Using coturn to reduce the number of UDP ports

This commit is contained in:
Fred Dixon 2018-07-07 16:39:32 -05:00
parent edb5b5cb04
commit ad4ea9b044
4 changed files with 210 additions and 18 deletions

View File

@ -2,7 +2,7 @@ FROM ubuntu:16.04
MAINTAINER ffdixon@bigbluebutton.org MAINTAINER ffdixon@bigbluebutton.org
ENV DEBIAN_FRONTEND noninteractive ENV DEBIAN_FRONTEND noninteractive
# RUN echo 'Acquire::http::Proxy "http://192.168.0.130:3142";' > /etc/apt/apt.conf.d/01proxy RUN echo 'Acquire::http::Proxy "http://192.168.0.130:3142 ";' > /etc/apt/apt.conf.d/01proxy
RUN apt-get update && apt-get install -y wget RUN apt-get update && apt-get install -y wget
RUN echo "deb http://ubuntu.bigbluebutton.org/xenial-200 bigbluebutton-xenial main " | tee /etc/apt/sources.list.d/bigbluebutton.list RUN echo "deb http://ubuntu.bigbluebutton.org/xenial-200 bigbluebutton-xenial main " | tee /etc/apt/sources.list.d/bigbluebutton.list
@ -51,6 +51,9 @@ ADD supervisord.conf /etc/supervisor/conf.d/supervisord.conf
# -- Modify FreeSWITCH event_socket.conf.xml to listen to IPV4 # -- Modify FreeSWITCH event_socket.conf.xml to listen to IPV4
ADD mod/event_socket.conf.xml /opt/freeswitch/etc/freeswitch/autoload_configs ADD mod/event_socket.conf.xml /opt/freeswitch/etc/freeswitch/autoload_configs
ADD mod/external.xml /opt/freeswitch/conf/sip_profiles/external.xml
RUN apt-get install -y coturn vim
# -- Finish startup # -- Finish startup
ADD setup.sh /root/setup.sh ADD setup.sh /root/setup.sh

