turn: add TURN server

Makefile

@@ -2,7 +2,7 @@ FORCE_REBUILD ?= 0
 JITSI_RELEASE ?= stable
 JITSI_BUILD ?= latest
 JITSI_REPO ?= jitsi
-JITSI_SERVICES ?= base base-java web prosody jicofo jvb jigasi etherpad jibri
+JITSI_SERVICES ?= base base-java web prosody jicofo jvb jigasi etherpad jibri turn
 
 BUILD_ARGS := --build-arg JITSI_REPO=$(JITSI_REPO)
 ifeq ($(FORCE_REBUILD), 1)

README.md

@@ -47,6 +47,9 @@ If you want to use jibri too, first configure host as described in JItsi BRoadca
 and then run Docker Compose as follows: ``docker-compose -f docker-compose.yml -f jibri.yml up -d``
 or to use jigasi too: ``docker-compose -f docker-compose.yml -f jigasi.yml -f jibri.yml up -d``
 
+If you want to enable TURN server, configure it and run Docker Compose as
+follows: ``docker-compose -f docker-compose.yml -f turn.yml up``
+
 ## Architecture
 
 A Jitsi Meet installation can be broken down into the following components:
@@ -76,6 +79,7 @@ several container images are provided.
 * **jigasi**: [Jigasi], the SIP (audio only) gateway.
 * **etherpad**: [Etherpad], shared document editing addon.
 * **jibri**: [Jibri], the brooadcasting infrastructure.
+* **turn**: [Coturn], the TURN server.
 
 ### Design considerations
 
@@ -344,6 +348,27 @@ Variable | Description | Example
 
 For setting `GOOGLE_APPLICATION_CREDENTIALS` please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section "Before you begin" from 1 to 5 paragraph.
 
+### TURN(S) server
+For enable turn server for P2P and/or JVB connections, please set variables below
+
+Variable | Description | Default value
+--- | --- | ---
+`TURN_ENABLE_P2P` | Use TURN for P2P connections | 0
+`TURN_ENABLE_JVB` | Use TURN for JVB (bridge mode) connections | 0
+`TURN_REALM` | Realm to be used for the users with long-term credentials mechanism or with TURN REST API | realm
+`TURN_SECRET` | Secret for connect to TURN server | keepthissecret
+`TURN_ADMIN_USER` | Username for admin panel | admin
+`TURN_ADMIN_SECRET` | Password for admin panel | changeme
+`TURN_ADMIN_PORT` | HTTP(s) port for acess to admin panel | 8443
+`TURN_TYPE` | Type of TURN(s) (turn/turns) | turns
+`TURN_HOST` | Annonce FQDN or IP address of turn server | 8.8.8.8
+`TURN_PORT` | TLS/TCP/UDP turn port for connection | 5349
+`TURN_TRANSPORT` | transport for turn connection (tcp/udp) | tcp
+`TURN_RTP_MIN` | RTP start port for turn/turns connections | 10000
+`TURN_RTP_MAX` | RTP end port for turn/turns connections | 11000
+
+And add to the variable `GLOBAL_MODULES` string `turncredentials`.
+
 ### Advanced configuration
 
 These configuration options are already set and generally don't need to be changed.
@@ -403,7 +428,6 @@ option.
 ## TODO
 
 * Support container replicas (where applicable).
-* TURN server.
 
 [Jitsi]: https://jitsi.org/
 [Jitsi Meet]: https://jitsi.org/jitsi-meet/
@@ -421,3 +445,4 @@ option.
 [jwt.io]: https://jwt.io/#debugger-io
 [Etherpad]: https://github.com/ether/etherpad-lite
 [Jibri]: https://github.com/jitsi/jibri
+[Coturn]: https://github.com/coturn/coturn

docker-compose.yml

@@ -37,6 +37,8 @@ services:
             - JIBRI_RECORDER_USER
             - JIBRI_RECORDER_PASSWORD
             - ENABLE_RECORDING
+            - TURN_ENABLE_JVB
+            - TURN_ENABLE_JVB
         networks:
             meet.jitsi:
                 aliases:
@@ -99,6 +101,13 @@ services:
             - JWT_TOKEN_AUTH_MODULE
             - LOG_LEVEL
             - TZ
+            - TURN_ENABLE_JVB
+            - TURN_ENABLE_JVB
+            - TURN_SECRET
+            - TURN_TYPE
+            - TURN_HOST
+            - TURN_PORT
+            - TURN_TRANSPORT
         networks:
             meet.jitsi:
                 aliases:

