Using coturn to reduce the number of UDP ports

2024-11-22 16:13:20 +01:00 · 2018-07-07 16:39:32 -05:00 · 2018-07-07 16:39:32 -05:00 · ad4ea9b044
commit ad4ea9b044
parent edb5b5cb04
4 changed files with 210 additions and 18 deletions
--- a/5
+++ b/5
@ -2,7 +2,7 @@ FROM ubuntu:16.04
 MAINTAINER ffdixon@bigbluebutton.org

 ENV DEBIAN_FRONTEND noninteractive
-# RUN echo 'Acquire::http::Proxy "http://192.168.0.130:3142";'  > /etc/apt/apt.conf.d/01proxy
+RUN echo 'Acquire::http::Proxy "http://192.168.0.130:3142 ";'  > /etc/apt/apt.conf.d/01proxy
 RUN apt-get update && apt-get install -y wget

 RUN echo "deb http://ubuntu.bigbluebutton.org/xenial-200 bigbluebutton-xenial main   " | tee /etc/apt/sources.list.d/bigbluebutton.list
@ -51,6 +51,9 @@ ADD supervisord.conf /etc/supervisor/conf.d/supervisord.conf

 # -- Modify FreeSWITCH event_socket.conf.xml to listen to IPV4
 ADD mod/event_socket.conf.xml /opt/freeswitch/etc/freeswitch/autoload_configs
+ADD mod/external.xml          /opt/freeswitch/conf/sip_profiles/external.xml
+
+RUN apt-get install -y coturn vim

