Coturn #667
Oh, great. Maybe this has a better chance to succeed than the previous PR! |
Really hope this one will be merged. We will be testing this on our infrastructure ASAP and let you know |
@saghul any reason not to merge? |
I have two questions about this PR. First, why aren't we adding the turncredentials and turncredentials_secret to jitsi-meet.cfg.lua? I do not see how mod_turncredentials could work without this. Second, is it out of the scope of this PR to implement some kind of multiplexing based on DNS (or protocol) so the TURN server can work with firewalls that only allow 80 and 443? I'm talking about something like https://jitsi.github.io/handbook/docs/devops-guide/turn#use-turn-server-on-port-443 |
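The credential scheme that mod_turncredentials and coturn share, as an added example that is not code from this PR or from docker-jitsi-meet: the Prosody module hands each client a username of the form `<expiry-unix-time>:<user>` and a password that is the base64 HMAC-SHA1 of that whole username under the shared secret (`turncredentials_secret` on the Prosody side, `static-auth-secret` together with `use-auth-secret` in coturn), and coturn recomputes the MAC and checks the expiry on every allocation. The user name, secret and timestamps in the block are constructed values.

```python
"""TURN REST API (ephemeral) credentials as used by mod_turncredentials and
coturn's use-auth-secret mode. Added example; not code from this PR or from
docker-jitsi-meet. Secret, user and timestamps are constructed values."""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple


def make_turn_credentials(user: str, secret: str, ttl: int = 86400,
                          now: Optional[int] = None) -> Tuple[str, str]:
    """Return (username, password) valid for `ttl` seconds.

    username = "<expiry>:<user>"; password = base64(HMAC-SHA1(secret, username)).
    The MAC covers the whole username string, expiry prefix included, so a
    client cannot extend its own lifetime by editing the timestamp.
    """
    now = int(time.time()) if now is None else now
    username = f"{now + ttl}:{user}"
    mac = hmac.new(secret.encode("utf-8"), username.encode("utf-8"),
                   hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode("ascii")


def verify_turn_credentials(username: str, password: str, secret: str,
                            now: Optional[int] = None) -> bool:
    """The check coturn performs per allocation: parse expiry, reject expired
    or malformed names, then recompute the MAC and compare in constant time."""
    now = int(time.time()) if now is None else now
    expiry_str, sep, _ = username.partition(":")
    if not sep or not expiry_str.isdigit():
        return False                      # malformed: no "<expiry>:" prefix
    if int(expiry_str) <= now:
        return False                      # expired credential
    expected = hmac.new(secret.encode("utf-8"), username.encode("utf-8"),
                        hashlib.sha1).digest()
    try:
        given = base64.b64decode(password, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return False
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    user_name, pw = make_turn_credentials("alice", "change-me", ttl=3600)
    print(user_name, pw, verify_turn_credentials(user_name, pw, "change-me"))
```

Because the secret is the only thing binding the two sides, the value in jitsi-meet.cfg.lua and the one coturn is started with must be identical, and rotating it invalidates every credential issued under the old one once its TTL has not yet elapsed only if both sides accept the new secret at the same moment.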
Well, this way it works, but it may be possible to make it work in another way; I didn't test.
I missed this, very interesting. Some work to do to implement it. |
About the DNS multiplexing: I had to update nginx in the web container for ssl_preread_module to work. Executing this in the container should be enough:
Then activate it with something like this in
And change |
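What the ssl_preread multiplexing above relies on, as an added example that is not part of this PR or of docker-jitsi-meet: nginx's stream module reads the TLS ClientHello before any handshake takes place, takes the server_name (SNI) extension out of it and picks a backend from that name (`map $ssl_preread_server_name ...` plus `ssl_preread on;`), so the web container and coturn can share port 443 as long as they are reached under different host names. The block below makes the same decision in Python so the format and the failure mode can be inspected: host names, backend ports and the ClientHello bytes are constructed for the example, and a client that speaks plain TCP TURN (no TLS, hence no SNI) cannot be demultiplexed this way and falls through to the default backend.

```python
"""SNI-based demultiplexing of one TLS port between a web backend and a
TURN backend, the decision nginx's ssl_preread makes. Added example; not code
from this PR or from docker-jitsi-meet. Host names, ports and the ClientHello
bytes below are constructed for the example."""
import struct
from typing import Optional, Tuple

# Hypothetical host names and backends: the nginx http server would listen on
# 4444 instead of 443, coturn on its tls-listening-port.
ROUTES = {
    "turn.example.com": ("turn", 5349),
    "meet.example.com": ("web", 4444),
}
DEFAULT_ROUTE = ("web", 4444)  # what nginx's `default` map entry would do


def extract_sni(data: bytes) -> Optional[str]:
    """Return the server_name from the first bytes of a TLS ClientHello, or
    None if the bytes are not a complete ClientHello carrying an SNI extension."""
    # TLS record header: content type 0x16 (handshake), version, length.
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    # Handshake header: type 0x01 (ClientHello), 3-byte length.
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    p = body[4:4 + hs_len]
    if len(p) < hs_len:
        return None  # truncated: a peeker must wait for more bytes
    i = 2 + 32  # skip client_version and random
    if i >= len(p):
        return None
    i += 1 + p[i]  # session_id
    if i + 2 > len(p):
        return None
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]  # cipher_suites
    if i >= len(p):
        return None
    i += 1 + p[i]  # compression_methods
    if i + 2 > len(p):
        return None  # legal ClientHello without extensions: no SNI
    ext_len = struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    end = min(i + ext_len, len(p))
    while i + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", p[i:i + 4])
        i += 4
        ext = p[i:i + ext_size]
        i += ext_size
        if ext_type != 0x0000:  # extension type 0 == server_name
            continue
        j = 2  # skip server_name_list length
        while j + 3 <= len(ext):
            name_type = ext[j]
            name_len = struct.unpack("!H", ext[j + 1:j + 3])[0]
            name = ext[j + 3:j + 3 + name_len]
            if name_type == 0 and len(name) == name_len:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
            j += 3 + name_len
    return None


def route(first_bytes: bytes) -> Tuple[str, int]:
    """Pick the backend the way `map $ssl_preread_server_name` would."""
    return ROUTES.get(extract_sni(first_bytes), DEFAULT_ROUTE)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello, with an SNI extension when
    server_name is given (test input, not captured traffic)."""
    hello = b"\x03\x03" + b"\x00" * 32          # version, random
    hello += b"\x00"                              # empty session id
    hello += struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
    hello += b"\x01\x00"                          # null compression
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(route(build_client_hello("turn.example.com")))
    print(route(build_client_hello(None)))
```

The routing name is whatever the client puts in SNI, so the TURN host name advertised in the turncredentials config has to be the one the map matches, and anything that arrives without TLS (a STUN binding request, or TURN over plain TCP) is indistinguishable from a web client and goes to the default backend.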
Could you implement it based on this PR? |
I'll certainly try but unfortunately in the short term I'm too busy to dedicate enough time to it :( |
@saghul : when TURN is merged, ENABLE_STUN_TURN needs to be false by default |
No way. Why do you think that is the case? |
My bad, I'm rebasing this PR and indeed, it is not the case. |
@saghul : is there a chance that this PR will be merged? |
Sure thing! I just need to find the time to properly test it, which I haven't managed to do yet. Btw, did you add Let's Encrypt support to the TURN setup? |
prosody/Dockerfile
Outdated
@@ -48,6 +48,9 @@ RUN \ | |||
&& rm -rf /tmp/pkg /var/cache/apt | |||
|
|||
RUN patch -d /usr/lib/prosody/modules/muc -p0 < /prosody-plugins/muc_owner_allow_kick.patch | |||
RUN \ | |||
curl -4so /prosody-plugins/mod_turncredentials.lua \ | |||
https://raw.githubusercontent.com/netaskd/mod_turncredentials/master/mod_turncredentials.lua |
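Review bot: the `curl -4so /prosody-plugins/mod_turncredentials.lua https://raw.githubusercontent.com/netaskd/mod_turncredentials/master/mod_turncredentials.lua` step pulls an unpinned file from a third-party fork's master branch at image build time, so whatever that branch serves on a given day becomes the authentication module Prosody loads, with no checksum check; and because `-s` is used without `-f`, a 404 or rate-limit page gets written to the .lua path and the build still succeeds. Pin to a commit SHA and verify a sha256sum before copying the file into place (or drop the download altogether, since the jitsi-meet prosody-plugins already ship mod_turncredentials as the review below notes), and use `curl -fsSL` so a failed download fails the build.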
Why is this needed? The prosody-plugins package already contains mod_turncredentials:
https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_turncredentials.lua
Well, exactly. I can now remove this.
Hi, We have faced many situations with only 80 and 443 ports allowed, so we followed this guide[0] with nginx in front of containers. |
I assume that TURN runs on a different port from the one used by the jitsi-meet web container. |
Done |
OK. I can work on it. |
@nestorconde (see earlier msg) posted about handling web and coturn on the same nginx, and so on the same port |
* a81ad73 prosody: add support for lobby
* baed605 web: fix removing closed captions button if transcription is enabled
* edecacd etherpad: add ability to use a external server
* a7563d4 jvb: use JVB_TCP_PORT for exposing the port
* b235ea1 prosody: disable s2s module
* 1d428a8 prosody: use a 2-stage build
* 613c26c misc: working on latest
* 4d72ee3 release: stable-4627-1
* 22b7063 examples: update Traefik v1 example
* 1381b08 prosody: fix installing dependencies
* 2900c11 misc: add extra line to tag message
* c57a84b misc: working on latest
* 5ceaf5f web: add IPv6 support
* aff3775 xmpp: allow recorders to bypass lobby
* ad5625b jvb: switch to WebSocket based bridge channels
* 8110336 web: add ability to configure the nginx resolver
* 2f47518 jicofo: no auth URL in JWT auth mode
* c149463 web: build config.js on each boot
* c792bbc base: update frep
* bec928c prosody: configure lobby on the guest domain is necessary
* bcbd977 jicofo: pass XMPP_MUC_DOMAIN through docker-compose.yml
* 8f9caa4 jicofo: set XMPP_MUC_COMPONENT_PREFIX
* 2a0120d web: set security headers also for non HTTPS
* e6586f2 jvb: set LOCAL_ADDRESS to the correct local IP (jitsi#630)
* 97f5e75 base: optimize size
* b78c89e misc: minor Dockerfile Improvements
* a754519 misc: working on latest
@saghul is there something I can do to help merge it |
Long-awaited PR; I keep hoping it gets merged ASAP. But maybe the Jitsi team has forgotten it now. |
A couple of quick observations:
|
@goacid do you need help with the change? |
Yes! Not a lot of time at the moment; any help is welcome |
turn/Dockerfile
Outdated
ARG VERSION | ||
FROM instrumentisto/coturn:${VERSION:-latest} | ||
|
||
RUN apk add --no-cache openssl | ||
RUN apk add --no-cache certbot | ||
RUN apk add --no-cache bash |
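Review bot: `FROM instrumentisto/coturn:${VERSION:-latest}` falls back to a floating `latest` tag, so two builds of the same Dockerfile can yield different coturn versions and a rebuild can silently change the relay's behaviour; give VERSION a pinned default. The three consecutive `RUN apk add --no-cache openssl`, `RUN apk add --no-cache certbot`, `RUN apk add --no-cache bash` lines also create three layers for a single package set and should be collapsed into one `RUN apk add --no-cache openssl certbot bash`.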
ARG JITSI_REPO=jitsi
ARG BASE_TAG=latest
FROM ${JITSI_REPO}/base:${BASE_TAG}
RUN \
    apt-dpkg-wrap apt-get update && \
    apt-dpkg-wrap apt-get install -y coturn && \
    apt-cleanup
Thanks!
@saghul asked:
Use a different domain for Let's Encrypt, and SNI on the web container to direct traffic at the TURN server, so we can run it on port 443.
@nestorconde I think you are working on that?
I've started work on the Let's Encrypt part with the attached patch file. Unfortunately I don't quite understand all the details from reading the docs, especially the prosody configuration and the Let's Encrypt hook. I'll add whatever else I spot via review. 0001-Add-TURN-configuration-to-web-container.txt Hope this is of any help. |
{{ if .Env.TURN_HOST }} | ||
{ type = "{{ .Env.TURN_PROTO | default "turns" }}", | ||
host = "{{ .Env.TURN_HOST }}", | ||
port = {{ .Env.TURN_PORT | default "3478" }}, |
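Review bot: `type` defaults to `"turns"` while `port` defaults to 3478, which is the plain STUN/TURN port; coturn serves TLS on its tls-listening-port (5349 by default), so with both defaults a client will attempt a TLS handshake against a listener that is not speaking TLS unless the operator also moves coturn's TLS listener to 3478. Either derive the default port from the protocol (5349 when TURN_PROTO is turns, 3478 otherwise) or document that TURN_PORT must match coturn's tls-listening-port. Note that `port = {{ .Env.TURN_PORT | default "3478" }},` is emitted unquoted so Lua sees a number; keep any alternative branch consistent with that.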
port = {{ .Env.TURN_PORT | default "3478" }}, | |
{{ if not (.Env.DISABLE_HTTPS | default "0" | toBool) }} | |
port = "443", | |
{{ else }} | |
port = {{ .Env.TURN_PORT | default "3478" }}, | |
{{ end }} |
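Review bot: the suggested branch writes `port = "443",` as a quoted string while the fallback branch emits `port = {{ .Env.TURN_PORT | default "3478" }},` as a bare number, so the two branches hand different Lua types to mod_turncredentials; drop the quotes in the 443 branch. Gating on `DISABLE_HTTPS` also ties the TURN port to whether the web container serves HTTPS, which is a separate question from whether coturn has a TLS listener reachable on 443; a dedicated variable, or deriving the port from TURN_PROTO, would make the intent clearer.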
We can hard-code the 443 port here if TLS / Let's Encrypt is enabled / used.
Ubuntu based.
# run coturn server with API auth method enabled. | ||
turnserver -n \ | ||
--verbose \ | ||
--prod \ |
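Review bot: `-n` tells turnserver to ignore turnserver.conf and take every option from the command line, so any hardening that would normally live in the config file (such as `no-software-attribute`) has to be appended to this invocation or it silently does not apply; and `--verbose` at the same time logs every session and allocation at moderate verbosity, which is noisy for a production default and worth gating on an environment variable rather than being baked in next to `--prod`.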
--no-software-attribute Production mode: hide the software version.
Based on PR #163 from netaskd: #163