support reading TURN secret from a file (turn_secret_file)
Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
parent
73afc1fd8f
commit
e0b2595905
|
@ -845,9 +845,20 @@ allow_profile_lookup_federation_requests = true
|
||||||
|
|
||||||
# vector list of TURN URIs/servers to use
|
# vector list of TURN URIs/servers to use
|
||||||
#
|
#
|
||||||
|
# replace "example.turn.uri" with your TURN domain, such as the coturn "realm".
|
||||||
|
# if using TURN over TLS, replace "turn:" with "turns:"
|
||||||
|
#
|
||||||
# No default
|
# No default
|
||||||
#turn_uris = ["turn:example.turn.uri?transport=udp", "turn:example.turn.uri?transport=tcp"]
|
#turn_uris = ["turn:example.turn.uri?transport=udp", "turn:example.turn.uri?transport=tcp"]
|
||||||
|
|
||||||
|
# TURN secret to use that's read from the file path specified
|
||||||
|
#
|
||||||
|
# this takes priority over "turn_secret" first, and falls back to "turn_secret" if invalid or
|
||||||
|
# failed to open.
|
||||||
|
#
|
||||||
|
# no default
|
||||||
|
#turn_secret_file = "/path/to/secret.txt"
|
||||||
|
|
||||||
# TURN secret to use for generating the HMAC-SHA1 hash apart of username and password generation
|
# TURN secret to use for generating the HMAC-SHA1 hash apart of username and password generation
|
||||||
#
|
#
|
||||||
# this is more secure, but if needed you can use traditional username/password below.
|
# this is more secure, but if needed you can use traditional username/password below.
|
||||||
|
|
|
@ -21,9 +21,9 @@ These same values need to be set in conduwuit. See the [example
|
||||||
config](configuration/examples.md) in the TURN section for configuring these and
|
config](configuration/examples.md) in the TURN section for configuring these and
|
||||||
restart conduwuit after.
|
restart conduwuit after.
|
||||||
|
|
||||||
`turn_secret` must be set to your coturn `static-auth-secret`, or use
|
`turn_secret` or a path to `turn_secret_file` must have a value of your
|
||||||
`turn_username` and `turn_password` if using legacy username:password
|
coturn `static-auth-secret`, or use `turn_username` and `turn_password`
|
||||||
TURN authentication (not preferred).
|
if using legacy username:password TURN authentication (not preferred).
|
||||||
|
|
||||||
`turn_uris` must be the list of TURN URIs you would like to send to the client.
|
`turn_uris` must be the list of TURN URIs you would like to send to the client.
|
||||||
Typically you will just replace the example domain `example.turn.uri` with the
|
Typically you will just replace the example domain `example.turn.uri` with the
|
||||||
|
|
|
@ -24,7 +24,7 @@ pub(crate) async fn turn_server_route(
|
||||||
return Err!(Request(NotFound("Not Found")));
|
return Err!(Request(NotFound("Not Found")));
|
||||||
}
|
}
|
||||||
|
|
||||||
let turn_secret = services.globals.turn_secret().clone();
|
let turn_secret = services.globals.turn_secret.clone();
|
||||||
|
|
||||||
let (username, password) = if !turn_secret.is_empty() {
|
let (username, password) = if !turn_secret.is_empty() {
|
||||||
let expiry = SecondsSinceUnixEpoch::from_system_time(
|
let expiry = SecondsSinceUnixEpoch::from_system_time(
|
||||||
|
|
|
@ -194,6 +194,7 @@ pub struct Config {
|
||||||
pub turn_uris: Vec<String>,
|
pub turn_uris: Vec<String>,
|
||||||
#[serde(default)]
|
#[serde(default)]
|
||||||
pub turn_secret: String,
|
pub turn_secret: String,
|
||||||
|