env.example

@@ -294,3 +294,43 @@ JIBRI_LOGS_DIR=/config/logs
 
 # Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443).
 #ENABLE_HTTP_REDIRECT=1
+#
+## Use TURN for P2P connections
+##TURN_ENABLE_P2P=0
+#
+## Use TURN for JVB (bridge mode) connections
+##TURN_ENABLE_JVB=0
+#
+## Realm to be used for the users with long-term credentials mechanism or with TURN REST API
+##TURN_REALM=realm
+#
+## Secret for connect to TURN server
+##TURN_SECRET=keepthissecret
+#
+## Username for admin panel
+##TURN_ADMIN_USER=admin
+#
+## Password for admin panel
+##TURN_ADMIN_SECRET=changeme
+#
+## HTTP(s) port for acess to admin panel
+##TURN_ADMIN_PORT=8443
+#
+## Type of TURN(s)/STUN. Can be turn or turns.
+##TURN_TYPE=turns
+#
+## Annonce FQDN or IP address of turn server
+##TURN_HOST=8.8.8.8
+#
+## TLS/TCP/UDP turn port for connection
+##TURN_PORT=5349
+#
+## Transport for stun/turn connection. Can be tcp or udp.
+##TURN_TRANSPORT=tcp
+#
+## RTP start port for turn/turns connections
+##TURN_RTP_MIN=10000
+#
+## RTP end port for turn/turns connections
+##TURN_RTP_MAX=11000
+#

prosody/Dockerfile

@@ -38,6 +38,10 @@ RUN \
     && apt-cleanup \
     && rm -rf /tmp/usr /var/cache/apt
 
+RUN \
+    curl -4so /prosody-plugins/mod_turncredentials.lua \
+    https://raw.githubusercontent.com/netaskd/mod_turncredentials/master/mod_turncredentials.lua
+
 RUN \
     sed -i s/hook/hook_global/g /prosody-plugins/mod_auth_token.lua \
     && patch -d /usr/lib/prosody/modules/muc -p0 < /prosody-plugins/muc_owner_allow_kick.patch

prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua

@@ -2,6 +2,17 @@ admins = { "{{ .Env.JICOFO_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}" }
 plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }
 http_default_host = "{{ .Env.XMPP_DOMAIN }}"
 
+{{ if or (.Env.TURN_ENABLE_P2P | default "0" | toBool) (.Env.TURN_ENABLE_JVB | default "0" | toBool) }}
+turncredentials_secret = "{{ .Env.TURN_SECRET | default "keepthissecret" }}";
+turncredentials = {
+  { type = "{{ .Env.TURN_TYPE | default "turns" }}",
+    host = "{{ .Env.TURN_HOST | default "8.8.8.8" }}",
+    port = {{ .Env.TURN_PORT | default "3478" }},
+    transport = "{{ .Env.TURN_TRANSPORT | default "tcp" }}"
+  }
+}
+{{ end }}
+
 {{ $ENABLE_AUTH := .Env.ENABLE_AUTH | default "0" | toBool }}
 {{ $AUTH_TYPE := .Env.AUTH_TYPE | default "internal" }}
 {{ $JWT_ASAP_KEYSERVER := .Env.JWT_ASAP_KEYSERVER | default "" }}

turn.yml

@@ -0,0 +1,27 @@
+version: '3'
+
+services:
+    # coturn TURN server project
+    turn:
+        image: jitsi/turn
+        restart: always
+        ports:
+            - '${TURN_PORT}:${TURN_PORT}/tcp'
+            - '${TURN_PORT}:${TURN_PORT}/udp'
+            - '${TURN_RTP_MIN}-${TURN_RTP_MAX}:${TURN_RTP_MIN}-${TURN_RTP_MAX}/udp'
+            - '${TURN_ADMIN_PORT}:${TURN_ADMIN_PORT}/tcp'
+        environment:
+            - TURN_SECRET
+            - TURN_REALM
+            - TURN_ADMIN_USER
+            - TURN_ADMIN_SECRET
+            - TURN_ADMIN_PORT
+            - TURN_TYPE
+            - TURN_HOST
+            - TURN_PORT
+            - TURN_TRANSPORT
+            - TURN_RTP_MIN
+            - TURN_RTP_MAX
+        networks:
+            meet.jitsi:
+

