openvidu-deployment: ce - improve turn security

2026-03-24 14:18:36 +01:00 · 2026-03-24 14:18:36 +01:00 · 1f7f2ad113
parent 96dd891512
commit 1f7f2ad113
3 changed files with 43 additions and 1 deletions
--- a/openvidu-server/deployments/ce/docker-compose/docker-compose.yml
+++ b/openvidu-server/deployments/ce/docker-compose/docker-compose.yml
@ -70,6 +70,8 @@ services:
    coturn:
        image: openvidu/openvidu-coturn:2.32.1
        restart: on-failure
+        extra_hosts:
+            - "host.docker.internal:host-gateway"
        ports:
            - "${COTURN_PORT:-3478}:${COTURN_PORT:-3478}/tcp"
            - "${COTURN_PORT:-3478}:${COTURN_PORT:-3478}/udp"
@ -87,6 +89,8 @@ services:
            - --verbose
            - --use-auth-secret
            - --static-auth-secret=$${COTURN_SHARED_SECRET_KEY}
+            - --no-tcp-relay
+            - --allowed-peer-ip=$$(discover-host-internal-ip.sh)
        logging:
            options:
                max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}"
--- a/openvidu-server/docker/openvidu-coturn/Dockerfile
+++ b/openvidu-server/docker/openvidu-coturn/Dockerfile
@ -8,10 +8,12 @@ RUN apk add --no-cache bind-tools grep curl
 COPY ./detect-external-ip.sh /usr/local/bin/detect-external-ip.sh
 COPY ./docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 COPY ./discover-internal-ip.sh /usr/local/bin/discover-internal-ip.sh
+COPY ./discover-host-internal-ip.sh /usr/local/bin/discover-host-internal-ip.sh

 RUN chmod +x /usr/local/bin/detect-external-ip.sh \
        /usr/local/bin/docker-entrypoint.sh \
-        /usr/local/bin/discover-internal-ip.sh && \
+        /usr/local/bin/discover-internal-ip.sh \
+        /usr/local/bin/discover-host-internal-ip.sh && \
    chown -R nobody:nogroup /var/lib/coturn/ && \
    touch /turnserver.conf && chown nobody:nogroup /turnserver.conf

--- a/openvidu-server/docker/openvidu-coturn/discover-host-internal-ip.sh
+++ b/openvidu-server/docker/openvidu-coturn/discover-host-internal-ip.sh
@ -0,0 +1,36 @@
+#!/usr/bin/env sh
+# shellcheck shell=dash
+
+#/ Return the IP address of 'host.docker.internal'.
+#/
+#/ Docker injects 'host.docker.internal' into /etc/hosts when the container
+#/ is started with --add-host=host.docker.internal:host-gateway, which maps
+#/ it to the host machine's gateway IP as seen from inside the container.
+
+
+
+# Shell setup
+# ===========
+
+# Shell options for strict error checking.
+for OPTION in errexit errtrace pipefail nounset; do
+    set -o | grep -wq "$OPTION" && set -o "$OPTION"
+done
+
+# Trace all commands (to stderr).
+#set -o xtrace
+
+
+
+# Discover host.docker.internal IP
+# =================================
+
+IP="$(grep -m1 -E '^[0-9][^#]*[[:space:]]host\.docker\.internal([[:space:]]|$)' /etc/hosts | awk '{print $1}')"
+
+if [ -z "$IP" ]; then
+    echo "[$0] 'host.docker.internal' not found in /etc/hosts" >&2
+    echo "[$0] Make sure the container is started with --add-host=host.docker.internal:host-gateway" >&2
+    exit 1
+fi
+
+echo "$IP"