mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2024-11-10 04:37:36 +01:00
Add TLS support to Coturn
This commit is contained in:
parent
018aeed5e9
commit
59e37105e8
23
CHANGELOG.md
23
CHANGELOG.md
@ -1,3 +1,26 @@
|
||||
# 2019-03-19
|
||||
|
||||
## TLS support for Coturn
|
||||
|
||||
We've added TLS support to the Coturn TURN server installed by the playbook by default.
|
||||
The certificates from the Matrix domain will be used for the Coturn server.
|
||||
|
||||
This feature is enabled by default for new installations.
|
||||
To make use of TLS support for your existing Matrix server's Coturn, make sure to rebuild both Coturn and Synapse:
|
||||
|
||||
```bash
|
||||
ansible-playbook -i inventory/hosts setup.yml --tags=setup-coturn,setup-synapse,start
|
||||
```
|
||||
|
||||
People who have an extra firewall (besides the iptables firewall, which Docker manages automatically), will need to open these additional firewall ports: `5349/tcp` (TURN over TCP) and `5349/udp` (TURN over UDP).
|
||||
|
||||
People who build their own custom playbook from our roles should be aware that:
|
||||
|
||||
- the `matrix-coturn` role and actually starting Coturn (e.g. `--tags=start`), requires that certificates are already put in place. For this reason, it's usually a good idea to have the `matrix-coturn` role execute after `matrix-nginx-proxy` (which retrieves the certificates).
|
||||
|
||||
- there are a few variables that can help you enable TLS support for Coturn. See the `matrix-coturn` section in [group_vars/matrix-servers](./group_vars/matrix-servers).
|
||||
|
||||
|
||||
# 2019-03-12
|
||||
|
||||
## matrix-nginx-proxy support for serving the base domain
|
||||
|
@ -12,6 +12,6 @@
|
||||
|
||||
- properly configured DNS records for `<your-domain>` (details in [Configuring DNS](configuring-dns.md))
|
||||
|
||||
- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (STUN over TCP), `3478/udp` (STUN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP).
|
||||
- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP).
|
||||
|
||||
When ready to proceed, continue with [Configuring DNS](configuring-dns.md).
|
||||
|
@ -93,6 +93,14 @@ matrix_coturn_enabled: true
|
||||
|
||||
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
|
||||
|
||||
matrix_coturn_tls_enabled: true
|
||||
matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem"
|
||||
matrix_coturn_tls_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/privkey.pem"
|
||||
matrix_coturn_container_additional_volumes:
|
||||
- src: "{{ matrix_ssl_config_dir_path }}"
|
||||
dst: "{{ matrix_ssl_config_dir_path }}"
|
||||
options: ro
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# /matrix-coturn
|
||||
@ -351,11 +359,15 @@ matrix_synapse_email_smtp_require_transport_security: false
|
||||
matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>"
|
||||
matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}"
|
||||
|
||||
# Even if TURN doesn't support TLS (it does by default),
|
||||
# it doesn't hurt to try a secure connection anyway.
|
||||
matrix_synapse_turn_uris: |
|
||||
{{
|
||||
[
|
||||
'turn:' + matrix_server_fqn_matrix + ':3478?transport=udp',
|
||||
'turn:' + matrix_server_fqn_matrix + ':3478?transport=tcp',
|
||||
'turns:' + matrix_server_fqn_matrix + '?transport=udp',
|
||||
'turns:' + matrix_server_fqn_matrix + '?transport=tcp',
|
||||
'turn:' + matrix_server_fqn_matrix + '?transport=udp',
|
||||
'turn:' + matrix_server_fqn_matrix + '?transport=tcp',
|
||||
]
|
||||
if matrix_coturn_enabled
|
||||
else []
|
||||
|
@ -38,3 +38,10 @@ matrix_coturn_allowed_peer_ips: []
|
||||
matrix_coturn_denied_peer_ips: []
|
||||
matrix_coturn_user_quota: null
|
||||
matrix_coturn_total_quota: null
|
||||
|
||||
# To enable TLS, you need to provide paths to certificates.
|
||||
# Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.
|
||||
# Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`.