turn/Dockerfile

@@ -0,0 +1,11 @@
+ARG VERSION
+FROM instrumentisto/coturn:${VERSION:-latest}
+
+RUN apk add --no-cache openssl
+
+ADD ./rootfs/defaults/docker-entrypoint.sh /docker-entrypoint.sh
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+EXPOSE 5349 8443 10000:11000/udp
+

turn/Makefile

@@ -0,0 +1,5 @@
+build:
+	docker build $(BUILD_ARGS) -t $(JITSI_REPO)/turn .
+
+.PHONY: build
+

turn/rootfs/defaults/docker-entrypoint.sh

@@ -0,0 +1,38 @@
+#!/bin/ash
+# make certs if not exist
+if [[ ! -f /etc/ssl/cert.crt || ! -f /etc/ssl/cert.key  ]]; then
+  openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 3650 -out certificate.pem -subj "/C=US/ST=NY/L=NY/O=IT/CN=${TURN_HOST}"
+fi
+
+# set coturn admin user
+turnadmin -A -u ${TURN_ADMIN_USER:-admin} -p ${TURN_ADMIN_SECRET:-changeme}
+
+# run coturn server with API auth method enabled.
+turnserver -n \
+--verbose \
+--prod \
+--no-tlsv1 \
+--no-tlsv1_1 \
+--log-file=stdout \
+--listening-port=${TURN_PORT:-5349} \
+--tls-listening-port=${TURN_PORT:-5349} \
+--alt-listening-port=${TURN_PORT:-5349} \
+--alt-tls-listening-port=${TURN_PORT:-5349} \
+--cert=/etc/ssl/cert.crt \
+--pkey=/etc/ssl/cert.key \
+--min-port=${TURN_RTP_MIN:-10000} \
+--max-port=${TURN_RTP_MAX:-11000} \
+--no-stun \
+--use-auth-secret \
+--static-auth-secret=${TURN_SECRET:-keepthissecret} \
+--no-multicast-peers \
+--realm=${TURN_REALM:-realm} \
+--external-ip=$(curl -4k https://icanhazip.com 2>/dev/null) \
+--relay-ip=$(hostname -i) \
+--listening-ip=$(hostname -i) \
+--web-admin \
+--web-admin-ip=$(hostname -i) \
+--web-admin-port=${TURN_ADMIN_PORT:-8443} \
+--no-cli \
+--cli-password=${TURN_ADMIN_SECRET:-changeme}
+

web/rootfs/defaults/config.js

@@ -227,7 +227,7 @@ var config = {
     // minParticipants: 2,
 
     // Use XEP-0215 to fetch STUN and TURN servers.
-    // useStunTurn: true,
+    // useStunTurn: true, //jvb
 
     // Enable IPv6 support.
     // useIPv6: true,
@@ -329,7 +329,7 @@ var config = {
         enabled: true,
 
         // Use XEP-0215 to fetch STUN and TURN servers.
-        // useStunTurn: true,
+        // useStunTurn: true, //p2p
 
         // The STUN servers that will be used in the peer to peer connections
         stunServers: [

web/rootfs/etc/cont-init.d/10-config

@@ -92,6 +92,19 @@ if [[ ! -f /config/config.js ]]; then
              -e "s#// transcribingEnabled:.*#transcribingEnabled: true,#" \
              /config/config.js
     fi
+
+    if [[ $TURN_ENABLE_JVB -eq 1 || "$TURN_ENABLE_JVB" == "true" ]]; then
+        sed -i \
+             -e "s#// useStunTurn:.*, //jvb#useStunTurn: true, //jvb#" \
+             /config/config.js
+    fi
+
+    if [[ $TURN_ENABLE_P2P -eq 1 || "$TURN_ENABLE_P2P" == "true" ]]; then
+        sed -i \
+             -e "s#// useStunTurn:.*, //p2p#useStunTurn: true, //p2p#" \
+             /config/config.js
+    fi
+
 fi
 
 if [[ ! -f /config/interface_config.js ]]; then