 # -- Finish startup
 ADD setup.sh /root/setup.sh
--- a/mod/external.xml
+++ b/mod/external.xml
@ -0,0 +1,113 @@
+<profile name="external">
+  <!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files -->
+  <!-- This profile is only for outbound registrations to providers -->
+  <gateways>
+    <X-PRE-PROCESS cmd="include" data="external/*.xml"/>
+  </gateways>
+
+  <aliases>
+    <!--
+        <alias name="outbound"/>
+        <alias name="nat"/>
+    -->
+  </aliases>
+
+  <domains>
+    <domain name="all" alias="false" parse="true"/>
+  </domains>
+
+  <settings>
+    <param name="debug" value="0"/>
+    <!-- If you want FreeSWITCH to shutdown if this profile fails to load, uncomment the next line. -->
+    <!-- <param name="shutdown-on-fail" value="true"/> -->
+    <param name="sip-trace" value="no"/>
+    <param name="sip-capture" value="no"/>
+    <param name="rfc2833-pt" value="101"/>
+    <!-- RFC 5626 : Send reg-id and sip.instance -->
+    <!--<param name="enable-rfc-5626" value="true"/> -->
+    <param name="sip-port" value="$${external_sip_port}"/>
+    <param name="dialplan" value="XML"/>
+    <param name="context" value="public"/>
+    <param name="dtmf-duration" value="2000"/>
+    <param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
+    <param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/>
+    <param name="hold-music" value="$${hold_music}"/>
+    <param name="rtp-timer-name" value="soft"/>
+    <!--<param name="enable-100rel" value="true"/>-->
+    <!--<param name="disable-srv503" value="true"/>-->
+    <!-- This could be set to "passive" -->
+    <param name="local-network-acl" value="localnet.auto"/>
+    <param name="manage-presence" value="false"/>
+
+    <!-- used to share presence info across sofia profiles
+         manage-presence needs to be set to passive on this profile
+         if you want it to behave as if it were the internal profile
+         for presence.
+    -->
+    <!-- Name of the db to use for this profile -->
+    <!--<param name="dbname" value="share_presence"/>-->
+    <!--<param name="presence-hosts" value="$${domain}"/>-->
+    <!--<param name="force-register-domain" value="$${domain}"/>-->
+    <!--all inbound reg will stored in the db using this domain -->
+    <!--<param name="force-register-db-domain" value="$${domain}"/>-->
+    <!-- ************************************************* -->
+
+    <!--<param name="aggressive-nat-detection" value="true"/>-->
+    <param name="inbound-codec-negotiation" value="generous"/>
+    <param name="nonce-ttl" value="60"/>
+    <param name="auth-calls" value="false"/>
+    <param name="inbound-late-negotiation" value="true"/>
+    <param name="inbound-zrtp-passthru" value="true"/> <!-- (also enables late negotiation) -->
+    <!--
+        DO NOT USE HOSTNAMES, ONLY IP ADDRESSES IN THESE SETTINGS!
+    <param name="rtp-ip" value="$${local_ip_v4}"/>
+    <param name="sip-ip" value="$${local_ip_v4}"/>
+    <param name="ext-rtp-ip" value="auto-nat"/>
+    <param name="ext-sip-ip" value="auto-nat"/>
+    -->
+
+    <param name="rtp-ip" value="$${local_ip_v4}"/>
+    <param name="sip-ip" value="$${local_ip_v4}"/>
+    <param name="ext-rtp-ip" value="$${local_ip_v4}"/>
+    <param name="ext-sip-ip" value="$${local_ip_v4}"/>
+
+    <param name="rtp-timeout-sec" value="300"/>
+    <param name="rtp-hold-timeout-sec" value="1800"/>
+    <!--<param name="enable-3pcc" value="true"/>-->
+
+    <!-- TLS: disabled by default, set to "true" to enable -->
+    <param name="tls" value="$${external_ssl_enable}"/>
+    <!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
+    <param name="tls-only" value="false"/>
+    <!-- additional bind parameters for TLS -->
+    <param name="tls-bind-params" value="transport=tls"/>
+    <!-- Port to listen on for TLS requests. (5081 will be used if unspecified) -->
+    <param name="tls-sip-port" value="$${external_tls_port}"/>
+    <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
+    <!--<param name="tls-cert-dir" value=""/>-->
+    <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
+    <param name="tls-passphrase" value=""/>
+    <!-- Verify the date on TLS certificates -->
+    <param name="tls-verify-date" value="true"/>
+    <!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
+    <!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'in_subjects', 'out_subjects' and 'all_subjects' for subject validation. Multiple policies can be split with a '|' pipe -->
+    <param name="tls-verify-policy" value="none"/>
+    <!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
+    <param name="tls-verify-depth" value="2"/>
+    <!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '|' pipe -->
+    <param name="tls-verify-in-subjects" value=""/>
+    <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
+    <param name="tls-version" value="$${sip_tls_version}"/>
+    <param name="ws-binding"  value=":5066"/>
+    <param name="apply-candidate-acl" value="webrtc-turn"/>
+
+    <!-- enable rtcp on every channel also can be done per leg basis with rtcp_audio_interval_msec variable set to passthru to pass it across a call-->
+    <param name="rtcp-audio-interval-msec" value="5000"/>
+    <param name="rtcp-video-interval-msec" value="5000"/>
+
+    <!-- Cut down in the join time -->
+    <param name="dtmf-type" value="info"/>
+    <param name="liberal-dtmf" value="true"/>
+  </settings>
+</profile>
+
--- a/setup.sh
+++ b/setup.sh
@ -3,7 +3,7 @@
 #
 # BlueButton open source conferencing system - http://www.bigbluebutton.org/
 #
-# Copyright (c) 2018 BigBlueButton Inc. 
+# Copyright (c) 2018 BigBlueButton Inc.
 #
 # This program is free software; you can redistribute it and/or modify it under the
 # terms of the GNU Lesser General Public License as published by the Free Software
@ -37,8 +37,8 @@ while getopts "eh:" opt; do
    e)
      SECRET=$OPTARG
      ;;
-    :) 
-      echo "Missing option argument for -$OPTARG" >&2; 
+    :)
+      echo "Missing option argument for -$OPTARG" >&2;
      exit 1
      ;;
    \?)
@ -74,19 +74,19 @@ PROTOCOL_HTTP=http
 PROTOCOL_RTMP=rtmp
 IP=$(echo "$(LANG=c ifconfig  | awk -v RS="" '{gsub (/\n[ ]*inet /," ")}1' | grep ^et.* | grep addr: | head -n1 | sed 's/.*addr://g' | sed 's/ .*//g')$(LANG=c ifconfig  | awk -v RS="" '{gsub (/\n[ ]*inet /," ")}1' | grep ^en.* | grep addr: | head -n1 | sed 's/.*addr://g' | sed 's/ .*//g')" | head -n1)

