SHA256
1
0
forked from pool/coturn
Go to file
2024-06-17 17:29:42 +00:00
.gitattributes Accepting request 793075 from home:weberho:tools 2020-04-11 13:08:03 +00:00
.gitignore Accepting request 793075 from home:weberho:tools 2020-04-11 13:08:03 +00:00
coturn-4.6.2.tar.gz Accepting request 1083916 from home:Kieltux:branches:network:telephony 2023-05-02 08:00:56 +00:00
coturn-apparmor-usr.bin.turnserver Accepting request 1117713 from home:computersalat:devel:tel 2023-10-14 14:37:36 +00:00
coturn-turnserver_conf.patch Accepting request 1117713 from home:computersalat:devel:tel 2023-10-14 14:37:36 +00:00
coturn-user.conf Accepting request 1117713 from home:computersalat:devel:tel 2023-10-14 14:37:36 +00:00
coturn.changes Accepting request 1181044 from home:adamm:branches:network:telephony 2024-06-15 17:58:02 +00:00
coturn.firewalld Accepting request 793075 from home:weberho:tools 2020-04-11 13:08:03 +00:00
coturn.logrotate Accepting request 1117713 from home:computersalat:devel:tel 2023-10-14 14:37:36 +00:00
coturn.service Accepting request 1040008 from home:stroeder:network 2022-12-05 12:21:03 +00:00
coturn.spec Accepting request 1181044 from home:adamm:branches:network:telephony 2024-06-15 17:58:02 +00:00
coturn.sysconfig Accepting request 800058 from home:weberho:branches:network:telephony 2020-05-04 13:08:12 +00:00
coturn.tmpfilesd Accepting request 793075 from home:weberho:tools 2020-04-11 13:08:03 +00:00
coturn@.service Accepting request 915053 from home:jsegitz:branches:systemdhardening:network:telephony 2021-08-30 22:28:45 +00:00
README.SUSE Accepting request 1117713 from home:computersalat:devel:tel 2023-10-14 14:37:36 +00:00

# SUSE coturn information

## Configuration files:

- /etc/coturn/turnserver.conf is the main configuration file
- /etc/sysconfig/coturn can be used to set additional command line parameters

Allow traffic through the firewall:
```
firewall-cmd --zone=<zone> --add-service=coturn [--permanent]
```

## Notes:

- /etc/syconfig/coturn has the option '--no-software-attribute' enabled to hide 
  the software version for production issue.

## Coturn and Let's Encrypt Certificates (certbot)

coturn needs ability to read certificate and key from /etc/letsencrypt/archive as 'coturn' user
(same problem exists with mysql/mariadb)

### Solution proposal (symlinks):

- add system group: 'cert' (or whatever name you prefer)
```
groupadd -r cert
or
groupadd -g 110 -r cert
```

- add 'coturn' user to this 'cert' group
```
usermod -a -G cert coturn
```

- add ACLs to Let's Encrypt 'archive' folder

  - add default ACL
  ```
  setfacl -m default:group:cert:r-x /etc/letsencrypt/archive
  ```

  - add recursive ACL to already existings files
  ```
  setfacl -R -m group:cert:r-x /etc/letsencrypt/archive
  ```

- now place symlinks to Let's Encrypt certificates in /etc/coturn/tls, e.g.:
```
ln -s /etc/letsencrypt/live/turn.example.com/fullchain.pem turn_server_cert.pem
ln -s /etc/letsencrypt/live/turn.example.com/privkey.pem turn_server_pkey.pem
```

### Solution proposal (copy via certbot renewal-hooks)

put the following code to a script in /etc/letsencrypt/renewal-hooks/deploy/coturn-deploy.sh
```
#!/bin/bash -e
#
##############################################################################
#
### VARs
#
scTurnCertDir='/etc/coturn/tls'

##############################################################################
#
# MAIN code
#

if [[ ! -d "${scTurnCertDir}" ]]; then
  install -D -m 0750 -o coturn -g root "${scTurnCertDir}"
fi

for scDomain in ${RENEWED_DOMAINS}; do
  case ${scDomain} in
    'coturn.example.com')
      install -m 0400 -o coturn -g root "${RENEWED_LINEAGE}"/fullchain.pem "${scTurnCertDir}"/turn_server_cert.pem
      install -m 0400 -o coturn -g root "${RENEWED_LINEAGE}"/privkey.pem "${scTurnCertDir}"/turn_server_pkey.pem
      service coturn restart
    ;;
  esac
done
```

Don't forget to replace `coturn.example.com` with your `coturn realm` !


## Coturn and Certificates (not certbot)

copy your cert/key and place them in /etc/coturn/tls, e.g.:
```
install -m 0400 -o coturn -g root /Path/To/Your/certificate.pem /etc/coturn/tls/turn_server_cert.pem
install -m 0400 -o coturn -g root /Path/To/Your/privatekey.pem /etc/coturn/tls/turn_server_pkey.pem
```