40566233e0
Some fixes and Improvements OBS-URL: https://build.opensuse.org/request/show/1117713 OBS-URL: https://build.opensuse.org/package/show/network:telephony/coturn?expand=0&rev=30
97 lines
2.5 KiB
Plaintext
# SUSE coturn information

## Configuration files:

- /etc/coturn/turnserver.conf is the main configuration file
- /etc/sysconfig/coturn can be used to set additional command line parameters

Allow traffic through the firewall:

```
firewall-cmd --zone=<zone> --add-service=coturn [--permanent]
```

## Notes:

- /etc/sysconfig/coturn has the option '--no-software-attribute' enabled to hide
  the software version in production deployments.

## Coturn and Let's Encrypt Certificates (certbot)

coturn needs the ability to read the certificate and key from /etc/letsencrypt/archive as the 'coturn' user
(the same problem exists with mysql/mariadb).

### Solution proposal (symlinks):

- add system group: 'cert' (or whatever name you prefer)

```
groupadd -r cert
or
groupadd -g 110 -r cert
```

- add 'coturn' user to this 'cert' group

```
usermod -a -G cert coturn
```

- add ACLs to the Let's Encrypt 'archive' folder

- add default ACL (applies to files certbot creates there in the future)

```
setfacl -m default:group:cert:r-x /etc/letsencrypt/archive
```

- add recursive ACL to already existing files

```
setfacl -R -m group:cert:r-x /etc/letsencrypt/archive
```

- now place symlinks to the Let's Encrypt certificates in /etc/coturn/tls (run from within that directory, since the link names are relative), e.g.:

```
ln -s /etc/letsencrypt/live/turn.example.com/fullchain.pem turn_server_cert.pem
ln -s /etc/letsencrypt/live/turn.example.com/privkey.pem turn_server_pkey.pem
```

### Solution proposal (copy via certbot renewal-hooks)

Put the following code into a script at /etc/letsencrypt/renewal-hooks/deploy/coturn-deploy.sh:

```
#!/bin/bash -e
#
##############################################################################
#
### VARs
#
# certbot runs every executable file in renewal-hooks/deploy/ after a
# successful renewal and exports RENEWED_DOMAINS and RENEWED_LINEAGE to it.
scTurnCertDir='/etc/coturn/tls'

##############################################################################
#
# MAIN code
#

# Create the target directory if the package has not already done so.
# 'install -d' creates a directory; '-D' alone expects a source and a
# destination file and would abort the hook with "missing destination".
if [[ ! -d "${scTurnCertDir}" ]]; then
    install -d -m 0750 -o coturn -g root "${scTurnCertDir}"
fi

for scDomain in ${RENEWED_DOMAINS}; do
    case ${scDomain} in
        'coturn.example.com')
            # Copy (not link) the renewed files so coturn never has to read
            # /etc/letsencrypt; the key is owner-readable only.
            install -m 0400 -o coturn -g root "${RENEWED_LINEAGE}"/fullchain.pem "${scTurnCertDir}"/turn_server_cert.pem
            install -m 0400 -o coturn -g root "${RENEWED_LINEAGE}"/privkey.pem "${scTurnCertDir}"/turn_server_pkey.pem
            # coturn reads the files at startup, so restart to pick up the new certificate.
            service coturn restart
            ;;
    esac
done
```

Don't forget to replace `coturn.example.com` with your coturn realm!

## Coturn and Certificates (not certbot)

Copy your cert/key and place them in /etc/coturn/tls, e.g.:

```
install -m 0400 -o coturn -g root /Path/To/Your/certificate.pem /etc/coturn/tls/turn_server_cert.pem
install -m 0400 -o coturn -g root /Path/To/Your/privatekey.pem /etc/coturn/tls/turn_server_pkey.pem
```
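Whichever of the three placement methods above you use (symlinks into /etc/letsencrypt, the certbot deploy hook, or a manual copy), the result should be checked from the service user's point of view. The following script is an added example and not part of the SUSE package or this README: it verifies that each file under /etc/coturn/tls resolves to a regular file readable by the invoking user, and that the private key carries no permission bits for 'other'. The function names and the `--check` flag are assumptions of this example; it assumes GNU coreutils for `stat -L -c '%a'` and uses the file names from this README.

```shell
#!/bin/sh
# Added check script (not part of the SUSE coturn package): verify that the
# files coturn loads from /etc/coturn/tls are usable by the service user and
# that the private key is not world-accessible. Run it as that user so that
# the readability test reflects coturn's view:
#   sudo -u coturn sh check-coturn-tls.sh --check
# Assumes GNU coreutils (stat -L -c '%a').

# check_tls_file PATH KIND   (KIND is 'cert' or 'key'); returns 0 when usable
check_tls_file() {
    path=$1
    kind=$2
    # Follow symlinks: a dangling link (e.g. after a renamed lineage) fails here.
    if [ ! -f "$path" ]; then
        echo "FAIL: $path does not resolve to a regular file" >&2
        return 1
    fi
    # Readable by the invoking user; for the symlink approach this is exactly
    # what the 'cert' group plus the ACLs on /etc/letsencrypt/archive provide.
    if [ ! -r "$path" ]; then
        echo "FAIL: $path is not readable by $(id -un)" >&2
        return 1
    fi
    # Mode of the resolved target; the last octal digit is the 'other' class.
    mode=$(stat -L -c '%a' "$path") || return 1
    if [ "$kind" = key ]; then
        case $mode in
            *0) ;;
            *)
                echo "FAIL: $path (mode $mode) is accessible to everyone" >&2
                return 1
                ;;
        esac
    fi
    echo "OK: $path ($kind, mode $mode, readable by $(id -un))"
    return 0
}

# Check the two file names used throughout this README.
check_coturn_tls() {
    rc=0
    check_tls_file /etc/coturn/tls/turn_server_cert.pem cert || rc=1
    check_tls_file /etc/coturn/tls/turn_server_pkey.pem key || rc=1
    return $rc
}

# Only touch the real system paths when asked, so the file can also be
# sourced for its functions without side effects.
if [ "${1-}" = "--check" ]; then
    check_coturn_tls
fi
```

Run it after the ACL or hook setup and again after the first certbot renewal, since the file names in /etc/letsencrypt/archive change on renewal and only the `live/` symlinks keep the symlink approach working. If the readability test fails with the symlink approach even though the ACLs are in place, look at the directories on the resolved path (`/etc/letsencrypt/live` and the lineage directory below it): every directory a symlink chain passes through must be searchable by the reading user, not only the final file.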