From 7da2b68dbd6bfa367ae6701277f5d0d36f64207b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Fri, 8 Mar 2024 17:42:09 +0100
Subject: [PATCH 1/8] Fix upgrade with old 3pids_email values

---
 scripts/upgrade | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/upgrade b/scripts/upgrade
index 6a4c882..37cba84 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -113,12 +113,12 @@ then
 registrations_require_3pid=email
 ynh_app_setting_set --app=$app --key=registrations_require_3pid --value=$registrations_require_3pid
 fi
-if [ -z "${allowed_local_3pids_email:-}" ] || [[ "${allowed_local_3pids_email}" =~ "'.*'" ]] # Also remove shit value from previous config panel
+if [ -z "${allowed_local_3pids_email:-}" ] || [[ "${allowed_local_3pids_email}" =~ \'.*\' ]] # Also remove shit value from previous config panel
 then
 allowed_local_3pids_email=''
 ynh_app_setting_set --app=$app --key=allowed_local_3pids_email --value=$allowed_local_3pids_email
 fi
-if [ -z "${allowed_local_3pids_msisdn:-}" ] || [[ "${allowed_local_3pids_msisdn}" =~ "'.*'" ]] # Also remove shit value from previous config panel
+if [ -z "${allowed_local_3pids_msisdn:-}" ] || [[ "${allowed_local_3pids_msisdn}" =~ \'.*\' ]] # Also remove shit value from previous config panel
 then
 allowed_local_3pids_msisdn=''
 ynh_app_setting_set --app=$app --key=allowed_local_3pids_msisdn --value=$allowed_local_3pids_msisdn

From 81c42cd99a70494393ff26f94bcb481b5e6fc60b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Fri, 8 Mar 2024 23:48:43 +0100
Subject: [PATCH 2/8] Fix arm archive

---
 manifest.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/manifest.toml b/manifest.toml
index adc4ae6..6cca2ee 100644
--- a/manifest.toml
+++ b/manifest.toml
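Review bot: The corrected regex `\'.*\'` on the two new `if` lines is unanchored, so the reset fires for any setting value that merely contains two apostrophes anywhere, not only for a value wrapped in quotes as the comment about the previous config panel suggests. If the bad values are whole quoted strings, `[[ "${allowed_local_3pids_email}" =~ ^\'.*\'$ ]]` (and the same for `allowed_local_3pids_msisdn`) would avoid silently wiping a legitimate list that happens to contain an apostrophe. Whether legitimate values can contain apostrophes is not visible here, so confirm against the config-panel definition before tightening. The msisdn block's closing `fi` lies outside the hunk.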
@@ -63,13 +63,13 @@ ram.runtime = "200M"
 [resources]
 [resources.sources.synapse_prebuilt_armv7_bookworm]
 prefetch = false
- armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.102.0/matrix-synapse_1.102.0-bookworm-bin1_armv7l.tar.gz"
- armhf.sha256 = "5fd5296d76675cd7a109115e1eb035758c16b095cd953a65fc8cc840fb449e40"
+ armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.102.0/matrix-synapse_1.102.0-bookworm-bin2_armv7l.tar.gz"
+ armhf.sha256 = "4027b8e41950aeec151dfa19eda2402e7974de56d33abb9eee3879e211227eef"
 [resources.sources.synapse_prebuilt_armv7_bullseye]
 prefetch = false
- armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.102.0/matrix-synapse_1.102.0-bullseye-bin1_armv7l.tar.gz"
- armhf.sha256 = "4027b8e41950aeec151dfa19eda2402e7974de56d33abb9eee3879e211227eef"
+ armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.102.0/matrix-synapse_1.102.0-bullseye-bin2_armv7l.tar.gz"
+ armhf.sha256 = "5fd5296d76675cd7a109115e1eb035758c16b095cd953a65fc8cc840fb449e40"
 [resources.system_user]
 allow_email = true

From 47ece1765c64e34f63607fe5e36c308964a2b737 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Fri, 8 Mar 2024 23:50:47 +0100
Subject: [PATCH 3/8] Fix auto update

---
 auto_update/auto_update.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auto_update/auto_update.sh b/auto_update/auto_update.sh
index 4ed5b0d..5edf5a6 100644
--- a/auto_update/auto_update.sh
+++ b/auto_update/auto_update.sh
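Review bot: The two new `armhf.sha256` values are exactly the two old ones exchanged between the bookworm and bullseye entries, so as pinned here each bin2 tarball is byte-identical to the other distribution's bin1 tarball; that may well be the intended correction of mislabeled uploads, but nothing in the commit says so. These hashes are the only integrity check on prebuilt binaries fetched from a GitHub release, so they should be produced by `sha256sum` on the freshly downloaded bin2 archives rather than moved between entries, and the commit message should name which archive was mislabeled. A comment such as `# bin2 re-upload: the bin1 bookworm/bullseye archives were swapped` above the two source tables would spare the next maintainer the same puzzle.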
@@ -78,7 +78,7 @@ upgrade_synapse() {
 push_armv7_build() {
 ## Make a draft release json with a markdown body
 local release='"tag_name": "v'$synapse_version'", "target_commitish": "master", "name": "v'$synapse_version'", '
- local body="Synapse prebuilt bin for synapse_ynh\\n=========\\nPlease refer to upstream project for the change : https://github.com/element-hq/synapse/releases\\n\\nSha256sum for $debian_version_name_1 : $(cat $build_result_path_deb_1/SUM_matrix-synapse_${synapse_version}-$debian_version_name_1-bin1_armv7l.tar.gz)\\nSha256sum for $debian_version_name_2 : $(cat $build_result_path_deb_2/SUM_matrix-synapse_${synapse_version}-$debian_version_name_2-bin1_armv7l.tar.gz)"
+ local body="Synapse prebuilt bin for synapse_ynh\\n=========\\nPlease refer to upstream project for the change : https://github.com/element-hq/synapse/releases\\n\\nSha256sum for $debian_version_name_1 : $(cat $build_result_path_deb_1/${result_prefix_name_deb_1}-bin1_armv7l-sha256.txt)\\nSha256sum for $debian_version_name_2 : $(cat $build_result_path_deb_2/${result_prefix_name_deb_2}-bin1_armv7l-sha256.txt)"
 release+='"body": "'$body'",'
 release+='"draft": true, "prerelease": false'
 release='{'$release'}'

From 0b7649c42c0413ef2ea5f37167c328d6739a3bda Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Sat, 9 Mar 2024 00:02:58 +0100
Subject: [PATCH 4/8] Update doc about domain requirement

---
 doc/ADMIN.md | 2 +-
 scripts/upgrade | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/ADMIN.md b/doc/ADMIN.md
index fc6a23d..7e2187d 100644
--- a/doc/ADMIN.md
+++ b/doc/ADMIN.md
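Review bot: The new `local body="…$(cat …-sha256.txt)…"` line hides a failed `cat`: `local` returns 0 whatever the command substitution's status, so a missing or misnamed checksum file does not stop the script and the draft release is published with an empty checksum in its body, and those published checksums are what manifest.toml pins as the only integrity check on the prebuilt binaries. Read each checksum into its own variable first with the status checked, and quote the paths, which are unquoted here as well. The hardcoded `bin1_armv7l` name also no longer matches the `bin2_armv7l` archives the manifest now references; that may be intended if bin2 was a manual re-upload, but deserves a comment. push_armv7_build() continues past the hunk.
```sh
push_armv7_build() {
  ## Make a draft release json with a markdown body
  # … unchanged: tag_name / target_commitish / name fields …
  local sum_deb_1 sum_deb_2
  sum_deb_1=$(cat "$build_result_path_deb_1/${result_prefix_name_deb_1}-bin1_armv7l-sha256.txt") || return 1
  sum_deb_2=$(cat "$build_result_path_deb_2/${result_prefix_name_deb_2}-bin1_armv7l-sha256.txt") || return 1
  local body="Synapse prebuilt bin for synapse_ynh\\n=========\\nPlease refer to upstream project for the change : https://github.com/element-hq/synapse/releases\\n\\nSha256sum for $debian_version_name_1 : $sum_deb_1\\nSha256sum for $debian_version_name_2 : $sum_deb_2"
  # … unchanged: body / draft / prerelease fields …
```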
@@ -129,7 +129,7 @@ Then, to log in the API with your credentials, you need to set your user as admi
 ### Change url
-Synapse give the possibility to change the domain of the instance. Note that this will only change the domain on which the synapse server will run. **This won't change the domain name of the account which an other thing.**
+Synapse give the possibility to change the domain of the instance. Note that this will only change the domain on which the synapse server will run. **This won't change the domain name of the account which is an other thing.**
 The advantage of this is that you can put the app on a specific domain without impacting the domain name of the accounts. For instance you can have the synapse app on `matrix.yolo.net` and the user account will be something like that `@michu:yolo.net`. Note that it's the main difference between the domain of the app (which is `matrix.yolo.net`) and the "server name" which is `yolo.net`.
diff --git a/scripts/upgrade b/scripts/upgrade
index 37cba84..5940aff 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -334,7 +334,8 @@ if yunohost app map -r --output-as json | jq -r '."'$domain'" | select( . != nul
 ynh_print_warn 'An other app is installed on this domain. Now synapse require to be alone on the domain.'
 ynh_print_warn 'To solve this you can:'
 ynh_print_warn " - Remove or move all other app which use '$domain'"
- ynh_print_warn ' - Change the domain of synapse. You can find more informations here: https://github.com/YunoHost-Apps/synapse_ynh/blob/ce38d582ea379f60574a438056893cac79525808/doc/ADMIN.md#change-url'
+ ynh_print_warn ' - Change the domain of synapse. You can find more informations here: https://github.com/YunoHost-Apps/synapse_ynh/tree/testing/doc/ADMIN.md#change-url'
+ ynh_print_warn 'For more information you can see this issue: https://github.com/YunoHost-Apps/synapse_ynh/issues/443'
 fi
 #=================================================
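Review bot: The new help link points at `tree/testing/doc/ADMIN.md#change-url`, a moving branch, where the line it replaces pinned a commit; if `testing` is rebased or the file moves, the warning sends admins to a dead anchor, so prefer `blob/<release tag or commit>/doc/ADMIN.md#change-url` (and `blob/`, not `tree/`, for a file). Separately, the enclosing condition, visible only in the truncated hunk header, splices `$domain` into the jq program as `'."'$domain'"'`; a domain containing a double quote or backslash would break the filter rather than be matched, so `jq -r --arg d "$domain" '.[$d] | select(. != null)'` is the safer form even though the value is admin-supplied. The `if` block's `fi` is inside the hunk.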
From 3a1f0b13c9335f28785f37255d623c7f1900690d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Sat, 9 Mar 2024 01:19:38 +0100
Subject: [PATCH 5/8] Disable DTLS by default for call as it don't work well

---
 scripts/install | 2 +-
 scripts/upgrade | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/install b/scripts/install
index 8aa7a78..4f7789d 100644
--- a/scripts/install
+++ b/scripts/install
@@ -43,7 +43,7 @@ notif_for_new_users="true"
 enable_group_creation="true"
 push_include_content="true"
 enable_3pid_lookup=false
-enable_dtls_for_audio_video_turn_call=true
+enable_dtls_for_audio_video_turn_call=false
 if [ "$is_free_registration" -eq 0 ]
 then
diff --git a/scripts/upgrade b/scripts/upgrade
index 5940aff..b63fd6d 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -201,7 +201,7 @@ then
 fi
 if [ -z "${enable_dtls_for_audio_video_turn_call:-}" ]
 then
- enable_dtls_for_audio_video_turn_call="true"
+ enable_dtls_for_audio_video_turn_call=false
 ynh_app_setting_set --app=$app --key=enable_dtls_for_audio_video_turn_call --value=$enable_dtls_for_audio_video_turn_call
 fi

From 3b20f1320a42d2c6c67eb72a3593706214a58c69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Sat, 9 Mar 2024 01:51:57 +0100
Subject: [PATCH 6/8] Improve coturn config

---
 conf/turnserver.conf | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/conf/turnserver.conf b/conf/turnserver.conf
index 35ee0ae..e665a57 100644
--- a/conf/turnserver.conf
+++ b/conf/turnserver.conf
@@ -13,15 +13,16 @@ cert=/etc/yunohost/certs/__DOMAIN__/crt.pem
 pkey=/etc/yunohost/certs/__DOMAIN__/key.pem
 dh-file=/etc/ssl/private/dh2048.pem
+# Block clear communication
+no-udp
+no-tcp
+
+# Block old protocols
 no-sslv2
 no-sslv3
 no-tlsv1
 no-tlsv1_1
-no-multicast-peers
-
-no-cli
-
 log-file=/var/log/matrix-__APP__/turnserver.log
 pidfile=/run/coturn-__APP__/turnserver.pid
 simple-log
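Review bot: The turnserver.conf hunk removes `no-cli` together with `no-multicast-peers`, and while the latter is re-added by the next hunk of this commit, `no-cli` is not, so the upgraded coturn starts its telnet management CLI again (on loopback by default, guarded only by `cli-password`, which nothing visible here sets); depending on the coturn version that is either an unauthenticated local admin interface or a startup warning, and the explicit `no-cli` the old file had was the cheaper outcome. Keep `no-cli` in the file, for example under the new `# Block old protocols` group. Note also that `no-udp`/`no-tcp` remove the plaintext listeners, yet the `enable_dtls_for_audio_video_turn_call=false` branch in `_common.sh` still advertises plain `turn:` URIs that this server will no longer answer; either drop that branch or document that it cannot work with this config.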
@@ -30,6 +31,12 @@ simple-log
 user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
 total-quota=1200
+# recommended additional local peers to block, to mitigate external access to internal services.
+# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+
 # Max time 12h
 max-allocate-lifetime=43200

From df94197dd82c3629d4a6ea4b5318f85d2f95b76b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Sat, 9 Mar 2024 02:17:10 +0100
Subject: [PATCH 7/8] fix turns call with android

---
 scripts/_common.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/_common.sh b/scripts/_common.sh
index 5294183..b6aeab5 100755
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -97,9 +97,9 @@ configure_synapse() {
 fi
 local turn_server_config=""
 if $enable_dtls_for_audio_video_turn_call; then
- turn_server_config='turn_uris: [ "stuns:'$domain:$port_turnserver_tls'?transport=dtls", "stuns:'$domain:$port_turnserver_tls'?transport=tls", "turns:'$domain:$port_turnserver_tls'?transport=dtls", "turns:'$domain:$port_turnserver_tls'?transport=tls" ]'
+ turn_server_config='turn_uris: [ "turns:'$domain:$port_turnserver_tls'", "turns:'$domain:$port_turnserver_alt_tls'" ]'
 else
- turn_server_config='turn_uris: [ "turn:'$domain:$port_turnserver_tls'?transport=udp", "turn:'$domain:$port_turnserver_tls'?transport=tcp" ]'
+ turn_server_config='turn_uris: [ "turn:'$domain:$port_turnserver_tls'", "turn:'$domain:$port_turnserver_alt_tls'" ]'
 fi
 ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"

From 3d6b4e998c07a64d3e2a2b64ed417d93c8424452 Mon Sep 17 00:00:00 2001
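Review bot: The condition that selects the rewritten `turn_uris` line, ` if $enable_dtls_for_audio_video_turn_call; then` just above the change, executes the stored setting's value as a command; the first patch of this series shows that settings can carry stale garbage from an older config panel, and any value that is not literally `true`/`false` is run as a program, so compare the string instead: `if [ "$enable_dtls_for_audio_video_turn_call" = "true" ]; then`. The new URIs also introduce `$port_turnserver_alt_tls`, which nothing in the hunk defines; if it is unset the YAML is rendered with `"turns:<domain>:"`, so confirm the caller sets it (a `: "${port_turnserver_alt_tls:?}"` guard before this block would make the failure loud). The setting is admin-controlled, so the command-execution point is about robustness more than exposure. configure_synapse() begins in the hunk header and continues past it.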
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Sat, 9 Mar 2024 02:17:33 +0100
Subject: [PATCH 8/8] Enable again tdls as it look like working now

---
 scripts/install | 2 +-
 scripts/upgrade | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/install b/scripts/install
index 4f7789d..8aa7a78 100644
--- a/scripts/install
+++ b/scripts/install
@@ -43,7 +43,7 @@ notif_for_new_users="true"
 enable_group_creation="true"
 push_include_content="true"
 enable_3pid_lookup=false
-enable_dtls_for_audio_video_turn_call=false
+enable_dtls_for_audio_video_turn_call=true
 if [ "$is_free_registration" -eq 0 ]
 then
diff --git a/scripts/upgrade b/scripts/upgrade
index b63fd6d..ada47aa 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -201,7 +201,7 @@ then
 fi
 if [ -z "${enable_dtls_for_audio_video_turn_call:-}" ]
 then
- enable_dtls_for_audio_video_turn_call=false
+ enable_dtls_for_audio_video_turn_call=true
 ynh_app_setting_set --app=$app --key=enable_dtls_for_audio_video_turn_call --value=$enable_dtls_for_audio_video_turn_call
 fi