From b010da33a2434532150759904ffbfc89a60ed9c3 Mon Sep 17 00:00:00 2001
From: chandi
Date: Sun, 7 Jun 2020 13:58:56 +0200
Subject: [PATCH] coturn integration
---
 docker-compose.coturn.yml | 17 ++++++++++
 docker-compose.https.yml | 1 +
 mod/coturn/entrypoint.sh | 23 ++++++++++++++
 mod/coturn/turnserver.conf | 63 ++++++++++++++++++++++++++++++++++++++
 sample.env | 4 +++
 scripts/compose | 5 +++
 scripts/setup | 18 +++++++++++
 7 files changed, 131 insertions(+)
 create mode 100644 docker-compose.coturn.yml
 create mode 100755 mod/coturn/entrypoint.sh
 create mode 100644 mod/coturn/turnserver.conf
diff --git a/docker-compose.coturn.yml b/docker-compose.coturn.yml
new file mode 100644
index 0000000..e50708d
--- /dev/null
+++ b/docker-compose.coturn.yml
@@ -0,0 +1,17 @@
+version: '3.6'
+services:
+ coturn:
+ image: instrumentisto/coturn:4.5
+ restart: unless-stopped
+ command:
+ - "--external-ip=${EXTERNAL_IP}"
+ - "--static-auth-secret=${TURN_SECRET}"
+ volumes:
+ - ssl_data:/etc/resty-auto-ssl
+ - ./mod/coturn/entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
+ - ./mod/coturn/turnserver.conf:/etc/coturn/turnserver.conf
+ network_mode: host
+
+volumes:
+ ssl_data:
+ name: ssl_data
\ No newline at end of file
diff --git a/docker-compose.https.yml b/docker-compose.https.yml
index aa0bab2..cf0ca3a 100644
--- a/docker-compose.https.yml
+++ b/docker-compose.https.yml
@@ -14,3 +14,4 @@ services:
 
 volumes:
 ssl_data:
+ name: ssl_data
diff --git a/mod/coturn/entrypoint.sh b/mod/coturn/entrypoint.sh
new file mode 100755
index 0000000..057489e
--- /dev/null
+++ b/mod/coturn/entrypoint.sh
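Review bot: `--static-auth-secret=${TURN_SECRET}` in `command:` places the shared TURN secret on the turnserver process's argv, where it is readable on a host without `hidepid` by any local user through the process list and by anyone who can run `docker inspect`; with `network_mode: host` this container is already less isolated than the rest of the stack. Since the mounted entrypoint already writes files before it execs, a less exposed route is to hand the value over as an environment variable (`environment:` / `- TURN_SECRET=${TURN_SECRET}`) and let the entrypoint write `static-auth-secret=$TURN_SECRET` into a generated config that it passes to turnserver, keeping the secret out of argv. None of the three mounts needs write access from coturn, so `:ro` on each — e.g. `- ssl_data:/etc/resty-auto-ssl:ro` — keeps the Let's Encrypt key material read-only from this container. The file also ends without a trailing newline.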
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+apk add jq
+
+while [ ! -f /etc/resty-auto-ssl/storage/file/*latest ]
+do
+ echo "ERROR: certificate doesn't exist yet."
+ echo "Certificate gets create on the first request to the HTTPS proxy."
+ echo "We will try again..."
+ sleep 10
+done
+
+# extract cert
+cat /etc/resty-auto-ssl/storage/file/*%3Alatest | jq -r '.fullchain_pem' > /tmp/cert.pem
+cat /etc/resty-auto-ssl/storage/file/*%3Alatest | jq -r '.privkey_pem' > /tmp/key.pem
+
+
+# If command starts with an option, prepend with turnserver binary.
+if [ "${1:0:1}" == '-' ]; then
+ set -- turnserver "$@"
+fi
+
+exec $(eval "echo $@")
\ No newline at end of file
diff --git a/mod/coturn/turnserver.conf b/mod/coturn/turnserver.conf
new file mode 100644
index 0000000..832897e
--- /dev/null
+++ b/mod/coturn/turnserver.conf
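Review bot: `/tmp/key.pem` receives the Let's Encrypt private key under the shell's default umask, which normally leaves it world-readable inside the container; a `umask 077` line before the two `cat … | jq` extractions (or `chmod 600 /tmp/key.pem` right after them) keeps the key private to the process user. `exec $(eval "echo $@")` re-parses every argument through the shell, so a value containing `$`, backticks or `;` — a hand-edited `TURN_SECRET` in `.env`, for instance — is executed rather than passed through; compose has already expanded `${EXTERNAL_IP}`/`${TURN_SECRET}`, so `exec "$@"` is sufficient unless the eval is kept deliberately to mirror the base image's entrypoint, which I cannot verify from here. The wait loop tests `*latest` while the extraction reads `*%3Alatest`, and with more than one certificate in the store the `[ -f ]` test receives several arguments and both `cat` calls concatenate several JSON documents into one PEM, so selecting a single file explicitly would make this deterministic. The certificate is extracted only once at start, so a renewal by the HTTPS proxy is not picked up until the container restarts — worth stating at the top, e.g. `# NOTE: cert/key are read once at startup; restart coturn after a renewal`. `${1:0:1}` and `==` are bash extensions under `#!/bin/sh`; `case "$1" in -*) set -- turnserver "$@";; esac` is the portable form.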
@@ -0,0 +1,63 @@
+# Example coturn configuration for BigBlueButton
+
+# These are the two network ports used by the TURN server which the client
+# may connect to. We enable the standard unencrypted port 3478 for STUN,
+# as well as port 443 for TURN over TLS, which can bypass firewalls.
+listening-port=3478
+
+# we use the SMTP over TLS Port, since 443 is already used for HTTPS
+tls-listening-port=465
+
+# If the server has multiple IP addresses, you may wish to limit which
+# addresses coturn is using. Do that by setting this option (it can be
+# specified multiple times). The default is to listen on all addresses.
+# You do not normally need to set this option.
+#listening-ip=172.17.19.101
+
+# If the server is behind NAT, you need to specify the external IP address.
+# If there is only one external address, specify it like this:
+#external-ip=172.17.19.120
+# If you have multiple external addresses, you have to specify which
+# internal address each corresponds to, like this. The first address is the
+# external ip, and the second address is the corresponding internal IP.
+#external-ip=172.17.19.131/10.0.0.11
+#external-ip=172.17.18.132/10.0.0.12
+
+# Fingerprints in TURN messages are required for WebRTC
+fingerprint
+
+# The long-term credential mechanism is required for WebRTC
+lt-cred-mech
+
+# Configure coturn to use the "TURN REST API" method for validating time-
+# limited credentials. BigBlueButton will generate credentials in this
+# format. Note that the static-auth-secret value specified here must match
+# the configuration in BigBlueButton's turn-stun-servers.xml
+# You can generate a new random value by running the command:
+# openssl rand -hex 16
+use-auth-secret
+# static-auth-secret=
+
+# If the realm value is unspecified, it defaults to the TURN server hostname.
+# You probably want to configure it to a domain name that you control to
+# improve log output. There is no functional impact.
+realm=example.com
+
+# Configure TLS support.
+# Adjust these paths to match the locations of your certificate files
+cert=/tmp/cert.pem
+pkey=/tmp/key.pem
+# Limit the allowed ciphers to improve security
+# Based on https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
+
+# Enable longer DH TLS key to improve security
+dh2066
+
+# All WebRTC-compatible web browsers support TLS 1.2 or later, so disable
+# older protocols
+no-tlsv1
+no-tlsv1_1
+
+# To enable single filename logs you need to enable the simple-log flag
+syslog
\ No newline at end of file
diff --git a/sample.env b/sample.env
index 4764d2c..d4157b8 100644
--- a/sample.env
+++ b/sample.env
@@ -7,6 +7,10 @@
 # fully automated Lets Encrypt certificates
 ENABLE_HTTPS_PROXY=true
 
+# coturn (a TURN Server)
+# requires HTTPS Proxy to be enabled
+ENABLE_COTURN=true
+
 # Greenlight Frontend
 # https://docs.bigbluebutton.org/greenlight/gl-overview.html
 ENABLE_GREENLIGHT=true
diff --git a/scripts/compose b/scripts/compose
index 2b41314..357df59 100755
--- a/scripts/compose
+++ b/scripts/compose
@@ -15,6 +15,11 @@ COMPOSE_FILES="-f docker-compose.yml"
 if [ "$ENABLE_HTTPS_PROXY" == true ]; then
 COMPOSE_FILES="$COMPOSE_FILES -f docker-compose.https.yml"
 fi
+
+if [ "$ENABLE_COTURN" == true ]; then
+ COMPOSE_FILES="$COMPOSE_FILES -f docker-compose.coturn.yml"
+fi
+
 if [ "$ENABLE_GREENLIGHT" == true ]; then
 COMPOSE_FILES="$COMPOSE_FILES -f docker-compose.greenlight.yml"
 fi
diff --git a/scripts/setup b/scripts/setup
index 9ae72b0..dca0fbf 100755
--- a/scripts/setup
+++ b/scripts/setup
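Review bot: The new `ENABLE_COTURN` branch does not check the `ENABLE_HTTPS_PROXY` dependency that sample.env documents in this same patch, so a `.env` with coturn on and the proxy off still adds docker-compose.coturn.yml, and the coturn entrypoint then waits forever for a certificate that nothing will issue. Checking both flags here, `if [ "$ENABLE_COTURN" == true ] && [ "$ENABLE_HTTPS_PROXY" == true ]; then`, or printing a warning and skipping the file when the proxy is off, enforces the documented constraint in one place instead of relying on the setup script's prompt order.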
@@ -31,6 +31,14 @@ while [[ ! $https_proxy =~ ^(y|n)$ ]]; do
 read -p "Should an automatic HTTPS Proxy be included? (y/n): " https_proxy
 done
 
+coturn=""
+if [ "$https_proxy" == "y" ]
+then
+ while [[ ! $coturn =~ ^(y|n)$ ]]; do
+ read -p "Should a coturn be included? (y/n): " coturn
+ done
+fi
+
 DOMAIN=""
 while [[ -z "$DOMAIN" ]]; do
 read -p "Please enter the domain name: " DOMAIN
@@ -66,6 +74,16 @@ then
 sed -i "s/ENABLE_HTTPS_PROXY.*/#ENABLE_HTTPS_PROXY=true/" .env
 fi
 
+if [ "$coturn" == "y" ]
+then
+ sed -i "s/.*TURN_SERVER=.*/TURN_SERVER=turns:$DOMAIN:465?transport=tcp/" .env
+ TURN_SECRET=$(head /dev/urandom | tr -dc A-Za-f0-9 | head -c 32)
+ sed -i "s/.*TURN_SECRET=.*/TURN_SECRET=$TURN_SECRET/" .env
+ sed -i "s/.*STUN_IP=.*/STUN_IP=$EXTERNAL_IP/" .env
+else
+ sed -i "s/ENABLE_COTURN.*/#ENABLE_COTURN=true/" .env
+fi
+
 # change secrets
 RANDOM_1=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 40)
 RANDOM_2=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 40)
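Review bot: The prompt text `"Should a coturn be included? (y/n): "` reads oddly and gives no hint of what coturn is or why the question only appears after answering `y` to the HTTPS proxy; something like `"Should a coturn TURN server be included? (requires the HTTPS proxy) (y/n): "` matches the tone of the proxy prompt above it. Leaving `coturn` empty when the proxy is declined is fine, since the branch later in this file treats anything but `y` as opting out.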
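Review bot: `tr -dc A-Za-f0-9` on the `TURN_SECRET=` line looks like a slip — the `RANDOM_1`/`RANDOM_2` lines two lines below use `A-Za-z0-9`, and the turnserver.conf comment in this patch suggests `openssl rand -hex 16`; the mixed class still yields roughly 170 bits over 32 characters, so the secret is not weak, but the intent should be pinned, e.g. `TURN_SECRET=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)`. `$DOMAIN` is interpolated unescaped into the `s/.*TURN_SERVER=.*/…/` replacement after only a non-empty check (outside this hunk), so a value containing `/` or `&` breaks or corrupts the substitution; validating it against a hostname pattern before use, or switching to another delimiter such as `s|…|…|`, avoids that. The secret is written into `.env` in clear; if the script does not already restrict that file's mode elsewhere, a `chmod 600 .env` after these edits would be appropriate. `$EXTERNAL_IP` is assumed to be set earlier in the script, which is not visible here.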