Find new way to integrate TURN server

[alangecker]

In some restrictive networks UDP is blocked, why we need a TURN server. Because sometimes also most TCP ports except them HTTP and Mailing are blocked as well.

To traverse these firewalls we used so far the TLS mail port 465, but firefox and chromium started blocking almost all TCP ports below 1024 for TURN Server, which basically means there is only port 443 for TURN left, but already in use by HTTPS.

Currently I see no way to automatically integrate coturn without an second IP.

Important

Existing bbb-docker instances with enabled coturn on our default port 465 will gradually throw more and more 1006 errors with recent browser updates become more spread.

Best option: get a cheap VM and setup a TURN server there on port 443. This guide is helpful:
https://docs.bigbluebutton.org/2.2/setup-turn-server.html
Minimal step: disable the TURN server with commenting out TURN_SERVER in .env

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1699175
https://webrtc.googlesource.com/src/+/master/p2p/base/turn_port.cc#947
https://searchfox.org/mozilla-central/source/netwerk/base/nsIOService.cpp#98

[lonesomewalker]

It would be possible... remapping ports.

[alangecker]

@lonesomewalker I'm not sure what you mean? :)

[cjhille]

I remember someone from Jitsi suggested to use nginx's preread and coturn ALPN to forward traffic from nginx to coturn and have both services behind port 443 on a reverse proxy.
jitsi/docker-jitsi-meet#22 (comment)

[cjhille]

They seem to have tried and deprecated that approach.
https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet/jitsi-meet.conf#L10

Instead they now seem to be multiplexing 443 connections based on DNS/host names
https://jitsi.github.io/handbook/docs/devops-guide/turn#use-turn-server-on-port-443

@alangecker Could this approach be applied to this docker setup?

stream {
    map $ssl_preread_server_name $name {
        jitsi-meet.example.com web_backend;
        turn-jitsi-meet.example.com turn_backend;
    }

    upstream web_backend {
        server 127.0.0.1:4444;
    }

    upstream turn_backend {
        server __your_public_ip__:5349;
    }

    server {
        listen 443;
        listen [::]:443;

        # since 1.11.5
        ssl_preread on;

        proxy_pass $name;

        # Increase buffer to serve video
        proxy_buffer_size 10m;
    }
}

[alangecker]

I really like that idea!

maybe one could even avoid the need of two domains by detecting the protocol?

   map $ssl_preread_alpn_protocols $upstream {
        ~\bh2\b         web;
        ~\bhttp/1\.     web;
        default         turn;
    }

Difficult is, that this must be part of the nginx config, which also does the auto certificate retrieval (currently valian/docker-nginx-auto-ssl).
With redoing that anyway we could also use that moment to switch to nginx-proxy as proposed by you (@cjhille) in alangecker#92 (comment) :)

I don't now whether I will find time during the next weeks, but I would be really happy to see anyone working on that :)

[alangecker]

#126 brings back turn support :)