mirror of https://github.com/OpenVidu/openvidu.git
openvidu-server, deployment: Generate Coturn shared key instead of using OpenVidu Secret for better security. Remove unused COTURN_REDIS properties
parent
80ab17ff92
commit
ad54a3005d
@ -27,6 +27,7 @@ services:
|
|||
network_mode: host
|
||||
entrypoint: ['/usr/local/bin/entrypoint.sh']
|
||||
volumes:
|
||||
- ./coturn:/run/secrets/coturn
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- ${OPENVIDU_RECORDING_PATH}:${OPENVIDU_RECORDING_PATH}
|
||||
- ${OPENVIDU_RECORDING_CUSTOM_LAYOUT}:${OPENVIDU_RECORDING_CUSTOM_LAYOUT}
|
||||
|
@ -37,8 +38,6 @@ services:
|
|||
- SERVER_SSL_ENABLED=false
|
||||
- SERVER_PORT=5443
|
||||
- KMS_URIS=["ws://localhost:8888/kurento"]
|
||||
- COTURN_REDIS_IP=127.0.0.1
|
||||
- COTURN_REDIS_PASSWORD=${OPENVIDU_SECRET}
|
||||
- COTURN_IP=${COTURN_IP:-auto-ipv4}
|
||||
- COTURN_PORT=${COTURN_PORT:-3478}
|
||||
logging:
|
||||
|
@ -69,17 +68,20 @@ services:
|
|||
image: openvidu/openvidu-coturn:7.0.0-dev1
|
||||
restart: on-failure
|
||||
network_mode: host
|
||||
env_file:
|
||||
- .env
|
||||
volumes:
|
||||
- ./coturn:/run/secrets/coturn
|
||||
command:
|
||||
- --log-file=stdout
|
||||
- --listening-port=${COTURN_PORT:-3478}
|
||||
- --fingerprint
|
||||
- --lt-cred-mech
|
||||
- --min-port=${COTURN_MIN_PORT:-57001}
|
||||
- --max-port=${COTURN_MAX_PORT:-65535}
|
||||
- --realm=openvidu
|
||||
- --verbose
|
||||
- --use-auth-secret
|
||||
- --static-auth-secret=${OPENVIDU_SECRET}
|
||||
- --static-auth-secret=$${COTURN_SHARED_SECRET_KEY}
|
||||
logging:
|
||||
options:
|
||||
max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}"
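Review bot: The coturn command line `--static-auth-secret=$${COTURN_SHARED_SECRET_KEY}` still hands the TURN secret to turnserver as an argv element, so it is readable through `docker inspect` and process listings by anyone with host access, exactly as `${OPENVIDU_SECRET}` was before; the same line appears in the two other compose sections further down (the `--static-auth-secret` lines just above their `logging:` keys). Since the key already sits in the mounted `./coturn` directory, the coturn entrypoint could render it into a turnserver config file (`static-auth-secret=...`) and start `turnserver -c <that file>`, keeping it off the command line. Note also that the coturn entrypoint in this commit exits with status 1 when `/run/secrets/coturn/shared-secret-key` does not exist yet, so on a first boot the coturn container depends on openvidu-server's entrypoint having written the file first and `restart: on-failure` appears to be what papers over that ordering; that deserves a comment next to the volume, e.g. `# shared-secret-key is generated by the openvidu-server entrypoint on first start`.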
|
||||
|
|
|
@ -27,6 +27,7 @@ services:
|
|||
network_mode: host
|
||||
entrypoint: ['/usr/local/bin/entrypoint.sh']
|
||||
volumes:
|
||||
- ./coturn:/run/secrets/coturn
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- ${OPENVIDU_RECORDING_PATH}:${OPENVIDU_RECORDING_PATH}
|
||||
- ${OPENVIDU_RECORDING_CUSTOM_LAYOUT}:${OPENVIDU_RECORDING_CUSTOM_LAYOUT}
|
||||
|
@ -42,8 +43,6 @@ services:
|
|||
- OPENVIDU_WEBHOOK=false
|
||||
- OPENVIDU_WEBHOOK_ENDPOINT=http://127.0.0.1:7777/webhook
|
||||
- MULTI_MASTER_REPLICATION_MANAGER_WEBHOOK=http://127.0.0.1:4443/openvidu/replication-manager-webhook?OPENVIDU_SECRET=${OPENVIDU_SECRET}
|
||||
- COTURN_REDIS_IP=127.0.0.1
|
||||
- COTURN_REDIS_PASSWORD=${OPENVIDU_SECRET}
|
||||
- COTURN_IP=${COTURN_IP:-auto-ipv4}
|
||||
- COTURN_PORT=${COTURN_PORT:-3478}
|
||||
- OPENVIDU_PRO_CLUSTER=true
|
||||
|
@ -89,18 +88,19 @@ services:
|
|||
network_mode: host
|
||||
env_file:
|
||||
- .env
|
||||
volumes:
|
||||
- ./coturn:/run/secrets/coturn
|
||||
command:
|
||||
- --log-file=stdout
|
||||
- --external-ip=$$(detect-external-ip)
|
||||
- --listening-port=${COTURN_PORT:-3478}
|
||||
- --fingerprint
|
||||
- --lt-cred-mech
|
||||
- --min-port=${COTURN_MIN_PORT:-40000}
|
||||
- --max-port=${COTURN_MAX_PORT:-65535}
|
||||
- --realm=openvidu
|
||||
- --verbose
|
||||
- --use-auth-secret
|
||||
- --static-auth-secret=${OPENVIDU_SECRET}
|
||||
- --static-auth-secret=$${COTURN_SHARED_SECRET_KEY}
|
||||
logging:
|
||||
options:
|
||||
max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}"
|
||||
|
|
|
@ -27,6 +27,7 @@ services:
|
|||
network_mode: host
|
||||
entrypoint: ['/usr/local/bin/entrypoint.sh']
|
||||
volumes:
|
||||
- ./coturn:/run/secrets/coturn
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- ${OPENVIDU_RECORDING_PATH}:${OPENVIDU_RECORDING_PATH}
|
||||
- ${OPENVIDU_RECORDING_CUSTOM_LAYOUT}:${OPENVIDU_RECORDING_CUSTOM_LAYOUT}
|
||||
|
@ -39,8 +40,6 @@ services:
|
|||
- SERVER_SSL_ENABLED=false
|
||||
- SERVER_PORT=5443
|
||||
- KMS_URIS=[]
|
||||
- COTURN_REDIS_IP=127.0.0.1
|
||||
- COTURN_REDIS_PASSWORD=${OPENVIDU_SECRET}
|
||||
- COTURN_IP=${COTURN_IP:-auto-ipv4}
|
||||
- COTURN_PORT=${COTURN_PORT:-3478}
|
||||
- OPENVIDU_PRO_CLUSTER=true
|
||||
|
@ -58,18 +57,19 @@ services:
|
|||
network_mode: host
|
||||
env_file:
|
||||
- .env
|
||||
volumes:
|
||||
- ./coturn:/run/secrets/coturn
|
||||
command:
|
||||
- --log-file=stdout
|
||||
- --external-ip=$$(detect-external-ip)
|
||||
- --listening-port=${COTURN_PORT:-3478}
|
||||
- --fingerprint
|
||||
- --lt-cred-mech
|
||||
- --min-port=${COTURN_MIN_PORT:-40000}
|
||||
- --max-port=${COTURN_MAX_PORT:-65535}
|
||||
- --realm=openvidu
|
||||
- --verbose
|
||||
- --use-auth-secret
|
||||
- --static-auth-secret=${OPENVIDU_SECRET}
|
||||
- --static-auth-secret=$${COTURN_SHARED_SECRET_KEY}
|
||||
logging:
|
||||
options:
|
||||
max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}"
|
||||
|
|
|
@ -1,5 +1,21 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Get automatically generated secret by OpenVidu Server if COTURN_SHARED_SECRET_KEY is not defined
|
||||
if [ -z "${COTURN_SHARED_SECRET_KEY}" ]; then
|
||||
# Check if random sahred key is generated and with value
|
||||
if [ ! -f /run/secrets/coturn/shared-secret-key ]; then
|
||||
echo "Error: shared-secret-key not found."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Read value
|
||||
export "$(grep -v '#' /run/secrets/coturn/shared-secret-key | grep COTURN_SHARED_SECRET_KEY |
|
||||
sed 's/\r$//' | awk '/=/ {print $1}')"
|
||||
|
||||
fi
|
||||
|
||||
echo "Defined COTURN_SHARED_SECRET_KEY: ${COTURN_SHARED_SECRET_KEY}"
|
||||
|
||||
# If command starts with an option, prepend with turnserver binary.
|
||||
if [ "${1:0:1}" == '-' ]; then
|
||||
set -- turnserver "$@"
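Review bot: `echo "Defined COTURN_SHARED_SECRET_KEY: ${COTURN_SHARED_SECRET_KEY}"` writes the TURN shared secret to the container's stdout, where it lands in `docker logs` and any log shipper; log only that it was set, e.g. `echo "COTURN_SHARED_SECRET_KEY is defined"`. The guard above it tests only `-f` although its comment promises a value: with an empty file the `export "$(...)"` expands to `export ""`, which fails with a bad-identifier error, and because nothing checks the status the script carries on and starts turnserver with an empty secret; use `[ ! -s /run/secrets/coturn/shared-secret-key ]` and add `[ -n "${COTURN_SHARED_SECRET_KEY}" ] || { echo "Error: shared-secret-key is empty." >&2; exit 1; }` after the export. `grep -v '#'` also drops the key line entirely if a user-supplied value contains `#`, so anchoring on `^COTURN_SHARED_SECRET_KEY=` would be safer, and the comment typo sahred should read shared. The trailing `if [ "${1:0:1}" == '-' ]` is pre-existing context, but `${1:0:1}` is not POSIX and will be rejected by some `/bin/sh` implementations (dash); the script continues past the hunk.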
|
||||
|
|
|
@ -17,6 +17,7 @@ RUN mkdir -p /opt/openvidu /usr/local/bin/
|
|||
COPY openvidu-server.jar /opt/openvidu/openvidu-server.jar
|
||||
COPY ./entrypoint.sh /usr/local/bin
|
||||
COPY ./discover_my_public_ip.sh /usr/local/bin
|
||||
COPY ./coturn-shared-key.template /usr/local
|
||||
|
||||
RUN mkdir -p /opt/openvidu/recordings && \
|
||||
chmod +x /usr/local/bin/entrypoint.sh && \
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
#!/bin/bash
|
||||
VERSION=$1
|
||||
if [[ ! -z $VERSION ]]; then
|
||||
cp ../utils/discover_my_public_ip.sh ./discover_my_public_ip.sh
|
||||
cp ../utils/coturn-shared-key.template ./coturn-shared-key.template
|
||||
docker build --pull --no-cache --rm=true -t openvidu/openvidu-server-pro:$VERSION .
|
||||
rm ./discover_my_public_ip.sh
|
||||
rm ./coturn-shared-key.template
|
||||
else
|
||||
echo "Error: You need to specify a version as first argument"
|
||||
fi
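Review bot: The new `cp`/`rm` pair for `coturn-shared-key.template` cleans up only when execution reaches the end of the branch: if `cp` or `docker build` fails, the copied template (and `discover_my_public_ip.sh`) is left in the build directory and is silently picked up by the next build, and a failed `cp` still lets `docker build` run with a stale or missing template. The same pattern is in the openvidu-server build script further down. Register the cleanup once instead, e.g. `trap 'rm -f ./discover_my_public_ip.sh ./coturn-shared-key.template' EXIT` before the copies, and add `set -e` (or `|| exit 1` on each `cp`) so a missing template aborts the build; quoting `"$VERSION"` in the image tag would also be in order.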
|
|
@ -1,5 +1,19 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Generate Coturn shared secret key, if COTURN_SHARED_SECRET_KEY is not defined
|
||||
if [[ -z "${COTURN_SHARED_SECRET_KEY}" ]]; then
|
||||
# Check if random sahred key is generated and with value
|
||||
if [[ ! -f /run/secrets/coturn/shared-secret-key ]]; then
|
||||
RANDOM_COTURN_SECRET="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 35 ; echo '')"
|
||||
sed "s|{{COTURN_SHARED_SECRET_KEY}}|${RANDOM_COTURN_SECRET}|g" \
|
||||
/usr/local/coturn-shared-key.template > /run/secrets/coturn/shared-secret-key
|
||||
fi
|
||||
|
||||
# Read value
|
||||
export "$(grep -v '#' /run/secrets/coturn/shared-secret-key | grep COTURN_SHARED_SECRET_KEY |
|
||||
sed 's/\r$//' | awk '/=/ {print $1}')"
|
||||
fi
|
||||
|
||||
# Wait for kibana
|
||||
if [ ! -z "${WAIT_KIBANA_URL}" ]; then
|
||||
printf "\n"
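Review bot: The generated secret is written with `sed ... > /run/secrets/coturn/shared-secret-key` under the process's default umask, so the file that ends up in the host-mounted `./coturn` directory is most likely world-readable, and because the redirection truncates the target before `sed` runs, a missing or unreadable template leaves an empty file that every later start treats as already generated (the guard is `-f`, not `-s`) and then exports nothing. The identical block is in the openvidu-server entrypoint further down. Generate under a restrictive umask, test for a non-empty file and fail loudly when the write fails; whether 0600 is acceptable depends on the coturn container running as the same uid as this one, which is not visible here and should be confirmed. The comment typo sahred should read shared, and the enclosing script continues outside the hunk.
```shell
# Generate Coturn shared secret key, if COTURN_SHARED_SECRET_KEY is not defined
if [[ -z "${COTURN_SHARED_SECRET_KEY}" ]]; then
  # Check if a random shared key has already been generated and has a value
  if [[ ! -s /run/secrets/coturn/shared-secret-key ]]; then
    RANDOM_COTURN_SECRET="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 35 ; echo '')"
    # The rendered file is bind-mounted from the host: create it 0600 and abort if it cannot be written
    ( umask 077 && sed "s|{{COTURN_SHARED_SECRET_KEY}}|${RANDOM_COTURN_SECRET}|g" \
        /usr/local/coturn-shared-key.template > /run/secrets/coturn/shared-secret-key ) \
      || { echo "Error: could not write /run/secrets/coturn/shared-secret-key" >&2; exit 1; }
  fi
  # … unchanged: read value / export …
fi
```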
|
||||
|
|
|
@ -13,6 +13,7 @@ RUN apt-get update && apt-get install -y \
|
|||
COPY openvidu-server.jar /
|
||||
COPY ./entrypoint.sh /usr/local/bin
|
||||
COPY ./discover_my_public_ip.sh /usr/local/bin
|
||||
COPY ./coturn-shared-key.template /usr/local
|
||||
RUN chmod +x /usr/local/bin/entrypoint.sh && \
|
||||
chmod +x /usr/local/bin/discover_my_public_ip.sh
|
||||
|
||||
|
|
|
@ -1,12 +1,15 @@
|
|||
#!/bin/bash
|
||||
VERSION=$1
|
||||
if [[ ! -z $VERSION ]]; then
|
||||
cp ../../target/openvidu-server-*.jar ./openvidu-server.jar
|
||||
cp ../utils/discover_my_public_ip.sh ./discover_my_public_ip.sh
|
||||
cp ../utils/coturn-shared-key.template ./coturn-shared-key.template
|
||||
|
||||
docker build --pull --no-cache --rm=true -t openvidu/openvidu-server:$VERSION .
|
||||
|
||||
rm ./openvidu-server.jar
|
||||
rm ./discover_my_public_ip.sh
|
||||
rm ./coturn-shared-key.template
|
||||
else
|
||||
echo "Error: You need to specify a version as first argument"
|
||||
fi
|
|
@ -6,6 +6,20 @@ printf "\n = LAUNCH OPENVIDU-SERVER ="
|
|||
printf "\n ======================================="
|
||||
printf "\n"
|
||||
|
||||
# Generate Coturn shared secret key, if COTURN_SHARED_SECRET_KEY is not defined
|
||||
if [[ -z "${COTURN_SHARED_SECRET_KEY}" ]]; then
|
||||
# Check if random sahred key is generated and with value
|
||||
if [[ ! -f /run/secrets/coturn/shared-secret-key ]]; then
|
||||
RANDOM_COTURN_SECRET="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 35 ; echo '')"
|
||||
sed "s|{{COTURN_SHARED_SECRET_KEY}}|${RANDOM_COTURN_SECRET}|g" \
|
||||
/usr/local/coturn-shared-key.template > /run/secrets/coturn/shared-secret-key
|
||||
fi
|
||||
|
||||
# Read value
|
||||
export "$(grep -v '#' /run/secrets/coturn/shared-secret-key | grep COTURN_SHARED_SECRET_KEY |
|
||||
sed 's/\r$//' | awk '/=/ {print $1}')"
|
||||
fi
|
||||
|
||||
# Get coturn public ip
|
||||
[[ -z "${COTURN_IP}" ]] && export COTURN_IP=auto-ipv4
|
||||
if [[ "${COTURN_IP}" == "auto-ipv4" ]]; then
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
# ------------------------------------------------------------------------------
|
||||
#
|
||||
# This file was genereated automatically
|
||||
#
|
||||
# The value of COTURN_SHARED_SECRET_KEY is generated randomly and represents shared key
|
||||
# by Coturn and OpenVidu Server to generate users for TURN server dinamically.
|
||||
#
|
||||
#
|
||||
# Read more about it:
|
||||
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
|
||||
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
|
||||
#
|
||||
# If you want to change this value, you can change the value in this file or define COTURN_SHARED_SECRET_KEY
|
||||
# at the .env file of OpenVidu Server deployment
|
||||
#
|
||||
# ------------------------------------------------------------------------------
|
||||
COTURN_SHARED_SECRET_KEY={{COTURN_SHARED_SECRET_KEY}}
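Review bot: The header comment has typos that will be copied verbatim into every generated file: genereated should read generated and dinamically should read dynamically, and "represents shared key by Coturn and OpenVidu Server" reads better as "is the key shared by Coturn and OpenVidu Server". Since the rendered file lives on the host in the ./coturn directory, the header should also say what it is, e.g. `# This file contains a secret. Keep it readable only by the user running the deployment.`. The trailing "at the .env file" is fine but "in the .env file" is the usual phrasing.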
|
|
@ -163,7 +163,7 @@ public class OpenviduConfig {
|
|||
|
||||
private int coturnPort;
|
||||
|
||||
private String coturnRedisIp;
|
||||
private String coturnSharedSecretKey;
|
||||
|
||||
// If true, coturn relay ips will come with the private IP of the machine
|
||||
private boolean coturnInternalRelay;
|
||||
|
@ -188,12 +188,6 @@ public class OpenviduConfig {
|
|||
|
||||
private String openviduRecordingComposedUrl;
|
||||
|
||||
private String coturnRedisDbname;
|
||||
|
||||
private String coturnRedisPassword;
|
||||
|
||||
private String coturnRedisConnectTimeout;
|
||||
|
||||
private String certificateType;
|
||||
|
||||
protected int openviduSessionsGarbageInterval;
|
||||
|
@ -228,14 +222,6 @@ public class OpenviduConfig {
|
|||
|
||||
// Plain config properties getters
|
||||
|
||||
public String getCoturnDatabaseDbname() {
|
||||
return this.coturnRedisDbname;
|
||||
}
|
||||
|
||||
public String getCoturnDatabasePassword() {
|
||||
return this.coturnRedisPassword;
|
||||
}
|
||||
|
||||
public boolean isCoturnUsingInternalRelay() {
|
||||
return this.coturnInternalRelay;
|
||||
}
|
||||
|
@ -356,6 +342,10 @@ public class OpenviduConfig {
|
|||
return this.coturnPort;
|
||||
}
|
||||
|
||||
public String getCoturnSharedSecretKey() {
|
||||
return this.coturnSharedSecretKey;
|
||||
}
|
||||
|
||||
public RecordingNotification getOpenViduRecordingNotification() {
|
||||
return this.openviduRecordingNotification;
|
||||
}
|
||||
|
@ -447,11 +437,6 @@ public class OpenviduConfig {
|
|||
return secret.equals(this.getOpenViduSecret());
|
||||
}
|
||||
|
||||
public String getCoturnDatabaseString() {
|
||||
return "\"ip=" + this.coturnRedisIp + " dbname=" + this.coturnRedisDbname + " password="
|
||||
+ this.coturnRedisPassword + " connect_timeout=" + this.coturnRedisConnectTimeout + "\"";
|
||||
}
|
||||
|
||||
public boolean openviduRecordingCustomLayoutChanged(String path) {
|
||||
return !"/opt/openvidu/custom-layout".equals(path);
|
||||
}
|
||||
|
@ -560,9 +545,8 @@ public class OpenviduConfig {
|
|||
}
|
||||
|
||||
protected List<String> getNonUserProperties() {
|
||||
return Arrays.asList("server.port", "SERVER_PORT", "DOTENV_PATH", "COTURN_IP", "COTURN_PORT", "COTURN_REDIS_IP",
|
||||
"COTURN_REDIS_DBNAME", "COTURN_REDIS_PASSWORD", "COTURN_REDIS_CONNECT_TIMEOUT", "COTURN_INTERNAL_RELAY",
|
||||
"OPENVIDU_RECORDING_IMAGE", "OPENVIDU_RECORDING_ENABLE_GPU");
|
||||
return Arrays.asList("server.port", "SERVER_PORT", "DOTENV_PATH", "COTURN_IP", "COTURN_PORT",
|
||||
"COTURN_INTERNAL_RELAY", "COTURN_SHARED_SECRET_KEY", "OPENVIDU_RECORDING_IMAGE", "OPENVIDU_RECORDING_ENABLE_GPU");
|
||||
}
|
||||
|
||||
protected List<String> getNonPrintablePropertiesIfEmpty() {
|
||||
|
@ -582,12 +566,6 @@ public class OpenviduConfig {
|
|||
checkDomainOrPublicIp();
|
||||
populateSpringServerPort();
|
||||
|
||||
coturnRedisDbname = getValue("COTURN_REDIS_DBNAME");
|
||||
|
||||
coturnRedisPassword = getValue("COTURN_REDIS_PASSWORD");
|
||||
|
||||
coturnRedisConnectTimeout = getValue("COTURN_REDIS_CONNECT_TIMEOUT");
|
||||
|
||||
// If true, coturn is using private IPs as relay IPs to enable relay connections
|
||||
// pass through internal network
|
||||
coturnInternalRelay = asBoolean("COTURN_INTERNAL_RELAY");
|
||||
|
@ -595,6 +573,15 @@ public class OpenviduConfig {
|
|||
openviduSecret = asNonEmptyAlphanumericString("OPENVIDU_SECRET",
|
||||
"Cannot be empty and must contain only alphanumeric characters [a-zA-Z0-9], hypens (\"-\") and underscores (\"_\")");
|
||||
|
||||
// Read coturn shared key
|
||||
coturnSharedSecretKey = asOptionalString("COTURN_SHARED_SECRET_KEY");
|
||||
if (coturnSharedSecretKey == null || coturnSharedSecretKey.isEmpty()) {
|
||||
log.warn("COTURN_SHARED_SECRET_KEY is not defined. Using OPENVIDU_SECRET");
|
||||
this.coturnSharedSecretKey = this.openviduSecret;
|
||||
} else {
|
||||
log.info("COTURN_SHARED_SECRET_KEY used to generate TURN users: {}", this.coturnSharedSecretKey);
|
||||
}
|
||||
|
||||
openviduCdr = asBoolean("OPENVIDU_CDR");
|
||||
openviduCdrPath = openviduCdr ? asWritableFileSystemPath("OPENVIDU_CDR_PATH")
|
||||
: asFileSystemPath("OPENVIDU_CDR_PATH");
|
||||
|
@ -633,8 +620,6 @@ public class OpenviduConfig {
|
|||
|
||||
checkCoturnPort();
|
||||
|
||||
coturnRedisIp = asOptionalInetAddress("COTURN_REDIS_IP");
|
||||
|
||||
checkWebhook();
|
||||
|
||||
checkCertificateType();
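Review bot: `log.info("COTURN_SHARED_SECRET_KEY used to generate TURN users: {}", this.coturnSharedSecretKey)` in the `@ -595,6 +573,15 @@` hunk writes the TURN shared secret to the application log at INFO, which undoes the point of generating it separately from OPENVIDU_SECRET; log only that a dedicated key is in use, `log.info("COTURN_SHARED_SECRET_KEY is defined and will be used to generate TURN users");`. The fallback to `openviduSecret` when the property is empty is silent with respect to coturn: in this commit's compose files coturn always reads its key from `/run/secrets/coturn/shared-secret-key`, so if the exported variable does not reach this lookup (how `asOptionalString` resolves the environment against the dotenv file is not visible here) the two sides use different secrets and every TURN allocation fails authentication — the WARN should spell out that consequence. The new field deserves a comment, e.g. `// Secret shared with coturn (--static-auth-secret) to derive TURN REST credentials; falls back to OPENVIDU_SECRET when unset`. If `getNonPrintablePropertiesIfEmpty` or a sibling list governs what the configuration dump prints, the key belongs in it as well.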
|
||||
|
|
|
@ -37,7 +37,7 @@ public class CoturnCredentialsService {
|
|||
public TurnCredentials createUser() {
|
||||
IceServerProperties iceServerProperties = new IceServerProperties.Builder()
|
||||
.ignoreEmptyUrl(true)
|
||||
.staticAuthSecret(openviduConfig.getOpenViduSecret())
|
||||
.staticAuthSecret(openviduConfig.getCoturnSharedSecretKey())
|
||||
.build();
|
||||
return new TurnCredentials(iceServerProperties.getUsername(), iceServerProperties.getCredential());
|
||||
}
|
||||
|
|
|
@ -182,30 +182,6 @@
|
|||
"type": "java.lang.String",
|
||||
"description": "Coturn IP of a deployed coturn server"
|
||||
},
|
||||
{
|
||||
"name": "COTURN_REDIS_IP",
|
||||
"type": "java.lang.String",
|
||||
"description": "Redis IP where OpenVidu Server should connect to store TURN credentials",
|
||||
"defaultValue": "127.0.0.1"
|
||||
},
|
||||
{
|
||||
"name": "COTURN_REDIS_DBNAME",
|
||||
"type": "java.lang.String",
|
||||
"description": "Redis database where to store TURN credentials",
|
||||
"defaultValue": "0"
|
||||
},
|
||||
{
|
||||
"name": "COTURN_REDIS_PASSWORD",
|
||||
"type": "java.lang.String",
|
||||
"description": "Password to connect OpenVidu Server to Redis database to store TURN credentials",
|
||||
"defaultValue": "turn"
|
||||
},
|
||||
{
|
||||
"name": "COTURN_REDIS_CONNECT_TIMEOUT",
|
||||
"type": "java.lang.Integer",
|
||||
"description": "Timeout in seconds when OpenVidu Server is connecting to Redis database to store TURN credentials",
|
||||
"defaultValue": 30
|
||||
},
|
||||
{
|
||||
"name": "CERTIFICATE_TYPE",
|
||||
"type": "java.lang.String",
|
||||
|
@ -221,6 +197,11 @@
|
|||
"type": "java.lang.String",
|
||||
"description": "If true, coturn is returning the private IP on relayed candidates. This can be useful to know which candidates must be sent when MEDIA_NODES_PUBLIC_IPS is defined"
|
||||
},
|
||||
{
|
||||
"name": "COTURN_SHARED_SECRET_KEY",
|
||||
"type": "java.lang.String",
|
||||
"description": "If defined, COTURN_SHARED_SECRET_KEY will be used to generate TURN valid users. The same secret should be configured at 'static-auth-secret' to be valid. If empty, OpenVidu Secret is used. (For security, in official deployments for CE/PRO/ENTERPRISE a random string is generated)"
|
||||
},
|
||||
{
|
||||
"name": "jsonRpcClientWebSocket.reconnectionDelay",
|
||||
"type": "java.lang.Integer",
|
||||
|
|
|
@ -48,10 +48,6 @@ OPENVIDU_STREAMS_ALLOW_TRANSCODING=false
|
|||
OPENVIDU_SESSIONS_GARBAGE_INTERVAL=900
|
||||
OPENVIDU_SESSIONS_GARBAGE_THRESHOLD=3600
|
||||
|
||||
COTURN_REDIS_IP=127.0.0.1
|
||||
COTURN_REDIS_DBNAME=0
|
||||
COTURN_REDIS_PASSWORD=turn
|
||||
COTURN_REDIS_CONNECT_TIMEOUT=30
|
||||
COTURN_INTERNAL_RELAY=false
|
||||
COTURN_PORT=3478
|
||||
MEDIA_NODES_PUBLIC_IPS=[]
|
||||
|
|
|
@ -41,8 +41,3 @@ OPENVIDU_STREAMS_ALLOW_TRANSCODING=false
|
|||
|
||||
OPENVIDU_SESSIONS_GARBAGE_INTERVAL=900
|
||||
OPENVIDU_SESSIONS_GARBAGE_THRESHOLD=3600
|
||||
|
||||
COTURN_REDIS_IP=127.0.0.1
|
||||
COTURN_REDIS_DBNAME=0
|
||||
COTURN_REDIS_PASSWORD=turn
|
||||
COTURN_REDIS_CONNECT_TIMEOUT=30
|
||||
|