Update for Coturn rootless (changed to slirp4netns driver).
This commit is contained in:
parent
e96bcc0904
commit
7056cc80df
12 changed files with 39 additions and 30 deletions
|
@ -4,11 +4,16 @@ services:
|
||||||
image: coturn/coturn:alpine
|
image: coturn/coturn:alpine
|
||||||
restart: always
|
restart: always
|
||||||
user: '666:666'
|
user: '666:666'
|
||||||
network_mode: host
|
|
||||||
command:
|
command:
|
||||||
- "--log-file=stdout"
|
- "--log-file=stdout"
|
||||||
- "-c"
|
- "-c"
|
||||||
- "/tmp/turnserver.conf"
|
- "/tmp/turnserver.conf"
|
||||||
|
ports:
|
||||||
|
- 3478:3478
|
||||||
|
- 3478:3478/udp
|
||||||
|
- 5349:5349
|
||||||
|
- 5349:5349/udp
|
||||||
|
- 49152-49172:49152-49172/udp
|
||||||
tmpfs:
|
tmpfs:
|
||||||
- /var/lib/coturn
|
- /var/lib/coturn
|
||||||
volumes:
|
volumes:
|
||||||
|
|
|
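Review bot: The published relay range `49152-49172` is only 21 UDP ports, so coturn can hold at most about 21 concurrent allocations (roughly 5 calls by the conf's own 4-streams-per-call arithmetic) before further allocations fail; the `total-quota=1200` / `user-quota=12` in turnserver.conf are therefore not the effective ceiling, and a single credentialed user can pin 12 of the 21. Presumably the range was cut from 49652 because each forwarded port is a separate slirp4netns forwarder, which is a reasonable trade-off, but then total-quota should reflect the real capacity and the limit should be stated next to the ports line, e.g. `- 49152-49172:49152-49172/udp  # relay ports; keep in sync with min/max-port and nftables; 21 ports ≈ 5 calls`. Otherwise widen the range, consistently in all three places that now hard-code it (compose, turnserver.conf, nftables).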
@ -1,14 +1,19 @@
|
||||||
#verbose
|
# Required behind NAT
|
||||||
fingerprint
|
external-ip=167.235.49.84
|
||||||
|
#external-ip=2a01:4f8:c0c:a25a::1
|
||||||
use-auth-secret
|
|
||||||
realm=turn.viyurz.fr
|
|
||||||
|
|
||||||
# Lower and upper bounds of the UDP relay endpoints:
|
# Lower and upper bounds of the UDP relay endpoints:
|
||||||
# (default values are 49152 and 65535)
|
# (default values are 49152 and 65535)
|
||||||
#
|
|
||||||
min-port=49152
|
min-port=49152
|
||||||
max-port=49652
|
max-port=49172
|
||||||
|
|
||||||
|
#verbose
|
||||||
|
fingerprint
|
||||||
|
|
||||||
|
# Credentials in secrets.conf (static-auth-secret)
|
||||||
|
use-auth-secret
|
||||||
|
|
||||||
|
realm=turn.viyurz.fr
|
||||||
|
|
||||||
# TLS certificates, including intermediate certs.
|
# TLS certificates, including intermediate certs.
|
||||||
# For Let's Encrypt certificates, use `fullchain.pem` here.
|
# For Let's Encrypt certificates, use `fullchain.pem` here.
|
||||||
|
@ -18,20 +23,27 @@ cert=/etc/coturn/cert.pem
|
||||||
pkey=/etc/coturn/pkey.pem
|
pkey=/etc/coturn/pkey.pem
|
||||||
|
|
||||||
# Do not allow an TLS/DTLS version of protocol
|
# Do not allow an TLS/DTLS version of protocol
|
||||||
#
|
|
||||||
no-tlsv1
|
no-tlsv1
|
||||||
no-tlsv1_1
|
no-tlsv1_1
|
||||||
#no-tlsv1_2
|
|
||||||
|
# Disable RFC5780 (NAT behavior discovery).
|
||||||
|
no-rfc5780
|
||||||
|
no-stun-backward-compatibility
|
||||||
|
response-origin-only-with-rfc5780
|
||||||
|
no-cli
|
||||||
|
|
||||||
# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
|
# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
|
||||||
no-tcp-relay
|
no-tcp-relay
|
||||||
|
|
||||||
|
# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
|
||||||
|
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
|
||||||
|
total-quota=1200
|
||||||
|
|
||||||
# don't let the relay ever try to connect to private IP address ranges within your network (if any)
|
# don't let the relay ever try to connect to private IP address ranges within your network (if any)
|
||||||
# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
|
# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
|
||||||
denied-peer-ip=10.0.0.0-10.255.255.255
|
denied-peer-ip=10.0.0.0-10.255.255.255
|
||||||
denied-peer-ip=192.168.0.0-192.168.255.255
|
denied-peer-ip=192.168.0.0-192.168.255.255
|
||||||
denied-peer-ip=172.16.0.0-172.31.255.255
|
denied-peer-ip=172.16.0.0-172.31.255.255
|
||||||
|
|
||||||
# recommended additional local peers to block, to mitigate external access to internal services.
|
# recommended additional local peers to block, to mitigate external access to internal services.
|
||||||
# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
|
# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
|
||||||
no-multicast-peers
|
no-multicast-peers
|
||||||
|
@ -54,11 +66,3 @@ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||||
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||||
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||||
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||||
|
|
||||||
# special case the turn server itself so that client->TURN->TURN->client flows work
|
|
||||||
# this should be one of the turn server's listening IPs
|
|
||||||
#allowed-peer-ip=10.0.0.1
|
|
||||||
|
|
||||||
# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
|
|
||||||
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
|
|
||||||
total-quota=1200
|
|
||||||
|
|
|
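Review bot: The relay can reach the host's own address: `external-ip=167.235.49.84` is not among the `denied-peer-ip` entries shown, and the same commit moves every other service from `[::1]` to all interfaces, so a client holding TURN credentials (Synapse hands them to guests per `turn_allow_guests: true`) can CreatePermission towards 167.235.49.84:8080/8008/8081 and so on — the open-relay case the linked rtcsec article describes; the denied-peer-ip list continues outside the hunk, so skip this if it is already covered there. If those ports must stay published, add `denied-peer-ip=167.235.49.84` (and the IPv6 address whenever the commented `external-ip` line is enabled), accepting that client→TURN→TURN→client flows through this single relay are then refused — the removed `allowed-peer-ip` comment documented exactly that trade-off, and it deserves a comment in the new file too. The cleaner fix is to keep the web ports on loopback or drop them in nftables so there is nothing on the public address for the relay to hit.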
@ -4,6 +4,6 @@ services:
|
||||||
image: vectorim/element-web:latest
|
image: vectorim/element-web:latest
|
||||||
restart: always
|
restart: always
|
||||||
ports:
|
ports:
|
||||||
- "[::1]:8084:80"
|
- 8084:80
|
||||||
volumes:
|
volumes:
|
||||||
- ./config.json:/app/config.json
|
- ./config.json:/app/config.json
|
||||||
|
|
|
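Review bot: `8084:80` now listens on every host address, including the public one, whereas `[::1]:8084:80` kept Element reachable only through the reverse proxy on the same host — anything enforced at the proxy (TLS, security headers) can now be bypassed by hitting :8084 directly unless nftables drops it. If the bind address was dropped because the slirp4netns port forwarder could not bind the IPv6 loopback, `127.0.0.1:8084:80` is worth trying before falling back to all interfaces, with the proxy upstream pointed at 127.0.0.1; otherwise add a comment on the line stating that the firewall is what keeps this port private.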
@ -10,6 +10,6 @@ services:
|
||||||
SUPER_USER: v444599a8zJUBud60fu9uk9Vo3xXHinp
|
SUPER_USER: v444599a8zJUBud60fu9uk9Vo3xXHinp
|
||||||
AUTO_UPDATE: 'true'
|
AUTO_UPDATE: 'true'
|
||||||
ports:
|
ports:
|
||||||
- "[::1]:3735:3735"
|
- 3735:3735
|
||||||
volumes:
|
volumes:
|
||||||
- /mnt/etebasedata:/data
|
- /mnt/etebasedata:/data
|
||||||
|
|
|
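Review bot: `3735:3735` exposes the Etebase API on all host addresses (the old `[::1]` binding limited it to the local reverse proxy), so it is reachable over plain HTTP on the public IP unless the host firewall drops it — verify the nftables input policy covers it, or bind to `127.0.0.1:3735:3735` if only the IPv6 loopback is unsupported by the rootless port forwarder. The intent should be recorded on the line, e.g. `- 3735:3735  # all interfaces: rootless port driver; public access blocked by nftables`.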
@ -9,7 +9,7 @@ services:
|
||||||
- NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
|
- NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
|
||||||
- WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock
|
- WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock
|
||||||
ports:
|
ports:
|
||||||
- "[::1]:8080:8080"
|
- 8080:8080
|
||||||
volumes:
|
volumes:
|
||||||
- nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
|
- nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
|
||||||
- $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
|
- $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
|
||||||
|
|
|
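Review bot: Port 8080 here is the AIO mastercontainer's admin interface — the container that also gets the rootless Docker socket mounted at /var/run/docker.sock — and `8080:8080` now binds it on all host addresses instead of `[::1]`, so it is guarded by the AIO passphrase alone and only the host firewall keeps it off the public IP. Prefer `127.0.0.1:8080:8080` if the forwarder accepts IPv4 loopback, or document on the line that nftables is expected to drop inbound 8080.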
@ -20,7 +20,7 @@ table inet filter {
|
||||||
|
|
||||||
# TURN
|
# TURN
|
||||||
tcp dport { 3478, 5349 } limit rate 5/second accept
|
tcp dport { 3478, 5349 } limit rate 5/second accept
|
||||||
udp dport { 3478, 5349, 49152-49652 } limit rate 5/second accept
|
udp dport { 3478, 5349, 49152-49172 } limit rate 5/second accept
|
||||||
|
|
||||||
# Allow ICMP
|
# Allow ICMP
|
||||||
meta l4proto icmp limit rate 1/second accept
|
meta l4proto icmp limit rate 1/second accept
|
||||||
|
|
|
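Review bot: The UDP range now matches `max-port=49172`, but with this commit this table becomes the only thing keeping the other published ports (8008, 8080, 8081, 8082, 8083, 8084, 8384, 3735, 8443) off the public address, since they were all moved from `[::1]` to all interfaces; the visible rules accept only TURN and ICMP, so confirm the input chain — its definition and `policy` are outside the hunk — is `policy drop` with no broad accept that would admit them. Unlike rootful Docker, rootless port forwarding is a host-side userspace listener, so these rules do apply to it, which is worth stating in a comment so a later switch to rootful does not silently bypass them. The relay range is now repeated in three files; `define turn_relay_ports = 49152-49172` at the top of this file, with a comment naming the compose file and turnserver.conf, would at least make the duplication explicit.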
@ -5,7 +5,7 @@ services:
|
||||||
container_name: nginx-www
|
container_name: nginx-www
|
||||||
user: '101:101'
|
user: '101:101'
|
||||||
ports:
|
ports:
|
||||||
- "[::1]:8082:80"
|
- 8082:80
|
||||||
volumes:
|
volumes:
|
||||||
- ./nginx.conf:/etc/nginx/nginx.conf
|
- ./nginx.conf:/etc/nginx/nginx.conf
|
||||||
- ./index:/mnt/index
|
- ./index:/mnt/index
|
||||||
|
|
|
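Review bot: `8082:80` publishes the static nginx container on all host addresses rather than the IPv6 loopback, so the plaintext HTTP port is reachable on the public IP unless nftables drops it; the risk is low for a static site, but the change should be deliberate and documented — `- 8082:80  # host-wide bind (rootless port driver); reverse proxy + nftables front this` — or narrowed to `127.0.0.1:8082:80` if the forwarder only refuses `[::1]`.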
@ -26,7 +26,7 @@ services:
|
||||||
networks:
|
networks:
|
||||||
- searxng
|
- searxng
|
||||||
ports:
|
ports:
|
||||||
- "[::1]:8083:8080"
|
- 8083:8080
|
||||||
volumes:
|
volumes:
|
||||||
- ./settings.yml:/etc/searxng/settings.yml
|
- ./settings.yml:/etc/searxng/settings.yml
|
||||||
- ./limiter.toml:/etc/searxng/limiter.toml
|
- ./limiter.toml:/etc/searxng/limiter.toml
|
||||||
|
|
|
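Review bot: `8083:8080` exposes SearXNG directly on all host addresses, bypassing the reverse proxy the `[::1]` binding implied; the limiter (limiter.toml is mounted) presumably works per client address, so requests arriving directly at :8083 are seen with their real address while proxied ones depend on forwarded headers — make sure the instance is not reachable both ways. Narrow to `127.0.0.1:8083:8080` if the rootless forwarder accepts IPv4 loopback, or rely on nftables and say so in a comment on the line.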
@ -32,7 +32,7 @@ services:
|
||||||
networks:
|
networks:
|
||||||
- synapse
|
- synapse
|
||||||
ports:
|
ports:
|
||||||
- "[::1]:8008:8008"
|
- 8008:8008
|
||||||
volumes:
|
volumes:
|
||||||
- /mnt/synapsedata:/data
|
- /mnt/synapsedata:/data
|
||||||
- ./homeserver.yaml:/data/homeserver.yaml
|
- ./homeserver.yaml:/data/homeserver.yaml
|
||||||
|
|
|
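Review bot: `8008:8008` exposes Synapse's client listener on all host addresses; if that listener has `x_forwarded: true` for the reverse proxy (not visible here), direct connections to :8008 can supply their own `X-Forwarded-For`, defeating per-IP rate limits and audit logging, and the TLS termination at the proxy is bypassed. Keep it on loopback — `127.0.0.1:8008:8008` if only `[::1]` is unsupported by the rootless forwarder — or ensure nftables drops inbound 8008 and note that on the line.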
@ -70,7 +70,7 @@ url_preview_accept_language:
|
||||||
|
|
||||||
|
|
||||||
# TURN
|
# TURN
|
||||||
turn_uris: ["turn:turns.viyurz.fr?transport=udp", "turn:turns.viyurz.fr?transport=tcp"]
|
turn_uris: ["turn:turn.viyurz.fr?transport=udp", "turn:turn.viyurz.fr?transport=tcp"]
|
||||||
turn_user_lifetime: 86400000
|
turn_user_lifetime: 86400000
|
||||||
turn_allow_guests: true
|
turn_allow_guests: true
|
||||||
|
|
||||||
|
|
|
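Review bot: `turn_uris` still advertises only `turn:` (plaintext, port 3478) after the host rename, although the coturn compose publishes 5349 and turnserver.conf loads `cert`/`pkey` — clients will never use the TLS listener, so either add `"turns:turn.viyurz.fr?transport=tcp"` to the list or stop publishing 5349. Note also that `turn_allow_guests: true` hands TURN credentials to unauthenticated guests, which widens who can exercise the relay against whatever `denied-peer-ip` does not cover; a comment stating that this is intended would help the next reader.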
@ -8,7 +8,7 @@ services:
|
||||||
- PUID=1001
|
- PUID=1001
|
||||||
- PGID=1001
|
- PGID=1001
|
||||||
ports:
|
ports:
|
||||||
- "[::1]:8384:8384" # Web UI
|
- 8384:8384 # Web UI
|
||||||
- 22000:22000/tcp # TCP file transfers
|
- 22000:22000/tcp # TCP file transfers
|
||||||
- 22000:22000/udp # QUIC file transfers
|
- 22000:22000/udp # QUIC file transfers
|
||||||
- 5432:22000/tcp
|
- 5432:22000/tcp
|
||||||
|
@ -30,7 +30,7 @@ services:
|
||||||
networks:
|
networks:
|
||||||
- disco
|
- disco
|
||||||
ports:
|
ports:
|
||||||
- "[::1]:8443:8443"
|
- 8443:8443
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
disco:
|
disco:
|
||||||
|
|
|
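Review bot: `8384:8384  # Web UI` now binds the Syncthing GUI on all host addresses; the PUID/PGID variables suggest the linuxserver image, whose GUI listens on 0.0.0.0 inside the container, so unless GUI authentication is configured in Syncthing's own config (not visible) the public IP gets an unauthenticated admin UI with folder and device control, guarded only by nftables. The discovery server's `8443:8443` in the second hunk is at least meant to be reachable, so the two deserve different treatment: `127.0.0.1:8384:8384` for the GUI (if the rootless forwarder accepts IPv4 loopback) and a comment on 8443 saying it is deliberately exposed.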
@ -9,6 +9,6 @@ services:
|
||||||
- SIGNUPS_ALLOWED=false
|
- SIGNUPS_ALLOWED=false
|
||||||
- INVITATIONS_ALLOWED=false
|
- INVITATIONS_ALLOWED=false
|
||||||
ports:
|
ports:
|
||||||
- "[::1]:8081:80"
|
- 8081:80
|
||||||
volumes:
|
volumes:
|
||||||
- /mnt/vwdata:/data
|
- /mnt/vwdata:/data
|
||||||
|
|
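Review bot: `8081:80` publishes Vaultwarden's plain-HTTP port on all host addresses; on a non-loopback origin the web vault needs HTTPS (WebCrypto is only available in a secure context), so anyone hitting :8081 directly would send the master-password hash and tokens unencrypted, and the `/admin` panel would be reachable without the proxy's TLS. Keep it loopback-only (`127.0.0.1:8081:80` if the rootless forwarder only rejects `[::1]`), or make the nftables drop explicit in a comment on this line.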