Merge pull request #6 from snikket-im/coturn

Add STUN/TURN support

ansible/files/bin/snikket-turn-addresses

@@ -0,0 +1,24 @@
+#!/usr/bin/env lua
+
+package.path = package.path:gsub("([^;]*)(?[^;]*)","%1prosody/%2;%1%2");
+package.cpath = package.cpath:gsub("([^;]*)(?[^;]*)","%1prosody/%2;%1%2");
+
+package.loaded["net.server"] = require "net.server_epoll";
+local net = require "util.net";
+local ip = require "util.ip";
+local dns = require "net.dns";
+
+local addresses = net.local_addresses();
+
+local ip_addr = ip.new_ip(addresses[1]);
+
+if not ip_addr.private then
+	-- Not a private address, no mapping needed
+	print(ip_addr);
+else
+	local dns_record = dns.lookup(arg[1], ip_addr.proto == "IPv6" and "AAAA" or "A");
+	if #dns_record == 0 then
+		os.exit(1);
+	end
+	print(dns_record[1].a.."/"..tostring(ip_addr));
+end

ansible/files/bin/start-coturn.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+CERTFILE="/snikket/letsencrypt/live/$SNIKKET_DOMAIN/fullchain.pem";
+KEYFILE="/snikket/letsencrypt/live/$SNIKKET_DOMAIN/privkey.pem";
+
+echo "Waiting for certificates to become available..."
+while ! test -f "$CERTFILE" -a -f "$KEYFILE"; do
+  sleep 1;
+  echo ".";
+done
+
+TURN_EXTERNAL_IP="$(snikket-turn-addresses "$SNIKKET_DOMAIN")"
+
+
+exec /usr/bin/turnserver -c /etc/turnserver.conf --prod \
+     --static-auth-secret="$(cat /snikket/prosody/turn-auth-secret)" \
+     --cert="$CERTFILE" --pkey "$KEYFILE" -r "$SNIKKET_DOMAIN" \
+     -X "$TURN_EXTERNAL_IP"

ansible/files/prosody.cfg.lua

@@ -51,6 +51,7 @@ modules_enabled = {
 		"default_bookmarks";
 		"roster_allinall";
 		"update_check";
+		"turncredentials";
 
 	-- TODO...
 		--"groups"; -- Shared roster support
@@ -74,6 +75,9 @@ registration_notification = "New user registered: $username"
 
 reload_global_modules = { "http" }
 
+http_ports  = { ENV_SNIKKET_TWEAK_HTTP_PORT or 80 }
+https_ports = { ENV_SNIKKET_TWEAK_HTTPS_PORT or 443 }
+
 legacy_ssl_ports = { 5223 }
 
 allow_registration = true
@@ -110,6 +114,9 @@ update_check_dns = "_{branch}.update.snikket.net"
 http_host = DOMAIN
 http_external_url = "https://"..DOMAIN.."/"
 
+turncredentials_host = DOMAIN
+turncredentials_secret = assert(io.open("/snikket/prosody/turn-auth-secret")):read("*a");
+
 VirtualHost (DOMAIN)
 	authentication = "internal_hashed"
 

ansible/files/supervisord.conf

@@ -23,3 +23,13 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 redirect_stderr=true
 umask=002
+
+[program:coturn]
+command=start-coturn.sh
+startsecs=0
+autorestart=true
+stopwaitsecs=30
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+umask=002

ansible/files/turnserver.conf

@@ -0,0 +1,99 @@
+# Coturn TURN SERVER configuration file
+#
+# Boolean values note: where boolean value is supposed to be used,
+# you can use '0', 'off', 'no', 'false', 'f' as 'false, 
+# and you can use '1', 'on', 'yes', 'true', 't' as 'true' 
+# If the value is missed, then it means 'true'.
+#
+
+# TURN listener port for UDP and TCP (Default: 3478).
+# Note: actually, TLS & DTLS sessions can connect to the 
+# "plain" TCP & UDP port(s), too - if allowed by configuration.
+#
+listening-port=3478
+
+# TURN listener port for TLS (Default: 5349).
+# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
+# port(s), too - if allowed by configuration. The TURN server 
+# "automatically" recognizes the type of traffic. Actually, two listening
+# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
+# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
+# For secure TCP connections, we currently support SSL version 3 and 
+# TLS version 1.0, 1.1 and 1.2.
+# For secure UDP connections, we support DTLS version 1.
+#
+tls-listening-port=5349
+
+# Alternative listening port for UDP and TCP listeners;
+# default (or zero) value means "listening port plus one". 
+# This is needed for RFC 5780 support
+# (STUN extension specs, NAT behavior discovery). The TURN Server 
+# supports RFC 5780 only if it is started with more than one 
+# listening IP address of the same family (IPv4 or IPv6).
+# RFC 5780 is supported only by UDP protocol, other protocols
+# are listening to that endpoint only for "symmetry".
+#
+alt-listening-port=0
+							 
+# Alternative listening port for TLS and DTLS protocols.
+# Default (or zero) value means "TLS listening port plus one".
+#
+alt-tls-listening-port=0
+	
+# Lower and upper bounds of the UDP relay endpoints:
+# (default values are 49152 and 65535)
+#
+min-port=49152
+max-port=65535
+	
+# TURN REST API flag.
+# Flag that sets a special authorization option that is based upon authentication secret.
+# This feature can be used with the long-term authentication mechanism, only.
+# This feature purpose is to support "TURN Server REST API", see
+# "TURN REST API" link in the project's page 
+# https://github.com/coturn/coturn/
+#
+# This option is used with timestamp:
+# 
+# usercombo -> "timestamp:userid"
+# turn user -> usercombo
+# turn password -> base64(hmac(secret key, usercombo))
+#
+# This allows TURN credentials to be accounted for a specific user id.
+# If you don't have a suitable id, the timestamp alone can be used.
+# This option is just turning on secret-based authentication.
+# The actual value of the secret is defined either by option static-auth-secret,
+# or can be found in the turn_secret table in the database (see below).
+# 
+use-auth-secret
+
+# Option to set the log file name.
+# By default, the turnserver tries to open a log file in
+# /var/log, /var/tmp, /tmp and current directories directories
+# (which open operation succeeds first that file will be used).
+# With this option you can set the definite log file name.
+# The special names are "stdout" and "-" - they will force everything
+# to the stdout. Also, the "syslog" name will force everything to
+# the system log (syslog).
+# In the runtime, the logfile can be reset with the SIGHUP signal
+# to the turnserver process.
+#
+log-file=stdout
+
+# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
+# This is an extra security measure.
+#
+no-multicast-peers
+
+# Turn OFF the CLI support.
+# By default it is always ON.
+# See also options cli-ip and cli-port.
+#
+no-cli
+
+# SQLite database file name.
+#
+# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
+# /var/lib/turn/turndb.
+#
+userdb=/snikket/prosody/turndb