pub turn_secret_file: Option<PathBuf>,
|
||||||
#[serde(default = "default_turn_ttl")]
|
#[serde(default = "default_turn_ttl")]
|
||||||
pub turn_ttl: u64,
|
pub turn_ttl: u64,
|
||||||
|
|
||||||
|
@ -681,12 +682,17 @@ impl fmt::Display for Config {
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
line("TURN secret", {
|
line("TURN secret", {
|
||||||
if self.turn_secret.is_empty() {
|
if self.turn_secret.is_empty() && self.turn_secret_file.is_none() {
|
||||||
"not set"
|
"not set"
|
||||||
} else {
|
} else {
|
||||||
"set"
|
"set"
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
line("TURN secret file path", {
|
||||||
|
self.turn_secret_file
|
||||||
|
.as_ref()
|
||||||
|
.map_or("", |path| path.to_str().unwrap_or_default())
|
||||||
|
});
|
||||||
line("Turn TTL", &self.turn_ttl.to_string());
|
line("Turn TTL", &self.turn_ttl.to_string());
|
||||||
line("Turn URIs", {
|
line("Turn URIs", {
|
||||||
let mut lst = vec![];
|
let mut lst = vec![];
|
||||||
|
|
|
@ -40,6 +40,7 @@ pub struct Service {
|
||||||
pub stateres_mutex: Arc<Mutex<()>>,
|
pub stateres_mutex: Arc<Mutex<()>>,
|
||||||
pub server_user: OwnedUserId,
|
pub server_user: OwnedUserId,
|
||||||
pub admin_alias: OwnedRoomAliasId,
|
pub admin_alias: OwnedRoomAliasId,
|
||||||
|
pub turn_secret: String,
|
||||||
}
|
}
|
||||||
|
|
||||||
type RateLimitState = (Instant, u32); // Time if last failed try, number of failed tries
|
type RateLimitState = (Instant, u32); // Time if last failed try, number of failed tries
|
||||||
|
@ -84,6 +85,17 @@ impl crate::Service for Service {
|
||||||
.collect::<Result<_, String>>()
|
.collect::<Result<_, String>>()
|
||||||
.map_err(|e| err!(Config("ip_range_denylist", e)))?;
|
.map_err(|e| err!(Config("ip_range_denylist", e)))?;
|
||||||
|
|
||||||
|
let turn_secret = config
|
||||||
|
.turn_secret_file
|
||||||
|
.as_ref()
|
||||||
|
.map_or(config.turn_secret.clone(), |path| {
|
||||||
|
std::fs::read_to_string(path).unwrap_or_else(|e| {
|
||||||
|
error!("Failed to read the TURN secret file: {e}");
|
||||||
|
|
||||||
|
config.turn_secret.clone()
|
||||||
|
})
|
||||||
|
});
|
||||||
|
|
||||||
let mut s = Self {
|
let mut s = Self {
|
||||||
db,
|
db,
|
||||||
config: config.clone(),
|
config: config.clone(),
|
||||||
|
@ -99,6 +111,7 @@ impl crate::Service for Service {
|
||||||
.expect("#admins:server_name is valid alias name"),
|
.expect("#admins:server_name is valid alias name"),
|
||||||
server_user: UserId::parse_with_server_name(String::from("conduit"), &config.server_name)
|
server_user: UserId::parse_with_server_name(String::from("conduit"), &config.server_name)
|
||||||
.expect("@conduit:server_name is valid"),
|
.expect("@conduit:server_name is valid"),
|
||||||
|
turn_secret,
|
||||||
};
|
};
|
||||||
|
|
||||||
if !s
|
if !s
|
||||||
|
@ -207,8 +220,6 @@ impl Service {
|
||||||
|
|
||||||
pub fn turn_username(&self) -> &String { &self.config.turn_username }
|
pub fn turn_username(&self) -> &String { &self.config.turn_username }
|
||||||
|
|
||||||
pub fn turn_secret(&self) -> &String { &self.config.turn_secret }
|
|
||||||
|
|
||||||
pub fn allow_profile_lookup_federation_requests(&self) -> bool {
|
pub fn allow_profile_lookup_federation_requests(&self) -> bool {
|
||||||
self.config.allow_profile_lookup_federation_requests
|
self.config.allow_profile_lookup_federation_requests
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue