From 7056cc80df9cf1e1bb4d53d10eac9546b1d40a69 Mon Sep 17 00:00:00 2001 From: Viyurz <128215328+Viyurz@users.noreply.github.com> Date: Thu, 15 Feb 2024 11:24:39 +0100 Subject: [PATCH] Update for Coturn rootless (changed to slirp4netns driver). --- coturn/docker-compose.yaml | 7 +++++- coturn/turnserver.conf | 40 +++++++++++++++++++---------------- element/docker-compose.yaml | 2 +- etebase/docker-compose.yaml | 2 +- nc/docker-compose.yaml | 2 +- nftables.conf | 2 +- nginx-www/docker-compose.yaml | 2 +- searxng/docker-compose.yaml | 2 +- synapse/docker-compose.yaml | 2 +- synapse/homeserver.yaml | 2 +- syncthing/docker-compose.yaml | 4 ++-- vw/docker-compose.yaml | 2 +- 12 files changed, 39 insertions(+), 30 deletions(-) diff --git a/coturn/docker-compose.yaml b/coturn/docker-compose.yaml index ea4bf0d..0e38058 100644 --- a/coturn/docker-compose.yaml +++ b/coturn/docker-compose.yaml @@ -4,11 +4,16 @@ services: image: coturn/coturn:alpine restart: always user: '666:666' - network_mode: host command: - "--log-file=stdout" - "-c" - "/tmp/turnserver.conf" + ports: + - 3478:3478 + - 3478:3478/udp + - 5349:5349 + - 5349:5349/udp + - 49152-49172:49152-49172/udp tmpfs: - /var/lib/coturn volumes: diff --git a/coturn/turnserver.conf b/coturn/turnserver.conf index d8710d4..64ce8ec 100644 --- a/coturn/turnserver.conf +++ b/coturn/turnserver.conf @@ -1,14 +1,19 @@ -#verbose -fingerprint - -use-auth-secret -realm=turn.viyurz.fr +# Required behind NAT +external-ip=167.235.49.84 +#external-ip=2a01:4f8:c0c:a25a::1 # Lower and upper bounds of the UDP relay endpoints: # (default values are 49152 and 65535) -# min-port=49152 -max-port=49652 +max-port=49172 + +#verbose +fingerprint + +# Credentials in secrets.conf (static-auth-secret) +use-auth-secret + +realm=turn.viyurz.fr # TLS certificates, including intermediate certs. # For Let's Encrypt certificates, use `fullchain.pem` here. 
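Review bot: The relay mapping `49152-49172:49152-49172/udp` publishes only 21 ports, and each TURN allocation takes one relay port, so the server caps out at 21 concurrent allocations (roughly five calls at the four streams per call turnserver.conf assumes) long before the `total-quota=1200` in turnserver.conf is reached; that limit should be written down, e.g. `# 21 relay ports = 21 concurrent allocations (~5 calls); widen together with max-port in turnserver.conf and nftables.conf`. Publishing ports from a rootless daemon also means coturn only sees real client addresses when the rootlesskit port driver propagates them — the commit title says slirp4netns, and with the builtin driver coturn would presumably report the gateway as the mapped address and break ICE — so a comment on the `ports:` block naming that requirement would save the next person a debugging session. Quoting the mappings (`"3478:3478"`) keeps the style the removed `[::1]` lines elsewhere in this commit used.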
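Review bot: `max-port=49172` is one of three copies of the relay range in this commit (the `/udp` mapping in coturn/docker-compose.yaml and the accept rule in nftables.conf are the others) and nothing in the file says so; a reader widening one of them will strand relay ports the container never publishes or the firewall never passes. Add `# Must match the UDP relay range published in docker-compose.yaml and allowed in nftables.conf` above it, and note on `external-ip=167.235.49.84` that this is the host's public address, since it is the value the peer deny list further down the file has to take into account.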
@@ -18,20 +23,27 @@ cert=/etc/coturn/cert.pem pkey=/etc/coturn/pkey.pem # Do not allow an TLS/DTLS version of protocol -# no-tlsv1 no-tlsv1_1 -#no-tlsv1_2 + +# Disable RFC5780 (NAT behavior discovery). +no-rfc5780 +no-stun-backward-compatibility +response-origin-only-with-rfc5780 +no-cli # VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay. no-tcp-relay +# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS. +user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user. +total-quota=1200 + # don't let the relay ever try to connect to private IP address ranges within your network (if any) # given the turn server is likely behind your firewall, remember to include any privileged public IPs too. denied-peer-ip=10.0.0.0-10.255.255.255 denied-peer-ip=192.168.0.0-192.168.255.255 denied-peer-ip=172.16.0.0-172.31.255.255 - # recommended additional local peers to block, to mitigate external access to internal services. # https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability no-multicast-peers @@ -54,11 +66,3 @@ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff - -# special case the turn server itself so that client->TURN->TURN->client flows work -# this should be one of the turn server's listening IPs -#allowed-peer-ip=10.0.0.1 - -# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS. -user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user. -total-quota=1200 diff --git a/element/docker-compose.yaml b/element/docker-compose.yaml index 603ca9d..4f60b70 100644 
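Review bot: The `denied-peer-ip` entries still cover only the private ranges, although the commit introduces `external-ip=167.235.49.84` (the host's own public address) in the hunk above and this block's own comment says to include any privileged public IPs. A client holding TURN credentials — and `turn_allow_guests: true` in homeserver.yaml hands them to guests — can therefore request peers on 167.235.49.84, and from inside the slirp4netns network that traffic presumably reaches the host's services, including the ports this commit rebinds from `[::1]` to all interfaces, without passing the nftables input rules an outside attacker would hit. Add `denied-peer-ip=167.235.49.84` next to the existing entries; the allow/deny lists are per address, not per port, so if relayed-to-relayed calls through the same server are required, the trade-off the removed `allowed-peer-ip` comment described has to be made explicitly rather than left open. Separately, `user-quota=12` against a 21-port relay range (`max-port=49172`) lets two users exhaust the whole pool, so either lower it (`user-quota=8`) or widen the range.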
--- a/element/docker-compose.yaml
+++ b/element/docker-compose.yaml
@@ -4,6 +4,6 @@ services:
 image: vectorim/element-web:latest
 restart: always
 ports:
- - "[::1]:8084:80"
+ - 8084:80
 volumes:
 - ./config.json:/app/config.json
diff --git a/etebase/docker-compose.yaml b/etebase/docker-compose.yaml
index 74be5b6..7e37640 100644
--- a/etebase/docker-compose.yaml
+++ b/etebase/docker-compose.yaml
@@ -10,6 +10,6 @@ services:
 SUPER_USER: v444599a8zJUBud60fu9uk9Vo3xXHinp
 AUTO_UPDATE: 'true'
 ports:
- - "[::1]:3735:3735"
+ - 3735:3735
 volumes:
 - /mnt/etebasedata:/data
diff --git a/nc/docker-compose.yaml b/nc/docker-compose.yaml
index a9ab8b8..d618e35 100644
--- a/nc/docker-compose.yaml
+++ b/nc/docker-compose.yaml
@@ -9,7 +9,7 @@ services:
 - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
 - WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock
 ports:
- - "[::1]:8080:8080"
+ - 8080:8080
 volumes:
 - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
 - $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
diff --git a/nftables.conf b/nftables.conf
index 2e686ae..a211706 100755
--- a/nftables.conf
+++ b/nftables.conf
@@ -20,7 +20,7 @@ table inet filter {
 # TURN
 tcp dport { 3478, 5349 } limit rate 5/second accept
- udp dport { 3478, 5349, 49152-49652 } limit rate 5/second accept
+ udp dport { 3478, 5349, 49152-49172 } limit rate 5/second accept
 # Allow ICMP
 meta l4proto icmp limit rate 1/second accept
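Review bot: `8084:80` publishes Element on every host address where `"[::1]:8084:80"` kept it reachable only through the reverse proxy on the IPv6 loopback, so TLS, access rules and rate limits applied by that proxy can now be bypassed from any network the host firewall lets in; the same regression repeats for every `[::1]:` binding this commit removes. If the motivation is that the slirp4netns port driver does not handle IPv6 binds (which would explain the change), keep the restriction on IPv4 instead: `- "127.0.0.1:8084:80"` with the proxy upstream pointed at 127.0.0.1. Keeping the mapping quoted is also the form Compose documents and matches the lines being removed.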
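Review bot: Port 8080 here belongs to the Nextcloud AIO mastercontainer, which mounts `$XDG_RUNTIME_DIR/docker.sock` (context line below the change), so its admin interface is the most sensitive endpoint this commit moves from `[::1]` to all host addresses: anyone who reaches 8080 and its login reaches the container that controls the rest of the stack. Use `- "127.0.0.1:8080:8080"` if the IPv6 loopback bind was the only obstacle with the new port driver, and otherwise make sure nftables.conf drops inbound 8080.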
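Review bot: `limit rate 5/second` on the new `udp dport { 3478, 5349, 49152-49172 }` rule is a single global token bucket (default burst 5 packets) shared by every client, so once relayed media flows through 49152-49172 this rule would drop most RTP unless an earlier `ct state established,related accept` rule, outside this hunk, takes over after the first packet of each flow; if there is no such rule, the limiter needs to go, or be scoped to new STUN/TURN requests only (`udp dport { 3478, 5349 } ct state new limit rate 5/second accept`) with a plain accept for the relay range. The range is also the third copy of 49152-49172 in this commit (coturn/docker-compose.yaml, turnserver.conf); a `define turn_relay_ports = 49152-49172` at the top of the file with a comment naming the other two files would make the coupling visible.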
diff --git a/nginx-www/docker-compose.yaml b/nginx-www/docker-compose.yaml
index b0e425f..251e859 100644
--- a/nginx-www/docker-compose.yaml
+++ b/nginx-www/docker-compose.yaml
@@ -5,7 +5,7 @@ services:
 container_name: nginx-www
 user: '101:101'
 ports:
- - "[::1]:8082:80"
+ - 8082:80
 volumes:
 - ./nginx.conf:/etc/nginx/nginx.conf
 - ./index:/mnt/index
diff --git a/searxng/docker-compose.yaml b/searxng/docker-compose.yaml
index cfccf04..d5e2d30 100644
--- a/searxng/docker-compose.yaml
+++ b/searxng/docker-compose.yaml
@@ -26,7 +26,7 @@ services:
 networks:
 - searxng
 ports:
- - "[::1]:8083:8080"
+ - 8083:8080
 volumes:
 - ./settings.yml:/etc/searxng/settings.yml
 - ./limiter.toml:/etc/searxng/limiter.toml
diff --git a/synapse/docker-compose.yaml b/synapse/docker-compose.yaml
index aaff099..d0419b1 100644
--- a/synapse/docker-compose.yaml
+++ b/synapse/docker-compose.yaml
@@ -32,7 +32,7 @@ services:
 networks:
 - synapse
 ports:
- - "[::1]:8008:8008"
+ - 8008:8008
 volumes:
 - /mnt/synapsedata:/data
 - ./homeserver.yaml:/data/homeserver.yaml
diff --git a/synapse/homeserver.yaml b/synapse/homeserver.yaml
index 6d53978..8e40326 100644
--- a/synapse/homeserver.yaml
+++ b/synapse/homeserver.yaml
@@ -70,7 +70,7 @@ url_preview_accept_language:
 # TURN
-turn_uris: ["turn:turns.viyurz.fr?transport=udp", "turn:turns.viyurz.fr?transport=tcp"]
+turn_uris: ["turn:turn.viyurz.fr?transport=udp", "turn:turn.viyurz.fr?transport=tcp"]
 turn_user_lifetime: 86400000
 turn_allow_guests: true
diff --git a/syncthing/docker-compose.yaml b/syncthing/docker-compose.yaml
index 6237618..5017562 100644
--- a/syncthing/docker-compose.yaml
+++ b/syncthing/docker-compose.yaml
@@ -8,7 +8,7 @@ services:
 - PUID=1001
 - PGID=1001
 ports:
- - "[::1]:8384:8384" # Web UI
+ - 8384:8384 # Web UI
 - 22000:22000/tcp # TCP file transfers
 - 22000:22000/udp # QUIC file transfers
 - 5432:22000/tcp
@@ -30,7 +30,7 @@ services:
 networks:
 - disco
 ports:
- - "[::1]:8443:8443"
+ - 8443:8443
 networks:
 disco:
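Review bot: `8008:8008` exposes Synapse's plaintext client/federation listener on every host address, whereas `"[::1]:8008:8008"` forced all traffic through the TLS reverse proxy; logins and access tokens could now be sent over HTTP to 8008 directly if the firewall does not block it. `- "127.0.0.1:8008:8008"` keeps the loopback-only property without relying on IPv6 support in the port driver.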
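Review bot: `turn_uris` still advertises only plain `turn:` on UDP and TCP, while this commit publishes 5349 (TCP and UDP) and turnserver.conf carries `cert=`/`pkey=`, so the TLS listener is configured but no client is ever told to use it. Appending `"turns:turn.viyurz.fr?transport=tcp"` to the list lets clients on networks that only pass TLS reach the relay, provided the certificate covers `turn.viyurz.fr` (the realm in turnserver.conf suggests it does). Note `turn_allow_guests: true` (context) means guest accounts receive relay credentials too, which matters when sizing coturn's `user-quota`/`total-quota`.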
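Review bot: `8384:8384 # Web UI` publishes the Syncthing GUI on all host addresses; unlike the 22000 transfer ports in this hunk, the GUI can add devices and shared folders and is only password-protected if that has been configured, which this compose file does not show. Keep it local with `- "127.0.0.1:8384:8384" # Web UI` behind the reverse proxy, or confirm nftables.conf drops 8384 from outside.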
diff --git a/vw/docker-compose.yaml b/vw/docker-compose.yaml
index 0dfdd2c..e1d5c3c 100644
--- a/vw/docker-compose.yaml
+++ b/vw/docker-compose.yaml
@@ -9,6 +9,6 @@ services:
 - SIGNUPS_ALLOWED=false
 - INVITATIONS_ALLOWED=false
 ports:
- - "[::1]:8081:80"
+ - 8081:80
 volumes:
 - /mnt/vwdata:/data
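Review bot: Vaultwarden's web vault is served on plain HTTP on port 80 of the container and is designed to sit behind a TLS terminator; publishing it as `8081:80` on every host address makes it reachable without TLS wherever the firewall does not drop 8081, and the Bitwarden web vault generally refuses to work without HTTPS, so direct access is both unsafe and broken. Bind it to `- "127.0.0.1:8081:80"` and keep the reverse proxy as the only path.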