Add SCREEGO_TURN_STRICT_AUTH

Jannis Mattheis
2020-10-23 12:22:33 +02:00
parent 718e6f2e83
commit 74a37fc591
2 changed files with 19 additions and 22 deletions
+6
@@ -27,6 +27,12 @@ SCREEGO_TURN_ADDRESS=0.0.0.0:3478
# 50000:55000
SCREEGO_TURN_PORT_RANGE=
# If true, the TURN server will compare the remote IP of the request with the
# remote ip of the existing WebSocket connection and deny access if it doesn't
# match. Disable this feature, if you use some kind of proxy which changes the
# remote ip.
SCREEGO_TURN_STRICT_AUTH=true
# If reverse proxy headers should be trusted.
# Screego uses ip whitelisting for authentication
# of TURN connections. When behind a proxy the ip is always the proxy server.
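Review bot: The new comment above SCREEGO_TURN_STRICT_AUTH explains what the check does but not what remains when it is turned off; in the accompanying authenticate() change a false value skips the address comparison entirely, so the TURN credentials become the only gate. The lines that follow still say Screego uses IP whitelisting for TURN authentication, which no longer holds when the option is false. Suggest appending `# When disabled, no IP comparison is performed and the TURN credentials alone grant relay access.` directly above the setting so an operator sees the trade-off before changing it.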
+13 -22
@@ -12,11 +12,11 @@ import (
)
type Server struct {
TurnAddress string
StunAddress string
lock sync.RWMutex
strictIPCheck bool
lookup map[string]Entry
TurnAddress string
StunAddress string
lock sync.RWMutex
strictAuth bool
lookup map[string]Entry
}
type Entry struct {
@@ -50,10 +50,10 @@ func Start(conf config.Config) (*Server, error) {
split := strings.SplitN(conf.TurnAddress, ":", 2)
svr := &Server{
TurnAddress: fmt.Sprintf("turn:%s:%s", conf.ExternalIP, split[1]),
StunAddress: fmt.Sprintf("stun:%s:%s", conf.ExternalIP, split[1]),
lookup: map[string]Entry{},
strictIPCheck: conf.TurnStrictAuth,
TurnAddress: fmt.Sprintf("turn:%s:%s", conf.ExternalIP, split[1]),
StunAddress: fmt.Sprintf("stun:%s:%s", conf.ExternalIP, split[1]),
lookup: map[string]Entry{},
strictAuth: conf.TurnStrictAuth,
}
loggedGenerator := &LoggedGenerator{RelayAddressGenerator: generator(conf)}
@@ -132,20 +132,11 @@ func (a *Server) authenticate(username, realm string, addr net.Addr) ([]byte, bo
authIP := entry.addr
if !connectedIp.Equal(authIP) {
if a.strictIPCheck {
log.Debug().Interface("allowedIp", addr.String()).Interface("connectingIp", entry.addr.String()).Msg("TURN strict ip check failed")
return nil, false
}
conIPIsV4 := connectedIp.To4() != nil
authIPIsV4 := authIP.To4() != nil
if authIPIsV4 == conIPIsV4 {
log.Debug().Interface("allowedIp", addr.String()).Interface("connectingIp", entry.addr.String()).Msg("TURN ip check failed")
return nil, false
}
if a.strictAuth && !connectedIp.Equal(authIP) {
log.Debug().Interface("allowedIp", addr.String()).Interface("connectingIp", entry.addr.String()).Msg("TURN strict auth check failed")
return nil, false
}
log.Debug().Interface("addr", addr.String()).Str("realm", realm).Msg("TURN authenticated")
return entry.password, true
}
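Review bot: The log call on the new strict-auth line appears to have its labels swapped: `allowedIp` is given `addr.String()`, the address of the incoming request that `connectedIp` is derived from, while `connectingIp` is given `entry.addr.String()`, which is the address stored at authorization time (`authIP := entry.addr`). If that reading is right the debug line misleads anyone diagnosing a rejected client; suggest `log.Debug().Str("allowedIp", authIP.String()).Str("connectingIp", connectedIp.String()).Msg("TURN strict auth check failed")`. The same labelling was on the removed line, so it is not introduced here, but this rewrite is the place to correct it. Note also that with strictAuth false the function now performs no address comparison at all, whereas the removed code still rejected a mismatch within the same address family, so the credential lookup alone decides access in that mode. authenticate's signature and the derivation of connectedIp lie outside the hunk.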