Skip to content

Commit

Permalink
Merge pull request #163 from screego/docker
Browse files Browse the repository at this point in the history
Add docker docs & remove turn strict auth
  • Loading branch information
jmattheis authored Jul 29, 2023
2 parents f3898e7 + d025652 commit 2242880
Show file tree
Hide file tree
Showing 5 changed files with 50 additions and 47 deletions.
13 changes: 10 additions & 3 deletions config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -45,9 +45,8 @@ type Config struct {
Secret []byte `split_words:"true"`
SessionTimeoutSeconds int `default:"0" split_words:"true"`

TurnAddress string `default:":3478" required:"true" split_words:"true"`
TurnStrictAuth bool `default:"true" split_words:"true"`
TurnPortRange string `split_words:"true"`
TurnAddress string `default:":3478" required:"true" split_words:"true"`
TurnPortRange string `split_words:"true"`

TurnExternalIP []string `split_words:"true"`
TurnExternalPort string `default:"3478" split_words:"true"`
Expand Down Expand Up @@ -217,10 +216,18 @@ func Get() (Config, []FutureLog) {
Msg: "Less than 40 ports are available for turn. When using multiple TURN connections this may not be enough",
})
}
logs = append(logs, logDeprecated()...)

return config, logs
}

func logDeprecated() []FutureLog {
if os.Getenv("SCREEGO_TURN_STRICT_AUTH") != "" {
return []FutureLog{{Level: zerolog.WarnLevel, Msg: "The setting SCREEGO_TURN_STRICT_AUTH has been removed."}}
}
return nil
}

func getExecutableOrWorkDir() (string, *FutureLog) {
dir, err := getExecutableDir()
// when using `go run main.go` the executable lives in th temp directory therefore the env.development
Expand Down
50 changes: 37 additions & 13 deletions docs/install.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

Latest Version: **GITHUB_VERSION**

?> Before starting Screego you may read [Configuration](config.md).
Before starting Screego you may read [Configuration](config.md).

!> TLS is required for Screego to work. Either enable TLS inside Screego or
use a reverse proxy to serve Screego via TLS.
Expand All @@ -16,26 +16,16 @@ Setting up Screego with docker is pretty easy, you basically just have to start
docker images are multi-arch docker images.
This means the image will work for `amd64`, `i386`, `ppc64le` (power pc), `arm64`, `armv7` (Raspberry PI) and `armv6`.

When using [TURN](nat-traversal.md), Screego will allocate ports for relay
connections, this currently only works with network mode host inside docker.
See [#56](https://github.com/screego/server/issues/56)

By default, Screego runs on port 5050.

?> Replace `EXTERNALIP` with your external IP. One way to find your external ip is with ipify.

```bash
$ curl 'https://api.ipify.org'
```

### Network Host
`curl 'https://api.ipify.org'`

```bash
$ docker run --net=host -e SCREEGO_EXTERNAL_IP=EXTERNALIP ghcr.io/screego/server:GITHUB_VERSION
```

#### docker-compose.yml

**docker-compose.yml**
```yaml
version: "3.7"
services:
Expand All @@ -46,6 +36,40 @@ services:
SCREEGO_EXTERNAL_IP: "EXTERNALIP"
```
If you don't want to use the host network, then you can configure docker like this:
<details><summary>(Click to expand)</summary>
<p>
```bash
$ docker run -it \
-e SCREEGO_EXTERNAL_IP=EXTERNALIP \
-e SCREEGO_TURN_PORT_RANGE=50000:50200 \
-p 5050:5050 \
-p 3478:3478 \
-p 50000-50100:50000-50200/udp \
screego/server:GITHUB_VERSION
```

#### docker-compose.yml

```yml
version: "3.7"
services:
screego:
image: ghcr.io/screego/server:GITHUB_VERSION
ports:
- 5050:5050
- 3478:3478
- 50000-50100:50000-50200/udp
environment:
SCREEGO_EXTERNAL_IP: "192.168.178.2"
SCREEGO_TURN_PORT_RANGE: "50000:50200"
```
</p>
</details>
## Binary
### Supported Platforms:
Expand Down
1 change: 0 additions & 1 deletion screego.config.development
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,3 @@ SCREEGO_SECRET=secure
SCREEGO_LOG_LEVEL=debug
SCREEGO_CORS_ALLOWED_ORIGINS=http://localhost:3000
SCREEGO_USERS_FILE=./users
SCREEGO_TURN_STRICT_AUTH=false
6 changes: 0 additions & 6 deletions screego.config.example
Original file line number Diff line number Diff line change
Expand Up @@ -40,12 +40,6 @@ SCREEGO_TURN_ADDRESS=0.0.0.0:3478
# 50000:55000
SCREEGO_TURN_PORT_RANGE=

# If true, the TURN server will compare the remote IP of the request with the
# remote ip of the existing WebSocket connection and deny access if it doesn't
# match. Disable this feature, if you use some kind of proxy which changes the
# remote ip.
SCREEGO_TURN_STRICT_AUTH=true

# If set, screego will not start TURN server and instead use an external TURN server.
# When using a dual stack setup define both IPv4 & IPv6 separated by a comma.
# Execute the following command on the server where you host TURN server
Expand Down
27 changes: 3 additions & 24 deletions turn/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,9 +22,8 @@ type Server interface {
}

type InternalServer struct {
lock sync.RWMutex
strictAuth bool
lookup map[string]Entry
lock sync.RWMutex
lookup map[string]Entry
}

type ExternalServer struct {
Expand Down Expand Up @@ -92,10 +91,7 @@ func newInternalServer(conf config.Config) (Server, error) {
return nil, fmt.Errorf("tcp: could not listen on %s: %s", conf.TurnAddress, err)
}

svr := &InternalServer{
lookup: map[string]Entry{},
strictAuth: conf.TurnStrictAuth,
}
svr := &InternalServer{lookup: map[string]Entry{}}

gen := &Generator{
RelayAddressGenerator: generator(conf),
Expand Down Expand Up @@ -153,30 +149,13 @@ func (a *InternalServer) authenticate(username, realm string, addr net.Addr) ([]
a.lock.RLock()
defer a.lock.RUnlock()

var connectedIP net.IP
switch addr := addr.(type) {
case *net.UDPAddr:
connectedIP = addr.IP
case *net.TCPAddr:
connectedIP = addr.IP
default:
log.Error().Interface("type", fmt.Sprintf("%T", addr)).Msg("unknown addr type")
return nil, false
}
entry, ok := a.lookup[username]

if !ok {
log.Debug().Interface("addr", addr).Str("username", username).Msg("TURN username not found")
return nil, false
}

authIP := entry.addr

if a.strictAuth && !connectedIP.Equal(authIP) {
log.Debug().Interface("allowedIp", addr.String()).Interface("connectingIp", entry.addr.String()).Msg("TURN strict auth check failed")
return nil, false
}

log.Debug().Interface("addr", addr.String()).Str("realm", realm).Msg("TURN authenticated")
return entry.password, true
}
Expand Down

0 comments on commit 2242880

Please sign in to comment.