ambiser
/
openvidu
mirror of https://github.com/OpenVidu/openvidu.git
8
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

openvidu-server, deployment: Generate Coturn shared key instead of using OpenVidu Secret for better security. Remove unused COTURN_REDIS properties

pull/715/head
cruizba 2022-04-12 14:41:20 +02:00
parent 80ab17ff92
commit ad54a3005d
16 changed files with 109 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
openvidu-server/deployments/ce/docker-compose/docker-compose.yml
View File

@ -27,6 +27,7 @@ services:
network_mode: host
entrypoint: ['/usr/local/bin/entrypoint.sh']
volumes:
- ./coturn:/run/secrets/coturn
- /var/run/docker.sock:/var/run/docker.sock
- ${OPENVIDU_RECORDING_PATH}:${OPENVIDU_RECORDING_PATH}
- ${OPENVIDU_RECORDING_CUSTOM_LAYOUT}:${OPENVIDU_RECORDING_CUSTOM_LAYOUT}
@ -37,8 +38,6 @@ services:
- SERVER_SSL_ENABLED=false
- SERVER_PORT=5443
- KMS_URIS=["ws://localhost:8888/kurento"]
- COTURN_REDIS_IP=127.0.0.1
- COTURN_REDIS_PASSWORD=${OPENVIDU_SECRET}
- COTURN_IP=${COTURN_IP:-auto-ipv4}
- COTURN_PORT=${COTURN_PORT:-3478}
logging:
@ -69,17 +68,20 @@ services:
image: openvidu/openvidu-coturn:7.0.0-dev1
restart: on-failure
network_mode: host
env_file:
- .env
volumes:
- ./coturn:/run/secrets/coturn
command:
- --log-file=stdout
- --listening-port=${COTURN_PORT:-3478}
- --fingerprint
- --lt-cred-mech
- --min-port=${COTURN_MIN_PORT:-57001}
- --max-port=${COTURN_MAX_PORT:-65535}
- --realm=openvidu
- --verbose
- --use-auth-secret
- --static-auth-secret=${OPENVIDU_SECRET}
- --static-auth-secret=$${COTURN_SHARED_SECRET_KEY}
logging:
options:
max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}"

8
openvidu-server/deployments/enterprise/master-node/docker-compose.yml
View File

@ -27,6 +27,7 @@ services:
network_mode: host
entrypoint: ['/usr/local/bin/entrypoint.sh']
volumes:
- ./coturn:/run/secrets/coturn
- /var/run/docker.sock:/var/run/docker.sock
- ${OPENVIDU_RECORDING_PATH}:${OPENVIDU_RECORDING_PATH}
- ${OPENVIDU_RECORDING_CUSTOM_LAYOUT}:${OPENVIDU_RECORDING_CUSTOM_LAYOUT}
@ -42,8 +43,6 @@ services:
- OPENVIDU_WEBHOOK=false
- OPENVIDU_WEBHOOK_ENDPOINT=http://127.0.0.1:7777/webhook
- MULTI_MASTER_REPLICATION_MANAGER_WEBHOOK=http://127.0.0.1:4443/openvidu/replication-manager-webhook?OPENVIDU_SECRET=${OPENVIDU_SECRET}
- COTURN_REDIS_IP=127.0.0.1
- COTURN_REDIS_PASSWORD=${OPENVIDU_SECRET}
- COTURN_IP=${COTURN_IP:-auto-ipv4}
- COTURN_PORT=${COTURN_PORT:-3478}
- OPENVIDU_PRO_CLUSTER=true
@ -89,18 +88,19 @@ services:
network_mode: host
env_file:
- .env
volumes:
- ./coturn:/run/secrets/coturn
command:
- --log-file=stdout
- --external-ip=$$(detect-external-ip)
- --listening-port=${COTURN_PORT:-3478}
- --fingerprint
- --lt-cred-mech
- --min-port=${COTURN_MIN_PORT:-40000}
- --max-port=${COTURN_MAX_PORT:-65535}
- --realm=openvidu
- --verbose
- --use-auth-secret
- --static-auth-secret=${OPENVIDU_SECRET}
- --static-auth-secret=$${COTURN_SHARED_SECRET_KEY}
logging:
options:
max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}"

