add coturn
parent
68fabec9ee
commit
226700ea0a
6 changed files with 127 additions and 3 deletions
|
@ -18,6 +18,10 @@ table inet filter {
|
||||||
# SSH
|
# SSH
|
||||||
tcp dport 995 limit rate 15/minute accept
|
tcp dport 995 limit rate 15/minute accept
|
||||||
|
|
||||||
|
# TURN
|
||||||
|
tcp dport { 3478, 5349 } limit rate 5/second accept
|
||||||
|
udp dport { 3478, 5349, 49152-49200 } limit rate 5/second accept
|
||||||
|
|
||||||
# Allow ICMP
|
# Allow ICMP
|
||||||
meta l4proto icmp limit rate 1/second accept
|
meta l4proto icmp limit rate 1/second accept
|
||||||
meta l4proto ipv6-icmp limit rate 1/second accept
|
meta l4proto ipv6-icmp limit rate 1/second accept
|
||||||
|
|
|
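Review bot: The new `limit rate 5/second accept` rules for tcp and udp 3478/5349 and the udp relay range 49152-49200 apply to every packet, not just to new flows, so relayed media (tens to hundreds of packets per second per stream) will exceed the limit and fall through to whatever the chain does next; the chain policy and any earlier `ct state established,related accept` rule are outside this hunk. If such an established rule exists, restrict the limiter to flow setup, e.g. `udp dport { 3478, 5349, 49152-49200 } ct state new limit rate 5/second accept` and the same `ct state new` on the tcp line; if it does not, the relay range should be accepted without a rate limit, because otherwise the effect is audio/video loss rather than protection. A short comment stating which case applies (`# rate limit only affects new TURN flows; established traffic is accepted above`) would keep the next editor from reintroducing this.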
@ -1,6 +1,8 @@
|
||||||
80/443 -> NGINX reverse proxy
|
80/443 -> NGINX reverse proxy
|
||||||
995 -> SSH
|
995 -> SSH
|
||||||
|
3478 -> coturn
|
||||||
3735 -> Etebase
|
3735 -> Etebase
|
||||||
|
5349 -> coturn
|
||||||
5432 -> Syncthing
|
5432 -> Syncthing
|
||||||
8008 -> Synapse
|
8008 -> Synapse
|
||||||
8080 -> Nextcloud AIO
|
8080 -> Nextcloud AIO
|
||||||
|
@ -11,3 +13,4 @@
|
||||||
8443 -> stdisco
|
8443 -> stdisco
|
||||||
11000 -> Nextcloud
|
11000 -> Nextcloud
|
||||||
22000 -> Syncthing
|
22000 -> Syncthing
|
||||||
|
49152-49200/udp -> coturn
|
||||||
|
|
17
synapse/coturn-docker-entrypoint.sh
Executable file
17
synapse/coturn-docker-entrypoint.sh
Executable file
|
@ -0,0 +1,17 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# If command starts with an option, prepend it with a `turnserver` binary.
|
||||||
|
if [ "${1:0:1}" == '-' ]; then
|
||||||
|
set -- turnserver "$@"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Evaluate each argument separately to avoid mixing them up in a single `eval`.
|
||||||
|
expanded=()
|
||||||
|
for i in "$@"; do
|
||||||
|
expanded+=("$(eval "echo $i")")
|
||||||
|
done
|
||||||
|
|
||||||
|
cp /etc/coturn/server.conf /tmp/turnserver.conf
|
||||||
|
cat /etc/coturn/secret.conf >> /tmp/turnserver.conf
|
||||||
|
|
||||||
|
exec "${expanded[@]}"
|
|
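Review bot: The script has no `set -e`, so if `cp` or the `cat` of `/etc/coturn/secret.conf` fails (for example the host file `../turn-secret.conf` is missing or not readable by uid 1003) turnserver is still exec'd with `use-auth-secret` but no `static-auth-secret`, and the failure only shows up later as TURN authentication errors; adding `set -eo pipefail` after the shebang turns a missing secret into a startup failure (`-u` is not safe here because `"${1:0:1}"` dereferences `$1`, which may be unset). The `eval "echo $i"` loop executes any shell syntax contained in each argument; here the arguments come from the compose `command:` list, so they are trusted, but a comment such as `# eval expands $VARS inside args supplied by docker-compose; this entrypoint must never receive untrusted arguments` would make that contract explicit. Separately, docker-compose sets DETECT_EXTERNAL_IP/DETECT_RELAY_IP(V6) but nothing in this script reads them, so if the image's ENTRYPOINT resolves to this path the detection presumably never runs and coturn gets no `external-ip`; confirm, or set `external-ip` explicitly in turnserver.conf.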
@ -1,4 +1,35 @@
|
||||||
services:
|
services:
|
||||||
|
coturn:
|
||||||
|
container_name: synapse_coturn
|
||||||
|
image: coturn/coturn:alpine
|
||||||
|
restart: always
|
||||||
|
user: '1003:1003'
|
||||||
|
command:
|
||||||
|
- "--log-file=stdout"
|
||||||
|
- "-c"
|
||||||
|
- "/tmp/turnserver.conf"
|
||||||
|
environment:
|
||||||
|
- DETECT_EXTERNAL_IP=yes
|
||||||
|
- DETECT_RELAY_IP=yes
|
||||||
|
- DETECT_EXTERNAL_IPV6=yes
|
||||||
|
- DETECT_RELAY_IPV6=yes
|
||||||
|
ports:
|
||||||
|
- 3478:3478
|
||||||
|
- 3478:3478/udp
|
||||||
|
- 5349:5349
|
||||||
|
- 5349:5349/udp
|
||||||
|
- 49152-49200:49152-49200/udp
|
||||||
|
tmpfs:
|
||||||
|
- /var/lib/coturn
|
||||||
|
volumes:
|
||||||
|
- ./turnserver.conf:/etc/coturn/server.conf
|
||||||
|
- ./coturn-docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
|
||||||
|
# Content of turn-secret.conf:
|
||||||
|
# static-auth-secret=someSecret
|
||||||
|
- ../turn-secret.conf:/etc/coturn/secret.conf
|
||||||
|
- ../turn-cert.pem:/etc/coturn/cert.pem
|
||||||
|
- ../turn-pkey.pem:/etc/coturn/pkey.pem
|
||||||
|
|
||||||
postgres:
|
postgres:
|
||||||
container_name: synapse_postgres
|
container_name: synapse_postgres
|
||||||
image: postgres:alpine
|
image: postgres:alpine
|
||||||
|
@ -20,10 +51,14 @@ services:
|
||||||
# command: generate
|
# command: generate
|
||||||
restart: always
|
restart: always
|
||||||
user: '991:991'
|
user: '991:991'
|
||||||
|
command: >
|
||||||
|
run
|
||||||
|
--config-path=/data/homeserver.yaml
|
||||||
|
--config-path=/data/secret.yaml
|
||||||
environment:
|
environment:
|
||||||
# SYNAPSE_SERVER_NAME: viyurz.fr
|
SYNAPSE_SERVER_NAME: viyurz.fr
|
||||||
# SYNAPSE_REPORT_STATS: "yes"
|
SYNAPSE_REPORT_STATS: "yes"
|
||||||
# SYNAPSE_HTTP_PORT: 8008
|
SYNAPSE_HTTP_PORT: 8008
|
||||||
TZ: "Europe/Paris"
|
TZ: "Europe/Paris"
|
||||||
networks:
|
networks:
|
||||||
- synapse
|
- synapse
|
||||||
|
@ -32,6 +67,9 @@ services:
|
||||||
volumes:
|
volumes:
|
||||||
- /mnt/synapsedata:/data
|
- /mnt/synapsedata:/data
|
||||||
- ./homeserver.yaml:/data/homeserver.yaml
|
- ./homeserver.yaml:/data/homeserver.yaml
|
||||||
|
# Content of turn-secret.yaml:
|
||||||
|
# turn_shared_secret: "someSecret"
|
||||||
|
- ../turn-secret.yaml:/data/secret.yaml
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
synapse:
|
synapse:
|
||||||
|
|
|
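Review bot: The coturn secret, certificate and private-key bind mounts are read-write although nothing in the container needs to write them; append `:ro`, i.e. `- ../turn-secret.conf:/etc/coturn/secret.conf:ro`, `- ../turn-cert.pem:/etc/coturn/cert.pem:ro`, `- ../turn-pkey.pem:/etc/coturn/pkey.pem:ro`, and likewise for `./turnserver.conf`, `./coturn-docker-entrypoint.sh` and the `../turn-secret.yaml:/data/secret.yaml` mount added to the synapse service in the later hunk. `coturn/coturn:alpine` is an unpinned tag (the existing `postgres:alpine` is too), so `restart: always` combined with a pull can silently move the TURN server to a new major version; a version tag or digest makes that upgrade deliberate. With `user: '1003:1003'`, `../turn-pkey.pem` on the host must be readable by that uid, which is worth a comment beside the mount since a root-owned 0600 key will likely leave the TLS listener unable to start.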
@ -65,4 +65,7 @@ url_preview_ip_range_blacklist:
|
||||||
- 'ff00::/8'
|
- 'ff00::/8'
|
||||||
- 'fec0::/10'
|
- 'fec0::/10'
|
||||||
|
|
||||||
|
turn_uris: [ "turn:turn.viyurz.fr?transport=udp", "turn:turn.viyurz.fr?transport=tcp" ]
|
||||||
|
turn_user_lifetime: 86400000
|
||||||
|
turn_allow_guests: true
|
||||||
# vim:ft=yaml
|
# vim:ft=yaml
|
||||||
|
|
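Review bot: `turn_uris` lists only `turn:` URIs even though coturn is configured with a certificate and `tls-listening-port=5349`, and 5349 is both published and opened in the firewall, so clients will never use the TLS transport; adding `"turns:turn.viyurz.fr?transport=tcp"` lets clients on networks that block plain STUN/TURN reach the relay. `turn_allow_guests: true` lets unauthenticated guest users consume relay quota; if that is intentional, a one-line comment saying so avoids it being "fixed" later. `turn_user_lifetime: 86400000` is presumably milliseconds (24h); a comment like `# 24h, in milliseconds` avoids confusion with coturn's seconds-based settings.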
59
synapse/turnserver.conf
Normal file
59
synapse/turnserver.conf
Normal file
|
@ -0,0 +1,59 @@
|
||||||
|
verbose
|
||||||
|
fingerprint
|
||||||
|
|
||||||
|
listening-port=3478
|
||||||
|
tls-listening-port=5349
|
||||||
|
|
||||||
|
use-auth-secret
|
||||||
|
realm=turn.viyurz.fr
|
||||||
|
|
||||||
|
# Lower and upper bounds of the UDP relay endpoints:
|
||||||
|
# (default values are 49152 and 65535)
|
||||||
|
#
|
||||||
|
min-port=49152
|
||||||
|
max-port=49200
|
||||||
|
|
||||||
|
# TLS certificates, including intermediate certs.
|
||||||
|
# For Let's Encrypt certificates, use `fullchain.pem` here.
|
||||||
|
cert=/etc/coturn/cert.pem
|
||||||
|
|
||||||
|
# TLS private key file
|
||||||
|
pkey=/etc/coturn/pkey.pem
|
||||||
|
|
||||||
|
# Do not allow an TLS/DTLS version of protocol
|
||||||
|
#
|
||||||
|
#no-tlsv1
|
||||||
|
#no-tlsv1_1
|
||||||
|
#no-tlsv1_2
|
||||||
|
|
||||||
|
# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
|
||||||
|
no-tcp-relay
|
||||||
|
|
||||||
|
# don't let the relay ever try to connect to private IP address ranges within your network (if any)
|
||||||
|
# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
|
||||||
|
denied-peer-ip=10.0.0.0-10.255.255.255
|
||||||
|
denied-peer-ip=192.168.0.0-192.168.255.255
|
||||||
|
denied-peer-ip=172.16.0.0-172.31.255.255
|
||||||
|
|
||||||
|
# recommended additional local peers to block, to mitigate external access to internal services.
|
||||||
|
# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
|
||||||
|
no-multicast-peers
|
||||||
|
denied-peer-ip=0.0.0.0-0.255.255.255
|
||||||
|
denied-peer-ip=100.64.0.0-100.127.255.255
|
||||||
|
denied-peer-ip=127.0.0.0-127.255.255.255
|
||||||
|
denied-peer-ip=169.254.0.0-169.254.255.255
|
||||||
|
denied-peer-ip=192.0.0.0-192.0.0.255
|
||||||
|
denied-peer-ip=192.0.2.0-192.0.2.255
|
||||||
|
denied-peer-ip=192.88.99.0-192.88.99.255
|
||||||
|
denied-peer-ip=198.18.0.0-198.19.255.255
|
||||||
|
denied-peer-ip=198.51.100.0-198.51.100.255
|
||||||
|
denied-peer-ip=203.0.113.0-203.0.113.255
|
||||||
|
denied-peer-ip=240.0.0.0-255.255.255.255
|
||||||
|
|
||||||
|
# special case the turn server itself so that client->TURN->TURN->client flows work
|
||||||
|
# this should be one of the turn server's listening IPs
|
||||||
|
#allowed-peer-ip=10.0.0.1
|
||||||
|
|
||||||
|
# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
|
||||||
|
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
|
||||||
|
total-quota=1200
|
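Review bot: The `denied-peer-ip` list covers only IPv4 ranges while docker-compose enables DETECT_EXTERNAL_IPV6 and DETECT_RELAY_IPV6, so if an IPv6 relay address is detected the relay can still be pointed at IPv6 loopback, link-local and ULA peers on the host's network; add `denied-peer-ip=::1`, `denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff` and `denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff` next to the IPv4 entries. The `#no-tlsv1` and `#no-tlsv1_1` lines are left commented, so TLS 1.0 and 1.1 remain negotiable on 5349; uncomment both unless a legacy client is known to need them. `#allowed-peer-ip=10.0.0.1` looks like the placeholder from the Synapse TURN example rather than this server's listening IP; either set it to the real address or drop the block so a reader does not assume it is configured.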