add coturn
This commit is contained in:
parent
68fabec9ee
commit
226700ea0a
6 changed files with 127 additions and 3 deletions
|
@ -18,6 +18,10 @@ table inet filter {
|
|||
# SSH
|
||||
tcp dport 995 limit rate 15/minute accept
|
||||
|
||||
# TURN
|
||||
tcp dport { 3478, 5349 } limit rate 5/second accept
|
||||
udp dport { 3478, 5349, 49152-49200 } limit rate 5/second accept
|
||||
|
||||
# Allow ICMP
|
||||
meta l4proto icmp limit rate 1/second accept
|
||||
meta l4proto ipv6-icmp limit rate 1/second accept
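Review bot: The new `udp dport { 3478, 5349, 49152-49200 } limit rate 5/second accept` rule counts every matching packet rather than new flows, so unless an earlier rule in this chain (before line 18, outside the hunk) already accepts `ct state established,related`, relayed media on 49152-49200 is capped at five packets per second and calls will stall. If that earlier accept exists the limit only sees the first packet of each flow and the rate is defensible; otherwise qualify the rule, e.g. `udp dport { 3478, 5349, 49152-49200 } ct state new limit rate 50/second accept`. Either way a comment tying the range to coturn would help the next edit: `# TURN: relay range must match min-port/max-port in synapse/turnserver.conf`.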
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
80/443 -> NGINX reverse proxy
|
||||
995 -> SSH
|
||||
3478 -> coturn
|
||||
3735 -> Etebase
|
||||
5349 -> coturn
|
||||
5432 -> Syncthing
|
||||
8008 -> Synapse
|
||||
8080 -> Nextcloud AIO
|
||||
|
@ -11,3 +13,4 @@
|
|||
8443 -> stdisco
|
||||
11000 -> Nextcloud
|
||||
22000 -> Syncthing
|
||||
49152-49200/udp -> coturn
|
||||
|
|
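--- /dev/null
+++ b/synapse/coturn-docker-entrypoint.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# If command starts with an option, prepend it with a `turnserver` binary.
+if [ "${1:0:1}" == '-' ]; then
+set -- turnserver "$@"
+fi
+
+# Evaluate each argument separately to avoid mixing them up in a single `eval`.
+expanded=()
+for i in "$@"; do
+expanded+=("$(eval "echo $i")")
+done
+
+cp /etc/coturn/server.conf /tmp/turnserver.conf
+cat /etc/coturn/secret.conf >> /tmp/turnserver.conf
+
+exec "${expanded[@]}"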
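Review bot: The script has no `set -e`, so if the `cp /etc/coturn/server.conf` step fails (for example because the bind mount is missing) the following `cat ... >>` still creates `/tmp/turnserver.conf` holding only the shared secret, and `exec` then starts turnserver with a config that lacks the listener settings and the entire `denied-peer-ip` list; add `set -eo pipefail` right after the shebang so startup fails loudly instead. The assembled file carries `static-auth-secret` and is written to `/tmp` with the default umask, which would leave it readable by any other user in the container, so add `umask 077` before the `cp`. `eval "echo $i"` expands shell syntax from every argument, which is only acceptable because the arguments come from the compose file; a comment such as `# NOTE: arguments are eval'd — they must come from the compose file, never from user input` makes that assumption explicit.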
|
@ -1,4 +1,35 @@
|
|||
services:
|
||||
coturn:
|
||||
container_name: synapse_coturn
|
||||
image: coturn/coturn:alpine
|
||||
restart: always
|
||||
user: '1003:1003'
|
||||
command:
|
||||
- "--log-file=stdout"
|
||||
- "-c"
|
||||
- "/tmp/turnserver.conf"
|
||||
environment:
|
||||
- DETECT_EXTERNAL_IP=yes
|
||||
- DETECT_RELAY_IP=yes
|
||||
- DETECT_EXTERNAL_IPV6=yes
|
||||
- DETECT_RELAY_IPV6=yes
|
||||
ports:
|
||||
- 3478:3478
|
||||
- 3478:3478/udp
|
||||
- 5349:5349
|
||||
- 5349:5349/udp
|
||||
- 49152-49200:49152-49200/udp
|
||||
tmpfs:
|
||||
- /var/lib/coturn
|
||||
volumes:
|
||||
- ./turnserver.conf:/etc/coturn/server.conf
|
||||
- ./coturn-docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
|
||||
# Content of turn-secret.conf:
|
||||
# static-auth-secret=someSecret
|
||||
- ../turn-secret.conf:/etc/coturn/secret.conf
|
||||
- ../turn-cert.pem:/etc/coturn/cert.pem
|
||||
- ../turn-pkey.pem:/etc/coturn/pkey.pem
|
||||
|
||||
postgres:
|
||||
container_name: synapse_postgres
|
||||
image: postgres:alpine
|
||||
|
@ -20,10 +51,14 @@ services:
|
|||
# command: generate
|
||||
restart: always
|
||||
user: '991:991'
|
||||
command: >
|
||||
run
|
||||
--config-path=/data/homeserver.yaml
|
||||
--config-path=/data/secret.yaml
|
||||
environment:
|
||||
# SYNAPSE_SERVER_NAME: viyurz.fr
|
||||
# SYNAPSE_REPORT_STATS: "yes"
|
||||
# SYNAPSE_HTTP_PORT: 8008
|
||||
SYNAPSE_SERVER_NAME: viyurz.fr
|
||||
SYNAPSE_REPORT_STATS: "yes"
|
||||
SYNAPSE_HTTP_PORT: 8008
|
||||
TZ: "Europe/Paris"
|
||||
networks:
|
||||
- synapse
|
||||
|
@ -32,6 +67,9 @@ services:
|
|||
volumes:
|
||||
- /mnt/synapsedata:/data
|
||||
- ./homeserver.yaml:/data/homeserver.yaml
|
||||
# Content of turn-secret.yaml:
|
||||
# turn_shared_secret: "someSecret"
|
||||
- ../turn-secret.yaml:/data/secret.yaml
|
||||
|
||||
networks:
|
||||
synapse:
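Review bot: The coturn bind mounts in the new `volumes:` list are read-write, which lets the service running as `1003:1003` overwrite its own entrypoint script, the `static-auth-secret` file and the TLS private key if it is ever compromised; append `:ro` to each, e.g. `- ./coturn-docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro` and `- ../turn-pkey.pem:/etc/coturn/pkey.pem:ro`. The same applies to `- ../turn-secret.yaml:/data/secret.yaml` in the synapse service's hunk, since Synapse only reads it. Nothing needs write access under `/etc/coturn` because the entrypoint copies the config into `/tmp` at startup. The bare `yes` values under `environment:` are safe in list form because they stay strings, but a comment such as `# list form keeps "yes" as a string; do not convert to mapping form` would stop a later reformat from turning them into booleans.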
|
||||
|
|
|
@ -65,4 +65,7 @@ url_preview_ip_range_blacklist:
|
|||
- 'ff00::/8'
|
||||
- 'fec0::/10'
|
||||
|
||||
turn_uris: [ "turn:turn.viyurz.fr?transport=udp", "turn:turn.viyurz.fr?transport=tcp" ]
|
||||
turn_user_lifetime: 86400000
|
||||
turn_allow_guests: true
|
||||
# vim:ft=yaml
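Review bot: `turn_uris` advertises only plain `turn:` URIs, so the TLS listener the commit sets up on 5349 (`tls-listening-port`, `cert` and `pkey` in turnserver.conf, plus the 5349 port mapping in compose) is never offered to clients and the TURN username and allocation metadata stay visible on 3478; if TLS is intended, add `"turns:turn.viyurz.fr?transport=tcp"` to the list. `turn_allow_guests: true` lets guest accounts obtain relay credentials, so relay bandwidth up to `total-quota` is reachable without a registered user; keep it only if guest calling is wanted, and record that with `# guests may relay media; bounded by user-quota/total-quota in turnserver.conf`. `turn_user_lifetime: 86400000` is, as far as I recall Synapse's duration parsing, a bare integer read as milliseconds (one day); a trailing `# ms` comment would prevent it being misread as seconds.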
|
||||
|
|
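--- /dev/null
+++ b/synapse/turnserver.conf
@@ -0,0 +1,59 @@
+verbose
+fingerprint
+
+listening-port=3478
+tls-listening-port=5349
+
+use-auth-secret
+realm=turn.viyurz.fr
+
+# Lower and upper bounds of the UDP relay endpoints:
+# (default values are 49152 and 65535)
+#
+min-port=49152
+max-port=49200
+
+# TLS certificates, including intermediate certs.
+# For Let's Encrypt certificates, use `fullchain.pem` here.
+cert=/etc/coturn/cert.pem
+
+# TLS private key file
+pkey=/etc/coturn/pkey.pem
+
+# Do not allow an TLS/DTLS version of protocol
+#
+#no-tlsv1
+#no-tlsv1_1
+#no-tlsv1_2
+
+# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
+no-tcp-relay
+
+# don't let the relay ever try to connect to private IP address ranges within your network (if any)
+# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+
+# recommended additional local peers to block, to mitigate external access to internal services.
+# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+
+# special case the turn server itself so that client->TURN->TURN->client flows work
+# this should be one of the turn server's listening IPs
+#allowed-peer-ip=10.0.0.1
+
+# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
+user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
+total-quota=1200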
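Review bot: The `denied-peer-ip` list is IPv4-only, while the compose service enables `DETECT_EXTERNAL_IPV6` and `DETECT_RELAY_IPV6`, so once the relay has an IPv6 address a client can still have it open relay sessions toward `::1`, unique-local and link-local peers — the same internal-service exposure the rtcsec link in the comment describes; the Synapse TURN guide these comments appear to be taken from also lists IPv6 ranges in this section, so add them after the IPv4 block. The `#no-tlsv1` and `#no-tlsv1_1` lines are left commented out, so the 5349 listener will still negotiate TLS 1.0/1.1; enabling at least those two costs nothing with current clients. `verbose` is useful for bring-up but makes the `--log-file=stdout` output noisy in steady state; consider dropping it once the deployment is validated.
```ini
# … unchanged: IPv4 denied-peer-ip list …
# IPv6 equivalents of the private/loopback/link-local ranges above
denied-peer-ip=::1
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
```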