-sed -i 's/<param name="rtp-start-port" value="[^"]*"\/>/<param name="rtp-start-port" value="16384"\/>/g' \
-  /opt/freeswitch/etc/freeswitch/autoload_configs/switch.conf.xml
-sed -i 's/<param name="rtp-end-port" value="[^"]*"\/>/<param name="rtp-end-port" value="16434"\/>/g' \
-  /opt/freeswitch/etc/freeswitch/autoload_configs/switch.conf.xml
+#sed -i 's/<param name="rtp-start-port" value="[^"]*"\/>/<param name="rtp-start-port" value="16384"\/>/g' \
+#  /opt/freeswitch/etc/freeswitch/autoload_configs/switch.conf.xml
+#sed -i 's/<param name="rtp-end-port" value="[^"]*"\/>/<param name="rtp-end-port" value="16434"\/>/g' \
+#  /opt/freeswitch/etc/freeswitch/autoload_configs/switch.conf.xml

 sed -i "s/stun:stun.freeswitch.org/$HOST/g" /opt/freeswitch/etc/freeswitch/vars.xml
 sed -i "s/<X-PRE-PROCESS cmd=\"set\" data=\"local_ip_v4=.*//g" /opt/freeswitch/etc/freeswitch/vars.xml

-sed -i "s/ext-rtp-ip\" value=\"\$\${local_ip_v4/ext-rtp-ip\" value=\"\$\${external_rtp_ip/g" /opt/freeswitch/conf/sip_profiles/external.xml
-sed -i "s/ext-sip-ip\" value=\"\$\${local_ip_v4/ext-sip-ip\" value=\"\$\${external_sip_ip/g" /opt/freeswitch/conf/sip_profiles/external.xml
-sed -i "s/<param name=\"ws-binding\".*/<param name=\"ws-binding\"  value=\"$HOST:5066\"\/>/g" /opt/freeswitch/conf/sip_profiles/external.xml
+#sed -i "s/ext-rtp-ip\" value=\"\$\${local_ip_v4/ext-rtp-ip\" value=\"\$\${external_rtp_ip/g" /opt/freeswitch/conf/sip_profiles/external.xml
+#sed -i "s/ext-sip-ip\" value=\"\$\${local_ip_v4/ext-sip-ip\" value=\"\$\${external_sip_ip/g" /opt/freeswitch/conf/sip_profiles/external.xml
+#sed -i "s/<param name=\"ws-binding\".*/<param name=\"ws-binding\"  value=\":5066\"\/>/g" /opt/freeswitch/conf/sip_profiles/external.xml

-sed -i "s/proxy_pass .*/proxy_pass $PROTOCOL_HTTP:\/\/$HOST:5066;/g" /etc/bigbluebutton/nginx/sip.nginx
+sed -i "s/proxy_pass .*/proxy_pass $PROTOCOL_HTTP:\/\/$IP:5066;/g" /etc/bigbluebutton/nginx/sip.nginx

 #sed -i "s/porttest host=\(\"[^\"]*\"\)/porttest host=\"$HOST\"/g" /var/www/bigbluebutton/client/conf/config.xml
 sed -i "s/publishURI=\"[^\"]*\"/publishURI=\"$HOST\"/" /var/www/bigbluebutton/client/conf/config.xml
@ -114,14 +114,83 @@ sed -i "s/deskshareip[ ]*=[ ]*\"[^\"]*\"/deskshareip=\"$HOST\"/g" \
 sed -i  "s/defaultPresentationURL[ ]*=[ ]*\"[^\"]*\"/defaultPresentationURL=\"${PROTOCOL_HTTP}:\/\/$HOST\/default.pdf\"/g" \
  /usr/share/bbb-apps-akka/conf/application.conf

-cat > /etc/kurento/modules/kurento/BaseRtpEndpoint.conf.ini << HERE
-minPort=16435
-maxPort=16484
-HERE
+#cat > /etc/kurento/modules/kurento/BaseRtpEndpoint.conf.ini << HERE
+#minPort=16435
+#maxPort=16484
+#HERE

 sed -i 's/.*stunServerAddress.*/stunServerAddress=64.233.177.127/g' /etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini
 sed -i 's/.*stunServerPort.*/stunServerPort=19302/g' /etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini

