod/core/bigbluebutton.properties:/usr/share/red5/webapps/bigbluebutton/WEB-INF/bigbluebutton.properties
+      - ./mod/core/bigbluebutton-sip.properties:/usr/share/red5/webapps/sip/WEB-INF/bigbluebutton-sip.properties
       - ./mod/freeswitch/vars.xml:/opt/freeswitch/conf/vars.xml.tmpl
       - ./mod/freeswitch/external.xml:/opt/freeswitch/conf/sip_profiles/external.xml
+      - ./mod/freeswitch/acl.conf.xml:/opt/freeswitch/conf/autoload_configs/acl.conf.xml
+      - ./mod/freeswitch/event_socket.conf.xml:/opt/freeswitch/conf/autoload_configs/event_socket.conf.xml
       - ./mod/web/bigbluebutton.properties:/usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties.tmpl
       - ./mod/core/bigbluebutton.yml:/usr/local/bigbluebutton/core/scripts/bigbluebutton.yml
       - ./mod/bbb-apps-akka/application.conf:/usr/share/bbb-apps-akka/conf/application.conf.tmpl
+      - ./mod/bbb-fsesl-akka/application.conf:/etc/bbb-fsesl-akka/application.conf
     network_mode: host
 
   nginx:
@@ -95,7 +103,7 @@ services:
       FREESWITCH_IP: host.docker.internal
       FREESWITCH_SIP_IP: ${EXTERNAL_IP}
       ESL_IP: host.docker.internal
-      LOG_LEVEL: debug
+      LOG_LEVEL: info
       NODE_CONFIG: '{"kurento":[{"ip":"${EXTERNAL_IP}","url":"ws://kurento:8888/kurento"}]}'
     ports:
       - "127.0.0.1:3008:3008"
@@ -109,6 +117,7 @@ services:
     image: bbb-html5
     depends_on:
       - redis
+      - mongodb
       - etherpad
     environment:
       DOMAIN: ${DOMAIN}
diff --git a/mod/bbb-apps-akka/application.conf b/mod/bbb-apps-akka/application.conf
index d382847..9b6f0fe 100644
--- a/mod/bbb-apps-akka/application.conf
+++ b/mod/bbb-apps-akka/application.conf
@@ -28,7 +28,7 @@ akka {
 }
 
 redis {
-  host="127.0.0.1"
+  host="10.7.7.5"
   port=6379
   password=""
   # recording keys should expire in 14 days
@@ -65,7 +65,7 @@ sharedNotes {
 }
 
 http {
-  interface = "0.0.0.0"
+  interface = "10.7.7.1"
   port = 9999
 }
 
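Review bot: The new `host="10.7.7.5"` in the redis block (and `interface = "10.7.7.1"` in the http hunk below it) pins this service to literal addresses even though docker-compose.yml mounts this file as `application.conf.tmpl` and already hands `${EXTERNAL_IP}` to other services, so a template variable would fit the existing mechanism better than a hard-coded value. The same two addresses are repeated in this patch in bbb-fsesl-akka/application.conf, bigbluebutton.properties, bigbluebutton-sip.properties, red5.properties and vars.xml, so a single source of truth would stop one file drifting when the docker network changes. Presumably 10.7.7.0/24 is the compose bridge network, but nothing in the patch says so; a comment such as `# 10.7.7.5: redis on the compose bridge network, 10.7.7.1: the host side of it` at the first occurrence would help the next reader.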
diff --git a/mod/bbb-fsesl-akka/application.conf b/mod/bbb-fsesl-akka/application.conf
new file mode 100644
index 0000000..5a6b9e4
--- /dev/null
+++ b/mod/bbb-fsesl-akka/application.conf
@@ -0,0 +1,45 @@
+akka {
+  actor {
+    debug {
+      receive = on
+    }
+  }
+  loggers = ["akka.event.slf4j.Slf4jLogger"]
+  loglevel = "DEBUG"
+  stdout-loglevel = "DEBUG"
+
+  redis-subscriber-worker-dispatcher {
+    mailbox-type = "akka.dispatch.SingleConsumerOnlyUnboundedMailbox"
+    # Throughput defines the maximum number of messages to be
+    # processed per actor before the thread jumps to the next actor.
+    # Set to 1 for as fair as possible.
+    throughput = 512
+  }
+}
+
+
+freeswitch {
+  esl {
+    host="10.7.7.1"
+    port=8021
+    password="ClueCon"
+  }
+  conf {
+    profile="cdquality"
+  }
+}
+
+redis {
+  host="10.7.7.5"
+  port=6379
+  password=""
+  # recording keys should expire in 14 days
+  keyExpiry=1209600
+}
+
+http {
+  interface = "127.0.0.1"
+  interface = ${?INTERFACE}
+  port = 8900
+  port = ${?PORT}
+}
\ No newline at end of file
diff --git a/mod/core/bigbluebutton-sip.properties b/mod/core/bigbluebutton-sip.properties
new file mode 100644
index 0000000..2de5765
--- /dev/null
+++ b/mod/core/bigbluebutton-sip.properties
@@ -0,0 +1,25 @@
+# The ip and port the BBB SIP app is going to use
+bbb.sip.app.ip=127.0.0.1
+bbb.sip.app.port=5070
+
+# The username and password the BBB SIP app to use to
+# register with FreeSWITCH
+sip.server.username=bbbuser
+sip.server.password=secret
+
+# The ip and port of the FreeSWITCH server
+freeswitch.ip=127.0.0.1
+freeswitch.port=5060
+
+# The start/stop RTP port the application is going to use
+# for the media stream.
+startAudioPort=15000
+stopAudioPort=16383
+
+redis.host=10.7.7.5
+redis.port=6379
+redis.password=
+
+# If you want mjsip stack (red5/log/*access*.log) to minimize the amount of logs it
+# generates, set this to a lower value (e.g. 3).
+sipStackDebugLevel=3
\ No newline at end of file
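Review bot: `password="ClueCon"` in the freeswitch.esl block is the stock FreeSWITCH event-socket password committed in plain text, and the same value is repeated in mod/core/bigbluebutton.properties (`freeswitch.esl.password`) and kept in mod/freeswitch/event_socket.conf.xml in this patch. With the ESL now bound to 10.7.7.1 and guarded only by the `loopback.custom` ACL, this password is the last control for every host the ACL admits, so it should be generated per deployment and injected rather than committed; the file already uses HOCON's optional env override (`${?INTERFACE}`), so `password = ${?ESL_PASSWORD}` with the variable set from the compose file would follow the existing style. Separately, `loglevel = "DEBUG"` together with `actor.debug.receive = on` logs every actor message and can copy meeting payloads into the logs; the docker-compose hunk in this same patch lowers webrtc-sfu to `info`, so `loglevel = "INFO"` and `receive = off` would be consistent with that.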
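Review bot: `freeswitch.ip=127.0.0.1` and `bbb.sip.app.ip=127.0.0.1` may no longer match where FreeSWITCH listens after this patch: vars.xml now sets `local_ip_v4=10.7.7.1` and external.xml binds wss to `$${local_ip_v4}`, so if the profile's `sip-ip` also follows `local_ip_v4` (that line is outside this diff) the SIP app's registration to 127.0.0.1:5060 would not reach it — worth confirming on a running container. `sip.server.password=secret` appears to be the upstream placeholder and, like the ESL password, belongs in per-deployment configuration rather than the repository. Since this file is mounted directly (not as a `.tmpl`), a comment above the redis lines such as `# 10.7.7.5 is the redis container on the compose network` would record why the address differs from the loopback addresses used for FreeSWITCH.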
diff --git a/mod/core/bigbluebutton.properties b/mod/core/bigbluebutton.properties
new file mode 100644
index 0000000..c602a1e
--- /dev/null
+++ b/mod/core/bigbluebutton.properties
@@ -0,0 +1,32 @@
+#
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/
+#
+# Copyright (c) 2012 BigBlueButton Inc. and by respective authors (see below).
+#
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+#
+
+# Locate of BBB default meeting dir
+default.BigBlueButtonDirectory=/var/bigbluebutton
+
+freeswitch.esl.host=10.7.7.1
+freeswitch.esl.port=8021
+freeswitch.esl.password=ClueCon
+
+redisHost=10.7.7.5
+redisPort=6379
+redisPassword=
+redisExpireKey=1209600
+
+# Maximum message length allowed from the client.
+maxMessageLength=32000
diff --git a/mod/core/red5.properties b/mod/core/red5.properties
new file mode 100644
index 0000000..dc7c795
--- /dev/null
+++ b/mod/core/red5.properties
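Review bot: `redisPassword=` (empty) together with `redisHost=10.7.7.5` means redis is now reached over the compose network without authentication, whereas the bbb-apps-akka hunk shows the same service was previously addressed as 127.0.0.1; the empty password is repeated in bigbluebutton-sip.properties (`redis.password=`) and bbb-fsesl-akka/application.conf (`password=""`). That is only safe if the redis container does not publish 6379 on the host, and the redis service definition is outside this diff, so please confirm it and consider `requirepass` on the redis side with the matching value injected here. A comment such as `# redis is reachable on the compose network only; no auth by design` (or the opposite, once decided) would make the intent reviewable next time.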
@@ -0,0 +1,157 @@
+# Socket policy
+policy.host=10.7.7.1
+policy.port=843
+
+# HTTP
+http.host=10.7.7.1
+http.port=5080
+https.port=5443
+http.URIEncoding=UTF-8
+http.max_headers_size=8192
+http.max_keep_alive_requests=-1
+http.max_threads=20
+http.acceptor_thread_count=10
+http.processor_cache=20
+
+# RTMP
+rtmp.host=10.7.7.1
+rtmp.port=1935
+rtmp.io_threads=8
+rtmp.send_buffer_size=65536
+rtmp.receive_buffer_size=65536
+rtmp.ping_interval=1000
+rtmp.max_inactivity=20000
+rtmp.max_handshake_time=5000
+rtmp.tcp_nodelay=true
+rtmp.tcp_keepalive=false
+rtmp.default_server_bandwidth=10000000
+rtmp.default_client_bandwidth=10000000
+rtmp.client_bandwidth_limit_type=2
+rtmp.bandwidth_detection=false
+rtmp.encoder_base_tolerance=5000
+rtmp.encoder_drop_live_future=false
+# traffic optimization hinting. to disable set traffic class set to -1
+# low delay + high throughput == 24 (0x18)
+rtmp.traffic_class=-1
+# requested maximum length of the queue of incoming connections
+rtmp.backlog=32
+# the interval (seconds) between each throughput calculation
+rtmp.thoughput_calc_interval=15
+# enable use of the default mina acceptor
+rtmp.default_acceptor=true
+# socket i/o pool sizes used when default acceptor is disabled
+rtmp.initial_pool_size=0
+rtmp.max_pool_size=2
+rtmp.max_processor_pool_size=8
+rtmp.executor_keepalive_time=60000
+mina.logfilter.enable=false
+# scheduler configs (per application)
+rtmp.scheduler.pool_size=8
+rtmp.deadlockguard.sheduler.pool_size=8
+# message executor configs (per application) - adjust these as needed if you get tasks rejected
+rtmp.executor.core_pool_size=4
+rtmp.executor.max_pool_size=32
+rtmp.executor.queue_capacity=64
+# drop audio packets when queue is almost full, to disable this, set to 0
+rtmp.executor.queue_size_to_drop_audio_packets=60
+# maximum amount of time allotted to process a single rtmp message / packet in milliseconds, set it as 0 to disable timeout
+rtmp.max_handling_time=2000
+# connection tweaks - dont modify unless you know what you're doing
+rtmp.channel.initial.capacity=3
+rtmp.channel.concurrency.level=1
+rtmp.stream.initial.capacity=1
+rtmp.stream.concurrency.level=1
+rtmp.pending.calls.initial.capacity=3
+rtmp.pending.calls.concurrency.level=1
+rtmp.reserved.streams.initial.capacity=1
+rtmp.reserved.streams.concurrency.level=1
+rtmp.generateMetadata=false
+# maximum packet size allowed in bytes
+rtmp.max_packet_size=3145728
+
+# RTMPS
+rtmps.host=10.7.7.1
+rtmps.port=8443
+rtmps.ping_interval=5000
+rtmps.max_inactivity=20000
+rtmps.max_keep_alive_requests=-1
+rtmps.max_threads=8
+rtmps.acceptor_thread_count=2
+rtmps.processor_cache=20
+# RTMPS Key and Trust store parameters
+rtmps.keystorepass=password
+rtmps.keystorefile=conf/keystore.jks
+rtmps.truststorepass=password
+rtmps.truststorefile=conf/truststore.jks
+
+# RTMPT
+rtmpt.host=10.7.7.1
+rtmpt.port=8088
+rtmpt.ping_interval=5000
+rtmpt.max_inactivity=20000
+rtmpt.max_handshake_time=5000
+rtmpt.max_keep_alive_requests=-1
+rtmpt.max_threads=8
+rtmpt.acceptor_thread_count=2
+rtmpt.processor_cache=20
+rtmpt.encoder_base_tolerance=5000
+rtmpt.encoder_drop_live_future=true
+# better setting for streaming media
+rtmpt.target_reponse_size=32768
+# best setting for small messages or shared objects
+#rtmpt.target_reponse_size=8192
+# max incoming messages to process at a time. the most that FP appears to send is 166
+rtmpt.max_in_msg_process=166
+# max time in millis that we will wait when offering data to the in or out queue
+rtmpt.max_queue_offer_time=125
+# max offer attempts
+rtmpt.max_queue_offer_attempts=4
+
+# WebSocket
+ws.host=10.7.7.1
+ws.port=8081
+
+# Debug proxy (needs to be activated in red5-core.xml)
+proxy.source_host=127.0.0.1
+proxy.source_port=1936
+proxy.destination_host=127.0.0.1
+proxy.destination_port=1935
+
+# JMX
+jmx.rmi.host=localhost
+jmx.rmi.port=9999
+jmx.rmi.sport=9998
+jmx.rmi.port.remoteobjects=
+jmx.keystorepass=password
+jmx.mina.monitor.enable=false
+jmx.mina.poll.interval=1000
+# Whether to always create the registry in-process, not attempting to
+# locate an existing registry at the specified port. Set to "true" in order
+# to avoid the overhead of locating an existing registry when you always intend
+# to create a new registry in any case.
+jmx.registry.create=true
+# Whether or not the MBeanServerFactoryBean should attempt to locate a running
+# MBeanServer before creating one
+jmx.reuse.existing.server=true
+# Whether to register the MBeanServer with the MBeanServerFactory, making it
+# available through MBeanServerFactory.findMBeanServer()
+jmx.register.factory=true
+# Whether any threads started for the JMXConnectorServer should be started as daemon threads
+jmx.daemon=true
+# Whether the JMXConnectorServer should be started in a separate thread
+jmx.threaded=true
+
+# Server properties
+# max events to send in a single update
+so.max.events.per.update=64
+so.scheduler.pool_size=4
+keyframe.cache.entry.max=500
+war.deploy.server.check.interval=600000
+fileconsumer.delayed.write=true
+fileconsumer.queue.size=120
+fileconsumer.wait.for.keyframe=true
+subscriberstream.buffer.check.interval=5000
+subscriberstream.underrun.trigger=100
+subscriberstream.max.pending.frames=10
+subscriberstream.max.sequential.frames=10
+broadcaststream.auto.record=false
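Review bot: `rtmps.keystorepass=password`, `rtmps.truststorepass=password` and `jmx.keystorepass=password` are the stock Red5 placeholders, committed here next to listeners that are now deliberately bound to 10.7.7.1; they only matter if RTMPS or a TLS-protected JMX connector is actually enabled, which this patch does not show, so either state in a comment that those listeners are unused or move the values out of the repository. Style: `10.7.7.1` is repeated for the policy, http, rtmp, rtmps, rtmpt and ws hosts and must stay equal to `local_ip_v4` in mod/freeswitch/vars.xml and `freeswitch.esl.host` in bigbluebutton.properties, so a header comment such as `# 10.7.7.1: host address on the compose bridge network; keep in sync with local_ip_v4 in mod/freeswitch/vars.xml` would record that coupling. `jmx.rmi.port=9999` reuses the port number of the bbb-apps-akka http interface changed in this patch; they bind different addresses (`jmx.rmi.host=localhost` vs 10.7.7.1) so there is no clash under host networking, but a one-line comment saying so would pre-empt the question.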
diff --git a/mod/freeswitch/acl.conf.xml b/mod/freeswitch/acl.conf.xml
new file mode 100644
index 0000000..4f1e6a6
--- /dev/null
+++ b/mod/freeswitch/acl.conf.xml
@@ -0,0 +1,49 @@
+<configuration name="acl.conf" description="Network Lists">
+  <network-lists>
+    <!--
+      These ACL's are automatically created on startup.
+
+      rfc1918.auto - RFC1918 Space
+      nat.auto - RFC1918 Excluding your local lan.
+      localnet.auto - ACL for your local lan.
+      loopback.auto - ACL for your local lan.
+    -->
+
+    <list name="lan" default="allow">
+      <node type="allow" cidr="127.0.0.1/32"/>
+      <node type="allow" cidr="10.130.218.147/32"/>
+      <node type="allow" cidr="10.0.0.0/8"/>
+      <node type="allow" cidr="192.168.0.0/16"/>
+    </list>
+
+    <!--
+      custom "loopback" so that traffic from docker
+      containers is also considered as local
+    -->
+    <list name="loopback.custom" default="deny">
+      <node type="allow" cidr="127.0.0.1/32"/>
+      <node type="allow" cidr="10.0.0.0/8"/>
+      <node type="allow" cidr="192.168.0.0/16"/>
+    </list>
+
+    <list name="deny_private_v6" default="allow">
+      <node type="deny" cidr="0.0.0.0/0"/>
+      <node type="deny" cidr="fe80::/10"/>
+      <node type="deny" cidr="fc00::/7"/>
+    </list>
+    <!--
+      This will traverse the directory adding all users
+      with the cidr= tag to this ACL, when this ACL matches
+      the users variables and params apply as if they
+      digest authenticated.
+    -->
+    <list name="domains" default="allow">
+      <!-- domain= is special it scans the domain from the directory to build the ACL -->
+      <node type="allow" domain="$${domain}"/>
+      <node type="allow" domain="10.0.0.0/8"/>
+      <!-- use cidr= if you wish to allow ip ranges to this domains acl. -->
+      <!-- <node type="allow" cidr="192.168.0.0/24"/> -->
+    </list>
+
+  </network-lists>
+</configuration>
diff --git a/mod/freeswitch/event_socket.conf.xml b/mod/freeswitch/event_socket.conf.xml
index 8a3c8b4..74d171c 100644
--- a/mod/freeswitch/event_socket.conf.xml
+++ b/mod/freeswitch/event_socket.conf.xml
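Review bot: The `loopback.custom` list, which event_socket.conf.xml in this patch applies as `apply-inbound-acl`, allows all of `10.0.0.0/8` and `192.168.0.0/16`, far more than the "traffic from docker containers" its comment describes; on a host that also has a provider-side private network inside 10/8, every machine on that network passes the ACL and only the ESL password remains. Narrow it to the compose network, e.g. `<node type="allow" cidr="<DOCKER_SUBNET>"/>` (placeholder — the 10.7.7.x addresses elsewhere in the patch suggest the range, but its mask is not on the page). In the `domains` list, `<node type="allow" domain="10.0.0.0/8"/>` passes a CIDR through `domain=`, although the comment two lines above says `domain=` scans the directory and the comment below says to use `cidr=` for ranges, so this node likely does not do what was intended; if a range is wanted there it should read `<node type="allow" cidr="10.0.0.0/8"/>`. The `10.130.218.147/32` entry in the `lan` list is undocumented; a comment naming what that host is would help a future reviewer decide whether it should stay.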
@@ -1,10 +1,10 @@
 <configuration name="event_socket.conf" description="Socket Client">
   <settings>
     <param name="nat-map" value="false"/>
-    <param name="listen-ip" value="0.0.0.0"/>
+    <param name="listen-ip" value="$${local_ip_v4}"/>
     <param name="listen-port" value="8021"/>
     <param name="password" value="ClueCon"/>
-    <!--<param name="apply-inbound-acl" value="loopback.auto"/>-->
+    <param name="apply-inbound-acl" value="loopback.custom"/>
     <!--<param name="stop-on-bind-error" value="true"/>-->
   </settings>
 </configuration>
\ No newline at end of file
diff --git a/mod/freeswitch/external.xml b/mod/freeswitch/external.xml
index 3c2e2ab..a3adaca 100644
--- a/mod/freeswitch/external.xml
+++ b/mod/freeswitch/external.xml
@@ -105,8 +105,8 @@
     <param name="tls-verify-in-subjects" value=""/>
     <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
     <param name="tls-version" value="$${sip_tls_version}"/>
 
-    <!-- <param name="ws-binding" value="144.76.97.34:5066"/> -->
-    <param name="wss-binding" value="$${external_rtp_ip}:7443"/>
+    <param name="ws-binding" value="0.0.0.0:5066"/>
+    <param name="wss-binding" value="$${local_ip_v4}:7443"/>
 
     <!-- enable rtcp on every channel also can be done per leg basis with rtcp_audio_interval_msec variable set to passthru to pass it across a call-->
diff --git a/mod/freeswitch/vars.xml b/mod/freeswitch/vars.xml
index 43cef8a..9d32678 100644
--- a/mod/freeswitch/vars.xml
+++ b/mod/freeswitch/vars.xml
@@ -58,8 +58,8 @@
      affect the sip authentication. Please review conf/directory/default.xml for more
      information on this topic.
   -->
-  <X-PRE-PROCESS cmd="set" data="local_ip_v4=0.0.0.0"/>
-
+  <X-PRE-PROCESS cmd="set" data="local_ip_v4=10.7.7.1"/>
+  <X-PRE-PROCESS cmd="set" data="local_ip_v6=::1"/>
   <X-PRE-PROCESS cmd="set" data="domain=meet.livingutopia.org"/>
   <X-PRE-PROCESS cmd="set" data="domain_name=$${domain}"/>
   <X-PRE-PROCESS cmd="set" data="hold_music=local_stream://moh"/>
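Review bot: `<param name="ws-binding" value="0.0.0.0:5066"/>` in the external.xml hunk opens plaintext SIP-over-WebSocket on every interface, which runs against the commit's stated goal and revives a listener the previous revision kept commented out; the sip.nginx hunk proxies `/ws` to the wss binding on 7443, so the browser path does not appear to need the ws listener at all. Either drop the line again or bind it like its neighbour: `<param name="ws-binding" value="$${local_ip_v4}:5066"/>`. The profile's other bind parameters (sip-ip, rtp-ip) are outside this hunk; if they still derive from `external_rtp_ip` while wss now uses `local_ip_v4`, a short comment explaining why the two differ would save the next reader from guessing.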
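Review bot: `local_ip_v4=10.7.7.1` in the vars.xml hunk replaces the value FreeSWITCH would otherwise determine itself with a fixed address, so the ESL (`listen-ip`) and wss bindings in this patch now depend on that interface existing when FreeSWITCH starts, and the file is mounted as `vars.xml.tmpl` in docker-compose.yml, so a template variable could replace the literal. Nothing records why the address was chosen; a comment such as `<!-- pinned to the host's compose-bridge address so only the host and its containers can reach the ESL and wss listeners -->` above the line would do. `local_ip_v6=::1` is likewise undocumented, though confining the v6 side to loopback is consistent with the intent.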
diff --git a/mod/nginx/bbb/sip.nginx b/mod/nginx/bbb/sip.nginx
index 2e468d1..8e5e962 100644
--- a/mod/nginx/bbb/sip.nginx
+++ b/mod/nginx/bbb/sip.nginx
@@ -1,5 +1,5 @@
 location /ws {
-        proxy_pass https://144.76.97.34:7443;
+        proxy_pass https://host.docker.internal:7443;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "Upgrade";
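Review bot: `proxy_pass https://host.docker.internal:7443;` targets whatever address docker maps for that name, while this patch binds the wss listener only to `$${local_ip_v4}` = 10.7.7.1 (vars.xml, external.xml), so the proxy works only if `host.docker.internal` resolves to 10.7.7.1 on this host — that depends on the docker setup and is not visible here, and a comment such as `# must resolve to local_ip_v4 from mod/freeswitch/vars.xml, the only address wss is bound to` would make the dependency explicit. The upstream is https with nginx's default of not verifying the certificate (`proxy_ssl_verify` is off unless set); since the hop stays on the bridge network that is probably acceptable, but it is worth noting in the same comment. The `location /ws` block continues outside the hunk.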