coturn integration

docker-compose.coturn.yml

@@ -0,0 +1,17 @@
+version: '3.6'
+services:
+  coturn:
+    image: instrumentisto/coturn:4.5
+    restart: unless-stopped
+    command:
+      - "--external-ip=${EXTERNAL_IP}"
+      - "--static-auth-secret=${TURN_SECRET}"
+    volumes:
+      - ssl_data:/etc/resty-auto-ssl
+      - ./mod/coturn/entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
+      - ./mod/coturn/turnserver.conf:/etc/coturn/turnserver.conf
+    network_mode: host
+
+volumes:
+  ssl_data:
+    name: ssl_data

docker-compose.https.yml

@@ -14,3 +14,4 @@ services:
 
 volumes:
   ssl_data:
+    name: ssl_data

mod/coturn/entrypoint.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e 
+apk add jq
+
+while [ ! -f /etc/resty-auto-ssl/storage/file/*latest ]
+do
+  echo "ERROR: certificate doesn't exist yet."
+  echo "Certificate gets create on the first request to the HTTPS proxy."
+  echo "We will try again..."
+  sleep 10
+done
+
+# extract cert
+cat /etc/resty-auto-ssl/storage/file/*%3Alatest | jq -r '.fullchain_pem' > /tmp/cert.pem
+cat /etc/resty-auto-ssl/storage/file/*%3Alatest | jq -r '.privkey_pem' > /tmp/key.pem
+
+
+# If command starts with an option, prepend with turnserver binary.
+if [ "${1:0:1}" == '-' ]; then
+  set -- turnserver "$@"
+fi
+
+exec $(eval "echo $@")

mod/coturn/turnserver.conf

@@ -0,0 +1,63 @@
+# Example coturn configuration for BigBlueButton
+
+# These are the two network ports used by the TURN server which the client
+# may connect to. We enable the standard unencrypted port 3478 for STUN,
+# as well as port 443 for TURN over TLS, which can bypass firewalls.
+listening-port=3478
+
+# we use the SMTP over TLS Port, since 443 is already used for HTTPS
+tls-listening-port=465
+
+# If the server has multiple IP addresses, you may wish to limit which
+# addresses coturn is using. Do that by setting this option (it can be
+# specified multiple times). The default is to listen on all addresses.
+# You do not normally need to set this option.
+#listening-ip=172.17.19.101
+
+# If the server is behind NAT, you need to specify the external IP address.
+# If there is only one external address, specify it like this:
+#external-ip=172.17.19.120
+# If you have multiple external addresses, you have to specify which
+# internal address each corresponds to, like this. The first address is the
+# external ip, and the second address is the corresponding internal IP.
+#external-ip=172.17.19.131/10.0.0.11
+#external-ip=172.17.18.132/10.0.0.12
+
+# Fingerprints in TURN messages are required for WebRTC
+fingerprint
+
+# The long-term credential mechanism is required for WebRTC
+lt-cred-mech
+
+# Configure coturn to use the "TURN REST API" method for validating time-
+# limited credentials. BigBlueButton will generate credentials in this
+# format. Note that the static-auth-secret value specified here must match
+# the configuration in BigBlueButton's turn-stun-servers.xml
+# You can generate a new random value by running the command:
+#   openssl rand -hex 16
+use-auth-secret
+# static-auth-secret=<random value>
+
+# If the realm value is unspecified, it defaults to the TURN server hostname.
+# You probably want to configure it to a domain name that you control to
+# improve log output. There is no functional impact.
+realm=example.com
+
+# Configure TLS support.
+# Adjust these paths to match the locations of your certificate files
+cert=/tmp/cert.pem
+pkey=/tmp/key.pem
+# Limit the allowed ciphers to improve security
+# Based on https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
+
+# Enable longer DH TLS key to improve security
+dh2066
+
+# All WebRTC-compatible web browsers support TLS 1.2 or later, so disable
+# older protocols
+no-tlsv1
+no-tlsv1_1
+
+# To enable single filename logs you need to enable the simple-log flag
+syslog

sample.env

@@ -7,6 +7,10 @@
 # fully automated Lets Encrypt certificates
 ENABLE_HTTPS_PROXY=true
 
+# coturn (a TURN Server)
+# requires HTTPS Proxy to be enabled
+ENABLE_COTURN=true
+
 # Greenlight Frontend
 # https://docs.bigbluebutton.org/greenlight/gl-overview.html
 ENABLE_GREENLIGHT=true

scripts/compose

@@ -15,6 +15,11 @@ COMPOSE_FILES="-f docker-compose.yml"
 if [ "$ENABLE_HTTPS_PROXY" == true ]; then
     COMPOSE_FILES="$COMPOSE_FILES -f docker-compose.https.yml"
 fi
+
+if [ "$ENABLE_COTURN" == true ]; then
+    COMPOSE_FILES="$COMPOSE_FILES -f docker-compose.coturn.yml"
+fi
+
 if [ "$ENABLE_GREENLIGHT" == true ]; then
     COMPOSE_FILES="$COMPOSE_FILES -f docker-compose.greenlight.yml"
 fi

scripts/setup

@@ -31,6 +31,14 @@ while [[ ! $https_proxy =~ ^(y|n)$ ]]; do
     read -p "Should an automatic HTTPS Proxy be included? (y/n): " https_proxy
 done
 
+coturn=""
+if [ "$https_proxy" == "y" ]
+then
+    while [[ ! $coturn =~ ^(y|n)$ ]]; do
+        read -p "Should a coturn be included? (y/n): " coturn
+    done
+fi
+
 DOMAIN=""
 while [[ -z "$DOMAIN" ]]; do
     read -p "Please enter the domain name: " DOMAIN
@@ -66,6 +74,16 @@ then
     sed -i "s/ENABLE_HTTPS_PROXY.*/#ENABLE_HTTPS_PROXY=true/" .env
 fi
 
+if [ "$coturn" == "y" ]
+then
+    sed -i "s/.*TURN_SERVER=.*/TURN_SERVER=turns:$DOMAIN:465?transport=tcp/" .env
+    TURN_SECRET=$(head /dev/urandom | tr -dc A-Za-f0-9 | head -c 32)
+    sed -i "s/.*TURN_SECRET=.*/TURN_SECRET=$TURN_SECRET/" .env
+    sed -i "s/.*STUN_IP=.*/STUN_IP=$EXTERNAL_IP/" .env
+else
+    sed -i "s/ENABLE_COTURN.*/#ENABLE_COTURN=true/" .env
+fi
+
 # change secrets
 RANDOM_1=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 40)
 RANDOM_2=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 40)