+echo "denied-peer-ip=0.0.0.0-255.255.255.255" >> /etc/turnserver.conf
+echo "allowed-peer-ip=$IP"                    >> /etc/turnserver.conf
+
+TURN_SECRET=`openssl rand -hex 16`
+
+cat > /etc/turnserver.conf << HERE
+denied-peer-ip=0.0.0.0-255.255.255.255
+allowed-peer-ip=$IP
+fingerprint
+lt-cred-mech
+use-auth-secret
+static-auth-secret=$TURN_SECRET
+HERE
+
+cat > /var/lib/tomcat7/webapps/bigbluebutton/WEB-INF/spring/turn-stun-servers.xml << HERE
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://www.springframework.org/schema/beans
+http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">
+
+<bean id="turn0" class="org.bigbluebutton.web.services.turn.TurnServer">
+<constructor-arg index="0"
+value="$TURN_SECRET"/>
+<constructor-arg index="1"
+value="turn:$HOST:3478"/>
+<constructor-arg index="2" value="86400"/>
+        </bean>
+
+        <bean id="turn1" class="org.bigbluebutton.web.services.turn.TurnServer">
+                <constructor-arg index="0"
+value="$TURN_SECRET"/>
+<constructor-arg index="1"
+value="turn:$HOST:3479?transport=tcp"/>
+<constructor-arg index="2" value="86400"/>
+</bean>
+
+<bean id="stunTurnService"
+class="org.bigbluebutton.web.services.turn.StunTurnService">
+<property name="stunServers"><set></set></property>
+<property name="turnServers">
+<set>
+<ref bean="turn0"/>
+<ref bean="turn1"/>
+</set>
+</property>
+<property name="remoteIceCandidates"><set></set></property>
+        </bean>
+</beans>
+HERE
+
+cat > /opt/freeswitch/conf/autoload_configs/acl.conf.xml << HERE
+<configuration name="acl.conf" description="Network Lists">
+  <network-lists>
+    <list name="domains" default="allow">
+      <!-- domain= is special it scans the domain from the directory to build the ACL -->
+      <node type="allow" domain="\$\${domain}"/>
+      <!-- use cidr= if you wish to allow ip ranges to this domains acl. -->
+      <!-- <node type="allow" cidr="192.168.0.0/24"/> -->
+    </list>
+
+    <list name="webrtc-turn" default="deny">
+      <node type="allow" cidr="$IP/32"/>
+    </list>
+
+  </network-lists>
+</configuration>
+HERE
+

 # Fix to ensure application.conf has the latest shared secret
 SECRET=$(cat /var/lib/tomcat7/webapps/bigbluebutton/WEB-INF/classes/bigbluebutton.properties | grep -v '#' | grep securitySalt | cut -d= -f2);
@ -145,7 +214,7 @@ rm /usr/share/red5/log/sip.log
 sed -i 's/BigBlueButton.logger.debug("rap-archive-worker done")/sleep 20; BigBlueButton.logger.debug("rap-archive-worker done")/g' /usr/local/bigbluebutton/core/scripts/rap-archive-worker.rb
 sed -i 's/BigBlueButton.logger.debug("rap-process-worker done")/sleep 20; BigBlueButton.logger.debug("rap-process-worker done")/g' /usr/local/bigbluebutton/core/scripts/rap-process-worker.rb
 sed -i 's/BigBlueButton.logger.debug("rap-sanity-worker done")/sleep 20 ; BigBlueButton.logger.debug("rap-sanity-worker done")/g'  /usr/local/bigbluebutton/core/scripts/rap-sanity-worker.rb
-sed -i 's/BigBlueButton.logger.debug("rap-publish-worker done")/sleep 20; BigBlueButton.logger.debug("rap-publish-worker done")/g' /usr/local/bigbluebutton/core/scripts/rap-publish-worker.rb 
+sed -i 's/BigBlueButton.logger.debug("rap-publish-worker done")/sleep 20; BigBlueButton.logger.debug("rap-publish-worker done")/g' /usr/local/bigbluebutton/core/scripts/rap-publish-worker.rb

 # Start BigBlueButton!
 #
@ -156,5 +225,5 @@ export DAEMON_LOG=/var/log/kurento-media-server
 export GST_DEBUG="3,Kurento*:4,kms*:4"
 export KURENTO_LOGS_PATH=$DAEMON_LOG

-/usr/bin/supervisord
+exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf

--- a/supervisord.conf
+++ b/supervisord.conf
@ -96,3 +96,10 @@ startsecs = 0
 autorestart = false
 user=tomcat7
 command=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin/java -Djava.util.logging.config.file=/var/lib/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC -Xms256m -Xmx256m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/bigbluebutton/diagnostics -Djava.endorsed.dirs=/usr/share/tomcat7/endorsed -classpath /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar -Dcatalina.base=/var/lib/tomcat7 -Dcatalina.home=/usr/share/tomcat7 -Djava.io.tmpdir=/tmp/tomcat7-tomcat7-tmp org.apache.catalina.startup.Bootstrap start
+
+[program:coturn]
+startsecs = 0
+autorestart = false
+user=turnserver
+command=/usr/bin/turnserver -c /etc/turnserver.conf
+