openvidu-deployment: ce - improve turn security

2026-03-24 14:18:36 +01:00 · 2026-03-24 14:18:36 +01:00 · 1f7f2ad113
parent 96dd891512
commit 1f7f2ad113
3 changed files with 43 additions and 1 deletions
--- a/openvidu-server/deployments/ce/docker-compose/docker-compose.yml
+++ b/openvidu-server/deployments/ce/docker-compose/docker-compose.yml
@ -70,6 +70,8 @@ services:
    coturn:
        image: openvidu/openvidu-coturn:2.32.1
        restart: on-failure
        extra_hosts:
            - "host.docker.internal:host-gateway"
        ports:
            - "${COTURN_PORT:-3478}:${COTURN_PORT:-3478}/tcp"
            - "${COTURN_PORT:-3478}:${COTURN_PORT:-3478}/udp"
@ -87,6 +89,8 @@ services:
            - --verbose
            - --use-auth-secret
            - --static-auth-secret=$${COTURN_SHARED_SECRET_KEY}
            - --no-tcp-relay
            - --allowed-peer-ip=$$(discover-host-internal-ip.sh)
        logging:
            options:
                max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}"
--- a/openvidu-server/docker/openvidu-coturn/Dockerfile
+++ b/openvidu-server/docker/openvidu-coturn/Dockerfile
@ -8,10 +8,12 @@ RUN apk add --no-cache bind-tools grep curl
 COPY ./detect-external-ip.sh /usr/local/bin/detect-external-ip.sh
 COPY ./docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 COPY ./discover-internal-ip.sh /usr/local/bin/discover-internal-ip.sh
 COPY ./discover-host-internal-ip.sh /usr/local/bin/discover-host-internal-ip.sh
 RUN chmod +x /usr/local/bin/detect-external-ip.sh \
        /usr/local/bin/docker-entrypoint.sh \
-        /usr/local/bin/discover-internal-ip.sh && \
+        /usr/local/bin/discover-internal-ip.sh \
        /usr/local/bin/discover-host-internal-ip.sh && \
    chown -R nobody:nogroup /var/lib/coturn/ && \
    touch /turnserver.conf && chown nobody:nogroup /turnserver.conf
--- a/openvidu-server/docker/openvidu-coturn/discover-host-internal-ip.sh
+++ b/openvidu-server/docker/openvidu-coturn/discover-host-internal-ip.sh
@ -0,0 +1,36 @@
 #!/usr/bin/env sh
 # shellcheck shell=dash
 #/ Return the IP address of 'host.docker.internal'.
 #/
 #/ Docker injects 'host.docker.internal' into /etc/hosts when the container
 #/ is started with --add-host=host.docker.internal:host-gateway, which maps
 #/ it to the host machine's gateway IP as seen from inside the container.
 # Shell setup
 # ===========
 # Shell options for strict error checking.
 for OPTION in errexit errtrace pipefail nounset; do
    set -o | grep -wq "$OPTION" && set -o "$OPTION"
 done
 # Trace all commands (to stderr).
 #set -o xtrace
 # Discover host.docker.internal IP
 # =================================
 IP="$(grep -m1 -E '^[0-9][^#]*[[:space:]]host\.docker\.internal([[:space:]]|$)' /etc/hosts | awk '{print $1}')"
 if [ -z "$IP" ]; then
    echo "[$0] 'host.docker.internal' not found in /etc/hosts" >&2
    echo "[$0] Make sure the container is started with --add-host=host.docker.internal:host-gateway" >&2
    exit 1
 fi
 echo "$IP"