|
||||
matrix_coturn_tls_enabled: false
|
||||
matrix_coturn_tls_cert_path: ~
|
||||
matrix_coturn_tls_key_path: ~
|
||||
|
@ -61,15 +61,40 @@
|
||||
immediate: yes
|
||||
permanent: yes
|
||||
with_items:
|
||||
- '3478/tcp' # STUN
|
||||
- '3478/udp' # STUN
|
||||
- '3478/tcp'
|
||||
- '3478/udp'
|
||||
- '5349/tcp'
|
||||
- '5349/udp'
|
||||
- "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN
|
||||
when: "matrix_coturn_enabled and ansible_os_family == 'RedHat'"
|
||||
|
||||
# This may be unnecessary when more long-lived certificates are used.
|
||||
# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
|
||||
# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
|
||||
- name: Ensure periodic reloading of matrix-coturn is configured for SSL renewal (matrix-coturn-reload)
|
||||
cron:
|
||||
user: root
|
||||
cron_file: matrix-coturn-ssl-reload
|
||||
name: matrix-coturn-ssl-reload
|
||||
state: present
|
||||
hour: 4
|
||||
minute: 20
|
||||
day: "*/5"
|
||||
job: /bin/systemctl reload matrix-coturn.service
|
||||
when: matrix_coturn_enabled and matrix_coturn_tls_enabled
|
||||
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of Coturn (if it was previously enabled)
|
||||
#
|
||||
|
||||
- name: Ensure matrix-coturn-ssl-reload cronjob removed
|
||||
cron:
|
||||
user: root
|
||||
cron_file: matrix-coturn-ssl-reload
|
||||
state: absent
|
||||
when: "not matrix_coturn_enabled or not matrix_coturn_tls_enabled"
|
||||
|
||||
- name: Check existence of matrix-coturn service
|
||||
stat:
|
||||
path: "/etc/systemd/system/matrix-coturn.service"
|
||||
|
@ -9,15 +9,19 @@ After={{ service }}
|
||||
Type=simple
|
||||
ExecStartPre=-/usr/bin/docker kill matrix-coturn
|
||||
ExecStartPre=-/usr/bin/docker rm matrix-coturn
|
||||
|
||||
ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--entrypoint=turnserver \
|
||||
--read-only \
|
||||
--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
|
||||
--network={{ matrix_coturn_docker_network }} \
|
||||
-p 3478:3478 \
|
||||
-p 3478:3478/udp \
|
||||
-p 5349:5349 \
|
||||
-p 5349:5349/udp \
|
||||
-p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
|
||||
-v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \
|
||||
{% for volume in matrix_coturn_container_additional_volumes %}
|
||||
@ -25,8 +29,14 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
|
||||
{% endfor %}
|
||||
{{ matrix_coturn_docker_image }} \
|
||||
-c /turnserver.conf
|
||||
|
||||
ExecStop=-/usr/bin/docker kill matrix-coturn
|
||||
ExecStop=-/usr/bin/docker rm matrix-coturn
|
||||
|
||||
# This only reloads certificates (not other configuration).
|
||||
# See: https://github.com/coturn/coturn/pull/236
|
||||
ExecReload=/usr/bin/docker exec matrix-coturn kill -USR2 1
|
||||
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
|
||||
|
@ -1,23 +1,35 @@
|
||||
use-auth-secret
|
||||
static-auth-secret={{ matrix_coturn_turn_static_auth_secret }}
|
||||
realm=turn.{{ matrix_server_fqn_matrix }}
|
||||
|
||||
min-port={{ matrix_coturn_turn_udp_min_port }}
|
||||
max-port={{ matrix_coturn_turn_udp_max_port }}
|
||||
external-ip={{ matrix_coturn_turn_external_ip_address }}
|
||||
|
||||
log-file=stdout
|
||||
pidfile=/var/tmp/turnserver.pid
|
||||
userdb=/var/tmp/turnserver.db
|
||||
|
||||
no-cli
|
||||
|
||||
{% if matrix_coturn_tls_enabled %}
|
||||
cert={{ matrix_coturn_tls_cert_path }}
|
||||
pkey={{ matrix_coturn_tls_key_path }}
|
||||
{% else %}
|
||||
no-tls
|
||||
no-dtls
|
||||
{% endif %}
|
||||
|
||||
prod
|
||||
no-tcp-relay
|
||||
|
||||
{% if matrix_coturn_user_quota != None %}
|
||||
user-quota={{ matrix_coturn_user_quota }}
|
||||
{% endif %}
|
||||
{% if matrix_coturn_total_quota != None %}
|
||||
total-quota={{ matrix_coturn_total_quota }}
|
||||
{% endif %}
|
||||
|
||||
{% for ip_range in matrix_coturn_denied_peer_ips %}
|
||||
denied-peer-ip={{ ip_range }}
|
||||
{% endfor %}
|
||||
|
Loading…
Reference in New Issue
Block a user