Merge pull request #163 from screego/docker

Add docker docs & remove turn strict auth

config/config.go

@@ -45,9 +45,8 @@ type Config struct {
 	Secret                []byte `split_words:"true"`
 	SessionTimeoutSeconds int    `default:"0" split_words:"true"`
 
-	TurnAddress    string `default:":3478" required:"true" split_words:"true"`
-	TurnStrictAuth bool   `default:"true" split_words:"true"`
-	TurnPortRange  string `split_words:"true"`
+	TurnAddress   string `default:":3478" required:"true" split_words:"true"`
+	TurnPortRange string `split_words:"true"`
 
 	TurnExternalIP     []string `split_words:"true"`
 	TurnExternalPort   string   `default:"3478" split_words:"true"`
@@ -217,10 +216,18 @@ func Get() (Config, []FutureLog) {
 			Msg:   "Less than 40 ports are available for turn. When using multiple TURN connections this may not be enough",
 		})
 	}
+	logs = append(logs, logDeprecated()...)
 
 	return config, logs
 }
 
+func logDeprecated() []FutureLog {
+	if os.Getenv("SCREEGO_TURN_STRICT_AUTH") != "" {
+		return []FutureLog{{Level: zerolog.WarnLevel, Msg: "The setting SCREEGO_TURN_STRICT_AUTH has been removed."}}
+	}
+	return nil
+}
+
 func getExecutableOrWorkDir() (string, *FutureLog) {
 	dir, err := getExecutableDir()
 	// when using `go run main.go` the executable lives in th temp directory therefore the env.development

docs/install.md

@@ -2,7 +2,7 @@
 
 Latest Version: **GITHUB_VERSION**
 
-?> Before starting Screego you may read [Configuration](config.md).
+Before starting Screego you may read [Configuration](config.md).
 
 !> TLS is required for Screego to work. Either enable TLS inside Screego or 
    use a reverse proxy to serve Screego via TLS.
@@ -16,26 +16,16 @@ Setting up Screego with docker is pretty easy, you basically just have to start
 docker images are multi-arch docker images.
 This means the image will work for `amd64`, `i386`, `ppc64le` (power pc), `arm64`, `armv7` (Raspberry PI) and `armv6`.
 
-When using [TURN](nat-traversal.md), Screego will allocate ports for relay
-connections, this currently only works with network mode host inside docker.
-See [#56](https://github.com/screego/server/issues/56)
-
 By default, Screego runs on port 5050.
 
 ?> Replace `EXTERNALIP` with your external IP. One way to find your external ip is with ipify.
-
-   ```bash
-   $ curl 'https://api.ipify.org'
-   ```
-
-### Network Host
+   `curl 'https://api.ipify.org'`
 
 ```bash
 $ docker run --net=host -e SCREEGO_EXTERNAL_IP=EXTERNALIP ghcr.io/screego/server:GITHUB_VERSION
 ```
 
-#### docker-compose.yml
-
+**docker-compose.yml**
 ```yaml
 version: "3.7"
 services:
@@ -46,6 +36,40 @@ services:
       SCREEGO_EXTERNAL_IP: "EXTERNALIP"
 ```
 
+If you don't want to use the host network, then you can configure docker like this:
+
+<details><summary>(Click to expand)</summary>
+<p>
+
+```bash
+$ docker run -it \
+    -e SCREEGO_EXTERNAL_IP=EXTERNALIP \
+    -e SCREEGO_TURN_PORT_RANGE=50000:50200 \
+    -p 5050:5050 \
+    -p 3478:3478 \
+    -p 50000-50100:50000-50200/udp \
+    screego/server:GITHUB_VERSION
+```
+
+#### docker-compose.yml
+
+```yml
+version: "3.7"
+services:
+  screego:
+    image: ghcr.io/screego/server:GITHUB_VERSION
+    ports:
+      - 5050:5050
+      - 3478:3478
+      - 50000-50100:50000-50200/udp
+    environment:
+      SCREEGO_EXTERNAL_IP: "192.168.178.2"
+      SCREEGO_TURN_PORT_RANGE: "50000:50200"
+```
+
+</p>
+</details>
+
 ## Binary
 
 ### Supported Platforms:

screego.config.development

@@ -2,4 +2,3 @@ SCREEGO_SECRET=secure
 SCREEGO_LOG_LEVEL=debug
 SCREEGO_CORS_ALLOWED_ORIGINS=http://localhost:3000
 SCREEGO_USERS_FILE=./users
-SCREEGO_TURN_STRICT_AUTH=false

screego.config.example

@@ -40,12 +40,6 @@ SCREEGO_TURN_ADDRESS=0.0.0.0:3478
 #   50000:55000
 SCREEGO_TURN_PORT_RANGE=
 
-# If true, the TURN server will compare the remote IP of the request with the
-# remote ip of the existing WebSocket connection and deny access if it doesn't
-# match. Disable this feature, if you use some kind of proxy which changes the
-# remote ip.
-SCREEGO_TURN_STRICT_AUTH=true
-
 # If set, screego will not start TURN server and instead use an external TURN server.
 # When using a dual stack setup define both IPv4 & IPv6 separated by a comma.
 # Execute the following command on the server where you host TURN server

turn/server.go

@@ -22,9 +22,8 @@ type Server interface {
 }
 
 type InternalServer struct {
-	lock       sync.RWMutex
-	strictAuth bool
-	lookup     map[string]Entry
+	lock   sync.RWMutex
+	lookup map[string]Entry
 }
 
 type ExternalServer struct {
@@ -92,10 +91,7 @@ func newInternalServer(conf config.Config) (Server, error) {
 		return nil, fmt.Errorf("tcp: could not listen on %s: %s", conf.TurnAddress, err)
 	}
 
-	svr := &InternalServer{
-		lookup:     map[string]Entry{},
-		strictAuth: conf.TurnStrictAuth,
-	}
+	svr := &InternalServer{lookup: map[string]Entry{}}
 
 	gen := &Generator{
 		RelayAddressGenerator: generator(conf),
@@ -153,16 +149,6 @@ func (a *InternalServer) authenticate(username, realm string, addr net.Addr) ([]
 	a.lock.RLock()
 	defer a.lock.RUnlock()
 
-	var connectedIP net.IP
-	switch addr := addr.(type) {
-	case *net.UDPAddr:
-		connectedIP = addr.IP
-	case *net.TCPAddr:
-		connectedIP = addr.IP
-	default:
-		log.Error().Interface("type", fmt.Sprintf("%T", addr)).Msg("unknown addr type")
-		return nil, false
-	}
 	entry, ok := a.lookup[username]
 
 	if !ok {
@@ -170,13 +156,6 @@ func (a *InternalServer) authenticate(username, realm string, addr net.Addr) ([]
 		return nil, false
 	}
 
-	authIP := entry.addr
-
-	if a.strictAuth && !connectedIP.Equal(authIP) {
-		log.Debug().Interface("allowedIp", addr.String()).Interface("connectingIp", entry.addr.String()).Msg("TURN strict auth check failed")
-		return nil, false
-	}
-
 	log.Debug().Interface("addr", addr.String()).Str("realm", realm).Msg("TURN authenticated")
 	return entry.password, true
 }