Merge pull request #126 from cjhille/develop

Reintegrate turn with default ports and support for external certificates
This commit is contained in:
chandi 2021-06-21 16:47:37 +02:00 committed by GitHub
commit c2ebd3fcf9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 186 additions and 0 deletions

View File

@ -5,6 +5,7 @@ Version: 2.3.0 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/bigblue
## Features ## Features
- Easy installation - Easy installation
- Greenlight included - Greenlight included
- TURN server included
- Fully automated HTTPS certificates - Fully automated HTTPS certificates
- Full IPv6 support - Full IPv6 support
- Runs on any major linux distributon (Debian, Ubuntu, CentOS,...) - Runs on any major linux distributon (Debian, Ubuntu, CentOS,...)

View File

@ -319,6 +319,28 @@ services:
network_mode: host network_mode: host
{{end}} {{end}}
{{ if isTrue .Env.ENABLE_COTURN }}
# coturn
coturn:
image: instrumentisto/coturn:4.5
restart: unless-stopped
command:
- "--external-ip=${EXTERNAL_IPv4}/${EXTERNAL_IPv4}"
- "--external-ip=${EXTERNAL_IPv6:-::1}/${EXTERNAL_IPv6:-::1}"
- "--static-auth-secret=${TURN_SECRET}"
volumes:
{{ if isTrue .Env.ENABLE_HTTPS_PROXY }}
- ssl_data:/etc/resty-auto-ssl
{{else}}
- ${COTURN_TLS_CERT_PATH}:/tmp/cert.pem
- ${COTURN_TLS_KEY_PATH}:/tmp/key.pem
{{end}}
- ./mod/coturn/entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
- ./mod/coturn/turnserver.conf:/etc/coturn/turnserver.conf
network_mode: host
{{end}}
{{ if isTrue .Env.ENABLE_GREENLIGHT }} {{ if isTrue .Env.ENABLE_GREENLIGHT }}
# greenlight # greenlight
greenlight: greenlight:

View File

@ -7,6 +7,7 @@ you can run bbb-docker locally without any certificate issues with following `.e
DEV_MODE=true DEV_MODE=true
ENABLE_HTTPS_PROXY=true ENABLE_HTTPS_PROXY=true
#ENABLE_COTURN=true
#ENABLE_GREENLIGHT=true #ENABLE_GREENLIGHT=true
#ENABLE_WEBHOOKS=true #ENABLE_WEBHOOKS=true
#ENABLE_PROMETHEUS_EXPORTER=true #ENABLE_PROMETHEUS_EXPORTER=true
@ -16,7 +17,9 @@ DOMAIN=10.7.7.1
EXTERNAL_IPv4=10.7.7.1 EXTERNAL_IPv4=10.7.7.1
STUN_IP=216.93.246.18 STUN_IP=216.93.246.18
STUN_PORT=3478 STUN_PORT=3478
TURN_SERVER=turns:localhost:5349?transport=tcp
TURN_SECRET=SuperTurnSecret
SHARED_SECRET=SuperSecret SHARED_SECRET=SuperSecret
ETHERPAD_API_KEY=SuperEtherpadKey ETHERPAD_API_KEY=SuperEtherpadKey
RAILS_SECRET=SuperRailsSecret RAILS_SECRET=SuperRailsSecret

31
mod/coturn/entrypoint.sh Executable file
View File

@ -0,0 +1,31 @@
#!/bin/sh
set -e
if [ "$ENABLE_HTTPS_PROXY" == true ]; then
apk add jq
while [ ! -f /etc/resty-auto-ssl/storage/file/*latest ]
do
echo "ERROR: certificate doesn't exist yet."
echo "Certificate gets create on the first request to the HTTPS proxy."
echo "We will try again..."
sleep 10
done
# extract cert
cat /etc/resty-auto-ssl/storage/file/*%3Alatest | jq -r '.fullchain_pem' > /tmp/cert.pem
cat /etc/resty-auto-ssl/storage/file/*%3Alatest | jq -r '.privkey_pem' > /tmp/key.pem
fi
if [ ! -f /tmp/cert.pem ] || [ ! -f /tmp/key.pem ]; then
echo "ERROR: certificate not found, but coturn relies on it."
echo "Use either auto HTTPS proxy or"
echo "provide path to certificates in .env file"
exit 1
fi
# If command starts with an option, prepend with turnserver binary.
if [ "${1:0:1}" == '-' ]; then
set -- turnserver "$@"
fi
exec $(eval "echo $@")

View File

@ -0,0 +1,73 @@
# Example coturn configuration for BigBlueButton
# These are the two network ports used by the TURN server which the client
# may connect to. We enable the standard unencrypted port 3478 for STUN,
listening-port=3478
# and since TLS over SMTP port (465) is now blocked by major browser vendors,
# we reverted to the most common coturn TLS port 5349, which has limitations
# in restrictive firewall environments. For maximum client support run
# coturn on a dedicated host on port 443.
tls-listening-port=5349
# If the server has multiple IP addresses, you may wish to limit which
# addresses coturn is using. Do that by setting this option (it can be
# specified multiple times). The default is to listen on all addresses.
# You do not normally need to set this option.
#listening-ip=172.17.19.101
# If the server is behind NAT, you need to specify the external IP address.
# If there is only one external address, specify it like this:
#external-ip=172.17.19.120
# If you have multiple external addresses, you have to specify which
# internal address each corresponds to, like this. The first address is the
# external ip, and the second address is the corresponding internal IP.
#external-ip=172.17.19.131/10.0.0.11
#external-ip=172.17.18.132/10.0.0.12
# Fingerprints in TURN messages are required for WebRTC
fingerprint
# The long-term credential mechanism is required for WebRTC
lt-cred-mech
# Configure coturn to use the "TURN REST API" method for validating time-
# limited credentials. BigBlueButton will generate credentials in this
# format. Note that the static-auth-secret value specified here must match
# the configuration in BigBlueButton's turn-stun-servers.xml
# You can generate a new random value by running the command:
# openssl rand -hex 16
use-auth-secret
# static-auth-secret=<random value>
# If the realm value is unspecified, it defaults to the TURN server hostname.
# You probably want to configure it to a domain name that you control to
# improve log output. There is no functional impact.
realm=example.com
# Configure TLS support.
# Adjust these paths to match the locations of your certificate files
cert=/tmp/cert.pem
pkey=/tmp/key.pem
# Limit the allowed ciphers to improve security
# Based on https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
# Enable longer DH TLS key to improve security
dh2066
# All WebRTC-compatible web browsers support TLS 1.2 or later, so disable
# older protocols
no-tlsv1
no-tlsv1_1
# To enable single filename logs you need to enable the simple-log flag
syslog
#verbose
# Allocate Address Family according
# If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family.
# (By default Coturn works according RFC 6156.)
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
keep-address-family

View File

@ -7,6 +7,13 @@
# fully automated Lets Encrypt certificates # fully automated Lets Encrypt certificates
ENABLE_HTTPS_PROXY=true ENABLE_HTTPS_PROXY=true
# coturn (a TURN Server)
# requires either the abhove HTTPS Proxy to be enabled
# or TLS certificates to be mounted to container
ENABLE_COTURN=true
#COTURN_TLS_CERT_PATH=
#COTURN_TLS_KEY_PATH=
# Greenlight Frontend # Greenlight Frontend
# https://docs.bigbluebutton.org/greenlight/gl-overview.html # https://docs.bigbluebutton.org/greenlight/gl-overview.html
ENABLE_GREENLIGHT=true ENABLE_GREENLIGHT=true

View File

@ -19,6 +19,20 @@ if [ -z "$EXTERNAL_IPv4" ]; then
exit 1 exit 1
fi fi
if [ "$ENABLE_COTURN" == true ]; then
if [ -z "$ENABLE_HTTPS_PROXY" ] && [ -z "$COTURN_TLS_CERT_PATH" ]; then
echo "ERROR: coturn requires TLS certificates."
echo "Either enable the https proxy for certificate retrival"
echo "or provide a path to your certificates in .env file."
exit 1
fi
if [ -z "$ENABLE_HTTPS_PROXY" ] && [ "$DEV_MODE" == true ]; then
echo "ERROR: the https proxy can't get a certificate if ran locally and therefor coturn will never start"
echo "you should disable coturn in .env"
exit 1
fi
fi
docker run \ docker run \
--rm \ --rm \
-v $(pwd)/docker-compose.tmpl.yml:/docker-compose.tmpl.yml \ -v $(pwd)/docker-compose.tmpl.yml:/docker-compose.tmpl.yml \
@ -26,6 +40,7 @@ docker run \
-e ENABLE_RECORDING=${ENABLE_RECORDING:-false} \ -e ENABLE_RECORDING=${ENABLE_RECORDING:-false} \
-e ENABLE_HTTPS_PROXY=${ENABLE_HTTPS_PROXY:-false} \ -e ENABLE_HTTPS_PROXY=${ENABLE_HTTPS_PROXY:-false} \
-e ENABLE_WEBHOOKS=${ENABLE_WEBHOOKS:-false} \ -e ENABLE_WEBHOOKS=${ENABLE_WEBHOOKS:-false} \
-e ENABLE_COTURN=${ENABLE_COTURN:-false} \
-e ENABLE_GREENLIGHT=${ENABLE_GREENLIGHT:-false} \ -e ENABLE_GREENLIGHT=${ENABLE_GREENLIGHT:-false} \
-e ENABLE_PROMETHEUS_EXPORTER=${ENABLE_PROMETHEUS_EXPORTER:-false} \ -e ENABLE_PROMETHEUS_EXPORTER=${ENABLE_PROMETHEUS_EXPORTER:-false} \
-e NUMBER_OF_BACKEND_NODEJS_PROCESSES=${NUMBER_OF_BACKEND_NODEJS_PROCESSES:-1} \ -e NUMBER_OF_BACKEND_NODEJS_PROCESSES=${NUMBER_OF_BACKEND_NODEJS_PROCESSES:-1} \

View File

@ -32,6 +32,24 @@ while [[ ! $https_proxy =~ ^(y|n)$ ]]; do
read -p "Should an automatic HTTPS Proxy be included? (y/n): " https_proxy read -p "Should an automatic HTTPS Proxy be included? (y/n): " https_proxy
done done
coturn=""
while [[ ! $coturn =~ ^(y|n)$ ]]; do
read -p "Should a coturn be included? (y/n): " coturn
done
if [ "$coturn" == "y" ] && [ ! "$https_proxy" == "y" ]
then
echo "Coturn needs TLS to function properly."
echo " Since automatic HTTPS Proxy is disabled,"
echo " you must provide a relative or absolute path"
echo " to your certificates."
while [[ -z "$CERTPATH" ]]; do
read -p "Please enter path to cert.pem: " CERTPATH
done
while [[ -z "$KEYPATH" ]]; do
read -p "Please enter path to key.pem: " KEYPATH
done
fi
prometheus_exporter="" prometheus_exporter=""
while [[ ! $prometheus_exporter =~ ^(y|n)$ ]]; do while [[ ! $prometheus_exporter =~ ^(y|n)$ ]]; do
read -p "Should a Prometheus exporter be included? (y/n): " prometheus_exporter read -p "Should a Prometheus exporter be included? (y/n): " prometheus_exporter
@ -106,6 +124,22 @@ then
sed -i "s/#ENABLE_RECORDING.*/ENABLE_RECORDING=true/" .env sed -i "s/#ENABLE_RECORDING.*/ENABLE_RECORDING=true/" .env
fi fi
if [ "$coturn" == "y" ]
then
sed -i "s/.*TURN_SERVER=.*/TURN_SERVER=turns:$DOMAIN:5349?transport=tcp/" .env
TURN_SECRET=$(head /dev/urandom | tr -dc A-Za-f0-9 | head -c 32)
sed -i "s/.*TURN_SECRET=.*/TURN_SECRET=$TURN_SECRET/" .env
sed -i "s/.*STUN_IP=.*/STUN_IP=$EXTERNAL_IPv4/" .env
else
sed -i "s/ENABLE_COTURN.*/#ENABLE_COTURN=true/" .env
fi
if [ -n "$CERTPATH" ] && [ -n "$KEYPATH" ]
then
sed -i "s/#COTURN_TLS_CERT_PATH=.*/COTURN_TLS_CERT_PATH=$CERTPATH/" .env
sed -i "s/#COTURN_TLS_KEY_PATH=.*/COTURN_TLS_KEY_PATH=$KEYPATH/" .env
fi
if [ "$prometheus_exporter" == "y" ] if [ "$prometheus_exporter" == "y" ]
then then
sed -i "s/#ENABLE_PROMETHEUS_EXPORTER.*/ENABLE_PROMETHEUS_EXPORTER=true/" .env sed -i "s/#ENABLE_PROMETHEUS_EXPORTER.*/ENABLE_PROMETHEUS_EXPORTER=true/" .env