113
mod/external.xml Normal file
View File

@ -0,0 +1,113 @@
<profile name="external">
<!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files -->
<!-- This profile is only for outbound registrations to providers -->
<gateways>
<X-PRE-PROCESS cmd="include" data="external/*.xml"/>
</gateways>
<aliases>
<!--
<alias name="outbound"/>
<alias name="nat"/>
-->
</aliases>
<domains>
<domain name="all" alias="false" parse="true"/>
</domains>
<settings>
<param name="debug" value="0"/>
<!-- If you want FreeSWITCH to shutdown if this profile fails to load, uncomment the next line. -->
<!-- <param name="shutdown-on-fail" value="true"/> -->
<param name="sip-trace" value="no"/>
<param name="sip-capture" value="no"/>
<param name="rfc2833-pt" value="101"/>
<!-- RFC 5626 : Send reg-id and sip.instance -->
<!--<param name="enable-rfc-5626" value="true"/> -->
<param name="sip-port" value="$${external_sip_port}"/>
<param name="dialplan" value="XML"/>
<param name="context" value="public"/>
<param name="dtmf-duration" value="2000"/>
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/>
<param name="hold-music" value="$${hold_music}"/>
<param name="rtp-timer-name" value="soft"/>
<!--<param name="enable-100rel" value="true"/>-->
<!--<param name="disable-srv503" value="true"/>-->
<!-- This could be set to "passive" -->
<param name="local-network-acl" value="localnet.auto"/>
<param name="manage-presence" value="false"/>
<!-- used to share presence info across sofia profiles
manage-presence needs to be set to passive on this profile
if you want it to behave as if it were the internal profile
for presence.
-->
<!-- Name of the db to use for this profile -->
<!--<param name="dbname" value="share_presence"/>-->
<!--<param name="presence-hosts" value="$${domain}"/>-->
<!--<param name="force-register-domain" value="$${domain}"/>-->
<!--all inbound reg will stored in the db using this domain -->
<!--<param name="force-register-db-domain" value="$${domain}"/>-->
<!-- ************************************************* -->
<!--<param name="aggressive-nat-detection" value="true"/>-->
<param name="inbound-codec-negotiation" value="generous"/>
<param name="nonce-ttl" value="60"/>
<param name="auth-calls" value="false"/>
<param name="inbound-late-negotiation" value="true"/>
<param name="inbound-zrtp-passthru" value="true"/> <!-- (also enables late negotiation) -->
<!--
DO NOT USE HOSTNAMES, ONLY IP ADDRESSES IN THESE SETTINGS!
<param name="rtp-ip" value="$${local_ip_v4}"/>
<param name="sip-ip" value="$${local_ip_v4}"/>
<param name="ext-rtp-ip" value="auto-nat"/>
<param name="ext-sip-ip" value="auto-nat"/>
-->
<param name="rtp-ip" value="$${local_ip_v4}"/>
<param name="sip-ip" value="$${local_ip_v4}"/>
<param name="ext-rtp-ip" value="$${local_ip_v4}"/>
<param name="ext-sip-ip" value="$${local_ip_v4}"/>
<param name="rtp-timeout-sec" value="300"/>
<param name="rtp-hold-timeout-sec" value="1800"/>
<!--<param name="enable-3pcc" value="true"/>-->
<!-- TLS: disabled by default, set to "true" to enable -->
<param name="tls" value="$${external_ssl_enable}"/>
<!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
<param name="tls-only" value="false"/>
<!-- additional bind parameters for TLS -->
<param name="tls-bind-params" value="transport=tls"/>
<!-- Port to listen on for TLS requests. (5081 will be used if unspecified) -->
<param name="tls-sip-port" value="$${external_tls_port}"/>
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
<!--<param name="tls-cert-dir" value=""/>-->
<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
<param name="tls-passphrase" value=""/>
<!-- Verify the date on TLS certificates -->
<param name="tls-verify-date" value="true"/>
<!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'in_subjects', 'out_subjects' and 'all_subjects' for subject validation. Multiple policies can be split with a '|' pipe -->
<param name="tls-verify-policy" value="none"/>
<!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
<param name="tls-verify-depth" value="2"/>
<!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '|' pipe -->
<param name="tls-verify-in-subjects" value=""/>
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
<param name="tls-version" value="$${sip_tls_version}"/>
<param name="ws-binding" value=":5066"/>
<param name="apply-candidate-acl" value="webrtc-turn"/>
<!-- enable rtcp on every channel also can be done per leg basis with rtcp_audio_interval_msec variable set to passthru to pass it across a call-->
<param name="rtcp-audio-interval-msec" value="5000"/>
<param name="rtcp-video-interval-msec" value="5000"/>
<!-- Cut down in the join time -->
<param name="dtmf-type" value="info"/>
<param name="liberal-dtmf" value="true"/>
</settings>
</profile>