8
openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/docker-compose.yml
View File

@ -27,6 +27,7 @@ services:
network_mode: host
entrypoint: ['/usr/local/bin/entrypoint.sh']
volumes:
- ./coturn:/run/secrets/coturn
- /var/run/docker.sock:/var/run/docker.sock
- ${OPENVIDU_RECORDING_PATH}:${OPENVIDU_RECORDING_PATH}
- ${OPENVIDU_RECORDING_CUSTOM_LAYOUT}:${OPENVIDU_RECORDING_CUSTOM_LAYOUT}
@ -39,8 +40,6 @@ services:
- SERVER_SSL_ENABLED=false
- SERVER_PORT=5443
- KMS_URIS=[]
- COTURN_REDIS_IP=127.0.0.1
- COTURN_REDIS_PASSWORD=${OPENVIDU_SECRET}
- COTURN_IP=${COTURN_IP:-auto-ipv4}
- COTURN_PORT=${COTURN_PORT:-3478}
- OPENVIDU_PRO_CLUSTER=true
@ -58,18 +57,19 @@ services:
network_mode: host
env_file:
- .env
volumes:
- ./coturn:/run/secrets/coturn
command:
- --log-file=stdout
- --external-ip=$$(detect-external-ip)
- --listening-port=${COTURN_PORT:-3478}
- --fingerprint
- --lt-cred-mech
- --min-port=${COTURN_MIN_PORT:-40000}
- --max-port=${COTURN_MAX_PORT:-65535}
- --realm=openvidu
- --verbose
- --use-auth-secret
- --static-auth-secret=${OPENVIDU_SECRET}
- --static-auth-secret=$${COTURN_SHARED_SECRET_KEY}
logging:
options:
max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}"

16
openvidu-server/docker/openvidu-coturn/docker-entrypoint.sh
View File

@ -1,5 +1,21 @@
#!/bin/sh
# Get automatically generated secret by OpenVidu Server if COTURN_SHARED_SECRET_KEY is not defined
if [ -z "${COTURN_SHARED_SECRET_KEY}" ]; then
# Check if random sahred key is generated and with value
if [ ! -f /run/secrets/coturn/shared-secret-key ]; then
echo "Error: shared-secret-key not found."
exit 1
fi
# Read value
export "$(grep -v '#' /run/secrets/coturn/shared-secret-key | grep COTURN_SHARED_SECRET_KEY |
sed 's/\r$//' | awk '/=/ {print $1}')"
fi
echo "Defined COTURN_SHARED_SECRET_KEY: ${COTURN_SHARED_SECRET_KEY}"
# If command starts with an option, prepend with turnserver binary.
if [ "${1:0:1}" == '-' ]; then
set -- turnserver "$@"

1
openvidu-server/docker/openvidu-server-pro/Dockerfile
View File

@ -17,6 +17,7 @@ RUN mkdir -p /opt/openvidu /usr/local/bin/
COPY openvidu-server.jar /opt/openvidu/openvidu-server.jar
COPY ./entrypoint.sh /usr/local/bin
COPY ./discover_my_public_ip.sh /usr/local/bin
COPY ./coturn-shared-key.template /usr/local
RUN mkdir -p /opt/openvidu/recordings && \
chmod +x /usr/local/bin/entrypoint.sh && \

3
openvidu-server/docker/openvidu-server-pro/create_image.sh
View File

@ -1,8 +1,11 @@
#!/bin/bash
VERSION=$1
if [[ ! -z $VERSION ]]; then
cp ../utils/discover_my_public_ip.sh ./discover_my_public_ip.sh
cp ../utils/coturn-shared-key.template ./coturn-shared-key.template
docker build --pull --no-cache --rm=true -t openvidu/openvidu-server-pro:$VERSION .
rm ./discover_my_public_ip.sh
rm ./coturn-shared-key.template
else
echo "Error: You need to specify a version as first argument"
fi

14
openvidu-server/docker/openvidu-server-pro/entrypoint.sh
View File

@ -1,5 +1,19 @@
#!/bin/bash
# Generate Coturn shared secret key, if COTURN_SHARED_SECRET_KEY is not defined
if [[ -z "${COTURN_SHARED_SECRET_KEY}" ]]; then
# Check if random sahred key is generated and with value
if [[ ! -f /run/secrets/coturn/shared-secret-key ]]; then
RANDOM_COTURN_SECRET="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 35 ; echo '')"
sed "s|{{COTURN_SHARED_SECRET_KEY}}|${RANDOM_COTURN_SECRET}|g" \
/usr/local/coturn-shared-key.template > /run/secrets/coturn/shared-secret-key
fi
# Read value
export "$(grep -v '#' /run/secrets/coturn/shared-secret-key | grep COTURN_SHARED_SECRET_KEY |
sed 's/\r$//' | awk '/=/ {print $1}')"
fi
# Wait for kibana
if [ ! -z "${WAIT_KIBANA_URL}" ]; then
printf "\n"

1
openvidu-server/docker/openvidu-server/Dockerfile
View File

@ -13,6 +13,7 @@ RUN apt-get update && apt-get install -y \
COPY openvidu-server.jar /
COPY ./entrypoint.sh /usr/local/bin
COPY ./discover_my_public_ip.sh /usr/local/bin
COPY ./coturn-shared-key.template /usr/local
RUN chmod +x /usr/local/bin/entrypoint.sh && \
chmod +x /usr/local/bin/discover_my_public_ip.sh

3
openvidu-server/docker/openvidu-server/create_image.sh
View File

@ -1,12 +1,15 @@
#!/bin/bash
VERSION=$1
if [[ ! -z $VERSION ]]; then
cp ../../target/openvidu-server-*.jar ./openvidu-server.jar
cp ../utils/discover_my_public_ip.sh ./discover_my_public_ip.sh
cp ../utils/coturn-shared-key.template ./coturn-shared-key.template
docker build --pull --no-cache --rm=true -t openvidu/openvidu-server:$VERSION .
rm ./openvidu-server.jar
rm ./discover_my_public_ip.sh
rm ./coturn-shared-key.template
else
echo "Error: You need to specify a version as first argument"
fi

14
openvidu-server/docker/openvidu-server/entrypoint.sh
View File

@ -6,6 +6,20 @@ printf "\n = LAUNCH OPENVIDU-SERVER ="
printf "\n ======================================="
printf "\n"
# Generate Coturn shared secret key, if COTURN_SHARED_SECRET_KEY is not defined
if [[ -z "${COTURN_SHARED_SECRET_KEY}" ]]; then
# Check if random sahred key is generated and with value
if [[ ! -f /run/secrets/coturn/shared-secret-key ]]; then
RANDOM_COTURN_SECRET="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 35 ; echo '')"
sed "s|{{COTURN_SHARED_SECRET_KEY}}|${RANDOM_COTURN_SECRET}|g" \
/usr/local/coturn-shared-key.template > /run/secrets/coturn/shared-secret-key
fi
# Read value
export "$(grep -v '#' /run/secrets/coturn/shared-secret-key | grep COTURN_SHARED_SECRET_KEY |
sed 's/\r$//' | awk '/=/ {print $1}')"
fi
# Get coturn public ip
[[ -z "${COTURN_IP}" ]] && export COTURN_IP=auto-ipv4
if [[ "${COTURN_IP}" == "auto-ipv4" ]]; then

17
openvidu-server/docker/utils/coturn-shared-key.template Normal file
View File

@ -0,0 +1,17 @@
# ------------------------------------------------------------------------------
#
# This file was genereated automatically
#
# The value of COTURN_SHARED_SECRET_KEY is generated randomly and represents shared key
# by Coturn and OpenVidu Server to generate users for TURN server dinamically.
#
#
# Read more about it:
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
#
# If you want to change this value, you can change the value in this file or define COTURN_SHARED_SECRET_KEY
# at the .env file of OpenVidu Server deployment
#
# ------------------------------------------------------------------------------
COTURN_SHARED_SECRET_KEY={{COTURN_SHARED_SECRET_KEY}}

47
openvidu-server/src/main/java/io/openvidu/server/config/OpenviduConfig.java
View File

@ -163,7 +163,7 @@ public class OpenviduConfig {
private int coturnPort;
private String coturnRedisIp;
private String coturnSharedSecretKey;
// If true, coturn relay ips will come with the private IP of the machine
private boolean coturnInternalRelay;
@ -188,12 +188,6 @@ public class OpenviduConfig {
private String openviduRecordingComposedUrl;
private String coturnRedisDbname;
private String coturnRedisPassword;
private String coturnRedisConnectTimeout;
private String certificateType;
protected int openviduSessionsGarbageInterval;
@ -228,14 +222,6 @@ public class OpenviduConfig {
// Plain config properties getters
public String getCoturnDatabaseDbname() {
return this.coturnRedisDbname;
}
public String getCoturnDatabasePassword() {
return this.coturnRedisPassword;
}
public boolean isCoturnUsingInternalRelay() {
return this.coturnInternalRelay;
}
@ -356,6 +342,10 @@ public class OpenviduConfig {
return this.coturnPort;
}
public String getCoturnSharedSecretKey() {
return this.coturnSharedSecretKey;
}
public RecordingNotification getOpenViduRecordingNotification() {
return this.openviduRecordingNotification;
}
@ -447,11 +437,6 @@ public class OpenviduConfig {
return secret.equals(this.getOpenViduSecret());
}
public String getCoturnDatabaseString() {
return "\"ip=" + this.coturnRedisIp + " dbname=" + this.coturnRedisDbname + " password="
+ this.coturnRedisPassword + " connect_timeout=" + this.coturnRedisConnectTimeout + "\"";
}
public boolean openviduRecordingCustomLayoutChanged(String path) {
return !"/opt/openvidu/custom-layout".equals(path);
}
@ -560,9 +545,8 @@ public class OpenviduConfig {
}
protected List<String> getNonUserProperties() {
return Arrays.asList("server.port", "SERVER_PORT", "DOTENV_PATH", "COTURN_IP", "COTURN_PORT", "COTURN_REDIS_IP",
"COTURN_REDIS_DBNAME", "COTURN_REDIS_PASSWORD", "COTURN_REDIS_CONNECT_TIMEOUT", "COTURN_INTERNAL_RELAY",
"OPENVIDU_RECORDING_IMAGE", "OPENVIDU_RECORDING_ENABLE_GPU");
return Arrays.asList("server.port", "SERVER_PORT", "DOTENV_PATH", "COTURN_IP", "COTURN_PORT",
"COTURN_INTERNAL_RELAY", "COTURN_SHARED_SECRET_KEY", "OPENVIDU_RECORDING_IMAGE", "OPENVIDU_RECORDING_ENABLE_GPU");
}
protected List<String> getNonPrintablePropertiesIfEmpty() {
@ -582,12 +566,6 @@ public class OpenviduConfig {
checkDomainOrPublicIp();
populateSpringServerPort();
coturnRedisDbname = getValue("COTURN_REDIS_DBNAME");
coturnRedisPassword = getValue("COTURN_REDIS_PASSWORD");
coturnRedisConnectTimeout = getValue("COTURN_REDIS_CONNECT_TIMEOUT");
// If true, coturn is using private IPs as relay IPs to enable relay connections
// pass through internal network
coturnInternalRelay = asBoolean("COTURN_INTERNAL_RELAY");
@ -595,6 +573,15 @@ public class OpenviduConfig {
openviduSecret = asNonEmptyAlphanumericString("OPENVIDU_SECRET",
"Cannot be empty and must contain only alphanumeric characters [a-zA-Z0-9], hypens (\"-\") and underscores (\"_\")");
// Read coturn shared key
coturnSharedSecretKey = asOptionalString("COTURN_SHARED_SECRET_KEY");
if (coturnSharedSecretKey == null || coturnSharedSecretKey.isEmpty()) {
log.warn("COTURN_SHARED_SECRET_KEY is not defined. Using OPENVIDU_SECRET");
this.coturnSharedSecretKey = this.openviduSecret;
} else {
log.info("COTURN_SHARED_SECRET_KEY used to generate TURN users: {}", this.coturnSharedSecretKey);
}
openviduCdr = asBoolean("OPENVIDU_CDR");
openviduCdrPath = openviduCdr ? asWritableFileSystemPath("OPENVIDU_CDR_PATH")
: asFileSystemPath("OPENVIDU_CDR_PATH");
@ -633,8 +620,6 @@ public class OpenviduConfig {
checkCoturnPort();
coturnRedisIp = asOptionalInetAddress("COTURN_REDIS_IP");
checkWebhook();
checkCertificateType();

