schlagmichdoch · xundeenergie · Apr 22, 2023 · Apr 22, 2023 · Apr 22, 2023 · Apr 22, 2023
diff --git a/.dockerignore b/.dockerignore
@@ -2,4 +2,4 @@ node_modules
 .github
 .git*
 
-*.md
+*.md
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,6 @@ node_modules
 fqdn.env
 /docker/certs
 qrcode-svg/
+rtc_config.json
+turnserver.conf
+ssl/*
diff --git a/docker-compose-coturn.yml b/docker-compose-coturn.yml
@@ -10,10 +10,18 @@ services:
     restart: unless-stopped
     ports:
       - "3000:3000"
+    environment:
+      - RTC_CONFIG=/home/node/app/rtc_config.json
+      - WS_FALLBACK=false # Set to true to enable websocket fallback if the peer to peer WebRTC connection is not available to the client.
+      - RATE_LIMIT=false # Set to true to limit clients to 1000 requests per 5 min.
+      - TZ=Europa/Vienna # Time Zone
+    # you need to copy rtc_config_example.json to rtc_config.json and specify domain, IP address, user and password
   coturn_server:
     image: "coturn/coturn"
     restart: always
     network_mode: "host"
     volumes:
       - ./turnserver.conf:/etc/coturn/turnserver.conf
-    #you need to copy turnserver_example.conf to turnserver.conf and specify domain, IP address, user and password
+      - ./ssl/:/etc/coturn/ssl/
+    # you need to copy turnserver_example.conf to turnserver.conf and specify domain, IP address, user and password
+    # create dhparams.pem with `openssl dhparam -out ssl/dhparams.pem 4096` it takes a very long time!!!
diff --git a/docs/host-your-own.md b/docs/host-your-own.md
@@ -397,9 +397,28 @@ Now point your browser to `http://localhost:8080`.
 - To stop the containers run `docker-compose stop`.
 - To debug the NodeJS server run `docker logs pairdrop_node_1`.
 
-
 <br>
 
+# Coturn
+## docker-compose
+
+- generate or retrieve certificates for your <DOMAIN> (f.e. letsencrypt)
+- copy your ssl-certificates and privkey to `./ssl` and `chown -R nobody:nogroup ./ssl`
+- create a dh-params file with `openssl dhparam -out ./ssl/dhparams.pem 4096`
+- copy `rtc_config_example-coturn.json` to `rtc_config.json`
+- copy `turnserver_example.conf` to `turnserver.conf`
+- change <DOMAIN> in all 2 files to the domain, where your pairdrop is running
+- change user and password for turn-server in `turnserver.conf` and `rtc-config.json`
+- To start the container including coturn run `docker-compose -f docker-compose-coturn.yml up -d`
+- To restart the container including coturn run `docker-compose -f docker-compose-coturn.yml restart`
+- To stop the container including coturn run `docker-compose -f docker-compose-coturn.yml stop`
+
+## Firewall
+To run PairDrop including its own coturn-server you need to punch holes in the firewall. These ports must be opened additionally:
+- 3478 tcp/udp
+- 5349 tcp/udp
+- 10000:20000 tcp/udp
+
 ## Testing PWA related features
 PWAs require that the app is served under a correctly set up and trusted TLS endpoint.
 

diff --git a/rtc_config_example-coturn.json b/rtc_config_example-coturn.json
@@ -0,0 +1,13 @@
+{
+  "sdpSemantics": "unified-plan",
+  "iceServers": [
+    {
+        "urls": "stuns:<DOMAIN>:5349"
+    },
+    {
+        "urls": "turns:<DOMAIN>:5349",
+        "username": "user",
+        "credential": "password"
+    }
+  ]
+}
diff --git a/turnserver_example.conf b/turnserver_example.conf
@@ -1,16 +1,25 @@
 # TURN server name and realm
+# realm can be domain or <IP-ADDRESS>
 realm=<DOMAIN>
 server-name=pairdrop
 
 # IPs the TURN server listens to
 listening-ip=0.0.0.0
 
 # External IP-Address of the TURN server
-external-ip=<IP_ADDRESS>
+# only needed, if coturn is behind a NAT
+#external-ip=<IP_ADDRESS>
+
+# relay-ip is needed for tls turns connections
+# it can be set multiple times. A local IP is sufficient (not 127.0.0.1!!)
+relay-ip=<SOME_LOCAL_IP_ADDRESS>
 
 # Main listening port
 listening-port=3478
 
+# 443 for TURN over TLS, which can bypass firewalls
+tls-listening-port=5349
+
 # Further ports that are open for communication
 min-port=10000
 max-port=20000
@@ -19,7 +28,8 @@ max-port=20000
 fingerprint
 
 # Log file path
-log-file=/var/log/turnserver.log
+# - is logging to STDOUT, so it's visible in docker-compose logs 
+log-file=-
 
 # Enable verbose logging
 verbose
@@ -31,8 +41,13 @@ user=user:password
 lt-cred-mech
 
 # SSL certificates
-cert=/etc/letsencrypt/live/<DOMAIN>/cert.pem
-pkey=/etc/letsencrypt/live/<DOMAIN>/privkey.pem
+cert=/etc/letsencrypt/fullchain.pem
+pkey=/etc/letsencrypt/privkey.pem
+dh-file=/etc/dhparam.pem
 
-# 443 for TURN over TLS, which can bypass firewalls
-tls-listening-port=443
+# For security-reasons disable old ssl and tls-protocols
+no-sslv3
+no-tlsv1
+no-tlsv1_1
+
+stale-nonce=600
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,4 +2,4 @@ node_modules @@
     .github
     .git*
-    *.md
+    *.md