From f4039e64664aa1fb735546662a479f24d2caa528 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Sun, 6 May 2018 00:35:58 +0200 Subject: [PATCH] Update Turnserver config - Add full relay support (turn) : - Open ports range (49152 - 49192) - Set external-ip (for nat) - Enable stun mode - Improve log management - Improve security --- conf/turnserver.conf | 13 ++++++++++--- scripts/install | 18 ++++++++++++++++++ scripts/remove | 1 + scripts/restore | 1 + scripts/upgrade | 28 ++++++++++++++++++++++++++-- 5 files changed, 56 insertions(+), 5 deletions(-) diff --git a/conf/turnserver.conf b/conf/turnserver.conf index 827571c..5d3eada 100644 --- a/conf/turnserver.conf +++ b/conf/turnserver.conf @@ -2,10 +2,11 @@ lt-cred-mech use-auth-secret static-auth-secret=__TURNPWD__ realm=__DOMAIN__ -no-stun tls-listening-port=__TLS_PORT__ alt-tls-listening-port=__TLS_ALT_PORT__ +min-port=49152 +max-port=49192 cli-port=__CLI_PORT__ cert=/etc/yunohost/certs/__DOMAIN__/crt.pem @@ -14,8 +15,14 @@ dh-file=/etc/matrix-__APP__/dh.pem no-sslv2 no-sslv3 -no-udp -no-tcp +no-tlsv1 + +no-loopback-peers +no-multicast-peers log-file=/var/log/matrix-__APP__/turnserver.log pidfile=/var/run/coturn-__APP__/turnserver.pid +simple-log + +external-ip=__IPV4__,__IPV6__ + diff --git a/scripts/install b/scripts/install index 1bde217..790c0cb 100644 --- a/scripts/install +++ b/scripts/install @@ -76,6 +76,7 @@ cli_port=$(ynh_find_port 5766) yunohost firewall allow TCP $synapse_tls_port > /dev/null 2>&1 yunohost firewall allow Both $turnserver_tls_port > /dev/null 2>&1 yunohost firewall allow Both $turnserver_alt_tls_port > /dev/null 2>&1 +yunohost firewall allow Both '49152:49192' > /dev/null 2>&1 # Store opened ports ynh_app_setting_set $app synapse_port $port 
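Review bot: With `no-udp`/`no-tcp` and `no-stun` gone the server now allocates relays towards arbitrary peers, and the new `no-loopback-peers`/`no-multicast-peers` do not stop a client from relaying to hosts on the server's private network; the usual hardening next to those two lines is to deny the RFC1918 ranges as well, `denied-peer-ip=10.0.0.0-10.255.255.255`, `denied-peer-ip=172.16.0.0-172.31.255.255`, `denied-peer-ip=192.168.0.0-192.168.255.255` (plus the host's own private address when it sits behind NAT, which is exactly the case `external-ip` is being added for). The coturn sample configuration documents several external addresses as repeated `external-ip=` lines rather than one comma-separated value, so `external-ip=__IPV4__,__IPV6__` should be checked against the coturn build the target distribution ships before relying on it. Since `no-tlsv1` is being added, `no-tlsv1_1` is the matching option if no client still needs TLS 1.1.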
@@ -250,6 +251,23 @@ ynh_replace_string __TLS_PORT__ $turnserver_tls_port "$coturn_config_path" ynh_replace_string __TLS_ALT_PORT__ $turnserver_alt_tls_port "$coturn_config_path" ynh_replace_string __CLI_PORT__ $cli_port "$coturn_config_path" +# Get public IP and set as external IP for coturn +public_ip4="$(curl ip.yunohost.org)" +public_ip6="$(curl ipv6.yunohost.org)" +if ynh_validate_ip4 "$public_ip4" +then + ynh_replace_string '__IPV4__' "$public_ip4" "$coturn_config_path" +else + ynh_replace_string '__IPV4__,' "" "$coturn_config_path" +fi + +if ynh_valide_ip6 "$public_ip6" +then + ynh_replace_string '__IPV6__' "$public_ip6" "$coturn_config_path" +else + ynh_replace_string ',__IPV6__' "" "$coturn_config_path" +fi + ynh_store_file_checksum "$coturn_config_path" #================================================= diff --git a/scripts/remove b/scripts/remove index e3cbf9a..91a68c6 100755 --- a/scripts/remove +++ b/scripts/remove @@ -58,6 +58,7 @@ closeport() { closeport $synapse_tls_port closeport $turnserver_tls_port closeport $turnserver_alt_tls_port +closeport '49152:49192' #================================================= # SETUP SSOWAT diff --git a/scripts/restore b/scripts/restore index 9274f69..b5f2a55 100644 --- a/scripts/restore +++ b/scripts/restore @@ -80,6 +80,7 @@ adduser turnserver ssl-cert yunohost firewall allow TCP $synapse_tls_port > /dev/null 2>&1 yunohost firewall allow Both $turnserver_tls_port > /dev/null 2>&1 yunohost firewall allow Both $turnserver_alt_tls_port > /dev/null 2>&1 +yunohost firewall allow Both '49152:49192' > /dev/null 2>&1 #================================================= # SETUP SSOWAT diff --git a/scripts/upgrade b/scripts/upgrade index 6773c22..1fca33b 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
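Review bot: `ynh_valide_ip6` in the second `if` is a typo for `ynh_validate_ip6` (the IPv4 branch just above uses `ynh_validate_ip4`), so that test always fails and the IPv6 placeholder is stripped on every install. Independently of the typo, when both lookups fail the two `else` branches leave `external-ip=__IPV6__` in the file: the first strips `__IPV4__,`, after which `,__IPV6__` no longer matches, and coturn is handed a literal placeholder as its external address. The two `curl` calls run without `-s`/`--max-time`, so a host without IPv6 or without outbound HTTP waits for curl's default timeout and writes its progress meter into the install log, and with the `set -eu` these scripts presumably enable a failing command substitution may abort the install over what is only an optional lookup. The same block, with the same typo and the same both-invalid gap, is added to scripts/upgrade in the `@@ -384,6 +391,23 @@` hunk; the rewrite below handles the four cases explicitly and drops the whole line when no address is usable.
```shell
# Get public IP and set as external IP for coturn
public_ip4="$(curl -s --max-time 10 ip.yunohost.org || true)"
public_ip6="$(curl -s --max-time 10 ipv6.yunohost.org || true)"
if ynh_validate_ip4 "$public_ip4" && ynh_validate_ip6 "$public_ip6"
then
    ynh_replace_string '__IPV4__' "$public_ip4" "$coturn_config_path"
    ynh_replace_string '__IPV6__' "$public_ip6" "$coturn_config_path"
elif ynh_validate_ip4 "$public_ip4"
then
    ynh_replace_string '__IPV4__,__IPV6__' "$public_ip4" "$coturn_config_path"
elif ynh_validate_ip6 "$public_ip6"
then
    ynh_replace_string '__IPV4__,__IPV6__' "$public_ip6" "$coturn_config_path"
else
    # Neither lookup returned a usable address: leave no external-ip line behind
    ynh_replace_string 'external-ip=__IPV4__,__IPV6__' "" "$coturn_config_path"
fi
# … unchanged: ynh_store_file_checksum "$coturn_config_path" …
```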
@@ -356,6 +356,15 @@ test -e /etc/matrix-$app/dh.pem || \ cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-$app/dh.pem || \ openssl dhparam -out /etc/matrix-$app/dh.pem 2048 > /dev/null +#================================================= +# MIGRATION 4 : FIX TURNSERVER CONFIG +#================================================= + +if ! yunohost firewall list | grep -q "\- 49152:49192$" +then + yunohost firewall allow Both 49152:49192 > /dev/null 2>&1 +fi + #================================================= # STANDARD UPGRADE STEPS #================================================= @@ -373,8 +382,6 @@ ynh_add_nginx_config coturn_config_path="/etc/matrix-$app/coturn.conf" -ynh_backup_if_checksum_is_different "$coturn_config_path" - cp ../conf/turnserver.conf "$coturn_config_path" ynh_replace_string __APP__ $app "$coturn_config_path" @@ -384,6 +391,23 @@ ynh_replace_string __TLS_PORT__ $turnserver_tls_port "$coturn_config_path" ynh_replace_string __TLS_ALT_PORT__ $turnserver_alt_tls_port "$coturn_config_path" ynh_replace_string __CLI_PORT__ $cli_port "$coturn_config_path" +# Get public IP and set as external IP for coturn +public_ip4="$(curl ip.yunohost.org)" +public_ip6="$(curl ipv6.yunohost.org)" +if ynh_validate_ip4 "$public_ip4" +then + ynh_replace_string '__IPV4__' "$public_ip4" "$coturn_config_path" +else + ynh_replace_string '__IPV4__,' "" "$coturn_config_path" +fi + +if ynh_valide_ip6 "$public_ip6" +then + ynh_replace_string '__IPV6__' "$public_ip6" "$coturn_config_path" +else + ynh_replace_string ',__IPV6__' "" "$coturn_config_path" +fi + ynh_store_file_checksum "$coturn_config_path" #=================================================
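Review bot: In the `@@ -373,8 +382,6 @@` hunk, dropping `ynh_backup_if_checksum_is_different "$coturn_config_path"` means the `cp ../conf/turnserver.conf "$coturn_config_path"` that follows now overwrites a coturn.conf the admin may have edited by hand without keeping a copy, while the later `ynh_store_file_checksum` call is kept, so the checksum is still recorded but nothing consumes it any more. If the intent is that coturn.conf is always regenerated from the template, a comment on the `cp` line saying so (`# coturn.conf is regenerated from the template on each upgrade; local edits are not preserved`) would stop the next reader from reinstating the backup call; otherwise restoring that line before the `cp` is the safer default. The enclosing section starts before this hunk.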