Add TLS support to Coturn

This commit is contained in:
Slavi Pantaleev 2019-03-19 10:24:39 +02:00
parent 018aeed5e9
commit 59e37105e8
8 changed files with 95 additions and 6 deletions

View File

@ -1,3 +1,26 @@
# 2019-03-19
## TLS support for Coturn
We've added TLS support to the Coturn TURN server installed by the playbook by default.
The certificates from the Matrix domain will be used for the Coturn server.
This feature is enabled by default for new installations.
To make use of TLS support for your existing Matrix server's Coturn, make sure to rebuild both Coturn and Synapse:
```bash
ansible-playbook -i inventory/hosts setup.yml --tags=setup-coturn,setup-synapse,start
```
People who have an extra firewall (besides the iptables firewall, which Docker manages automatically), will need to open these additional firewall ports: `5349/tcp` (TURN over TCP) and `5349/udp` (TURN over UDP).
People who build their own custom playbook from our roles should be aware that:
- the `matrix-coturn` role and actually starting Coturn (e.g. `--tags=start`), requires that certificates are already put in place. For this reason, it's usually a good idea to have the `matrix-coturn` role execute after `matrix-nginx-proxy` (which retrieves the certificates).
- there are a few variables that can help you enable TLS support for Coturn. See the `matrix-coturn` section in [group_vars/matrix-servers](./group_vars/matrix-servers).
# 2019-03-12
## matrix-nginx-proxy support for serving the base domain

View File

@ -12,6 +12,6 @@
- properly configured DNS records for `<your-domain>` (details in [Configuring DNS](configuring-dns.md))
- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (STUN over TCP), `3478/udp` (STUN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP).
- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP).
When ready to proceed, continue with [Configuring DNS](configuring-dns.md).

View File

@ -93,6 +93,14 @@ matrix_coturn_enabled: true
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
matrix_coturn_tls_enabled: true
matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem"
matrix_coturn_tls_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/privkey.pem"
matrix_coturn_container_additional_volumes:
- src: "{{ matrix_ssl_config_dir_path }}"
dst: "{{ matrix_ssl_config_dir_path }}"
options: ro
######################################################################
#
# /matrix-coturn
@ -351,11 +359,15 @@ matrix_synapse_email_smtp_require_transport_security: false
matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>"
matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}"
# Even if TURN doesn't support TLS (it does by default),
# it doesn't hurt to try a secure connection anyway.
matrix_synapse_turn_uris: |
{{
[
'turn:' + matrix_server_fqn_matrix + ':3478?transport=udp',
'turn:' + matrix_server_fqn_matrix + ':3478?transport=tcp',
'turns:' + matrix_server_fqn_matrix + '?transport=udp',
'turns:' + matrix_server_fqn_matrix + '?transport=tcp',
'turn:' + matrix_server_fqn_matrix + '?transport=udp',
'turn:' + matrix_server_fqn_matrix + '?transport=tcp',
]
if matrix_coturn_enabled
else []

View File

@ -38,3 +38,10 @@ matrix_coturn_allowed_peer_ips: []
matrix_coturn_denied_peer_ips: []
matrix_coturn_user_quota: null
matrix_coturn_total_quota: null
# To enable TLS, you need to provide paths to certificates.
# Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.
# Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`.
matrix_coturn_tls_enabled: false
matrix_coturn_tls_cert_path: ~
matrix_coturn_tls_key_path: ~

View File

@ -61,15 +61,40 @@
immediate: yes
permanent: yes
with_items:
- '3478/tcp' # STUN
- '3478/udp' # STUN
- '3478/tcp'
- '3478/udp'
- '5349/tcp'
- '5349/udp'
- "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN
when: "matrix_coturn_enabled and ansible_os_family == 'RedHat'"
# This may be unnecessary when more long-lived certificates are used.
# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
- name: Ensure periodic reloading of matrix-coturn is configured for SSL renewal (matrix-coturn-reload)
cron:
user: root
cron_file: matrix-coturn-ssl-reload
name: matrix-coturn-ssl-reload
state: present
hour: 4
minute: 20
day: "*/5"
job: /bin/systemctl reload matrix-coturn.service
when: matrix_coturn_enabled and matrix_coturn_tls_enabled
#
# Tasks related to getting rid of Coturn (if it was previously enabled)
#
- name: Ensure matrix-coturn-ssl-reload cronjob removed
cron:
user: root
cron_file: matrix-coturn-ssl-reload
state: absent
when: "not matrix_coturn_enabled or not matrix_coturn_tls_enabled"
- name: Check existence of matrix-coturn service
stat:
path: "/etc/systemd/system/matrix-coturn.service"

View File

@ -9,15 +9,19 @@ After={{ service }}
Type=simple
ExecStartPre=-/usr/bin/docker kill matrix-coturn
ExecStartPre=-/usr/bin/docker rm matrix-coturn
ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--entrypoint=turnserver \
--read-only \
--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
--network={{ matrix_coturn_docker_network }} \
-p 3478:3478 \
-p 3478:3478/udp \
-p 5349:5349 \
-p 5349:5349/udp \
-p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
-v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \
{% for volume in matrix_coturn_container_additional_volumes %}
@ -25,8 +29,14 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
{% endfor %}
{{ matrix_coturn_docker_image }} \
-c /turnserver.conf
ExecStop=-/usr/bin/docker kill matrix-coturn
ExecStop=-/usr/bin/docker rm matrix-coturn
# This only reloads certificates (not other configuration).
# See: https://github.com/coturn/coturn/pull/236
ExecReload=/usr/bin/docker exec matrix-coturn kill -USR2 1
Restart=always
RestartSec=30

View File

@ -1,23 +1,35 @@
use-auth-secret
static-auth-secret={{ matrix_coturn_turn_static_auth_secret }}
realm=turn.{{ matrix_server_fqn_matrix }}
min-port={{ matrix_coturn_turn_udp_min_port }}
max-port={{ matrix_coturn_turn_udp_max_port }}
external-ip={{ matrix_coturn_turn_external_ip_address }}
log-file=stdout
pidfile=/var/tmp/turnserver.pid
userdb=/var/tmp/turnserver.db
no-cli
{% if matrix_coturn_tls_enabled %}
cert={{ matrix_coturn_tls_cert_path }}
pkey={{ matrix_coturn_tls_key_path }}
{% else %}
no-tls
no-dtls
{% endif %}
prod
no-tcp-relay
{% if matrix_coturn_user_quota != None %}
user-quota={{ matrix_coturn_user_quota }}
{% endif %}
{% if matrix_coturn_total_quota != None %}
total-quota={{ matrix_coturn_total_quota }}
{% endif %}
{% for ip_range in matrix_coturn_denied_peer_ips %}
denied-peer-ip={{ ip_range }}
{% endfor %}

View File

@ -6,7 +6,6 @@
roles:
- matrix-base
- matrix-mailer
- matrix-coturn
- matrix-postgres
- matrix-corporal
- matrix-synapse
@ -14,4 +13,5 @@
- matrix-mxisd
- matrix-dimension
- matrix-nginx-proxy
- matrix-coturn
- matrix-common-after