From 0d1baf83012b18007fd6b803b2da04297a508dc5 Mon Sep 17 00:00:00 2001 From: netaskd Date: Wed, 11 Dec 2019 18:49:42 +0200 Subject: [PATCH 1/9] turn: add TURN server --- Makefile | 2 +- README.md | 27 ++++++++++++- docker-compose.yml | 9 +++++ env.example | 40 +++++++++++++++++++ prosody/Dockerfile | 4 ++ .../rootfs/defaults/conf.d/jitsi-meet.cfg.lua | 11 +++++ turn.yml | 27 +++++++++++++ turn/Dockerfile | 11 +++++ turn/Makefile | 5 +++ turn/rootfs/defaults/docker-entrypoint.sh | 38 ++++++++++++++++++ web/rootfs/defaults/config.js | 4 +- web/rootfs/etc/cont-init.d/10-config | 13 ++++++ 12 files changed, 187 insertions(+), 4 deletions(-) create mode 100644 turn.yml create mode 100644 turn/Dockerfile create mode 100644 turn/Makefile create mode 100755 turn/rootfs/defaults/docker-entrypoint.sh diff --git a/Makefile b/Makefile index 3324d4bbf0..082e5d87a8 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ FORCE_REBUILD ?= 0 JITSI_RELEASE ?= stable JITSI_BUILD ?= latest JITSI_REPO ?= jitsi -JITSI_SERVICES ?= base base-java web prosody jicofo jvb jigasi etherpad jibri +JITSI_SERVICES ?= base base-java web prosody jicofo jvb jigasi etherpad jibri turn BUILD_ARGS := --build-arg JITSI_REPO=$(JITSI_REPO) ifeq ($(FORCE_REBUILD), 1) diff --git a/README.md b/README.md index f8881d9440..8e5146584a 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,9 @@ If you want to use jibri too, first configure host as described in JItsi BRoadca and then run Docker Compose as follows: ``docker-compose -f docker-compose.yml -f jibri.yml up -d`` or to use jigasi too: ``docker-compose -f docker-compose.yml -f jigasi.yml -f jibri.yml up -d`` +If you want to enable TURN server, configure it and run Docker Compose as +follows: ``docker-compose -f docker-compose.yml -f turn.yml up`` + ## Architecture A Jitsi Meet installation can be broken down into the following components: 
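Review bot: The README hunk's new command `docker-compose -f docker-compose.yml -f turn.yml up` drops the `-d` that the neighbouring jibri and jigasi examples use, so it runs the stack in the foreground; make it `up -d` for consistency with the rest of the section.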
@@ -76,6 +79,7 @@ several container images are provided. * **jigasi**: [Jigasi], the SIP (audio only) gateway. * **etherpad**: [Etherpad], shared document editing addon. * **jibri**: [Jibri], the brooadcasting infrastructure. +* **turn**: [Coturn], the TURN server. ### Design considerations @@ -344,6 +348,27 @@ Variable | Description | Example For setting `GOOGLE_APPLICATION_CREDENTIALS` please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section "Before you begin" from 1 to 5 paragraph. +### TURN(S) server +For enable turn server for P2P and/or JVB connections, please set variables below + +Variable | Description | Default value +--- | --- | --- +`TURN_ENABLE_P2P` | Use TURN for P2P connections | 0 +`TURN_ENABLE_JVB` | Use TURN for JVB (bridge mode) connections | 0 +`TURN_REALM` | Realm to be used for the users with long-term credentials mechanism or with TURN REST API | realm +`TURN_SECRET` | Secret for connect to TURN server | keepthissecret +`TURN_ADMIN_USER` | Username for admin panel | admin +`TURN_ADMIN_SECRET` | Password for admin panel | changeme +`TURN_ADMIN_PORT` | HTTP(s) port for acess to admin panel | 8443 +`TURN_TYPE` | Type of TURN(s) (turn/turns) | turns +`TURN_HOST` | Annonce FQDN or IP address of turn server | 8.8.8.8 +`TURN_PORT` | TLS/TCP/UDP turn port for connection | 5349 +`TURN_TRANSPORT` | transport for turn connection (tcp/udp) | tcp +`TURN_RTP_MIN` | RTP start port for turn/turns connections | 10000 +`TURN_RTP_MAX` | RTP end port for turn/turns connections | 11000 + +And add to the variable `GLOBAL_MODULES` string `turncredentials`. + ### Advanced configuration These configuration options are already set and generally don't need to be changed. @@ -403,7 +428,6 @@ option. ## TODO * Support container replicas (where applicable). -* TURN server. [Jitsi]: https://jitsi.org/ [Jitsi Meet]: https://jitsi.org/jitsi-meet/ 
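Review bot: The TURN(S) table in this README hunk documents `keepthissecret` and `changeme` as the defaults for `TURN_SECRET` and `TURN_ADMIN_SECRET`, and `8.8.8.8` as the default `TURN_HOST`. A REST-API shared secret with a published default lets anyone who has read this page mint valid TURN credentials against every deployment that forgot to change it, and `8.8.8.8` is a real third-party service, not a placeholder; document both secrets as required (no default, startup fails if unset) and use `turn.example.com` or similar for the host. Wording: "For enable turn server" -> "To enable the TURN server", "Secret for connect to" -> "Secret used to connect to", "Annonce" -> "Announce", "acess" -> "access".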
@@ -421,3 +445,4 @@ option. [jwt.io]: https://jwt.io/#debugger-io [Etherpad]: https://github.com/ether/etherpad-lite [Jibri]: https://github.com/jitsi/jibri +[Coturn]: https://github.com/coturn/coturn diff --git a/docker-compose.yml b/docker-compose.yml index 589e1a59f9..fa6cbbd100 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -37,6 +37,8 @@ services: - JIBRI_RECORDER_USER - JIBRI_RECORDER_PASSWORD - ENABLE_RECORDING + - TURN_ENABLE_JVB + - TURN_ENABLE_JVB networks: meet.jitsi: aliases: @@ -99,6 +101,13 @@ services: - JWT_TOKEN_AUTH_MODULE - LOG_LEVEL - TZ + - TURN_ENABLE_JVB + - TURN_ENABLE_JVB + - TURN_SECRET + - TURN_TYPE + - TURN_HOST + - TURN_PORT + - TURN_TRANSPORT networks: meet.jitsi: aliases: diff --git a/env.example b/env.example index 69f032b419..00882f42a1 100644 --- a/env.example +++ b/env.example @@ -294,3 +294,43 @@ JIBRI_LOGS_DIR=/config/logs # Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443). #ENABLE_HTTP_REDIRECT=1 +# +## Use TURN for P2P connections +##TURN_ENABLE_P2P=0 +# +## Use TURN for JVB (bridge mode) connections +##TURN_ENABLE_JVB=0 +# +## Realm to be used for the users with long-term credentials mechanism or with TURN REST API +##TURN_REALM=realm +# +## Secret for connect to TURN server +##TURN_SECRET=keepthissecret +# +## Username for admin panel +##TURN_ADMIN_USER=admin +# +## Password for admin panel +##TURN_ADMIN_SECRET=changeme +# +## HTTP(s) port for acess to admin panel +##TURN_ADMIN_PORT=8443 +# +## Type of TURN(s)/STUN. Can be turn or turns. +##TURN_TYPE=turns +# +## Annonce FQDN or IP address of turn server +##TURN_HOST=8.8.8.8 +# +## TLS/TCP/UDP turn port for connection +##TURN_PORT=5349 +# +## Transport for stun/turn connection. Can be tcp or udp. +##TURN_TRANSPORT=tcp +# +## RTP start port for turn/turns connections +##TURN_RTP_MIN=10000 +# +## RTP end port for turn/turns connections +##TURN_RTP_MAX=11000 +# 
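Review bot: Both docker-compose.yml hunks list `TURN_ENABLE_JVB` twice and never pass `TURN_ENABLE_P2P`; the second entry was presumably meant to be `- TURN_ENABLE_P2P`. As written, the `or (.Env.TURN_ENABLE_P2P ...)` test in the prosody template and the P2P branch in the web `10-config` never see the variable, so `TURN_ENABLE_P2P=1` in `.env` silently does nothing.

Review bot: The env.example hunk prefixes every entry with `##` and separates entries with bare `#` lines, whereas the rest of the file (see the `#ENABLE_HTTP_REDIRECT=1` context line) uses a single `#` and blank lines; follow the existing convention so a setting can be enabled by deleting one character. The `##TURN_HOST=8.8.8.8` example should be a placeholder hostname rather than Google's public resolver, and `TURN_SECRET=keepthissecret` should be shown as a value the user must replace.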
diff --git a/prosody/Dockerfile b/prosody/Dockerfile index dac9fc6dc5..86bcfc0d6c 100644 --- a/prosody/Dockerfile +++ b/prosody/Dockerfile @@ -38,6 +38,10 @@ RUN \ && apt-cleanup \ && rm -rf /tmp/usr /var/cache/apt +RUN \ + curl -4so /prosody-plugins/mod_turncredentials.lua \ + https://raw.githubusercontent.com/netaskd/mod_turncredentials/master/mod_turncredentials.lua + RUN \ sed -i s/hook/hook_global/g /prosody-plugins/mod_auth_token.lua \ && patch -d /usr/lib/prosody/modules/muc -p0 < /prosody-plugins/muc_owner_allow_kick.patch diff --git a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua index ea55fc629b..b39fb865e1 100644 --- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua +++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua @@ -2,6 +2,17 @@ admins = { "{{ .Env.JICOFO_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}" } plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" } http_default_host = "{{ .Env.XMPP_DOMAIN }}" +{{ if or (.Env.TURN_ENABLE_P2P | default "0" | toBool) (.Env.TURN_ENABLE_JVB | default "0" | toBool) }} +turncredentials_secret = "{{ .Env.TURN_SECRET | default "keepthissecret" }}"; +turncredentials = { + { type = "{{ .Env.TURN_TYPE | default "turns" }}", + host = "{{ .Env.TURN_HOST | default "8.8.8.8" }}", + port = {{ .Env.TURN_PORT | default "3478" }}, + transport = "{{ .Env.TURN_TRANSPORT | default "tcp" }}" + } +} +{{ end }} + {{ $ENABLE_AUTH := .Env.ENABLE_AUTH | default "0" | toBool }} {{ $AUTH_TYPE := .Env.AUTH_TYPE | default "internal" }} {{ $JWT_ASAP_KEYSERVER := .Env.JWT_ASAP_KEYSERVER | default "" }} diff --git a/turn.yml b/turn.yml new file mode 100644 index 0000000000..278277ec9d --- /dev/null +++ b/turn.yml 
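Review bot: The prosody/Dockerfile hunk downloads `mod_turncredentials.lua` from a personal fork's `master` branch with `curl -4so` and no integrity check. Every image build therefore depends on whatever that branch contains at build time, and the file is Lua that runs inside the XMPP server with access to `turncredentials_secret`. Pin the URL to a commit (or vendor the file under `prosody/rootfs/`) and verify a `sha256sum` after the download; add `--fail` as well, because without it a 404 or error page is written into the `.lua` file and the build still succeeds. Note also that `curl` is not installed in this image at this point in the series (patch 5 adds it), so this `RUN` step fails on a clean build.

Review bot: In the jitsi-meet.cfg.lua hunk the template defaults `port` to `3478`, while the README, env.example and the turn entrypoint (`--listening-port=${TURN_PORT:-5349}`) all default to 5349; a deployment that leaves `TURN_PORT` unset would advertise a port nothing listens on. Use one default everywhere. The same hunk defaults `host` to `8.8.8.8` and `turncredentials_secret` to `keepthissecret`; a missing value should make the template fail rather than advertise a third-party address or a known secret to every client.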
@@ -0,0 +1,27 @@ +version: '3' + +services: + # coturn TURN server project + turn: + image: jitsi/turn + restart: always + ports: + - '${TURN_PORT}:${TURN_PORT}/tcp' + - '${TURN_PORT}:${TURN_PORT}/udp' + - '${TURN_RTP_MIN}-${TURN_RTP_MAX}:${TURN_RTP_MIN}-${TURN_RTP_MAX}/udp' + - '${TURN_ADMIN_PORT}:${TURN_ADMIN_PORT}/tcp' + environment: + - TURN_SECRET + - TURN_REALM + - TURN_ADMIN_USER + - TURN_ADMIN_SECRET + - TURN_ADMIN_PORT + - TURN_TYPE + - TURN_HOST + - TURN_PORT + - TURN_TRANSPORT + - TURN_RTP_MIN + - TURN_RTP_MAX + networks: + meet.jitsi: + diff --git a/turn/Dockerfile b/turn/Dockerfile new file mode 100644 index 0000000000..8f53ff7910 --- /dev/null +++ b/turn/Dockerfile @@ -0,0 +1,11 @@ +ARG VERSION +FROM instrumentisto/coturn:${VERSION:-latest} + +RUN apk add --no-cache openssl + +ADD ./rootfs/defaults/docker-entrypoint.sh /docker-entrypoint.sh + +ENTRYPOINT ["/docker-entrypoint.sh"] + +EXPOSE 5349 8443 10000:11000/udp + diff --git a/turn/Makefile b/turn/Makefile new file mode 100644 index 0000000000..7317d86e50 --- /dev/null +++ b/turn/Makefile @@ -0,0 +1,5 @@ +build: + docker build $(BUILD_ARGS) -t $(JITSI_REPO)/turn . + +.PHONY: build + diff --git a/turn/rootfs/defaults/docker-entrypoint.sh b/turn/rootfs/defaults/docker-entrypoint.sh new file mode 100755 index 0000000000..cc54a71871 --- /dev/null +++ b/turn/rootfs/defaults/docker-entrypoint.sh 
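Review bot: turn.yml publishes `${TURN_ADMIN_PORT}:${TURN_ADMIN_PORT}/tcp` on all host interfaces, which exposes the coturn web-admin interface (admin/changeme by default per the entrypoint) to the Internet. Bind it to loopback (`127.0.0.1:${TURN_ADMIN_PORT}:${TURN_ADMIN_PORT}/tcp`) or drop the mapping and reach it over the compose network. Also, none of the port strings have defaults, so compose fails to parse the file when `TURN_PORT`, `TURN_RTP_MIN`, `TURN_RTP_MAX` or `TURN_ADMIN_PORT` is unset, although the entrypoint does supply defaults for the same variables.

Review bot: `EXPOSE 5349 8443 10000:11000/udp` in turn/Dockerfile uses `:` for the range; Dockerfile `EXPOSE` ranges are written `10000-11000/udp`. `FROM instrumentisto/coturn:${VERSION:-latest}` should default to a specific coturn version so rebuilds are reproducible, and `COPY` is preferred over `ADD` for a plain local file.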
@@ -0,0 +1,38 @@ +#!/bin/ash +# make certs if not exist +if [[ ! -f /etc/ssl/cert.crt || ! -f /etc/ssl/cert.key ]]; then + openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 3650 -out certificate.pem -subj "/C=US/ST=NY/L=NY/O=IT/CN=${TURN_HOST}" +fi + +# set coturn admin user +turnadmin -A -u ${TURN_ADMIN_USER:-admin} -p ${TURN_ADMIN_SECRET:-changeme} + +# run coturn server with API auth method enabled. +turnserver -n \ +--verbose \ +--prod \ +--no-tlsv1 \ +--no-tlsv1_1 \ +--log-file=stdout \ +--listening-port=${TURN_PORT:-5349} \ +--tls-listening-port=${TURN_PORT:-5349} \ +--alt-listening-port=${TURN_PORT:-5349} \ +--alt-tls-listening-port=${TURN_PORT:-5349} \ +--cert=/etc/ssl/cert.crt \ +--pkey=/etc/ssl/cert.key \ +--min-port=${TURN_RTP_MIN:-10000} \ +--max-port=${TURN_RTP_MAX:-11000} \ +--no-stun \ +--use-auth-secret \ +--static-auth-secret=${TURN_SECRET:-keepthissecret} \ +--no-multicast-peers \ +--realm=${TURN_REALM:-realm} \ +--external-ip=$(curl -4k https://icanhazip.com 2>/dev/null) \ +--relay-ip=$(hostname -i) \ +--listening-ip=$(hostname -i) \ +--web-admin \ +--web-admin-ip=$(hostname -i) \ +--web-admin-port=${TURN_ADMIN_PORT:-8443} \ +--no-cli \ +--cli-password=${TURN_ADMIN_SECRET:-changeme} + diff --git a/web/rootfs/defaults/config.js b/web/rootfs/defaults/config.js index 17f0ad545d..c38194dbc6 100644 --- a/web/rootfs/defaults/config.js +++ b/web/rootfs/defaults/config.js @@ -227,7 +227,7 @@ var config = { // minParticipants: 2, // Use XEP-0215 to fetch STUN and TURN servers. - // useStunTurn: true, + // useStunTurn: true, //jvb // Enable IPv6 support. // useIPv6: true, @@ -329,7 +329,7 @@ var config = { enabled: true, // Use XEP-0215 to fetch STUN and TURN servers. - // useStunTurn: true, + // useStunTurn: true, //p2p // The STUN servers that will be used in the peer to peer connections stunServers: [ diff --git a/web/rootfs/etc/cont-init.d/10-config b/web/rootfs/etc/cont-init.d/10-config index 5bf08a6432..da41c0c96d 100644 
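Review bot: The certificate block in docker-entrypoint.sh tests for `/etc/ssl/cert.crt` and `/etc/ssl/cert.key`, but `openssl req` writes `key.pem` and `certificate.pem` into the current directory, so the files that `--cert=/etc/ssl/cert.crt` and `--pkey=/etc/ssl/cert.key` point at are never created and a new key pair is generated on every start. Write the key and certificate to the paths turnserver reads. Separately: `--static-auth-secret=${TURN_SECRET:-keepthissecret}` should abort when `TURN_SECRET` is empty instead of falling back to a published default; `--external-ip=$(curl -4k https://icanhazip.com 2>/dev/null)` disables TLS verification for a lookup that decides which address every client is told to send media to, and yields an empty `--external-ip=` if the lookup fails; and `turnadmin -A -u ... -p ${TURN_ADMIN_SECRET:-changeme}` puts the admin password on the command line, where it is visible in the process list.

Review bot: The two config.js hunks append `//jvb` and `//p2p` markers to commented-out `useStunTurn` lines purely so that the sed patterns in web `10-config` can tell them apart; this couples the web config to the init script and breaks silently if the upstream config.js changes. Matching on the surrounding context (the second occurrence sits inside the `p2p:` block) or templating the file would be more robust.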
--- a/web/rootfs/etc/cont-init.d/10-config +++ b/web/rootfs/etc/cont-init.d/10-config @@ -92,6 +92,19 @@ if [[ ! -f /config/config.js ]]; then -e "s#// transcribingEnabled:.*#transcribingEnabled: true,#" \ /config/config.js fi + + if [[ $TURN_ENABLE_JVB -eq 1 || "$TURN_ENABLE_JVB" == "true" ]]; then + sed -i \ + -e "s#// useStunTurn:.*, //jvb#useStunTurn: true, //jvb#" \ + /config/config.js + fi + + if [[ $TURN_ENABLE_P2P -eq 1 || "$TURN_ENABLE_P2P" == "true" ]]; then + sed -i \ + -e "s#// useStunTurn:.*, //p2p#useStunTurn: true, //p2p#" \ + /config/config.js + fi + fi if [[ ! -f /config/interface_config.js ]]; then From 854753fc7e3aea0cda36fccc43467dd4bb3d03dd Mon Sep 17 00:00:00 2001 From: netaskd Date: Thu, 12 Dec 2019 18:42:10 +0200 Subject: [PATCH 2/9] turn: the fist review changes --- README.md | 21 +++-- docker-compose.yml | 6 +- env.example | 84 ++++++++++--------- .../rootfs/defaults/conf.d/jitsi-meet.cfg.lua | 4 +- turn.yml | 1 + turn/rootfs/defaults/docker-entrypoint.sh | 34 ++++---- web/rootfs/defaults/config.js | 4 +- web/rootfs/etc/cont-init.d/10-config | 10 +-- 8 files changed, 86 insertions(+), 78 deletions(-) diff --git a/README.md b/README.md index 8e5146584a..d512e239cc 100644 --- a/README.md +++ b/README.md 
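Review bot: The two new blocks in web/rootfs/etc/cont-init.d/10-config (the hunk above, from patch 1) are identical apart from the variable name and the `//jvb`/`//p2p` sed anchor; factor them into one helper. Because they sit inside `if [[ ! -f /config/config.js ]]`, toggling `TURN_ENABLE_JVB` or `TURN_ENABLE_P2P` on an existing deployment has no effect until the generated config.js is deleted; the README should say so.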
@@ -349,25 +349,30 @@ Variable | Description | Example For setting `GOOGLE_APPLICATION_CREDENTIALS` please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section "Before you begin" from 1 to 5 paragraph. ### TURN(S) server -For enable turn server for P2P and/or JVB connections, please set variables below +For enable turn server for P2P and JVB connections, please add to the variable `GLOBAL_MODULES` string `turncredentials` and set variables below Variable | Description | Default value --- | --- | --- -`TURN_ENABLE_P2P` | Use TURN for P2P connections | 0 -`TURN_ENABLE_JVB` | Use TURN for JVB (bridge mode) connections | 0 +`TURN_ENABLE` | Use TURN for P2P and JVB (bridge mode) connections | 0 `TURN_REALM` | Realm to be used for the users with long-term credentials mechanism or with TURN REST API | realm `TURN_SECRET` | Secret for connect to TURN server | keepthissecret -`TURN_ADMIN_USER` | Username for admin panel | admin -`TURN_ADMIN_SECRET` | Password for admin panel | changeme -`TURN_ADMIN_PORT` | HTTP(s) port for acess to admin panel | 8443 `TURN_TYPE` | Type of TURN(s) (turn/turns) | turns -`TURN_HOST` | Annonce FQDN or IP address of turn server | 8.8.8.8 +`TURN_HOST` | Annonce FQDN/IP address of the turn server via XMPP (XEP-0215) | 192.168.1.1 +`TURN_PUBLIC_IP` | Public IP address for an instance of turn server | set dynamically `TURN_PORT` | TLS/TCP/UDP turn port for connection | 5349 `TURN_TRANSPORT` | transport for turn connection (tcp/udp) | tcp `TURN_RTP_MIN` | RTP start port for turn/turns connections | 10000 `TURN_RTP_MAX` | RTP end port for turn/turns connections | 11000 -And add to the variable `GLOBAL_MODULES` string `turncredentials`. 
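Review bot: This README hunk documents `192.168.1.1` as the default for `TURN_HOST`, while env.example in the same patch says the default is `DOCKER_HOST_ADDRESS`; pick one and state it in both places (a private address is not a useful value to advertise to remote clients via XEP-0215). The `keepthissecret` default for `TURN_SECRET` is still documented here; see the earlier comment on required secrets. The spelling "Annonce" is carried over from patch 1.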
+ +For enable web-admin panel for turn, please set variables below + +Variable | Description | Default value +--- | --- | --- +`TURN_ADMIN_ENABLE` | Enable web-admin panel | 0 +`TURN_ADMIN_USER` | Username for admin panel | admin +`TURN_ADMIN_SECRET` | Password for admin panel | changeme +`TURN_ADMIN_PORT` | HTTP(s) port for acess to admin panel | 8443 ### Advanced configuration diff --git a/docker-compose.yml b/docker-compose.yml index fa6cbbd100..e0d49c9b6d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -37,8 +37,7 @@ services: - JIBRI_RECORDER_USER - JIBRI_RECORDER_PASSWORD - ENABLE_RECORDING - - TURN_ENABLE_JVB - - TURN_ENABLE_JVB + - TURN_ENABLE networks: meet.jitsi: aliases: @@ -101,8 +100,7 @@ services: - JWT_TOKEN_AUTH_MODULE - LOG_LEVEL - TZ - - TURN_ENABLE_JVB - - TURN_ENABLE_JVB + - TURN_ENABLE - TURN_SECRET - TURN_TYPE - TURN_HOST diff --git a/env.example b/env.example index 00882f42a1..984fb14a01 100644 --- a/env.example +++ b/env.example 
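Review bot: The new web-admin table in the README hunk documents `changeme` as the default `TURN_ADMIN_SECRET`. Now that `TURN_ADMIN_ENABLE` gates the panel, make `TURN_ADMIN_USER` and `TURN_ADMIN_SECRET` mandatory when it is enabled (refuse to start otherwise) instead of documenting a guessable password; "For enable web-admin panel" -> "To enable the web-admin panel", "acess" -> "access".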
@@ -294,43 +294,47 @@ JIBRI_LOGS_DIR=/config/logs # Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443). #ENABLE_HTTP_REDIRECT=1 -# -## Use TURN for P2P connections -##TURN_ENABLE_P2P=0 -# -## Use TURN for JVB (bridge mode) connections -##TURN_ENABLE_JVB=0 -# -## Realm to be used for the users with long-term credentials mechanism or with TURN REST API -##TURN_REALM=realm -# -## Secret for connect to TURN server -##TURN_SECRET=keepthissecret -# -## Username for admin panel -##TURN_ADMIN_USER=admin -# -## Password for admin panel -##TURN_ADMIN_SECRET=changeme -# -## HTTP(s) port for acess to admin panel -##TURN_ADMIN_PORT=8443 -# -## Type of TURN(s)/STUN. Can be turn or turns. -##TURN_TYPE=turns -# -## Annonce FQDN or IP address of turn server -##TURN_HOST=8.8.8.8 -# -## TLS/TCP/UDP turn port for connection -##TURN_PORT=5349 -# -## Transport for stun/turn connection. Can be tcp or udp. -##TURN_TRANSPORT=tcp -# -## RTP start port for turn/turns connections -##TURN_RTP_MIN=10000 -# -## RTP end port for turn/turns connections -##TURN_RTP_MAX=11000 -# + +# Use TURN for P2P and JVB (bridge mode) connections +#TURN_ENABLE=0 + +# Realm to be used for the users with long-term credentials mechanism or with TURN REST API +#TURN_REALM=realm + +# Secret for connect to TURN server +#TURN_SECRET=keepthissecret + +# Type of TURN(s)/STUN. Can be turn or turns. +#TURN_TYPE=turns + +# Annonce FQDN/IP address of the turn server via XMPP server (XEP-0215). +# If empty or not set, variable DOCKER_HOST_ADDRESS will be used by default. +#TURN_HOST=turn.example.com + +# Public IP address for an instance of turn server. +# If empty or not set, will be detected and set dynamically when a container start. +#TURN_PUBIC_IP=144.144.144.144 + +# TLS/TCP/UDP turn port for connection +#TURN_PORT=5349 + +# Transport for stun/turn connection. Can be tcp or udp. 
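Review bot: `#TURN_PUBIC_IP=144.144.144.144` in the env.example hunk misspells the variable name (`TURN_PUBLIC_IP` everywhere else), so a user who uncomments it has the setting silently ignored and the entrypoint falls back to the icanhazip lookup. `144.144.144.144` is also a real routable address; prefer a documentation range such as `203.0.113.10` (RFC 5737), as `turn.example.com` already does for the hostname. "Annonce" -> "Announce".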
+#TURN_TRANSPORT=tcp + +# RTP start port for turn/turns connections +#TURN_RTP_MIN=10000 + +# RTP end port for turn/turns connections +#TURN_RTP_MAX=11000 + +# Enable admin web access. If enabled, please set variables below. +#TURN_ADMIN_ENABLE=0 + +# Username for admin panel +#TURN_ADMIN_USER=admin + +# Password for admin panel +#TURN_ADMIN_SECRET=changeme + +# HTTP(s) port for acess to admin panel +#TURN_ADMIN_PORT=8443 diff --git a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua index b39fb865e1..8f4df8c31e 100644 --- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua +++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua @@ -2,11 +2,11 @@ admins = { "{{ .Env.JICOFO_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}" } plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" } http_default_host = "{{ .Env.XMPP_DOMAIN }}" -{{ if or (.Env.TURN_ENABLE_P2P | default "0" | toBool) (.Env.TURN_ENABLE_JVB | default "0" | toBool) }} +{{ if .Env.TURN_ENABLE | default "0" | toBool }} turncredentials_secret = "{{ .Env.TURN_SECRET | default "keepthissecret" }}"; turncredentials = { { type = "{{ .Env.TURN_TYPE | default "turns" }}", - host = "{{ .Env.TURN_HOST | default "8.8.8.8" }}", + host = "{{ .Env.TURN_HOST | default .Env.DOCKER_HOST_ADDRESS }}", port = {{ .Env.TURN_PORT | default "3478" }}, transport = "{{ .Env.TURN_TRANSPORT | default "tcp" }}" } diff --git a/turn.yml b/turn.yml index 278277ec9d..d267921f6e 100644 --- a/turn.yml +++ b/turn.yml @@ -11,6 +11,7 @@ services: - '${TURN_RTP_MIN}-${TURN_RTP_MAX}:${TURN_RTP_MIN}-${TURN_RTP_MAX}/udp' - '${TURN_ADMIN_PORT}:${TURN_ADMIN_PORT}/tcp' environment: + - DOCKER_HOST_ADDRESS - TURN_SECRET - TURN_REALM - TURN_ADMIN_USER diff --git a/turn/rootfs/defaults/docker-entrypoint.sh b/turn/rootfs/defaults/docker-entrypoint.sh index cc54a71871..08e406c795 100755 --- a/turn/rootfs/defaults/docker-entrypoint.sh +++ b/turn/rootfs/defaults/docker-entrypoint.sh 
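Review bot: The jitsi-meet.cfg.lua hunk falls back to `.Env.DOCKER_HOST_ADDRESS` for `host`, but this patch adds `DOCKER_HOST_ADDRESS` only to the turn service's environment in turn.yml, and the docker-compose.yml hunks for the prosody service do not list it; if it is not already in prosody's environment the template renders an empty host. Check that it is passed through, and the `port` default of `3478` still disagrees with the 5349 used everywhere else.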
@@ -1,14 +1,24 @@ #!/bin/ash +# create config dir if not exists +[ ! -d /config ] && mkdir /config + # make certs if not exist -if [[ ! -f /etc/ssl/cert.crt || ! -f /etc/ssl/cert.key ]]; then - openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 3650 -out certificate.pem -subj "/C=US/ST=NY/L=NY/O=IT/CN=${TURN_HOST}" +if [[ ! -f /config/cert.crt || ! -f /config/cert.key ]]; then + openssl req -newkey rsa:2048 -nodes -keyout /config/cert.key -x509 -days 3650 -out /config/cert.crt -subj "/C=US/ST=NY/L=NY/O=IT/CN=${TURN_HOST}" fi -# set coturn admin user -turnadmin -A -u ${TURN_ADMIN_USER:-admin} -p ${TURN_ADMIN_SECRET:-changeme} +# use non empty TURN_PUBLIC_IP variable, othervise set it dynamically. +[ -z "${TURN_PUBLIC_IP}" ] && export TURN_PUBLIC_IP=$(curl -4ks https://icanhazip.com) +[ -z "${TURN_PUBLIC_IP}" ] && echo "ERROR: variable TURN_PUBLIC_IP is not set and can not be set dynamically!" && kill 1 + +# set coturn web-admin access +if [[ "${TURN_ADMIN_ENABLE}" == "1" || "${TURN_ADMIN_ENABLE}" == "true" ]]; then + turnadmin -A -u ${TURN_ADMIN_USER:-admin} -p ${TURN_ADMIN_SECRET:-changeme} + export TURN_ADMIN_OPTIONS="--web-admin --web-admin-ip=$(hostname -i) --web-admin-port=${TURN_ADMIN_PORT:-8443}" +fi # run coturn server with API auth method enabled. -turnserver -n \ +turnserver -n ${TURN_ADMIN_OPTIONS} \ --verbose \ --prod \ --no-tlsv1 \ @@ -18,8 +28,8 @@ turnserver -n \ --tls-listening-port=${TURN_PORT:-5349} \ --alt-listening-port=${TURN_PORT:-5349} \ --alt-tls-listening-port=${TURN_PORT:-5349} \ ---cert=/etc/ssl/cert.crt \ ---pkey=/etc/ssl/cert.key \ +--cert=/config/cert.crt \ +--pkey=/config/cert.key \ --min-port=${TURN_RTP_MIN:-10000} \ --max-port=${TURN_RTP_MAX:-11000} \ --no-stun \ 
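Review bot: `[ -z "${TURN_PUBLIC_IP}" ] && echo "ERROR: ..." && kill 1` in the entrypoint hunk does not stop the container reliably: the script runs as PID 1 (exec-form `ENTRYPOINT`), and PID 1 does not receive default-action signals, so the most likely outcome is that the message is printed and turnserver is started anyway with an empty `--external-ip`. Use `exit 1`. The lookup `curl -4ks https://icanhazip.com` still passes `-k`, so the address every client is told to send media to comes from an unauthenticated response; drop `-k` (installing `ca-certificates` if the image lacks them) or require `TURN_PUBLIC_IP` to be set explicitly. `turnadmin -A ... -p ${TURN_ADMIN_SECRET:-changeme}` still passes the admin password on the command line and still has a default. Comment typo: "othervise" -> "otherwise".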
@@ -27,12 +37,8 @@ turnserver -n \ --static-auth-secret=${TURN_SECRET:-keepthissecret} \ --no-multicast-peers \ --realm=${TURN_REALM:-realm} \ ---external-ip=$(curl -4k https://icanhazip.com 2>/dev/null) \ ---relay-ip=$(hostname -i) \ --listening-ip=$(hostname -i) \ ---web-admin \ ---web-admin-ip=$(hostname -i) \ ---web-admin-port=${TURN_ADMIN_PORT:-8443} \ ---no-cli \ ---cli-password=${TURN_ADMIN_SECRET:-changeme} +--external-ip=${TURN_PUBLIC_IP} \ +--cli-password=NotReallyCliUs3d \ +--no-cli diff --git a/web/rootfs/defaults/config.js b/web/rootfs/defaults/config.js index c38194dbc6..17f0ad545d 100644 --- a/web/rootfs/defaults/config.js +++ b/web/rootfs/defaults/config.js @@ -227,7 +227,7 @@ var config = { // minParticipants: 2, // Use XEP-0215 to fetch STUN and TURN servers. - // useStunTurn: true, //jvb + // useStunTurn: true, // Enable IPv6 support. // useIPv6: true, @@ -329,7 +329,7 @@ var config = { enabled: true, // Use XEP-0215 to fetch STUN and TURN servers. - // useStunTurn: true, //p2p + // useStunTurn: true, // The STUN servers that will be used in the peer to peer connections stunServers: [ diff --git a/web/rootfs/etc/cont-init.d/10-config b/web/rootfs/etc/cont-init.d/10-config index da41c0c96d..93c27fd36e 100644 --- a/web/rootfs/etc/cont-init.d/10-config +++ b/web/rootfs/etc/cont-init.d/10-config @@ -93,15 +93,9 @@ if [[ ! -f /config/config.js ]]; then /config/config.js fi - if [[ $TURN_ENABLE_JVB -eq 1 || "$TURN_ENABLE_JVB" == "true" ]]; then + if [[ $TURN_ENABLE -eq 1 || "$TURN_ENABLE" == "true" ]]; then sed -i \ - -e "s#// useStunTurn:.*, //jvb#useStunTurn: true, //jvb#" \ - /config/config.js - fi - - if [[ $TURN_ENABLE_P2P -eq 1 || "$TURN_ENABLE_P2P" == "true" ]]; then - sed -i \ - -e "s#// useStunTurn:.*, //p2p#useStunTurn: true, //p2p#" \ + -e "s#// useStunTurn:.*,#useStunTurn: true,#" \ /config/config.js fi From 6c6df2c093e508ccbc462e49fe34077687e2e6fb Mon Sep 17 00:00:00 2001 
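Review bot: `--cli-password=NotReallyCliUs3d` together with `--no-cli` in the entrypoint hunk is dead configuration (the CLI is disabled), but a hard-coded password literal in a shipped script gets flagged by secret scanners and invites copy-paste; drop the flag, or add a comment explaining why coturn needs a value there. Removing `--relay-ip=$(hostname -i)` while keeping `--listening-ip=$(hostname -i)` and `--external-ip=${TURN_PUBLIC_IP}` changes which address coturn relays from behind Docker NAT; confirm this was tested, and state the intent in a comment.

Review bot: The web `10-config` hunk collapses the two conditions into one `TURN_ENABLE` check and the sed pattern `s#// useStunTurn:.*,#useStunTurn: true,#` now matches both commented-out occurrences in config.js, which is the intended effect of dropping the `//jvb`/`//p2p` markers; a short comment saying it deliberately enables both the JVB and the P2P setting would save the next reader a trip to config.js.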
From: netaskd Date: Thu, 12 Dec 2019 18:48:42 +0200 Subject: [PATCH 3/9] turn: add forgotten variable TURN_ADMIN_ENABLE --- turn.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/turn.yml b/turn.yml index d267921f6e..32839bb282 100644 --- a/turn.yml +++ b/turn.yml @@ -14,15 +14,16 @@ services: - DOCKER_HOST_ADDRESS - TURN_SECRET - TURN_REALM - - TURN_ADMIN_USER - - TURN_ADMIN_SECRET - - TURN_ADMIN_PORT - TURN_TYPE - TURN_HOST - TURN_PORT - TURN_TRANSPORT - TURN_RTP_MIN - TURN_RTP_MAX + - TURN_ADMIN_ENABLE + - TURN_ADMIN_USER + - TURN_ADMIN_SECRET + - TURN_ADMIN_PORT networks: meet.jitsi: From 656d48bb210330b70aa58dc0aa99bc922556a51f Mon Sep 17 00:00:00 2001 From: netaskd Date: Fri, 13 Dec 2019 18:37:44 +0200 Subject: [PATCH 4/9] turn: the second review --- README.md | 3 +-- docker-compose.yml | 1 - env.example | 3 --- prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua | 2 +- prosody/rootfs/etc/cont-init.d/10-config | 6 ++++++ turn.yml | 3 ++- turn/Dockerfile | 2 ++ turn/rootfs/defaults/docker-entrypoint.sh | 2 -- 8 files changed, 12 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index d512e239cc..e3778e60c1 100644 --- a/README.md +++ b/README.md 
@@ -349,14 +349,13 @@ Variable | Description | Example For setting `GOOGLE_APPLICATION_CREDENTIALS` please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section "Before you begin" from 1 to 5 paragraph. ### TURN(S) server -For enable turn server for P2P and JVB connections, please add to the variable `GLOBAL_MODULES` string `turncredentials` and set variables below +For enable turn server for P2P and JVB connections, please set variables below Variable | Description | Default value --- | --- | --- `TURN_ENABLE` | Use TURN for P2P and JVB (bridge mode) connections | 0 `TURN_REALM` | Realm to be used for the users with long-term credentials mechanism or with TURN REST API | realm `TURN_SECRET` | Secret for connect to TURN server | keepthissecret -`TURN_TYPE` | Type of TURN(s) (turn/turns) | turns `TURN_HOST` | Annonce FQDN/IP address of the turn server via XMPP (XEP-0215) | 192.168.1.1 `TURN_PUBLIC_IP` | Public IP address for an instance of turn server | set dynamically `TURN_PORT` | TLS/TCP/UDP turn port for connection | 5349 diff --git a/docker-compose.yml b/docker-compose.yml index e0d49c9b6d..1126680947 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -102,7 +102,6 @@ services: - TZ - TURN_ENABLE - TURN_SECRET - - TURN_TYPE - TURN_HOST - TURN_PORT - TURN_TRANSPORT diff --git a/env.example b/env.example index 984fb14a01..17cd90de7d 100644 --- a/env.example +++ b/env.example @@ -304,9 +304,6 @@ JIBRI_LOGS_DIR=/config/logs # Secret for connect to TURN server #TURN_SECRET=keepthissecret -# Type of TURN(s)/STUN. Can be turn or turns. -#TURN_TYPE=turns - # Annonce FQDN/IP address of the turn server via XMPP server (XEP-0215). # If empty or not set, variable DOCKER_HOST_ADDRESS will be used by default. #TURN_HOST=turn.example.com diff --git a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua index 8f4df8c31e..99f92b85bd 100644 --- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua 
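Review bot: With `TURN_TYPE` removed and the prosody template hard-coding `type = "turns"`, the README rows `TURN_PORT | TLS/TCP/UDP turn port` and `TURN_TRANSPORT (tcp/udp)` should say that clients are always given a TLS (turns) URI, so the turn container must present a certificate the browsers trust; check whether the self-signed certificate the entrypoint generates is accepted by browsers for TURNS, and document mounting a CA-issued cert/key into `${CONFIG}/turn` if it is not.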
+++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua @@ -5,7 +5,7 @@ http_default_host = "{{ .Env.XMPP_DOMAIN }}" {{ if .Env.TURN_ENABLE | default "0" | toBool }} turncredentials_secret = "{{ .Env.TURN_SECRET | default "keepthissecret" }}"; turncredentials = { - { type = "{{ .Env.TURN_TYPE | default "turns" }}", + { type = "turns", host = "{{ .Env.TURN_HOST | default .Env.DOCKER_HOST_ADDRESS }}", port = {{ .Env.TURN_PORT | default "3478" }}, transport = "{{ .Env.TURN_TRANSPORT | default "tcp" }}" diff --git a/prosody/rootfs/etc/cont-init.d/10-config b/prosody/rootfs/etc/cont-init.d/10-config index 701efcdd93..83e9d6ecd0 100644 --- a/prosody/rootfs/etc/cont-init.d/10-config +++ b/prosody/rootfs/etc/cont-init.d/10-config @@ -31,6 +31,12 @@ fi if [[ ! -f $PROSODY_CFG ]]; then cp -r /defaults/* /config + + if [[ "${TURN_ENABLE}" == "1" || "${TURN_ENABLE}" == "true" ]]; then + [ -z "${GLOBAL_MODULES}" ] && export GLOBAL_MODULES="turncredentials" \ + || export GLOBAL_MODULES="${GLOBAL_MODULES},turncredentials" + fi + tpl /defaults/prosody.cfg.lua > $PROSODY_CFG tpl /defaults/conf.d/jitsi-meet.cfg.lua > /config/conf.d/jitsi-meet.cfg.lua diff --git a/turn.yml b/turn.yml index 32839bb282..d52d44c2f9 100644 --- a/turn.yml +++ b/turn.yml @@ -5,6 +5,8 @@ services: turn: image: jitsi/turn restart: always + volumes: + - ${CONFIG}/turn:/config ports: - '${TURN_PORT}:${TURN_PORT}/tcp' - '${TURN_PORT}:${TURN_PORT}/udp' @@ -14,7 +16,6 @@ services: - DOCKER_HOST_ADDRESS - TURN_SECRET - TURN_REALM - - TURN_TYPE - TURN_HOST - TURN_PORT - TURN_TRANSPORT diff --git a/turn/Dockerfile b/turn/Dockerfile index 8f53ff7910..da62b7148a 100644 --- a/turn/Dockerfile +++ b/turn/Dockerfile @@ -7,5 +7,7 @@ ADD ./rootfs/defaults/docker-entrypoint.sh /docker-entrypoint.sh ENTRYPOINT ["/docker-entrypoint.sh"] +VOLUME ["/config"] + EXPOSE 5349 8443 10000:11000/udp diff --git a/turn/rootfs/defaults/docker-entrypoint.sh b/turn/rootfs/defaults/docker-entrypoint.sh index 08e406c795..28e397fb5a 100755 
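Review bot: `[ -z "${GLOBAL_MODULES}" ] && export GLOBAL_MODULES="turncredentials" || export GLOBAL_MODULES="${GLOBAL_MODULES},turncredentials"` in the prosody `10-config` hunk relies on the `a && b || c` idiom; an explicit `if/else` reads better and cannot fall into the `||` branch when the first `export` fails. Since the block sits inside `if [[ ! -f $PROSODY_CFG ]]`, enabling `TURN_ENABLE` later has no effect on an existing config; worth a line in the README.

Review bot: The volume `${CONFIG}/turn:/config` in turn.yml (and `VOLUME ["/config"]` in turn/Dockerfile) now persists the TLS private key the entrypoint generates onto the host. That is the right place for it, but `openssl req -nodes` writes an unencrypted key with default permissions; set a restrictive umask before generating it and document that this directory holds the key.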
--- a/turn/rootfs/defaults/docker-entrypoint.sh +++ b/turn/rootfs/defaults/docker-entrypoint.sh @@ -1,6 +1,4 @@ #!/bin/ash -# create config dir if not exists -[ ! -d /config ] && mkdir /config # make certs if not exist if [[ ! -f /config/cert.crt || ! -f /config/cert.key ]]; then From 575321391a6aa6b78dafc75eb715de5cd7e29658 Mon Sep 17 00:00:00 2001 From: netaskd Date: Thu, 23 Apr 2020 15:06:40 +0300 Subject: [PATCH 5/9] base: add curl as necessary for getting mod_turncredentials.lua in prosody --- base/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/base/Dockerfile b/base/Dockerfile index f1a0e9e239..f00f5b6a54 100644 --- a/base/Dockerfile +++ b/base/Dockerfile @@ -12,7 +12,7 @@ RUN \ tar xfz /tmp/s6-overlay.tar.gz -C / && \ rm -f /tmp/*.tar.gz && \ apt-dpkg-wrap apt-get update && \ - apt-dpkg-wrap apt-get install -y apt-transport-https apt-utils ca-certificates gnupg && \ + apt-dpkg-wrap apt-get install -y apt-transport-https apt-utils ca-certificates gnupg curl && \ apt-key add /tmp/jitsi.key && \ rm -f /tmp/jitsi.key && \ echo "deb https://download.jitsi.org $JITSI_RELEASE/" > /etc/apt/sources.list.d/jitsi.list && \ @@ -25,7 +25,7 @@ RUN \ RUN \ [ "$JITSI_RELEASE" = "unstable" ] && \ apt-dpkg-wrap apt-get update && \ - apt-dpkg-wrap apt-get install -y jq procps curl vim iputils-ping net-tools && \ + apt-dpkg-wrap apt-get install -y jq procps vim iputils-ping net-tools && \ apt-cleanup || \ true From cb8552a0bacd5c64464a42a57fb250049c9a2144 Mon Sep 17 00:00:00 2001 From: netaskd Date: Thu, 23 Apr 2020 15:07:32 +0300 Subject: [PATCH 6/9] misc: fix typo in a turn variable --- env.example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/env.example b/env.example index 17cd90de7d..d5dacf72c5 100644 --- a/env.example +++ b/env.example 
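Review bot: Moving `curl` from the unstable-only tool set into the permanent package list in base/Dockerfile puts a general-purpose HTTP client into every runtime container (web, jvb, jicofo, prosody, ...) so that one `RUN` step in prosody/Dockerfile can download a plugin at build time. Install it only in that build step (and remove it afterwards), use a build stage, or vendor the file into the repository; the commit message ("necessary for getting mod_turncredentials.lua") also underlines the earlier point that this download should be pinned to a commit and checksummed.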
@@ -310,7 +310,7 @@ JIBRI_LOGS_DIR=/config/logs # Public IP address for an instance of turn server. # If empty or not set, will be detected and set dynamically when a container start. -#TURN_PUBIC_IP=144.144.144.144 +#TURN_PUBLIC_IP=144.144.144.144 # TLS/TCP/UDP turn port for connection #TURN_PORT=5349 From d9835789acae1d866716eee6609a2b5d40eb2848 Mon Sep 17 00:00:00 2001 From: netaskd Date: Thu, 23 Apr 2020 15:10:06 +0300 Subject: [PATCH 7/9] misc: update default port min/max for turn service --- README.md | 4 ++-- env.example | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index e3778e60c1..f8ab5b5379 100644 --- a/README.md +++ b/README.md @@ -360,8 +360,8 @@ Variable | Description | Default value `TURN_PUBLIC_IP` | Public IP address for an instance of turn server | set dynamically `TURN_PORT` | TLS/TCP/UDP turn port for connection | 5349 `TURN_TRANSPORT` | transport for turn connection (tcp/udp) | tcp -`TURN_RTP_MIN` | RTP start port for turn/turns connections | 10000 -`TURN_RTP_MAX` | RTP end port for turn/turns connections | 11000 +`TURN_RTP_MIN` | RTP start port for turn/turns connections | 16000 +`TURN_RTP_MAX` | RTP end port for turn/turns connections | 17000 For enable web-admin panel for turn, please set variables below diff --git a/env.example b/env.example index d5dacf72c5..9397d56cfc 100644 --- a/env.example +++ b/env.example @@ -319,10 +319,10 @@ JIBRI_LOGS_DIR=/config/logs #TURN_TRANSPORT=tcp # RTP start port for turn/turns connections -#TURN_RTP_MIN=10000 +#TURN_RTP_MIN=16000 # RTP end port for turn/turns connections -#TURN_RTP_MAX=11000 +#TURN_RTP_MAX=17000 # Enable admin web access. If enabled, please set variables below. #TURN_ADMIN_ENABLE=0 From e0e0d8192926cfe6bf71d41db2d09b96f8929feb Mon Sep 17 00:00:00 2001 
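Review bot: Patch 7 changes the default RTP range to 16000-17000 in README and env.example, but turn/Dockerfile still has `EXPOSE 5349 8443 10000:11000/udp` and the entrypoint still uses `--min-port=${TURN_RTP_MIN:-10000}` and `--max-port=${TURN_RTP_MAX:-11000}`; update the three together so documentation, image metadata and runtime defaults agree.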
From: =?UTF-8?q?Michael=20Vorburger=20=E2=9B=91=EF=B8=8F?= Date: Sun, 15 Mar 2020 21:36:42 +0100 Subject: [PATCH 8/9] doc: add tip re. ports to open on firewall to README --- README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/README.md b/README.md index f8ab5b5379..b60b962e04 100644 --- a/README.md +++ b/README.md @@ -67,6 +67,27 @@ The diagram shows a typical deployment in a host running Docker. This project separates each of the components above into interlinked containers. To this end, several container images are provided. +### External Ports + +The following external ports must be opened on a firweall: + +* 80/tcp for Web UI HTTP (really just to redirect, after uncommenting ENABLE_HTTP_REDIRECT=1 in .env) +* 443/tcp for Web UI HTTPS +* 4443/tcp for RTP media over TCP +* 10000/udp for RTP media over UDP + +Also 20000-20050/udp for jigasi, in case you choose to deploy that to facilitate SIP acces. + +E.g. on a CentOS/Fedora server this would be done like this (without SIP access): + +```shell + $ sudo firewall-cmd --permanent --add-port=80/tcp + $ sudo firewall-cmd --permanent --add-port=443/tcp + $ sudo firewall-cmd --permanent --add-port=4443/tcp + $ sudo firewall-cmd --permanent --add-port=10000/udp + $ sudo firewall-cmd --reload +``` + ### Images * **base**: Debian stable base image with the [S6 Overlay] for process control and the From 14d717c5e279fc7bf29e1fe00f5b4d3934dda86d Mon Sep 17 00:00:00 2001 From: netaskd Date: Thu, 23 Apr 2020 19:50:49 +0300 Subject: [PATCH 9/9] turn: add ports that need to open additionally --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index b60b962e04..296678024b 100644 --- a/README.md +++ b/README.md 
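Review bot: Typos in the new "External Ports" section: "firweall" -> "firewall", "acces" -> "access". The jigasi range 20000-20050/udp is mentioned in prose but absent from the `firewall-cmd` block; a commented-out line there would make the two consistent. The `$ ` prompts inside the ```shell fence stop the block from being pasted as-is; the README's other command examples do not use them.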
@@ -75,6 +75,9 @@ The following external ports must be opened on a firweall: * 443/tcp for Web UI HTTPS * 4443/tcp for RTP media over TCP * 10000/udp for RTP media over UDP +* 5349/tcp for TURN data over TCP +* 5349/udp for TURN data over UDP +* 16000-17000/udp for TURN RTP media over UDP Also 20000-20050/udp for jigasi, in case you choose to deploy that to facilitate SIP acces. @@ -85,6 +88,9 @@ E.g. on a CentOS/Fedora server this would be done like this (without SIP access) $ sudo firewall-cmd --permanent --add-port=443/tcp $ sudo firewall-cmd --permanent --add-port=4443/tcp $ sudo firewall-cmd --permanent --add-port=10000/udp + $ sudo firewall-cmd --permanent --add-port=5349/tcp + $ sudo firewall-cmd --permanent --add-port=5349/udp + $ sudo firewall-cmd --permanent --add-port=16000-17000/udp $ sudo firewall-cmd --reload ```
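Review bot: The added firewall lines hard-code 5349 and 16000-17000 while the actual values come from `TURN_PORT`, `TURN_RTP_MIN` and `TURN_RTP_MAX`; say "with the default settings" and name the variables so a reader with a custom range opens the right ports. Since `TURN_TRANSPORT` defaults to tcp, `5349/udp` is only needed when `TURN_TRANSPORT=udp`. The admin port (`TURN_ADMIN_PORT`, default 8443) is rightly absent from this list; the README should state explicitly that it must not be opened on the external firewall.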