diff --git a/config/config.go b/config/config.go
index bad81c23..2d7e4e05 100644
--- a/config/config.go
+++ b/config/config.go
@@ -45,9 +45,8 @@ type Config struct {
 Secret []byte `split_words:"true"`
 SessionTimeoutSeconds int `default:"0" split_words:"true"`
- TurnAddress string `default:":3478" required:"true" split_words:"true"`
- TurnStrictAuth bool `default:"true" split_words:"true"`
- TurnPortRange string `split_words:"true"`
+ TurnAddress string `default:":3478" required:"true" split_words:"true"`
+ TurnPortRange string `split_words:"true"`
 TurnExternalIP []string `split_words:"true"`
 TurnExternalPort string `default:"3478" split_words:"true"`
@@ -217,10 +216,18 @@ func Get() (Config, []FutureLog) {
 Msg: "Less than 40 ports are available for turn. When using multiple TURN connections this may not be enough",
 })
 }
+ logs = append(logs, logDeprecated()...)
 return config, logs
 }
+func logDeprecated() []FutureLog {
+ if os.Getenv("SCREEGO_TURN_STRICT_AUTH") != "" {
+ return []FutureLog{{Level: zerolog.WarnLevel, Msg: "The setting SCREEGO_TURN_STRICT_AUTH has been removed."}}
+ }
+ return nil
+ }
+
 func getExecutableOrWorkDir() (string, *FutureLog) {
 dir, err := getExecutableDir()
 // when using `go run main.go` the executable lives in th temp directory therefore the env.development
diff --git a/docs/install.md b/docs/install.md
index 128a5641..bddc58d8 100644
--- a/docs/install.md
+++ b/docs/install.md
@@ -2,7 +2,7 @@
 Latest Version: **GITHUB_VERSION**
-?> Before starting Screego you may read [Configuration](config.md).
+Before starting Screego you may read [Configuration](config.md).
 !> TLS is required for Screego to work. Either enable TLS inside Screego or use a reverse proxy to serve Screego via TLS.
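Review bot: The warning emitted by logDeprecated in the @@ -217,10 hunk says only that SCREEGO_TURN_STRICT_AUTH "has been removed", not that the check it used to control — rejecting TURN credentials presented from a remote IP other than the one the WebSocket session came from, per the code deleted in turn/server.go — now never runs, so a deployment that had it set to true loses that check with nothing more than a WARN line. I would say so in the message, e.g. `Msg: "The setting SCREEGO_TURN_STRICT_AUTH has been removed; the TURN server no longer compares a request's remote IP with the WebSocket connection's IP."`. logDeprecated also reads the variable with os.Getenv directly while the other settings appear to be loaded through the split_words struct tags on Config, so a comment such as `// the field no longer exists on Config, so the raw env var is checked here instead` would explain why it is handled differently. Since the call is appended only just before the final return of Get, the warning is presumably skipped on any earlier return path of Get, whose body starts outside the hunk.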
@@ -16,26 +16,16 @@ Setting up Screego with docker is pretty easy, you basically just have to start docker images are multi-arch docker images. This means the image will work for `amd64`, `i386`, `ppc64le` (power pc), `arm64`, `armv7` (Raspberry PI) and `armv6`. -When using [TURN](nat-traversal.md), Screego will allocate ports for relay -connections, this currently only works with network mode host inside docker. -See [#56](https://github.com/screego/server/issues/56) - By default, Screego runs on port 5050. ?> Replace `EXTERNALIP` with your external IP. One way to find your external ip is with ipify. - - ```bash - $ curl 'https://api.ipify.org' - ``` - -### Network Host + `curl 'https://api.ipify.org'` ```bash $ docker run --net=host -e SCREEGO_EXTERNAL_IP=EXTERNALIP ghcr.io/screego/server:GITHUB_VERSION ``` -#### docker-compose.yml - +**docker-compose.yml** ```yaml version: "3.7" services: @@ -46,6 +36,40 @@ services: SCREEGO_EXTERNAL_IP: "EXTERNALIP" ``` +If you don't want to use the host network, then you can configure docker like this: + +
(Click to expand) +

+ +```bash +$ docker run -it \ + -e SCREEGO_EXTERNAL_IP=EXTERNALIP \ + -e SCREEGO_TURN_PORT_RANGE=50000:50200 \ + -p 5050:5050 \ + -p 3478:3478 \ + -p 50000-50100:50000-50200/udp \ + screego/server:GITHUB_VERSION +``` + +#### docker-compose.yml + +```yml +version: "3.7" +services: + screego: + image: ghcr.io/screego/server:GITHUB_VERSION + ports: + - 5050:5050 + - 3478:3478 + - 50000-50100:50000-50200/udp + environment: + SCREEGO_EXTERNAL_IP: "192.168.178.2" + SCREEGO_TURN_PORT_RANGE: "50000:50200" +``` + +

+
+
 ## Binary
 ### Supported Platforms:
diff --git a/screego.config.development b/screego.config.development
index 665167d9..b49c8c56 100644
--- a/screego.config.development
+++ b/screego.config.development
@@ -2,4 +2,3 @@ SCREEGO_SECRET=secure
 SCREEGO_LOG_LEVEL=debug
 SCREEGO_CORS_ALLOWED_ORIGINS=http://localhost:3000
 SCREEGO_USERS_FILE=./users
-SCREEGO_TURN_STRICT_AUTH=false
diff --git a/screego.config.example b/screego.config.example
index 61f9b05f..7dae46be 100644
--- a/screego.config.example
+++ b/screego.config.example
@@ -40,12 +40,6 @@ SCREEGO_TURN_ADDRESS=0.0.0.0:3478
 # 50000:55000
 SCREEGO_TURN_PORT_RANGE=
-# If true, the TURN server will compare the remote IP of the request with the
-# remote ip of the existing WebSocket connection and deny access if it doesn't
-# match. Disable this feature, if you use some kind of proxy which changes the
-# remote ip.
-SCREEGO_TURN_STRICT_AUTH=true
-
 # If set, screego will not start TURN server and instead use an external TURN server.
 # When using a dual stack setup define both IPv4 & IPv6 separated by a comma.
 # Execute the following command on the server where you host TURN server
diff --git a/turn/server.go b/turn/server.go
index bdb95eef..d89b7a1a 100644
--- a/turn/server.go
+++ b/turn/server.go
@@ -22,9 +22,8 @@ type Server interface {
 }
 type InternalServer struct {
- lock sync.RWMutex
- strictAuth bool
- lookup map[string]Entry
+ lock sync.RWMutex
+ lookup map[string]Entry
 }
 type ExternalServer struct {
@@ -92,10 +91,7 @@ func newInternalServer(conf config.Config) (Server, error) {
 return nil, fmt.Errorf("tcp: could not listen on %s: %s", conf.TurnAddress, err)
 }
- svr := &InternalServer{
- lookup: map[string]Entry{},
- strictAuth: conf.TurnStrictAuth,
- }
+ svr := &InternalServer{lookup: map[string]Entry{}}
 gen := &Generator{
 RelayAddressGenerator: generator(conf),
@@ -153,16 +149,6 @@ func (a *InternalServer) authenticate(username, realm string, addr net.Addr) ([]
 a.lock.RLock()
 defer a.lock.RUnlock()
- var connectedIP net.IP
- switch addr := addr.(type) {
- case *net.UDPAddr:
- connectedIP = addr.IP
- case *net.TCPAddr:
- connectedIP = addr.IP
- default:
- log.Error().Interface("type", fmt.Sprintf("%T", addr)).Msg("unknown addr type")
- return nil, false
- }
 entry, ok := a.lookup[username]
 if !ok {
@@ -170,13 +156,6 @@ func (a *InternalServer) authenticate(username, realm string, addr net.Addr) ([]
 return nil, false
 }
- authIP := entry.addr
-
- if a.strictAuth && !connectedIP.Equal(authIP) {
- log.Debug().Interface("allowedIp", addr.String()).Interface("connectingIp", entry.addr.String()).Msg("TURN strict auth check failed")
- return nil, false
- }
-
 log.Debug().Interface("addr", addr.String()).Str("realm", realm).Msg("TURN authenticated")
 return entry.password, true
 }
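Review bot: With the connectedIP switch removed in this hunk and the strictAuth comparison removed in the following @@ -170,13 hunk, authenticate no longer checks anything about addr: the parameter is now used only in the final debug log, and a credential found in a.lookup is accepted from any remote IP for as long as its entry exists. That makes the lifetime of lookup entries (added and removed outside these hunks) the only bound on reuse of a leaked TURN username/password, which deserves a doc comment on authenticate, e.g. `// authenticate validates TURN credentials by username only; the remote addr is not compared with the session's, so entries must be removed as soon as their session ends.` The removed default case also used to reject addr values that were neither *net.UDPAddr nor *net.TCPAddr, so a nil or unexpected addr now reaches addr.String() in the log instead of returning early — worth confirming what the caller can pass. If nothing else reads entry.addr after this change, the Entry.addr field is dead and should go with it. authenticate's signature sits on the hunk header and its body continues between the two hunks.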