103
setup.sh
View File

@ -3,7 +3,7 @@
# #
# BlueButton open source conferencing system - http://www.bigbluebutton.org/ # BlueButton open source conferencing system - http://www.bigbluebutton.org/
# #
# Copyright (c) 2018 BigBlueButton Inc. # Copyright (c) 2018 BigBlueButton Inc.
# #
# This program is free software; you can redistribute it and/or modify it under the # This program is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free Software # terms of the GNU Lesser General Public License as published by the Free Software
@ -37,8 +37,8 @@ while getopts "eh:" opt; do
e) e)
SECRET=$OPTARG SECRET=$OPTARG
;; ;;
:) :)
echo "Missing option argument for -$OPTARG" >&2; echo "Missing option argument for -$OPTARG" >&2;
exit 1 exit 1
;; ;;
\?) \?)
@ -74,19 +74,19 @@ PROTOCOL_HTTP=http
PROTOCOL_RTMP=rtmp PROTOCOL_RTMP=rtmp
IP=$(echo "$(LANG=c ifconfig | awk -v RS="" '{gsub (/\n[ ]*inet /," ")}1' | grep ^et.* | grep addr: | head -n1 | sed 's/.*addr://g' | sed 's/ .*//g')$(LANG=c ifconfig | awk -v RS="" '{gsub (/\n[ ]*inet /," ")}1' | grep ^en.* | grep addr: | head -n1 | sed 's/.*addr://g' | sed 's/ .*//g')" | head -n1) IP=$(echo "$(LANG=c ifconfig | awk -v RS="" '{gsub (/\n[ ]*inet /," ")}1' | grep ^et.* | grep addr: | head -n1 | sed 's/.*addr://g' | sed 's/ .*//g')$(LANG=c ifconfig | awk -v RS="" '{gsub (/\n[ ]*inet /," ")}1' | grep ^en.* | grep addr: | head -n1 | sed 's/.*addr://g' | sed 's/ .*//g')" | head -n1)
sed -i 's/<param name="rtp-start-port" value="[^"]*"\/>/<param name="rtp-start-port" value="16384"\/>/g' \ #sed -i 's/<param name="rtp-start-port" value="[^"]*"\/>/<param name="rtp-start-port" value="16384"\/>/g' \
/opt/freeswitch/etc/freeswitch/autoload_configs/switch.conf.xml # /opt/freeswitch/etc/freeswitch/autoload_configs/switch.conf.xml
sed -i 's/<param name="rtp-end-port" value="[^"]*"\/>/<param name="rtp-end-port" value="16434"\/>/g' \ #sed -i 's/<param name="rtp-end-port" value="[^"]*"\/>/<param name="rtp-end-port" value="16434"\/>/g' \
/opt/freeswitch/etc/freeswitch/autoload_configs/switch.conf.xml # /opt/freeswitch/etc/freeswitch/autoload_configs/switch.conf.xml
sed -i "s/stun:stun.freeswitch.org/$HOST/g" /opt/freeswitch/etc/freeswitch/vars.xml sed -i "s/stun:stun.freeswitch.org/$HOST/g" /opt/freeswitch/etc/freeswitch/vars.xml
sed -i "s/<X-PRE-PROCESS cmd=\"set\" data=\"local_ip_v4=.*//g" /opt/freeswitch/etc/freeswitch/vars.xml sed -i "s/<X-PRE-PROCESS cmd=\"set\" data=\"local_ip_v4=.*//g" /opt/freeswitch/etc/freeswitch/vars.xml
sed -i "s/ext-rtp-ip\" value=\"\$\${local_ip_v4/ext-rtp-ip\" value=\"\$\${external_rtp_ip/g" /opt/freeswitch/conf/sip_profiles/external.xml #sed -i "s/ext-rtp-ip\" value=\"\$\${local_ip_v4/ext-rtp-ip\" value=\"\$\${external_rtp_ip/g" /opt/freeswitch/conf/sip_profiles/external.xml
sed -i "s/ext-sip-ip\" value=\"\$\${local_ip_v4/ext-sip-ip\" value=\"\$\${external_sip_ip/g" /opt/freeswitch/conf/sip_profiles/external.xml #sed -i "s/ext-sip-ip\" value=\"\$\${local_ip_v4/ext-sip-ip\" value=\"\$\${external_sip_ip/g" /opt/freeswitch/conf/sip_profiles/external.xml
sed -i "s/<param name=\"ws-binding\".*/<param name=\"ws-binding\" value=\"$HOST:5066\"\/>/g" /opt/freeswitch/conf/sip_profiles/external.xml #sed -i "s/<param name=\"ws-binding\".*/<param name=\"ws-binding\" value=\":5066\"\/>/g" /opt/freeswitch/conf/sip_profiles/external.xml
sed -i "s/proxy_pass .*/proxy_pass $PROTOCOL_HTTP:\/\/$HOST:5066;/g" /etc/bigbluebutton/nginx/sip.nginx sed -i "s/proxy_pass .*/proxy_pass $PROTOCOL_HTTP:\/\/$IP:5066;/g" /etc/bigbluebutton/nginx/sip.nginx