2
openvidu-server/src/main/java/io/openvidu/server/coturn/CoturnCredentialsService.java
View File

@ -37,7 +37,7 @@ public class CoturnCredentialsService {
public TurnCredentials createUser() {
IceServerProperties iceServerProperties = new IceServerProperties.Builder()
.ignoreEmptyUrl(true)
.staticAuthSecret(openviduConfig.getOpenViduSecret())
.staticAuthSecret(openviduConfig.getCoturnSharedSecretKey())
.build();
return new TurnCredentials(iceServerProperties.getUsername(), iceServerProperties.getCredential());
}

29
openvidu-server/src/main/resources/META-INF/additional-spring-configuration-metadata.json
View File

@ -182,30 +182,6 @@
"type": "java.lang.String",
"description": "Coturn IP of a deployed coturn server"
},
{
"name": "COTURN_REDIS_IP",
"type": "java.lang.String",
"description": "Redis IP where OpenVidu Server should connect to store TURN credentials",
"defaultValue": "127.0.0.1"
},
{
"name": "COTURN_REDIS_DBNAME",
"type": "java.lang.String",
"description": "Redis database where to store TURN credentials",
"defaultValue": "0"
},
{
"name": "COTURN_REDIS_PASSWORD",
"type": "java.lang.String",
"description": "Password to connect OpenVidu Server to Redis database to store TURN credentials",
"defaultValue": "turn"
},
{
"name": "COTURN_REDIS_CONNECT_TIMEOUT",
"type": "java.lang.Integer",
"description": "Timeout in seconds when OpenVidu Server is connecting to Redis database to store TURN credentials",
"defaultValue": 30
},
{
"name": "CERTIFICATE_TYPE",
"type": "java.lang.String",
@ -221,6 +197,11 @@
"type": "java.lang.String",
"description": "If true, coturn is returning the private IP on relayed candidates. This can be useful to know which candidates must be sent when MEDIA_NODES_PUBLIC_IPS is defined"
},
{
"name": "COTURN_SHARED_SECRET_KEY",
"type": "java.lang.String",
"description": "If defined, COTURN_SHARED_SECRET_KEY will be used to generate TURN valid users. The same secret should be configured at 'static-auth-secret' to be valid. If empty, OpenVidu Secret is used. (For security, in official deployments for CE/PRO/ENTERPRISE a random string is generated)"
},
{
"name": "jsonRpcClientWebSocket.reconnectionDelay",
"type": "java.lang.Integer",

4
openvidu-server/src/main/resources/application.properties
View File

@ -48,10 +48,6 @@ OPENVIDU_STREAMS_ALLOW_TRANSCODING=false
OPENVIDU_SESSIONS_GARBAGE_INTERVAL=900
OPENVIDU_SESSIONS_GARBAGE_THRESHOLD=3600
COTURN_REDIS_IP=127.0.0.1
COTURN_REDIS_DBNAME=0
COTURN_REDIS_PASSWORD=turn
COTURN_REDIS_CONNECT_TIMEOUT=30
COTURN_INTERNAL_RELAY=false
COTURN_PORT=3478
MEDIA_NODES_PUBLIC_IPS=[]

5
openvidu-server/src/test/resources/integration-test.properties
View File

@ -41,8 +41,3 @@ OPENVIDU_STREAMS_ALLOW_TRANSCODING=false
OPENVIDU_SESSIONS_GARBAGE_INTERVAL=900
OPENVIDU_SESSIONS_GARBAGE_THRESHOLD=3600
COTURN_REDIS_IP=127.0.0.1
COTURN_REDIS_DBNAME=0
COTURN_REDIS_PASSWORD=turn
COTURN_REDIS_CONNECT_TIMEOUT=30