Update for Coturn rootless (changed to slirp4netns driver).

This commit is contained in:
Viyurz 2024-02-15 11:24:39 +01:00
parent e96bcc0904
commit 7056cc80df
12 changed files with 39 additions and 30 deletions

View file

@ -4,11 +4,16 @@ services:
image: coturn/coturn:alpine image: coturn/coturn:alpine
restart: always restart: always
user: '666:666' user: '666:666'
network_mode: host
command: command:
- "--log-file=stdout" - "--log-file=stdout"
- "-c" - "-c"
- "/tmp/turnserver.conf" - "/tmp/turnserver.conf"
ports:
- 3478:3478
- 3478:3478/udp
- 5349:5349
- 5349:5349/udp
- 49152-49172:49152-49172/udp
tmpfs: tmpfs:
- /var/lib/coturn - /var/lib/coturn
volumes: volumes:

View file

@ -1,14 +1,19 @@
#verbose # Required behind NAT
fingerprint external-ip=167.235.49.84
#external-ip=2a01:4f8:c0c:a25a::1
use-auth-secret
realm=turn.viyurz.fr
# Lower and upper bounds of the UDP relay endpoints: # Lower and upper bounds of the UDP relay endpoints:
# (default values are 49152 and 65535) # (default values are 49152 and 65535)
#
min-port=49152 min-port=49152
max-port=49652 max-port=49172
#verbose
fingerprint
# Credentials in secrets.conf (static-auth-secret)
use-auth-secret
realm=turn.viyurz.fr
# TLS certificates, including intermediate certs. # TLS certificates, including intermediate certs.
# For Let's Encrypt certificates, use `fullchain.pem` here. # For Let's Encrypt certificates, use `fullchain.pem` here.
@ -18,20 +23,27 @@ cert=/etc/coturn/cert.pem
pkey=/etc/coturn/pkey.pem pkey=/etc/coturn/pkey.pem
# Do not allow an TLS/DTLS version of protocol # Do not allow an TLS/DTLS version of protocol
#
no-tlsv1 no-tlsv1
no-tlsv1_1 no-tlsv1_1
#no-tlsv1_2
# Disable RFC5780 (NAT behavior discovery).
no-rfc5780
no-stun-backward-compatibility
response-origin-only-with-rfc5780
no-cli
# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay. # VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
no-tcp-relay no-tcp-relay
# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
total-quota=1200
# don't let the relay ever try to connect to private IP address ranges within your network (if any) # don't let the relay ever try to connect to private IP address ranges within your network (if any)
# given the turn server is likely behind your firewall, remember to include any privileged public IPs too. # given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
denied-peer-ip=10.0.0.0-10.255.255.255 denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255 denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255 denied-peer-ip=172.16.0.0-172.31.255.255
# recommended additional local peers to block, to mitigate external access to internal services. # recommended additional local peers to block, to mitigate external access to internal services.
# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability # https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
no-multicast-peers no-multicast-peers
@ -54,11 +66,3 @@ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# special case the turn server itself so that client->TURN->TURN->client flows work
# this should be one of the turn server's listening IPs
#allowed-peer-ip=10.0.0.1
# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
total-quota=1200

View file

@ -4,6 +4,6 @@ services:
image: vectorim/element-web:latest image: vectorim/element-web:latest
restart: always restart: always
ports: ports:
- "[::1]:8084:80" - 8084:80
volumes: volumes:
- ./config.json:/app/config.json - ./config.json:/app/config.json

View file

@ -10,6 +10,6 @@ services:
SUPER_USER: v444599a8zJUBud60fu9uk9Vo3xXHinp SUPER_USER: v444599a8zJUBud60fu9uk9Vo3xXHinp
AUTO_UPDATE: 'true' AUTO_UPDATE: 'true'
ports: ports:
- "[::1]:3735:3735" - 3735:3735
volumes: volumes:
- /mnt/etebasedata:/data - /mnt/etebasedata:/data

View file

@ -9,7 +9,7 @@ services:
- NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
- WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock - WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock
ports: ports:
- "[::1]:8080:8080" - 8080:8080
volumes: volumes:
- nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
- $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'! - $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!

View file

@ -20,7 +20,7 @@ table inet filter {
# TURN # TURN
tcp dport { 3478, 5349 } limit rate 5/second accept tcp dport { 3478, 5349 } limit rate 5/second accept
udp dport { 3478, 5349, 49152-49652 } limit rate 5/second accept udp dport { 3478, 5349, 49152-49172 } limit rate 5/second accept
# Allow ICMP # Allow ICMP
meta l4proto icmp limit rate 1/second accept meta l4proto icmp limit rate 1/second accept

View file

@ -5,7 +5,7 @@ services:
container_name: nginx-www container_name: nginx-www
user: '101:101' user: '101:101'
ports: ports:
- "[::1]:8082:80" - 8082:80
volumes: volumes:
- ./nginx.conf:/etc/nginx/nginx.conf - ./nginx.conf:/etc/nginx/nginx.conf
- ./index:/mnt/index - ./index:/mnt/index

View file

@ -26,7 +26,7 @@ services:
networks: networks:
- searxng - searxng
ports: ports:
- "[::1]:8083:8080" - 8083:8080
volumes: volumes:
- ./settings.yml:/etc/searxng/settings.yml - ./settings.yml:/etc/searxng/settings.yml
- ./limiter.toml:/etc/searxng/limiter.toml - ./limiter.toml:/etc/searxng/limiter.toml

View file

@ -32,7 +32,7 @@ services:
networks: networks:
- synapse - synapse
ports: ports:
- "[::1]:8008:8008" - 8008:8008
volumes: volumes:
- /mnt/synapsedata:/data - /mnt/synapsedata:/data
- ./homeserver.yaml:/data/homeserver.yaml - ./homeserver.yaml:/data/homeserver.yaml

View file

@ -70,7 +70,7 @@ url_preview_accept_language:
# TURN # TURN
turn_uris: ["turn:turns.viyurz.fr?transport=udp", "turn:turns.viyurz.fr?transport=tcp"] turn_uris: ["turn:turn.viyurz.fr?transport=udp", "turn:turn.viyurz.fr?transport=tcp"]
turn_user_lifetime: 86400000 turn_user_lifetime: 86400000
turn_allow_guests: true turn_allow_guests: true

View file

@ -8,7 +8,7 @@ services:
- PUID=1001 - PUID=1001
- PGID=1001 - PGID=1001
ports: ports:
- "[::1]:8384:8384" # Web UI - 8384:8384 # Web UI
- 22000:22000/tcp # TCP file transfers - 22000:22000/tcp # TCP file transfers
- 22000:22000/udp # QUIC file transfers - 22000:22000/udp # QUIC file transfers
- 5432:22000/tcp - 5432:22000/tcp
@ -30,7 +30,7 @@ services:
networks: networks:
- disco - disco
ports: ports:
- "[::1]:8443:8443" - 8443:8443
networks: networks:
disco: disco:

View file

@ -9,6 +9,6 @@ services:
- SIGNUPS_ALLOWED=false - SIGNUPS_ALLOWED=false
- INVITATIONS_ALLOWED=false - INVITATIONS_ALLOWED=false
ports: ports:
- "[::1]:8081:80" - 8081:80
volumes: volumes:
- /mnt/vwdata:/data - /mnt/vwdata:/data