#sed -i "s/porttest host=\(\"[^\"]*\"\)/porttest host=\"$HOST\"/g" /var/www/bigbluebutton/client/conf/config.xml #sed -i "s/porttest host=\(\"[^\"]*\"\)/porttest host=\"$HOST\"/g" /var/www/bigbluebutton/client/conf/config.xml
sed -i "s/publishURI=\"[^\"]*\"/publishURI=\"$HOST\"/" /var/www/bigbluebutton/client/conf/config.xml sed -i "s/publishURI=\"[^\"]*\"/publishURI=\"$HOST\"/" /var/www/bigbluebutton/client/conf/config.xml
@ -114,14 +114,83 @@ sed -i "s/deskshareip[ ]*=[ ]*\"[^\"]*\"/deskshareip=\"$HOST\"/g" \
sed -i "s/defaultPresentationURL[ ]*=[ ]*\"[^\"]*\"/defaultPresentationURL=\"${PROTOCOL_HTTP}:\/\/$HOST\/default.pdf\"/g" \ sed -i "s/defaultPresentationURL[ ]*=[ ]*\"[^\"]*\"/defaultPresentationURL=\"${PROTOCOL_HTTP}:\/\/$HOST\/default.pdf\"/g" \
/usr/share/bbb-apps-akka/conf/application.conf /usr/share/bbb-apps-akka/conf/application.conf
cat > /etc/kurento/modules/kurento/BaseRtpEndpoint.conf.ini << HERE #cat > /etc/kurento/modules/kurento/BaseRtpEndpoint.conf.ini << HERE
minPort=16435 #minPort=16435
maxPort=16484 #maxPort=16484
HERE #HERE
sed -i 's/.*stunServerAddress.*/stunServerAddress=64.233.177.127/g' /etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini sed -i 's/.*stunServerAddress.*/stunServerAddress=64.233.177.127/g' /etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini
sed -i 's/.*stunServerPort.*/stunServerPort=19302/g' /etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini sed -i 's/.*stunServerPort.*/stunServerPort=19302/g' /etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini
echo "denied-peer-ip=0.0.0.0-255.255.255.255" >> /etc/turnserver.conf
echo "allowed-peer-ip=$IP" >> /etc/turnserver.conf
TURN_SECRET=`openssl rand -hex 16`
cat > /etc/turnserver.conf << HERE
denied-peer-ip=0.0.0.0-255.255.255.255
allowed-peer-ip=$IP
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=$TURN_SECRET
HERE
cat > /var/lib/tomcat7/webapps/bigbluebutton/WEB-INF/spring/turn-stun-servers.xml << HERE
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">
<bean id="turn0" class="org.bigbluebutton.web.services.turn.TurnServer">
<constructor-arg index="0"
value="$TURN_SECRET"/>
<constructor-arg index="1"
value="turn:$HOST:3478"/>
<constructor-arg index="2" value="86400"/>
</bean>
<bean id="turn1" class="org.bigbluebutton.web.services.turn.TurnServer">
<constructor-arg index="0"
value="$TURN_SECRET"/>
<constructor-arg index="1"
value="turn:$HOST:3479?transport=tcp"/>
<constructor-arg index="2" value="86400"/>
</bean>
<bean id="stunTurnService"
class="org.bigbluebutton.web.services.turn.StunTurnService">
<property name="stunServers"><set></set></property>
<property name="turnServers">
<set>
<ref bean="turn0"/>
<ref bean="turn1"/>
</set>
</property>
<property name="remoteIceCandidates"><set></set></property>
</bean>
</beans>
HERE
cat > /opt/freeswitch/conf/autoload_configs/acl.conf.xml << HERE
<configuration name="acl.conf" description="Network Lists">
<network-lists>
<list name="domains" default="allow">
<!-- domain= is special it scans the domain from the directory to build the ACL -->
<node type="allow" domain="\$\${domain}"/>
<!-- use cidr= if you wish to allow ip ranges to this domains acl. -->
<!-- <node type="allow" cidr="192.168.0.0/24"/> -->
</list>
<list name="webrtc-turn" default="deny">
<node type="allow" cidr="$IP/32"/>
</list>
</network-lists>
</configuration>
HERE
