diff --git a/README.md b/README.md index afb6e0f..8ebc8ba 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ Version: 2.3.0 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/bigblue ## Features - Easy installation - Greenlight included +- TURN server included - Fully automated HTTPS certificates - Full IPv6 support - Runs on any major linux distributon (Debian, Ubuntu, CentOS,...) diff --git a/docker-compose.tmpl.yml b/docker-compose.tmpl.yml index d7c0640..2e86700 100644 --- a/docker-compose.tmpl.yml +++ b/docker-compose.tmpl.yml @@ -319,6 +319,28 @@ services: network_mode: host {{end}} +{{ if isTrue .Env.ENABLE_COTURN }} + # coturn + coturn: + image: instrumentisto/coturn:4.5 + restart: unless-stopped + command: + - "--external-ip=${EXTERNAL_IPv4}/${EXTERNAL_IPv4}" + - "--external-ip=${EXTERNAL_IPv6:-::1}/${EXTERNAL_IPv6:-::1}" + - "--static-auth-secret=${TURN_SECRET}" + volumes: + {{ if isTrue .Env.ENABLE_HTTPS_PROXY }} + - ssl_data:/etc/resty-auto-ssl + {{else}} + - ${COTURN_TLS_CERT_PATH}:/tmp/cert.pem + - ${COTURN_TLS_KEY_PATH}:/tmp/key.pem + {{end}} + - ./mod/coturn/entrypoint.sh:/usr/local/bin/docker-entrypoint.sh + - ./mod/coturn/turnserver.conf:/etc/coturn/turnserver.conf + network_mode: host +{{end}} + + {{ if isTrue .Env.ENABLE_GREENLIGHT }} # greenlight greenlight: diff --git a/docs/development.md b/docs/development.md index 96b6629..4985548 100644 --- a/docs/development.md +++ b/docs/development.md @@ -7,6 +7,7 @@ you can run bbb-docker locally without any certificate issues with following `.e DEV_MODE=true ENABLE_HTTPS_PROXY=true +#ENABLE_COTURN=true #ENABLE_GREENLIGHT=true #ENABLE_WEBHOOKS=true #ENABLE_PROMETHEUS_EXPORTER=true @@ -16,7 +17,9 @@ DOMAIN=10.7.7.1 EXTERNAL_IPv4=10.7.7.1 STUN_IP=216.93.246.18 STUN_PORT=3478 +TURN_SERVER=turns:localhost:5349?transport=tcp +TURN_SECRET=SuperTurnSecret SHARED_SECRET=SuperSecret ETHERPAD_API_KEY=SuperEtherpadKey RAILS_SECRET=SuperRailsSecret 
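Review bot: The coturn service declares no `environment:`, yet mod/coturn/entrypoint.sh (added in this commit) decides whether to extract the certificate from the ssl_data volume by testing `$ENABLE_HTTPS_PROXY`; inside the container that variable is unset unless the image or something outside this hunk supplies it, so the proxy branch would skip extraction and stop at the script's certificate check. Adding `environment:` / `  - ENABLE_HTTPS_PROXY=${ENABLE_HTTPS_PROXY:-false}` to the service, interpolated from `.env` the same way `${EXTERNAL_IPv4}` already is here, closes that gap. `--external-ip=${EXTERNAL_IPv6:-::1}/${EXTERNAL_IPv6:-::1}` falls back to the loopback address on hosts without a public IPv6, which coturn would then advertise as a relay address; emit that argument only when EXTERNAL_IPv6 is actually set. Passing `--static-auth-secret=${TURN_SECRET}` in `command:` exposes the TURN secret through `docker inspect` and the host's process list, whereas the mounted turnserver.conf already reserves `# static-auth-secret=` for it. The certificate mounts can be read-only (`- ssl_data:/etc/resty-auto-ssl:ro`, likewise the two bind mounts), since the entrypoint only reads from them.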
diff --git a/mod/coturn/entrypoint.sh b/mod/coturn/entrypoint.sh
new file mode 100755
index 0000000..c916cee
--- /dev/null
+++ b/mod/coturn/entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+set -e
+if [ "$ENABLE_HTTPS_PROXY" == true ]; then
+ apk add jq
+
+ while [ ! -f /etc/resty-auto-ssl/storage/file/*latest ]
+ do
+ echo "ERROR: certificate doesn't exist yet."
+ echo "Certificate gets create on the first request to the HTTPS proxy."
+ echo "We will try again..."
+ sleep 10
+ done
+
+ # extract cert
+ cat /etc/resty-auto-ssl/storage/file/*%3Alatest | jq -r '.fullchain_pem' > /tmp/cert.pem
+ cat /etc/resty-auto-ssl/storage/file/*%3Alatest | jq -r '.privkey_pem' > /tmp/key.pem
+fi
+
+if [ ! -f /tmp/cert.pem ] || [ ! -f /tmp/key.pem ]; then
+ echo "ERROR: certificate not found, but coturn relies on it."
+ echo "Use either auto HTTPS proxy or"
+ echo "provide path to certificates in .env file"
+ exit 1
+fi
+
+# If command starts with an option, prepend with turnserver binary.
+if [ "${1:0:1}" == '-' ]; then
+ set -- turnserver "$@"
+fi
+
+exec $(eval "echo $@")
\ No newline at end of file
diff --git a/mod/coturn/turnserver.conf b/mod/coturn/turnserver.conf
new file mode 100644
index 0000000..be71ffe
--- /dev/null
+++ b/mod/coturn/turnserver.conf
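Review bot: The wait loop tests `*latest` while the two `cat` lines read `*%3Alatest`, and both globs misbehave as soon as the auto-ssl storage holds more than one certificate: `test` with several matches fails with "too many arguments" and ends the loop whether or not the files exist, and concatenating several JSON documents into `jq -r` writes several PEM blocks into /tmp/cert.pem. Selecting one file explicitly — presumably `<domain>%3Alatest`, given the URL-encoded colon, which would mean passing DOMAIN into the container — and reading it once with `jq -r '.fullchain_pem' "$latest" > /tmp/cert.pem` avoids both problems. The private key is written under the default umask; a `umask 077` before the `jq` lines keeps /tmp/key.pem readable by its owner only. The final `exec $(eval "echo $@")` re-parses every argument through the shell, so a TURN secret containing `$`, quotes or spaces is expanded or split; `exec "$@"` passes the arguments through intact. `${1:0:1}` is a bash extension that `/bin/sh` is not guaranteed to accept; `case "$1" in -*) set -- turnserver "$@";; esac` is the portable form.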
@@ -0,0 +1,73 @@
+# Example coturn configuration for BigBlueButton
+
+# These are the two network ports used by the TURN server which the client
+# may connect to. We enable the standard unencrypted port 3478 for STUN,
+listening-port=3478
+
+# and since TLS over SMTP port (465) is now blocked by major browser vendors,
+# we reverted to the most common coturn TLS port 5349, which has limitations
+# in restrictive firewall environments. For maximum client support run
+# coturn on a dedicated host on port 443.
+tls-listening-port=5349
+
+# If the server has multiple IP addresses, you may wish to limit which
+# addresses coturn is using. Do that by setting this option (it can be
+# specified multiple times). The default is to listen on all addresses.
+# You do not normally need to set this option.
+#listening-ip=172.17.19.101
+
+# If the server is behind NAT, you need to specify the external IP address.
+# If there is only one external address, specify it like this:
+#external-ip=172.17.19.120
+# If you have multiple external addresses, you have to specify which
+# internal address each corresponds to, like this. The first address is the
+# external ip, and the second address is the corresponding internal IP.
+#external-ip=172.17.19.131/10.0.0.11
+#external-ip=172.17.18.132/10.0.0.12
+
+# Fingerprints in TURN messages are required for WebRTC
+fingerprint
+
+# The long-term credential mechanism is required for WebRTC
+lt-cred-mech
+
+# Configure coturn to use the "TURN REST API" method for validating time-
+# limited credentials. BigBlueButton will generate credentials in this
+# format. Note that the static-auth-secret value specified here must match
+# the configuration in BigBlueButton's turn-stun-servers.xml
+# You can generate a new random value by running the command:
+# openssl rand -hex 16
+use-auth-secret
+# static-auth-secret=
+
+# If the realm value is unspecified, it defaults to the TURN server hostname.
+# You probably want to configure it to a domain name that you control to
+# improve log output. There is no functional impact.
+realm=example.com
+
+# Configure TLS support.
+# Adjust these paths to match the locations of your certificate files
+cert=/tmp/cert.pem
+pkey=/tmp/key.pem
+# Limit the allowed ciphers to improve security
+# Based on https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
+
+# Enable longer DH TLS key to improve security
+dh2066
+
+# All WebRTC-compatible web browsers support TLS 1.2 or later, so disable
+# older protocols
+no-tlsv1
+no-tlsv1_1
+
+# To enable single filename logs you need to enable the simple-log flag
+syslog
+#verbose
+
+# Allocate Address Family according
+# If enabled then TURN server allocates address family according the TURN
+# Client <=> Server communication address family.
+# (By default Coturn works according RFC 6156.)
+# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
+keep-address-family
diff --git a/sample.env b/sample.env
index 6d3c328..bc842a3 100644
--- a/sample.env
+++ b/sample.env
@@ -7,6 +7,13 @@
 # fully automated Lets Encrypt certificates
 ENABLE_HTTPS_PROXY=true
 
+# coturn (a TURN Server)
+# requires either the abhove HTTPS Proxy to be enabled
+# or TLS certificates to be mounted to container
+ENABLE_COTURN=true
+#COTURN_TLS_CERT_PATH=
+#COTURN_TLS_KEY_PATH=
+
 # Greenlight Frontend
 # https://docs.bigbluebutton.org/greenlight/gl-overview.html
 ENABLE_GREENLIGHT=true
diff --git a/scripts/generate-compose b/scripts/generate-compose
index e2e7691..37b8353 100755
--- a/scripts/generate-compose
+++ b/scripts/generate-compose
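Review bot: The relay configuration has no `denied-peer-ip` entries, and the compose service runs it with `network_mode: host` next to the other BigBlueButton containers, so any holder of a valid time-limited credential can have coturn relay traffic toward loopback, RFC 1918 and docker-bridge addresses on that host; adding `denied-peer-ip=127.0.0.0-127.255.255.255`, `denied-peer-ip=10.0.0.0-10.255.255.255`, `denied-peer-ip=172.16.0.0-172.31.255.255`, `denied-peer-ip=192.168.0.0-192.168.255.255` (plus the equivalent IPv6 unique-local and loopback ranges) and `no-multicast-peers` limits relaying to public peers. The comment above `syslog` talks about the simple-log flag, which is not the option that follows; it should read `# Log to syslog instead of a dedicated log file`. `realm=example.com` ships in a file the compose template mounts unchanged into every deployment, so the advice two lines above to use a domain you control cannot be followed from `.env`; either template the realm from DOMAIN or state in the comment that the value is intentionally fixed.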
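Review bot: The new comment presents mounted TLS certificates as the alternative to the HTTPS proxy but does not say that both path variables must be set together, nor that they are host paths which docker-compose.tmpl.yml bind-mounts onto /tmp/cert.pem and /tmp/key.pem in the container. A line such as `# or host paths to the certificate and its private key (both required)` above `#COTURN_TLS_CERT_PATH=` would make that explicit, and `abhove` in the second comment line is a typo for `above`. Since `ENABLE_COTURN=true` is on by default, the block should also point at the TURN_SECRET/TURN_SERVER settings it depends on (presumably further down in this file, which scripts/setup rewrites), so that users editing `.env` by hand know they must be filled in.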
@@ -19,6 +19,20 @@ if [ -z "$EXTERNAL_IPv4" ]; then
 exit 1
 fi
 
+if [ "$ENABLE_COTURN" == true ]; then
+ if [ -z "$ENABLE_HTTPS_PROXY" ] && [ -z "$COTURN_TLS_CERT_PATH" ]; then
+ echo "ERROR: coturn requires TLS certificates."
+ echo "Either enable the https proxy for certificate retrival"
+ echo "or provide a path to your certificates in .env file."
+ exit 1
+ fi
+ if [ -z "$ENABLE_HTTPS_PROXY" ] && [ "$DEV_MODE" == true ]; then
+ echo "ERROR: the https proxy can't get a certificate if ran locally and therefor coturn will never start"
+ echo "you should disable coturn in .env"
+ exit 1
+ fi
+fi
+
 docker run \
 --rm \
 -v $(pwd)/docker-compose.tmpl.yml:/docker-compose.tmpl.yml \
@@ -26,6 +40,7 @@ docker run \
 -e ENABLE_RECORDING=${ENABLE_RECORDING:-false} \
 -e ENABLE_HTTPS_PROXY=${ENABLE_HTTPS_PROXY:-false} \
 -e ENABLE_WEBHOOKS=${ENABLE_WEBHOOKS:-false} \
+ -e ENABLE_COTURN=${ENABLE_COTURN:-false} \
 -e ENABLE_GREENLIGHT=${ENABLE_GREENLIGHT:-false} \
 -e ENABLE_PROMETHEUS_EXPORTER=${ENABLE_PROMETHEUS_EXPORTER:-false} \
 -e NUMBER_OF_BACKEND_NODEJS_PROCESSES=${NUMBER_OF_BACKEND_NODEJS_PROCESSES:-1} \
diff --git a/scripts/setup b/scripts/setup
index 101cc1a..fb32153 100755
--- a/scripts/setup
+++ b/scripts/setup
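Review bot: Both new guards test `-z "$ENABLE_HTTPS_PROXY"`, i.e. whether the variable is empty rather than whether it is true, so `ENABLE_HTTPS_PROXY=false` with no certificate path slips past the first check and coturn only fails later at container start; the other flags in this hunk are compared against `true`. The first guard also ignores COTURN_TLS_KEY_PATH, which the compose template mounts as well: `if [ "$ENABLE_HTTPS_PROXY" != true ] && { [ -z "$COTURN_TLS_CERT_PATH" ] || [ -z "$COTURN_TLS_KEY_PATH" ]; }; then`. The second guard's message says the proxy cannot obtain a certificate when run locally, which describes the proxy being enabled in DEV_MODE, yet the condition fires when it is unset; if that reading is right it should be `if [ "$ENABLE_HTTPS_PROXY" == true ] && [ "$DEV_MODE" == true ]; then`. Checking `[ -f "$COTURN_TLS_CERT_PATH" ]` here would additionally catch a wrong path before compose fails with a less specific bind-mount error.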
@@ -32,6 +32,24 @@ while [[ ! $https_proxy =~ ^(y|n)$ ]]; do
 read -p "Should an automatic HTTPS Proxy be included? (y/n): " https_proxy
 done
 
+coturn=""
+while [[ ! $coturn =~ ^(y|n)$ ]]; do
+ read -p "Should a coturn be included? (y/n): " coturn
+done
+if [ "$coturn" == "y" ] && [ ! "$https_proxy" == "y" ]
+then
+ echo "Coturn needs TLS to function properly."
+ echo " Since automatic HTTPS Proxy is disabled,"
+ echo " you must provide a relative or absolute path"
+ echo " to your certificates."
+ while [[ -z "$CERTPATH" ]]; do
+ read -p "Please enter path to cert.pem: " CERTPATH
+ done
+ while [[ -z "$KEYPATH" ]]; do
+ read -p "Please enter path to key.pem: " KEYPATH
+ done
+fi
+
 prometheus_exporter=""
 while [[ ! $prometheus_exporter =~ ^(y|n)$ ]]; do
 read -p "Should a Prometheus exporter be included? (y/n): " prometheus_exporter
@@ -106,6 +124,22 @@ then
 sed -i "s/#ENABLE_RECORDING.*/ENABLE_RECORDING=true/" .env
 fi
 
+if [ "$coturn" == "y" ]
+then
+ sed -i "s/.*TURN_SERVER=.*/TURN_SERVER=turns:$DOMAIN:5349?transport=tcp/" .env
+ TURN_SECRET=$(head /dev/urandom | tr -dc A-Za-f0-9 | head -c 32)
+ sed -i "s/.*TURN_SECRET=.*/TURN_SECRET=$TURN_SECRET/" .env
+ sed -i "s/.*STUN_IP=.*/STUN_IP=$EXTERNAL_IPv4/" .env
+else
+ sed -i "s/ENABLE_COTURN.*/#ENABLE_COTURN=true/" .env
+fi
+
+if [ -n "$CERTPATH" ] && [ -n "$KEYPATH" ]
+then
+ sed -i "s/#COTURN_TLS_CERT_PATH=.*/COTURN_TLS_CERT_PATH=$CERTPATH/" .env
+ sed -i "s/#COTURN_TLS_KEY_PATH=.*/COTURN_TLS_KEY_PATH=$KEYPATH/" .env
+fi
+
 if [ "$prometheus_exporter" == "y" ]
 then
 sed -i "s/#ENABLE_PROMETHEUS_EXPORTER.*/ENABLE_PROMETHEUS_EXPORTER=true/" .env
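Review bot: The two path prompts accept any non-empty string, so a mistyped path is written into `.env` unverified and only surfaces when compose tries to bind-mount it; looping on `while [[ ! -f "$CERTPATH" ]]; do` (and likewise for KEYPATH) instead of `-z` validates the answer at the prompt. `[ ! "$https_proxy" == "y" ]` reads more naturally as `[ "$https_proxy" != "y" ]`, matching the comparisons used elsewhere in this script. CERTPATH and KEYPATH are upper-case while the neighbouring answers (`https_proxy`, `coturn`, `prometheus_exporter`) are lower-case; `cert_path`/`key_path` would keep the naming consistent and avoid looking like exported configuration.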
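Review bot: The `sed` substitutions for COTURN_TLS_CERT_PATH and COTURN_TLS_KEY_PATH use `/` as the delimiter, so any absolute path — which the prompt above explicitly invites — contains the delimiter and makes sed fail with "unknown option to `s'", leaving both variables commented out in `.env`; use another delimiter, `sed -i "s|#COTURN_TLS_CERT_PATH=.*|COTURN_TLS_CERT_PATH=$CERTPATH|" .env`, and the same for the key path. The secret generation `head /dev/urandom | tr -dc A-Za-f0-9 | head -c 32` filters on `A-Za-f`, which looks like a typo for `A-Za-z`, and reads ten newline-delimited "lines" of random bytes, so in principle it can yield fewer than 32 characters; `tr -dc A-Za-z0-9 < /dev/urandom | head -c 32` produces exactly 32 every time. Keeping the alphabet free of `/`, `&` and `\` also matters because `$TURN_SECRET` is spliced unescaped into the following sed replacement.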