ansible/snikket.yml

@@ -10,4 +10,5 @@
     - import_tasks: tasks/cron.yml
     - import_tasks: tasks/certs.yml
     - import_tasks: tasks/mail.yml
+    - import_tasks: tasks/coturn.yml
     - import_tasks: tasks/scripts.yml

ansible/tasks/coturn.yml

@@ -0,0 +1,26 @@
+---
+
+- name: "Install coturn package"
+  apt:
+    name: coturn
+    state: present
+    install_recommends: yes
+
+- name: "Install dnsutils package"
+  apt:
+    name: dnsutils
+    state: present
+    install_recommends: no
+
+- name: "Disable coturn service"
+  service:
+    name: coturn
+    enabled: no
+- name: "Stop coturn if running"
+  service:
+    name: coturn
+    state: stopped
+- name: Configure coturn
+  copy:
+    src: ../files/turnserver.conf
+    dest: /etc/turnserver.conf

ansible/tasks/prosody.yml

@@ -46,6 +46,8 @@
   service:
     name: prosody
     state: stopped
+- name: "Allow Prosody to bind service ports"
+  command: setcap 'cap_net_bind_service=+ep' /usr/bin/lua5.1
 
 - name: Install Mercurial
   apt:
@@ -87,6 +89,7 @@
     - mod_default_bookmarks
     - mod_muc_defaults
     - mod_firewall
+    - mod_turncredentials
 
 
 - name: Install Bootstrap and JS libs

docker-compose.yml

@@ -3,18 +3,7 @@ version: "3.3"
 services:
   snikket:
     image: snikket:latest
-    ports:
-      # HTTP port
-      - "80:5280"
-      # HTTPS port
-      - "443:5281"
-      # XMPP client connections (STARTTLS and Direct TLS)
-      - "5222:5222"
-      - "5223:5223"
-      # XMPP server-to-server connections
-      - "5269:5269"
-      # Mail viewer (dev only)
-      - "8025:8025"
+    network_mode: host
     volumes:
       - type: "volume"
         source: snikket_data

docker/Dockerfile

@@ -23,6 +23,7 @@ RUN apt-get update \
         software-properties-common \
         gpg gpg-agent \
         ansible python-passlib python3-passlib \
+        libcap2-bin \
     && rm -rf /var/lib/apt/lists/* \
     && ansible-playbook -c local -i localhost, --extra-vars "ansible_python_interpreter=/usr/bin/python2" /opt/ansible/snikket.yml \
     && apt-get remove -y \
@@ -30,7 +31,7 @@ RUN apt-get update \
          software-properties-common \
          gpg gpg-agent \
          python-passlib python3-passlib \
-         mercurial \
+         mercurial libcap2-bin \
     && apt-get autoremove -y \
     && rm -rf /var/cache/*
 

docker/entrypoint.sh

@@ -9,6 +9,10 @@ if [ -z "$SNIKKET_SMTP_URL" ]; then
 	SNIKKET_SMTP_URL="smtp://localhost:1025/;no-tls"
 fi
 
+if [ -z "$SNIKKET_EXTERNAL_IP" ]; then
+	SNIKKET_EXTERNAL_IP="$(dig +short $SNIKKET_DOMAIN)"
+fi
+
 echo "$SNIKKET_SMTP_URL" | smtp-url-to-msmtp > /etc/msmtprc
 
 echo "from snikket@$SNIKKET_DOMAIN" >> /etc/msmtprc
@@ -42,4 +46,9 @@ install -o letsencrypt -g letsencrypt -m 755 -d /var/www/.well-known/acme-challe
 
 chown -R letsencrypt:letsencrypt /snikket/letsencrypt
 
+## Generate secret for coturn auth if necessary
+if ! test -f /snikket/prosody/turn-auth-secret; then
+	head -c 32 /dev/urandom | sha256sum > /snikket/prosody/turn-auth-secret;
+fi
+
 exec supervisord -c /etc/supervisor/supervisord.conf