# Fix to ensure application.conf has the latest shared secret # Fix to ensure application.conf has the latest shared secret
SECRET=$(cat /var/lib/tomcat7/webapps/bigbluebutton/WEB-INF/classes/bigbluebutton.properties | grep -v '#' | grep securitySalt | cut -d= -f2); SECRET=$(cat /var/lib/tomcat7/webapps/bigbluebutton/WEB-INF/classes/bigbluebutton.properties | grep -v '#' | grep securitySalt | cut -d= -f2);
@ -145,7 +214,7 @@ rm /usr/share/red5/log/sip.log
sed -i 's/BigBlueButton.logger.debug("rap-archive-worker done")/sleep 20; BigBlueButton.logger.debug("rap-archive-worker done")/g' /usr/local/bigbluebutton/core/scripts/rap-archive-worker.rb sed -i 's/BigBlueButton.logger.debug("rap-archive-worker done")/sleep 20; BigBlueButton.logger.debug("rap-archive-worker done")/g' /usr/local/bigbluebutton/core/scripts/rap-archive-worker.rb
sed -i 's/BigBlueButton.logger.debug("rap-process-worker done")/sleep 20; BigBlueButton.logger.debug("rap-process-worker done")/g' /usr/local/bigbluebutton/core/scripts/rap-process-worker.rb sed -i 's/BigBlueButton.logger.debug("rap-process-worker done")/sleep 20; BigBlueButton.logger.debug("rap-process-worker done")/g' /usr/local/bigbluebutton/core/scripts/rap-process-worker.rb
sed -i 's/BigBlueButton.logger.debug("rap-sanity-worker done")/sleep 20 ; BigBlueButton.logger.debug("rap-sanity-worker done")/g' /usr/local/bigbluebutton/core/scripts/rap-sanity-worker.rb sed -i 's/BigBlueButton.logger.debug("rap-sanity-worker done")/sleep 20 ; BigBlueButton.logger.debug("rap-sanity-worker done")/g' /usr/local/bigbluebutton/core/scripts/rap-sanity-worker.rb
sed -i 's/BigBlueButton.logger.debug("rap-publish-worker done")/sleep 20; BigBlueButton.logger.debug("rap-publish-worker done")/g' /usr/local/bigbluebutton/core/scripts/rap-publish-worker.rb sed -i 's/BigBlueButton.logger.debug("rap-publish-worker done")/sleep 20; BigBlueButton.logger.debug("rap-publish-worker done")/g' /usr/local/bigbluebutton/core/scripts/rap-publish-worker.rb
# Start BigBlueButton! # Start BigBlueButton!
# #
@ -156,5 +225,5 @@ export DAEMON_LOG=/var/log/kurento-media-server
export GST_DEBUG="3,Kurento*:4,kms*:4" export GST_DEBUG="3,Kurento*:4,kms*:4"
export KURENTO_LOGS_PATH=$DAEMON_LOG export KURENTO_LOGS_PATH=$DAEMON_LOG
/usr/bin/supervisord exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf

View File

@ -96,3 +96,10 @@ startsecs = 0
autorestart = false autorestart = false
user=tomcat7 user=tomcat7
command=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin/java -Djava.util.logging.config.file=/var/lib/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC -Xms256m -Xmx256m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/bigbluebutton/diagnostics -Djava.endorsed.dirs=/usr/share/tomcat7/endorsed -classpath /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar -Dcatalina.base=/var/lib/tomcat7 -Dcatalina.home=/usr/share/tomcat7 -Djava.io.tmpdir=/tmp/tomcat7-tomcat7-tmp org.apache.catalina.startup.Bootstrap start command=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin/java -Djava.util.logging.config.file=/var/lib/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC -Xms256m -Xmx256m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/bigbluebutton/diagnostics -Djava.endorsed.dirs=/usr/share/tomcat7/endorsed -classpath /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar -Dcatalina.base=/var/lib/tomcat7 -Dcatalina.home=/usr/share/tomcat7 -Djava.io.tmpdir=/tmp/tomcat7-tomcat7-tmp org.apache.catalina.startup.Bootstrap start
[program:coturn]
startsecs = 0
autorestart = false
user=turnserver
command=/usr/bin/turnserver -c /etc/turnserver.conf