diff --git a/ChangeLog b/ChangeLog
index 8a5767b3..a1a360d4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,45 @@ -27/09/2018 Oleg Moskalenko Mihály Mészáros -Version 4.5.0.9 'dan Eider': +24/11/2018 Oleg Moskalenko Mihály Mészáros +Version 4.5.1.0 'dan Eider': + Consider to change config file after upgrade, because it contains some + not backward compatible breaking changes !! + - Security fixes + Many thanks to Nicolas Edet (Cisco) !! + who reported all of the following issues: + * DB/SQL injection in stun realm. Fix: add extra string validation. + * DB/SQL injection in web-admin interface lack of admin user validation. + Fix: add extra string validation. + * Fix for earlier unsafe default settings: + o HTTPS administrator interface should be disabled by default + It could be enbled with "web-admin" option. + o Default configuration allowed earlier forwarding traffic + from an external interface to loopback interface. Now it + has been changed and option name is also changed! + + !!BREAKING change!! Don't forget to change config!! + "no-loopback-peers" replaced by "allow-loopback-peers" + + o Unauthenticated telnet admin interface runs on the + loopback interface, which can be accessed by exploiting the + loopback relay that was enabled by default. + * Add username string sanity check on web admin interface to + avoid any sql-injection attacks. + - Admin portal does not list TCP session ( reported and fixed by Nicolas Edet ) + - Fix memory leak in read_config_file (by Thibaut Ackermann) + - Add a release helper script. + - Web Admin interface use own listener (it is disableb by default) (by Thibaut ACKERMANN) + + !!BREAKING change!! Don't forget to change/review config!! + + * Add new option "web-admin-ip" to set listener ip. By default (127.0.0.1) + * Add new option "web-admin-port" to set webadmin listen port + * Add new option "web-admin-listen-on-workers" to change back to earlier + behaviour and listen web admin on all worker processes and ports. + - Not allow to start server if "allow-loopback-peers" set without "cli-password" + + !!BREAKING change!! 
Don't forget to change config!! + + Added a warning if cli-password is empty or missing, but allow-loopback-peers + set, and so loopback allocation is enalbed. 27/09/2018 Oleg Moskalenko Mihály Mészáros Version 4.5.0.8 'dan Eider': diff --git a/Makefile b/Makefile deleted file mode 100644 index a01e8052..00000000 --- a/Makefile +++ /dev/null 
@@ -1,261 +0,0 @@ -################################# -# Generated by configure script # -################################# -ECHO_CMD = echo -CC = cc -LDFLAGS += -L/usr/local/lib/ -L/usr/local/lib/ -lrt -lintl -pthread -lcrypto -lssl -levent_core -levent_extra -levent_openssl -levent_pthreads -lsqlite3 -Wl,-rpath,/usr/local/lib/ -Wl,-rpath,/usr/local/lib/ -Wl,-rpath,/usr/local/lib/postgresql -Wl,-rpath,/usr/local/lib/postgresql -Wl,-rpath,/usr/local/lib/mysql -Wl,-rpath,/usr/local/lib/mysql -Wl,-rpath,/usr/local/lib -DBLIBS += -lsqlite3 -L/usr/local/lib/ -L/usr/local/lib/ -lrt -lintl -pthread -lcrypto -lssl -levent_core -levent_extra -levent_openssl -levent_pthreads -lsqlite3 -L/usr/local/lib/postgresql -L/usr/local/lib/postgresql -lpq -L/usr/local/lib/ -L/usr/local/lib/ -lrt -lintl -pthread -lcrypto -lssl -levent_core -levent_extra -levent_openssl -levent_pthreads -lsqlite3 -L/usr/local/lib/mysql -L/usr/local/lib/mysql -lmysqlclient -lmongoc-1.0 -lbson-1.0 -lhiredis -CFLAGS += -g -Wall -Wno-deprecated-declarations -Wextra -Wformat-security -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wcast-qual -I/usr/local/include -I/usr/local/include/ -I/usr/local/include -DTURN_HAS_SIN_LEN -DTURN_HAS_DAEMON -DTURN_SCTP_INCLUDE="" -DINSTALL_PREFIX=/usr/local -DTURNDB=/usr/local/var/db/turndb -CPPFLAGS = -DBCFLAGS += -I/usr/local/pgsql/include -I/usr/local/include/pgsql/ -I/usr/local/include/postgres/ -I/usr/local/postgres/include/ -I/usr/local/include/postgresql/ -I/usr/local/postgresql/include/ -I/usr/local/pgsql/include -I/usr/local/include/pgsql/ -I/usr/local/include/postgres/ -I/usr/local/postgres/include/ -I/usr/local/include/postgresql/ -I/usr/local/postgresql/include/ -I/usr/pgsql/include -I/usr/include/pgsql/ -I/usr/include/postgres/ -I/usr/postgres/include/ -I/usr/include/postgresql/ -I/usr/postgresql/include/ -I/usr/local/mysql/include -I/usr/local/include/mysql/ -I/usr/local/mysql/include -I/usr/local/include/mysql/ -I/usr/mysql/include 
-I/usr/include/mysql/ -I/usr/local/include/libmongoc-1.0 -I/usr/local/include/libbson-1.0 -I/usr/local/include/libmongoc-1.0 -I/usr/local/include/libbson-1.0 -I/usr/local/include/hiredis -I/usr/local/include/hiredis -# -PORTNAME = turnserver -PREFIX = /usr/local -prefix = /usr/local -BINDIR = /usr/local/bin -bindir = /usr/local/bin -LOCALSTATEDIR = /usr/local/var -localstatedir = /usr/local/var -TURNDBDIR = /usr/local/var/db -turndbdir = /usr/local/var/db -CONFDIR = /usr/local/etc -confdir = /usr/local/etc -MANPREFIX = /usr/local -manprefix = /usr/local -EXAMPLESDIR = /usr/local/share/examples/turnserver -examplesdir = /usr/local/share/examples/turnserver -DOCSDIR = /usr/local/share/doc/turnserver -docsdir = /usr/local/share/doc/turnserver -LIBDIR = /usr/local/lib -libdir = /usr/local/lib -SCHEMADIR = /usr/local/share/turnserver -schemadir = /usr/local/share/turnserver -INCLUDEDIR = /usr/local/include -includedir = /usr/local/include -TURNINCLUDEDIR = /usr/local/include/turn -turnincludedir = /usr/local/include/turn -# -ARCHIVERCMD = ar -r -MKDIR = install -d -SQLITE_CMD = sqlite3 -INSTALL_PROGRAM = install -PKILL_PROGRAM = pkill -INSTALL_MAN = install -INSTALL_SCRIPT = install -INSTALL_SHARED_LIB = install -INSTALL_STATIC_LIB = install -INSTALL_DATA = install -INSTALL_DIR = cp -rpf -MKBUILDDIR = mkdir -p -RMCMD = rm -rf -MORECMD = cat -LDCONFIG=ldconfig -m -################################ - - -LIBEVENT_INCLUDE = -I${PREFIX}/include/ -I/usr/local/include/ - -INCFLAGS = -Isrc -Isrc/apps/common -Isrc/server -Isrc/client -Isrc/client++ ${LIBEVENT_INCLUDE} - -CFLAGS += ${INCFLAGS} - -MAKE_DEPS = Makefile - -LIBCLIENTTURN_HEADERS = src/ns_turn_defs.h src/client++/TurnMsgLib.h src/client/ns_turn_ioaddr.h src/client/ns_turn_msg.h src/client/ns_turn_msg_defs.h src/client/ns_turn_msg_defs_experimental.h src/client/ns_turn_msg_addr.h -LIBCLIENTTURN_MODS = src/client/ns_turn_ioaddr.c src/client/ns_turn_msg_addr.c src/client/ns_turn_msg.c -LIBCLIENTTURN_DEPS = 
${LIBCLIENTTURN_HEADERS} ${MAKE_DEPS} -LIBCLIENTTURN_OBJS = build/obj/ns_turn_ioaddr.o build/obj/ns_turn_msg_addr.o build/obj/ns_turn_msg.o - -SERVERTURN_HEADERS = src/server/ns_turn_allocation.h src/server/ns_turn_ioalib.h src/server/ns_turn_khash.h src/server/ns_turn_maps_rtcp.h src/server/ns_turn_maps.h src/server/ns_turn_server.h src/server/ns_turn_session.h -SERVERTURN_DEPS = ${LIBCLIENTTURN_HEADERS} ${SERVERTURN_HEADERS} ${MAKE_DEPS} -SERVERTURN_MODS = ${LIBCLIENTTURN_MODS} src/server/ns_turn_allocation.c src/server/ns_turn_maps_rtcp.c src/server/ns_turn_maps.c src/server/ns_turn_server.c - -COMMON_HEADERS = src/apps/common/apputils.h src/apps/common/ns_turn_openssl.h src/apps/common/ns_turn_utils.h src/apps/common/stun_buffer.h -COMMON_MODS = src/apps/common/apputils.c src/apps/common/ns_turn_utils.c src/apps/common/stun_buffer.c -COMMON_DEPS = ${LIBCLIENTTURN_DEPS} ${COMMON_MODS} ${COMMON_HEADERS} - -IMPL_HEADERS = src/apps/relay/ns_ioalib_impl.h src/apps/relay/ns_sm.h src/apps/relay/turn_ports.h -IMPL_MODS = src/apps/relay/ns_ioalib_engine_impl.c src/apps/relay/turn_ports.c src/apps/relay/http_server.c -IMPL_DEPS = ${COMMON_DEPS} ${IMPL_HEADERS} ${IMPL_MODS} - -HIREDIS_HEADERS = src/apps/common/hiredis_libevent2.h -HIREDIS_MODS = src/apps/common/hiredis_libevent2.c - -USERDB_HEADERS = src/apps/relay/dbdrivers/dbdriver.h src/apps/relay/dbdrivers/dbd_sqlite.h src/apps/relay/dbdrivers/dbd_pgsql.h src/apps/relay/dbdrivers/dbd_mysql.h src/apps/relay/dbdrivers/dbd_mongo.h src/apps/relay/dbdrivers/dbd_redis.h -USERDB_MODS = src/apps/relay/dbdrivers/dbdriver.c src/apps/relay/dbdrivers/dbd_sqlite.c src/apps/relay/dbdrivers/dbd_pgsql.c src/apps/relay/dbdrivers/dbd_mysql.c src/apps/relay/dbdrivers/dbd_mongo.c src/apps/relay/dbdrivers/dbd_redis.c - -SERVERAPP_HEADERS = src/apps/relay/userdb.h src/apps/relay/tls_listener.h src/apps/relay/mainrelay.h src/apps/relay/turn_admin_server.h src/apps/relay/dtls_listener.h src/apps/relay/libtelnet.h ${HIREDIS_HEADERS} 
${USERDB_HEADERS} -SERVERAPP_MODS = src/apps/relay/mainrelay.c src/apps/relay/netengine.c src/apps/relay/libtelnet.c src/apps/relay/turn_admin_server.c src/apps/relay/userdb.c src/apps/relay/tls_listener.c src/apps/relay/dtls_listener.c ${HIREDIS_MODS} ${USERDB_MODS} -SERVERAPP_DEPS = ${SERVERTURN_MODS} ${SERVERTURN_DEPS} ${SERVERAPP_MODS} ${SERVERAPP_HEADERS} ${COMMON_DEPS} ${IMPL_DEPS} lib/libturnclient.a - -TURN_BUILD_RESULTS = bin/turnutils_oauth bin/turnutils_natdiscovery bin/turnutils_stunclient bin/turnutils_rfc5769check bin/turnutils_uclient bin/turnserver bin/turnutils_peer lib/libturnclient.a include/turn/ns_turn_defs.h sqlite_empty_db - -.PHONY: all test check clean distclean sqlite_empty_db install deinstall uninstall reinstall - -all: ${TURN_BUILD_RESULTS} - -test: check - -check: bin/turnutils_rfc5769check - bin/turnutils_rfc5769check - -include/turn/ns_turn_defs.h: src/ns_turn_defs.h - ${RMCMD} include - ${MKBUILDDIR} include/turn/client - cp -pf src/client/*.h include/turn/client/ - cp -pf src/client++/*.h include/turn/client/ - cp -pf src/ns_turn_defs.h include/turn/ - -bin/turnutils_uclient: ${COMMON_DEPS} src/apps/uclient/session.h lib/libturnclient.a src/apps/uclient/mainuclient.c src/apps/uclient/uclient.c src/apps/uclient/uclient.h src/apps/uclient/startuclient.c src/apps/uclient/startuclient.h - ${MKBUILDDIR} bin - ${CC} ${CPPFLAGS} ${CFLAGS} src/apps/uclient/uclient.c src/apps/uclient/startuclient.c src/apps/uclient/mainuclient.c ${COMMON_MODS} -o $@ -Llib -lturnclient -Llib ${LDFLAGS} - -bin/turnutils_natdiscovery: ${COMMON_DEPS} lib/libturnclient.a src/apps/natdiscovery/natdiscovery.c - pwd - ${MKBUILDDIR} bin - ${CC} ${CPPFLAGS} ${CFLAGS} src/apps/natdiscovery/natdiscovery.c ${COMMON_MODS} -o $@ -Llib -lturnclient -Llib ${LDFLAGS} - -bin/turnutils_oauth: ${COMMON_DEPS} lib/libturnclient.a src/apps/oauth/oauth.c - pwd - ${MKBUILDDIR} bin - ${CC} ${CPPFLAGS} ${CFLAGS} src/apps/oauth/oauth.c ${COMMON_MODS} -o $@ -Llib -lturnclient -Llib 
${LDFLAGS} - -bin/turnutils_stunclient: ${COMMON_DEPS} lib/libturnclient.a src/apps/stunclient/stunclient.c - pwd - ${MKBUILDDIR} bin - ${CC} ${CPPFLAGS} ${CFLAGS} src/apps/stunclient/stunclient.c ${COMMON_MODS} -o $@ -Llib -lturnclient -Llib ${LDFLAGS} - -bin/turnutils_rfc5769check: ${COMMON_DEPS} lib/libturnclient.a src/apps/rfc5769/rfc5769check.c - pwd - ${MKBUILDDIR} bin - ${CC} ${CPPFLAGS} ${CFLAGS} src/apps/rfc5769/rfc5769check.c ${COMMON_MODS} -o $@ -Llib -lturnclient -Llib ${LDFLAGS} - -bin/turnserver: ${SERVERAPP_DEPS} - ${MKBUILDDIR} bin - ${RMCMD} bin/turnadmin - ${CC} ${CPPFLAGS} ${CFLAGS} ${DBCFLAGS} ${IMPL_MODS} -Ilib ${SERVERAPP_MODS} ${COMMON_MODS} ${SERVERTURN_MODS} -o $@ ${DBLIBS} ${LDFLAGS} - cd bin; ln -s turnserver turnadmin - -bin/turnutils_peer: ${COMMON_DEPS} ${LIBCLIENTTURN_MODS} ${LIBCLIENTTURN_DEPS} lib/libturnclient.a src/apps/peer/mainudpserver.c src/apps/peer/udpserver.h src/apps/peer/udpserver.c - ${MKBUILDDIR} bin - ${CC} ${CPPFLAGS} ${CFLAGS} src/apps/peer/mainudpserver.c src/apps/peer/udpserver.c ${COMMON_MODS} -o $@ -Llib -lturnclient -Llib ${LDFLAGS} - -### Client Library: - -lib/libturnclient.a: ${LIBCLIENTTURN_OBJS} ${LIBCLIENTTURN_DEPS} - ${MKBUILDDIR} lib - ${ARCHIVERCMD} $@ ${LIBCLIENTTURN_OBJS} - -build/obj/ns_turn_ioaddr.o: src/client/ns_turn_ioaddr.c ${LIBCLIENTTURN_DEPS} - ${MKBUILDDIR} build/obj - ${CC} ${CPPFLAGS} ${CFLAGS} -c src/client/ns_turn_ioaddr.c -o $@ - -build/obj/ns_turn_msg_addr.o: src/client/ns_turn_msg_addr.c ${LIBCLIENTTURN_DEPS} - ${MKBUILDDIR} build/obj - ${CC} ${CPPFLAGS} ${CFLAGS} -c src/client/ns_turn_msg_addr.c -o $@ - -build/obj/ns_turn_msg.o: src/client/ns_turn_msg.c ${LIBCLIENTTURN_DEPS} - ${MKBUILDDIR} build/obj - ${CC} ${CPPFLAGS} ${CFLAGS} -c src/client/ns_turn_msg.c -o $@ - -### Clean all: - -clean: - ${RMCMD} bin build lib obj *bak *~ */*~ */*/*~ */*/*/*~ *core */*core */*/*core include tmp sqlite - -distclean: clean - ${RMCMD} Makefile - -### SQLite empty database: -sqlite_empty_db : 
sqlite/turndb - -sqlite/turndb : turndb/schema.sql - ${MKDIR} sqlite - ${RMCMD} sqlite/turndb - ${SQLITE_CMD} sqlite/turndb < turndb/schema.sql - -### Install all: - -install: all ${MAKE_DEPS} - ${MKDIR} ${DESTDIR}${PREFIX} - ${MKDIR} ${DESTDIR}${BINDIR} - ${MKDIR} ${DESTDIR}${TURNDBDIR} - ${MKDIR} ${DESTDIR}${MANPREFIX}/man/man1 - ${MKDIR} ${DESTDIR}${CONFDIR} - ${MKDIR} ${DESTDIR}${LIBDIR} - ${MKDIR} ${DESTDIR}${EXAMPLESDIR} - ${MKDIR} ${DESTDIR}${DOCSDIR} - ${MKDIR} ${DESTDIR}${SCHEMADIR} - ${MKDIR} ${DESTDIR}${TURNINCLUDEDIR} - ${INSTALL_PROGRAM} bin/turnserver ${DESTDIR}${BINDIR} - ${INSTALL_PROGRAM} bin/turnadmin ${DESTDIR}${BINDIR} - ${INSTALL_PROGRAM} bin/turnutils_uclient ${DESTDIR}${BINDIR} - ${INSTALL_PROGRAM} bin/turnutils_peer ${DESTDIR}${BINDIR} - ${INSTALL_PROGRAM} bin/turnutils_stunclient ${DESTDIR}${BINDIR} - ${INSTALL_PROGRAM} bin/turnutils_oauth ${DESTDIR}${BINDIR} - ${INSTALL_PROGRAM} bin/turnutils_natdiscovery ${DESTDIR}${BINDIR} - ${INSTALL_MAN} man/man1/turnserver.1 ${DESTDIR}${MANPREFIX}/man/man1/ - ${INSTALL_MAN} man/man1/turnadmin.1 ${DESTDIR}${MANPREFIX}/man/man1/ - ${INSTALL_MAN} man/man1/turnutils.1 ${DESTDIR}${MANPREFIX}/man/man1/ - ${INSTALL_MAN} man/man1/turnutils_uclient.1 ${DESTDIR}${MANPREFIX}/man/man1/ - ${INSTALL_MAN} man/man1/turnutils_stunclient.1 ${DESTDIR}${MANPREFIX}/man/man1/ - ${INSTALL_MAN} man/man1/turnutils_oauth.1 ${DESTDIR}${MANPREFIX}/man/man1/ - ${INSTALL_MAN} man/man1/turnutils_natdiscovery.1 ${DESTDIR}${MANPREFIX}/man/man1/ - ${INSTALL_MAN} man/man1/turnutils_peer.1 ${DESTDIR}${MANPREFIX}/man/man1/ - ${INSTALL_MAN} man/man1/coturn.1 ${DESTDIR}${MANPREFIX}/man/man1/ - ${INSTALL_STATIC_LIB} lib/libturnclient.a ${DESTDIR}${LIBDIR} - ${INSTALL_DATA} LICENSE ${DESTDIR}${DOCSDIR} - ${INSTALL_DATA} README.turnserver ${DESTDIR}${DOCSDIR} - ${INSTALL_DATA} README.turnadmin ${DESTDIR}${DOCSDIR} - ${INSTALL_DATA} README.turnutils ${DESTDIR}${DOCSDIR} - ${INSTALL_DATA} INSTALL ${DESTDIR}${DOCSDIR} - ${INSTALL_DATA} 
postinstall.txt ${DESTDIR}${DOCSDIR} - ${INSTALL_DATA} turndb/schema.sql ${DESTDIR}${DOCSDIR} - ${INSTALL_DATA} turndb/schema.sql ${DESTDIR}${SCHEMADIR} - ${INSTALL_DATA} turndb/schema.mongo.sh ${DESTDIR}${DOCSDIR} - ${INSTALL_DATA} turndb/schema.mongo.sh ${DESTDIR}${SCHEMADIR} - ${INSTALL_DATA} turndb/testredisdbsetup.sh ${DESTDIR}${SCHEMADIR} - ${INSTALL_DATA} turndb/testmongosetup.sh ${DESTDIR}${SCHEMADIR} - ${INSTALL_DATA} turndb/testsqldbsetup.sql ${DESTDIR}${SCHEMADIR} - ${INSTALL_DATA} turndb/schema.userdb.redis ${DESTDIR}${DOCSDIR} - ${INSTALL_DATA} turndb/schema.userdb.redis ${DESTDIR}${SCHEMADIR} - ${INSTALL_DATA} turndb/schema.stats.redis ${DESTDIR}${DOCSDIR} - ${INSTALL_DATA} turndb/schema.stats.redis ${DESTDIR}${SCHEMADIR} - if [ -f sqlite/turndb ] ; then ${INSTALL_DATA} sqlite/turndb ${DESTDIR}${TURNDBDIR}/turndb; fi - ${INSTALL_DATA} examples/etc/turnserver.conf ${DESTDIR}${CONFDIR}/turnserver.conf.default - ${INSTALL_DIR} examples/etc ${DESTDIR}${EXAMPLESDIR} - ${INSTALL_DIR} examples/scripts ${DESTDIR}${EXAMPLESDIR} - ${RMCMD} ${DESTDIR}${EXAMPLESDIR}/scripts/rfc5769.sh - ${INSTALL_DIR} include/turn/client ${DESTDIR}${TURNINCLUDEDIR} - ${INSTALL_DATA} include/turn/ns_turn_defs.h ${DESTDIR}${TURNINCLUDEDIR} - ${MORECMD} ${DESTDIR}${DOCSDIR}/postinstall.txt - -deinstall: ${MAKE_DEPS} - ${PKILL_PROGRAM} turnserver || ${ECHO_CMD} OK - ${RMCMD} ${DESTDIR}${TURNDBDIR}/turndb - ${RMCMD} ${DESTDIR}${DOCSDIR} - ${RMCMD} ${DESTDIR}${SCHEMADIR} - ${RMCMD} ${DESTDIR}${BINDIR}/turnserver - ${RMCMD} ${DESTDIR}${BINDIR}/turnadmin - ${RMCMD} ${DESTDIR}${BINDIR}/turnutils_peer - ${RMCMD} ${DESTDIR}${BINDIR}/turnutils_uclient - ${RMCMD} ${DESTDIR}${BINDIR}/turnutils_stunclient - ${RMCMD} ${DESTDIR}${BINDIR}/turnutils_oauth - ${RMCMD} ${DESTDIR}${BINDIR}/turnutils_natdiscovery - ${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnserver.1 - ${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnadmin.1 - ${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnutils.1 - ${RMCMD} 
${DESTDIR}${MANPREFIX}/man/man1/turnutils_uclient.1 - ${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnutils_stunclient.1 - ${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnutils_oauth.1 - ${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnutils_natdiscovery.1 - ${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnutils_peer.1 - ${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/coturn.1 - ${RMCMD} ${DESTDIR}${LIBDIR}/libturnclient.a - ${RMCMD} ${DESTDIR}${EXAMPLESDIR} - ${RMCMD} ${DESTDIR}${CONFDIR}/turnserver.conf.default - ${RMCMD} ${DESTDIR}${TURNINCLUDEDIR} - -uninstall: deinstall - -reinstall: deinstall install diff --git a/README.turnserver b/README.turnserver index 465fcd0c..cb764c01 100644 --- a/README.turnserver +++ b/README.turnserver @@ -234,7 +234,11 @@ Flags: --no-stun Run as TURN server only, all STUN requests will be ignored. Option to suppress STUN functionality, only TURN requests will be processed. ---no-loopback-peers Disallow peers on the loopback addresses (127.x.x.x and ::1). +--allow-loopback-peers Allow peers on the loopback addresses (127.x.x.x and ::1). + Allow it only for testing in a development environment! + In production it adds a possible security vulnerability, + and so due to security reasons, it is not allowed + using it together with empty cli-password. --no-multicast-peers Disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*). 
@@ -552,6 +556,15 @@ Options with values: --cli-max-output-sessions Maximum number of output sessions in ps CLI command. This value can be changed on-the-fly in CLI. The default value is 256. +--web-admin Enable Turn Web-admin support. By default it is disabled. + +--web-admin-ip= Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1. + +--web-admin-port= Web-admin server port. Default is 8080. +--web-admin-listen-on-workers Enable for web-admin server to listens on STUN/TURN workers STUN/TURN ports. + By default it is disabled for security resons! + (This beahvior used to be the default bahavior, and was enabled by default.) + --ne=[1|2|3] Set network engine type for the process (for internal purposes). ================================== diff --git a/examples/cpu-mem.sh b/examples/cpu-mem.sh new file mode 100755 index 00000000..567248f3 --- /dev/null +++ b/examples/cpu-mem.sh @@ -0,0 +1,8 @@ +#!/bin/bash +while sleep 1; do + DATE="$(date)"; + PS="$( ps -p `pidof turnserver` -o 'pcpu,pmem,rss,vsz')"; + TOP="$( top -p `pidof turnserver` -n1 -b -H -c )" + OUTPUT=$DATE"\n\n"$TOP"\n\nps\n"$PS"\n"; + echo -e "$OUTPUT" | tee -a cpu-mem.log; +done; diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf index 0fcb17cb..84caab8f 100644 --- a/examples/etc/turnserver.conf +++ b/examples/etc/turnserver.conf 
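Review bot: The `pidof turnserver` substitutions on the `PS=` and `TOP=` lines of cpu-mem.sh are unquoted and unchecked, so when no turnserver is running the `-p` argument is empty, `ps`/`top` fail, and the loop still appends a near-empty block to cpu-mem.log every second; if several processes match, the pids are split into separate arguments. Resolve the pid once per iteration and skip the sample when it is missing: `PID="$(pidof turnserver)" || continue`, then `PS="$(ps -p "$PID" -o 'pcpu,pmem,rss,vsz')"` and `TOP="$(top -p "$PID" -n1 -b -H -c)"` (top wants a comma-separated list, so a multi-pid result may still need `${PID// /,}`). The log file is also a fixed name in the current directory; a comment such as `# appends to ./cpu-mem.log in the current directory` would help whoever copies this into a cron job.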
@@ -569,10 +569,17 @@ # The default value is ':'. # rest-api-separator=: -# Flag that can be used to disallow peers on the loopback addresses (127.x.x.x and ::1). +# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1). # This is an extra security measure. # -#no-loopback-peers +# (To avoid any security issue that allowing loopback access may raise, +# the no-loopback-peers option is replaced by allow-loopback-peers.) +# +# Allow it only for testing in a development environment! +# In production it adds a possible security vulnerability, so for security reasons +# it is not allowed using it together with empty cli-password. +# +#allow-loopback-peers # Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*). # This is an extra security measure. @@ -658,6 +665,20 @@ # #cli-password=qwerty +# Enable Web-admin support on https. By default it is Disabled. +# If it is enabled it also enables a http a simple static banner page +# with a small reminder that the admin page is available only on https. +# +#web-admin + +# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1. +# +#web-admin-ip=127.0.0.1 + +# Web-admin server port. Default is 8080. +# +#web-admin-port=8080 + # Server relay. NON-STANDARD AND DANGEROUS OPTION. # Only for those applications when we want to run # server applications on the relay endpoints. diff --git a/examples/run_all_clients.sh b/examples/run_all_clients.sh new file mode 100755 index 00000000..34043ff0 --- /dev/null +++ b/examples/run_all_clients.sh @@ -0,0 +1,6 @@ +#!/bin/bash +for i in secure_udp_client.sh secure_dtls_client.sh secure_tcp_client_c2c_tcp_relay.sh secure_tls_client_c2c_tcp_relay.sh secure_tls_client.sh secure_udp_client.sh secure_sctp_client.sh secure_tcp_client.sh secure_udp_c2c.sh; +do + echo $i + ./scripts/longtermsecure/$i $@ +done 
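Review bot: The `for i in …` list in run_all_clients.sh names `secure_udp_client.sh` twice (first and sixth entry), so that client is started two times per run; drop the second occurrence unless the repetition is intended, in which case a comment should say so. `$@` on the `./scripts/longtermsecure/$i $@` line is unquoted, so any argument containing whitespace is split before it reaches the client script; use `"$@"`. The client scripts are resolved relative to the current directory, so the loop only works when launched from the examples directory; a `cd "$(dirname "$0")"` at the top, or a comment stating that requirement, would avoid a silent run of "No such file" errors.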
diff --git a/examples/scripts/basic/relay.sh b/examples/scripts/basic/relay.sh index 4b3483eb..5b1f8a2d 100755 --- a/examples/scripts/basic/relay.sh +++ b/examples/scripts/basic/relay.sh @@ -14,6 +14,7 @@ # --no-auth means that no authentication to be used, # allow anonymous users. # start TLS and DTLS services. +# --cli-password=secret means that cli password set to "secret" # Other parameters (config file name, etc) are default. if [ -d examples ] ; then @@ -23,8 +24,4 @@ fi export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ -PATH="bin:../bin:../../bin:${PATH}" turnserver -v --syslog -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --no-tls --no-dtls --no-auth --db="var/db/turndb" $@ - - - - +PATH="bin:../bin:../../bin:${PATH}" turnserver -v --syslog -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --cli-password secred --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --no-tls --no-dtls --no-auth --db="var/db/turndb" $@ diff --git a/examples/scripts/loadbalance/master_relay.sh b/examples/scripts/loadbalance/master_relay.sh index f7d0e016..86e36914 100755 --- a/examples/scripts/loadbalance/master_relay.sh +++ b/examples/scripts/loadbalance/master_relay.sh @@ -25,6 +25,7 @@ # 10) --no-dtls and --no-tls measn that we are not using DTLS & TLS protocols here # (for the sake of simplicity). # 11) --alternate-server options set the "slave" servers. +# 12) --cli-password=secret means that cli password set to "secret" # Other parameters (config file name, etc) are default. if [ -d examples ] ; then 
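Review bot: The new `turnserver` line in relay.sh passes `--cli-password secred`, which disagrees with the comment added in the first hunk (`--cli-password=secret means that cli password set to "secret"`) and with every other script in this commit, all of which use `--cli-password=secret`: the value is misspelled and the option is written as two arguments instead of the `--option=value` form used elsewhere. Change it to `--allow-loopback-peers --cli-password=secret` so the comment, the script and the sibling examples agree. Since this commit also makes the server refuse to start when allow-loopback-peers is set without a cli-password (per the ChangeLog), a mismatch here is the difference between a working example and a confusing startup failure, and an operator who reads the comment will type the wrong CLI password.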
@@ -34,5 +35,5 @@ fi export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ -PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -E 127.0.0.1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --log-file=stdout -v --no-dtls --no-tls --alternate-server=127.0.0.1:3333 --alternate-server=127.0.0.1:4444 $@ +PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -E 127.0.0.1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --log-file=stdout -v --no-dtls --no-tls --alternate-server=127.0.0.1:3333 --alternate-server=127.0.0.1:4444 --cli-password=secret $@ diff --git a/examples/scripts/loadbalance/slave_relay_1.sh b/examples/scripts/loadbalance/slave_relay_1.sh index f924836b..8c6ab11b 100755 --- a/examples/scripts/loadbalance/slave_relay_1.sh +++ b/examples/scripts/loadbalance/slave_relay_1.sh @@ -25,6 +25,7 @@ # 10) --no-dtls and --no-tls measn that we are not using DTLS & TLS protocols here # (for the sake of simplicity). # 11) -p 3333 means that we are using UDP & TCP listening port 3333. +# 12) --cli-password=secret means that cli password set to "secret" # Other parameters (config file name, etc) are default. if [ -d examples ] ; then 
@@ -34,4 +35,4 @@ fi export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ -PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -E 127.0.0.1 --max-bps=3000000 -f -m 3 --min-port=10000 --max-port=19999 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --log-file=stdout -v --no-dtls --no-tls -p 3333 --cli-port=5767 $@ +PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -E 127.0.0.1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=10000 --max-port=19999 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --log-file=stdout -v --no-dtls --no-tls -p 3333 --cli-port=5767 --cli-password=secret $@ diff --git a/examples/scripts/loadbalance/slave_relay_2.sh b/examples/scripts/loadbalance/slave_relay_2.sh index f923da9d..16c8b867 100755 --- a/examples/scripts/loadbalance/slave_relay_2.sh +++ b/examples/scripts/loadbalance/slave_relay_2.sh @@ -25,6 +25,7 @@ # 10) --no-dtls and --no-tls measn that we are not using DTLS & TLS protocols here # (for the sake of simplicity). # 11) -p 4444 means that we are using UDP & TCP listening port 4444. +# 12) --cli-password=secret means that cli password set to "secret" # Other parameters (config file name, etc) are default. if [ -d examples ] ; then 
@@ -34,4 +35,4 @@ fi export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ -PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -E 127.0.0.1 --max-bps=3000000 -f -m 3 --min-port=20000 --max-port=29999 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --log-file=stdout -v --no-dtls --no-tls -p 4444 --cli-port=5768 $@ +PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -E 127.0.0.1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=20000 --max-port=29999 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --log-file=stdout -v --no-dtls --no-tls -p 4444 --cli-port=5768 --cli-password=secret $@ diff --git a/examples/scripts/longtermsecure/secure_relay.sh b/examples/scripts/longtermsecure/secure_relay.sh index 3b3c7fd5..6fd4ae82 100755 --- a/examples/scripts/longtermsecure/secure_relay.sh +++ b/examples/scripts/longtermsecure/secure_relay.sh @@ -23,6 +23,7 @@ # 10) "--log-file=stdout" means that all log output will go to the stdout. # 11) "-v" means normal verbose mode (with some moderate logging). # 12) --cipher-list=ALL means that we support all OpenSSL ciphers +# 13) --cli-password=secret means that cli password set to "secret" # Other parameters (config file name, etc) are default. if [ -d examples ] ; then 
@@ -32,4 +33,4 @@ fi export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ -PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -v --cipher-list=ALL --db=var/db/turndb $@ +PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -v --cipher-list=ALL --cli-password=secret --db=var/db/turndb $@ diff --git a/examples/scripts/longtermsecure/secure_relay_cert.sh b/examples/scripts/longtermsecure/secure_relay_cert.sh index 0df28c25..aa6a90ba 100755 --- a/examples/scripts/longtermsecure/secure_relay_cert.sh +++ b/examples/scripts/longtermsecure/secure_relay_cert.sh @@ -26,6 +26,7 @@ # 11) "--log-file=stdout" means that all log output will go to the stdout. # 12) "-v" means normal verbose mode (with some moderate logging). # 13) --cipher-list="ALL:!eNULL:!aNULL:!NULL" measn "all ciphers, except anonymous". +# 14) --cli-password=secret means that cli password set to "secret" # Other parameters (config file name, etc) are default. if [ -d examples ] ; then 
@@ -35,4 +36,4 @@ fi export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ -PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=bolt:kwyjibo -r bolt.co --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --CA-file=turn_server_cert.pem --log-file=stdout -v --cipher-list="ALL:!eNULL:!aNULL:!NULL" --db=var/db/turndb $@ +PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=bolt:kwyjibo -r bolt.co --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --CA-file=turn_server_cert.pem --log-file=stdout -v --cipher-list="ALL:!eNULL:!aNULL:!NULL" --cli-password=secret --db=var/db/turndb $@ diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh index 09d31cbf..b0b6006a 100755 --- a/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh +++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh @@ -22,6 +22,7 @@ # 9) "--log-file=stdout" means that all log output will go to the stdout. # 10) --cipher-list=ALL means that we support all OpenSSL ciphers # 11) --oauth - support oAuth security dialog +# 12) --cli-password=secret means that cli password set to "secret" # Other parameters (config file name, etc) are default. if [ -d examples ] ; then 
@@ -31,4 +32,4 @@ fi export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/ export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/ -PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@ +PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@ diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh index 1a30e040..e49bc907 100755 --- a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh +++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh @@ -23,6 +23,7 @@ # 9) "--log-file=stdout" means that all log output will go to the stdout. # 10) --cipher-list=ALL means that we support all OpenSSL ciphers # 11) --oauth - support oAuth security dialog +# 12) --cli-password=secret means that cli password set to "secret" # Other parameters (config file name, etc) are default. if [ -d examples ] ; then 
@@ -32,4 +33,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30 read_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30 read_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh
index 31085df9..1d984df7 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh
@@ -24,6 +24,7 @@
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
 # 10) --cipher-list=ALL means that we support all OpenSSL ciphers
 # 11) --oauth - support oAuth security dialog
+# 12) --cli-password=secret means that cli password set to "secret"
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -33,4 +34,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn cipher=DHE-RSA-AES256-SHA connect_timeout=30 read_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn cipher=DHE-RSA-AES256-SHA connect_timeout=30 read_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh
index ffc30e0a..d4ce4d23 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh
@@ -23,6 +23,7 @@
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
 # 10) --cipher-list=ALL means that we support all OpenSSL ciphers
 # 11) --oauth - support oAuth security dialog
+# 12) --cli-password=secret means that cli password set to "secret"
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -32,7 +33,7 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@
 # Newer PostgreSQL style connection string example:
-# PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb=postgresql://turn:turn@/turn --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+# PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb=postgresql://turn:turn@/turn --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh
index 4c4c4df5..b01129f7 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh
@@ -26,6 +26,7 @@
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
 # 11) --cipher-list=ALL means that we support all OpenSSL ciphers
 # 12) --oauth - support oAuth security dialog
+# 13) --cli-password=secret means that cli password set to "secret"
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -35,4 +36,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 ---allow-loopback-peers -max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@
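Review bot: The rewritten turnserver line in secure_relay_with_db_redis.sh reads `---allow-loopback-peers -max-bps=3000000` (three leading dashes, and `--max-bps` lost one), so this example no longer starts as intended: `---allow-loopback-peers` is not a recognised long option, and `-max-bps=3000000` would be read as the short option `-m` with the argument `ax-bps=3000000`. It should read `--allow-loopback-peers --max-bps=3000000`, as in the sibling scripts. Running each example once before release would have caught this.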
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh
index 009fdce6..16556270 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh
@@ -22,6 +22,7 @@
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
 # 10) --cipher-list=ALL means that we support all OpenSSL ciphers
 # 11) --oauth - support oAuth security dialog
+# 12) --cli-password=secret means that cli password set to "secret"
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -31,5 +32,5 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@
diff --git a/examples/scripts/mobile/mobile_relay.sh b/examples/scripts/mobile/mobile_relay.sh
index cab92af6..73169d74 100755
--- a/examples/scripts/mobile/mobile_relay.sh
+++ b/examples/scripts/mobile/mobile_relay.sh
@@ -24,6 +24,7 @@
 # 11) "-v" means normal verbose mode (with some moderate logging).
 # 12) "--mobility" turns on the Mobile ICE TURN functionality.
 # 13) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 14) --cli-password=secret means that cli password set to "secret"
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -33,4 +34,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -v --mobility --cipher-list=ALL $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -v --mobility --cipher-list=ALL --cli-password=secret $@
diff --git a/examples/scripts/pack.sh b/examples/scripts/pack.sh
new file mode 100755
index 00000000..342ac78b
--- /dev/null
+++ b/examples/scripts/pack.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Run it from the root of the coturn source tree
+
+V=4.5.1.0
+
+PACKDIR=`pwd`/../coturn-releases/
+SRCDIR=`pwd`
+DDIR=turnserver-${V}
+
+cd ${SRCDIR}/
+make distclean
+cd ${PACKDIR}
+rm -rf tmp
+mkdir tmp
+cd tmp
+mkdir ${DDIR}
+cp -R ${SRCDIR}/* ${DDIR}/
+tar cvfz ../${DDIR}.tar.gz ${DDIR}
+cd ..
+rm -rf tmp
+
+cp -a ${SRCDIR}/ChangeLog ${PACKDIR}
diff --git a/examples/scripts/restapi/secure_relay_secret.sh b/examples/scripts/restapi/secure_relay_secret.sh
index 719b293c..88bef482 100755
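Review bot: pack.sh has no `set -e`, so when `cd ${PACKDIR}` fails (nothing ever creates that directory) the script stays in the source tree and `rm -rf tmp`, `mkdir tmp` and the tar still run there; add `set -eu` after the shebang, `mkdir -p "${PACKDIR}"` before the `cd`, and quote every expansion since the `pwd` result may contain spaces. The archive is a `cp -R ${SRCDIR}/*` of the working tree after `make distclean`, which means any untracked local files (test databases under var/, keys, editor backups) are shipped in the release tarball while dotfiles are silently skipped; `git archive --prefix="${DDIR}/" -o "${PACKDIR}/${DDIR}.tar.gz" HEAD` would produce a reproducible archive of tracked files only. If the copy approach is kept, the tar listing should be reviewed before the tarball is published.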
--- a/examples/scripts/restapi/secure_relay_secret.sh
+++ b/examples/scripts/restapi/secure_relay_secret.sh
@@ -23,6 +23,7 @@
 # 11) "-q 100" means that single user can create no more than 100 sessions
 # 12) "-Q 300" means that there may be no more than 300 sessions totally
 # 13) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 14) --cli-password=secret means that cli password set to "secret"
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -32,5 +33,5 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --static-auth-secret=logen --realm=north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -q 100 -Q 300 --cipher-list=ALL $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --static-auth-secret=logen --realm=north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -q 100 -Q 300 --cipher-list=ALL --cli-password=secret $@
diff --git a/examples/scripts/restapi/secure_relay_secret_with_db_mongo.sh b/examples/scripts/restapi/secure_relay_secret_with_db_mongo.sh
index fd2f1725..b53ad611 100755
--- a/examples/scripts/restapi/secure_relay_secret_with_db_mongo.sh
+++ b/examples/scripts/restapi/secure_relay_secret_with_db_mongo.sh
@@ -25,6 +25,7 @@
 # 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
 # 11) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 12) --cli-password=secret means that cli password set to "secret"
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -34,4 +35,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --cli-password=secret $@
diff --git a/examples/scripts/restapi/secure_relay_secret_with_db_mysql.sh b/examples/scripts/restapi/secure_relay_secret_with_db_mysql.sh
index b3d8bd28..9e21bbae 100755
--- a/examples/scripts/restapi/secure_relay_secret_with_db_mysql.sh
+++ b/examples/scripts/restapi/secure_relay_secret_with_db_mysql.sh
@@ -26,6 +26,7 @@
 # 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
 # 11) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 12) --cli-password=secret means that cli password set to "secret"
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -35,4 +36,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --cli-password=secret $@
diff --git a/examples/scripts/restapi/secure_relay_secret_with_db_psql.sh b/examples/scripts/restapi/secure_relay_secret_with_db_psql.sh
index 2dfa44d7..e0d6cb39 100755
--- a/examples/scripts/restapi/secure_relay_secret_with_db_psql.sh
+++ b/examples/scripts/restapi/secure_relay_secret_with_db_psql.sh
@@ -26,6 +26,7 @@
 # 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
 # 11) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 12) --cli-password=secret means that cli password set to "secret"
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -35,4 +36,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --cli-password=secret $@
diff --git a/examples/scripts/restapi/secure_relay_secret_with_db_redis.sh b/examples/scripts/restapi/secure_relay_secret_with_db_redis.sh
index ab335e02..4f0d8b1a 100755
--- a/examples/scripts/restapi/secure_relay_secret_with_db_redis.sh
+++ b/examples/scripts/restapi/secure_relay_secret_with_db_redis.sh
@@ -26,6 +26,7 @@
 # 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
 # 11) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 12) --cli-password=secret means that cli password set to "secret"
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -35,4 +36,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cipher-list=ALL $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cipher-list=ALL --cli-password=secret $@
diff --git a/examples/scripts/restapi/secure_relay_secret_with_db_sqlite.sh b/examples/scripts/restapi/secure_relay_secret_with_db_sqlite.sh
index 3753f28c..8718437c 100755
--- a/examples/scripts/restapi/secure_relay_secret_with_db_sqlite.sh
+++ b/examples/scripts/restapi/secure_relay_secret_with_db_sqlite.sh
@@ -25,6 +25,7 @@
 # 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
 # 11) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 12) --cli-password=secret means that cli password set to "secret"
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -34,4 +35,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --cli-password=secret $@
diff --git a/examples/scripts/selfloadbalance/secure_relay.sh b/examples/scripts/selfloadbalance/secure_relay.sh
index 077f49ef..d2e05a3c 100755
--- a/examples/scripts/selfloadbalance/secure_relay.sh
+++ b/examples/scripts/selfloadbalance/secure_relay.sh
@@ -30,6 +30,7 @@
 # 12) "--log-file=stdout" means that all log output will go to the stdout.
 # 13) "-v" means normal verbose mode (with some moderate logging).
 # 14) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 15) --cli-password=secret means that cli password set to "secret"
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -39,4 +40,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --aux-server=127.0.0.1:12345 --aux-server=[::1]:12345 --aux-server=127.0.0.1:12346 --aux-server=[::1]:12346 --udp-self-balance --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --db=var/db/turndb $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --aux-server=127.0.0.1:12345 --aux-server=[::1]:12345 --aux-server=127.0.0.1:12346 --aux-server=[::1]:12346 --udp-self-balance --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --db=var/db/turndb --cli-password=secret $@
diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1
index ea359b05..cdcb4c9c 100644
--- a/man/man1/turnadmin.1
+++ b/man/man1/turnadmin.1
@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "27 September 2018" "" ""
+.TH TURN 1 "31 October 2018" "" ""
 .SH GENERAL INFORMATION
 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage
diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1
index e898593c..183256d3 100644
--- a/man/man1/turnserver.1
+++ b/man/man1/turnserver.1
@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "27 September 2018" "" ""
+.TH TURN 1 "31 October 2018" "" ""
 .SH GENERAL INFORMATION
 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client
@@ -358,8 +358,12 @@ Run as TURN server only, all STUN requests will be ignored.
 Option to suppress STUN functionality, only TURN requests will be processed.
 .TP
 .B
-\fB\-\-no\-loopback\-peers\fP
-Disallow peers on the loopback addresses (127.x.x.x and ::1).
+\fB\-\-allow\-loopback\-peers\fP
+Allow peers on the loopback addresses (127.x.x.x and ::1).
+Allow it only for testing in a development environment!
+In production it adds a possible security vulnerability,
+and so due to security reasons, it is not allowed
+using it together with empty cli\-password.
 .TP
 .B
 \fB\-\-no\-multicast\-peers\fP
@@ -794,6 +798,24 @@ Maximum number of output sessions in ps CLI command.
 This value can be changed on\-the\-fly in CLI. The default value is 256.
 .TP
 .B
+\fB\-\-web\-admin\fP
+Enable Turn Web\-admin support. By default it is disabled.
+.TP
+.B
+\fB\-\-web\-admin\-ip\fP=
+Local system IP address to be used for Web\-admin server endpoint. Default value is 127.0.0.1.
+.TP
+.B
+\fB\-\-web\-admin\-port\fP=
+Web\-admin server port. Default is 8080.
+.TP
+.B
+\fB\-\-web\-admin\-listen\-on\-workers\fP
+Enable for web\-admin server to listens on STUN/TURN workers STUN/TURN ports.
+By default it is disabled for security resons!
+(This beahvior used to be the default bahavior, and was enabled by default.)
+.TP
+.B
 \fB\-\-ne\fP=[1|2|3]
 Set network engine type for the process (for internal purposes).
 .PP
diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1
index f52dfb0e..b9808795 100644
--- a/man/man1/turnutils.1
+++ b/man/man1/turnutils.1
@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "27 September 2018" "" ""
+.TH TURN 1 "31 October 2018" "" ""
 .SH GENERAL INFORMATION
 A set of turnutils_* programs provides some utility functionality to be used
diff --git a/rpm/build.settings.sh b/rpm/build.settings.sh
index 0ae0ad32..e9742e4a 100755
--- a/rpm/build.settings.sh
+++ b/rpm/build.settings.sh
@@ -2,7 +2,7 @@
 # Common settings script.
-TURNVERSION=4.5.0.8
+TURNVERSION=4.5.1.0
 BUILDDIR=~/rpmbuild
 ARCH=`uname -p`
 TURNSERVER_GIT_URL=https://github.com/coturn/coturn.git
diff --git a/rpm/turnserver.spec b/rpm/turnserver.spec
index 77a03ae1..0db6b202 100644
--- a/rpm/turnserver.spec
+++ b/rpm/turnserver.spec
@@ -1,5 +1,5 @@
 Name: turnserver
-Version: 4.5.0.8
+Version: 4.5.1.0
 Release: 0%{dist}
 Summary: Coturn TURN Server
@@ -295,6 +295,8 @@ fi
 %{_includedir}/turn/client/TurnMsgLib.h
 %changelog
+* Thu Dec 6 2018 Mészáros Mihály
+ - Sync to 4.5.1.0
 * Thu Sep 27 2018 Oleg Moskalenko
 - Sync to 4.5.0.8
 * Sun Dec 10 2017 Oleg Moskalenko
diff --git a/src/apps/common/ns_turn_utils.c b/src/apps/common/ns_turn_utils.c
index 85a1aead..c51bc6b4 100644
--- a/src/apps/common/ns_turn_utils.c
+++ b/src/apps/common/ns_turn_utils.c
@@ -867,11 +867,11 @@ char *turn_strdup_func(const char* s, const char* function, int line) {
 ////////////////////////////////
-int is_secure_username(const u08bits *username)
+int is_secure_string(const u08bits *string, int sanitizesql)
 {
 int ret = 0;
- if(username) {
- unsigned char *s0 = (unsigned char*)turn_strdup((const char*)username);
+ if(string) {
+ unsigned char *s0 = (unsigned char*)turn_strdup((const char*)string);
 unsigned char *s = s0;
 while(*s) {
 *s = (unsigned char)tolower((int)*s);
@@ -880,7 +880,7 @@ int is_secure_username(const u08bits *username)
 s = s0;
 if(strstr((char*)s," ")||strstr((char*)s,"\t")||strstr((char*)s,"'")||strstr((char*)s,"\"")||strstr((char*)s,"\n")||strstr((char*)s,"\r")||strstr((char*)s,"\\")) {
 ;
-} else if(strstr((char*)s,"union")&&strstr((char*)s,"select")) {
+} else if(sanitizesql && strstr((char*)s,"union")&&strstr((char*)s,"select")) {
 ;
 } else {
 ret = 1;
@@ -891,4 +891,3 @@ int is_secure_username(const u08bits *username)
 }
 //////////////////////////////////////////////////////////////////
-
diff --git a/src/apps/common/ns_turn_utils.h b/src/apps/common/ns_turn_utils.h
index 809a04c4..da3b777e 100644
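Review bot: The new `sanitizesql` parameter changes what `is_secure_string` accepts, but neither the definition here nor the declaration in ns_turn_utils.h (next hunk) says what the two values mean, and the split is easy to misread: the first branch rejects whitespace, quotes, CR/LF and backslash unconditionally, while only the `union`+`select` heuristic is gated by the flag. Add a comment above the definition (and the prototype) along the lines of `/* Returns 1 if 'string' contains no whitespace, quotes, CR/LF or backslash; with sanitizesql != 0 it also rejects strings containing both "union" and "select" (case-insensitive). Coarse blocklist only: DB backends must still bind or escape the value. */`. The function body continues outside the hunk, where the `turn_strdup` copy is presumably released.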
--- a/src/apps/common/ns_turn_utils.h
+++ b/src/apps/common/ns_turn_utils.h
@@ -78,7 +78,7 @@ void rollover_logfile(void);
 ///////////////////////////////////////////////////////
-int is_secure_username(const u08bits *username);
+int is_secure_string(const u08bits *string, int sanitizesql);
 ///////////////////////////////////////////////////////
diff --git a/src/apps/relay/http_server.c b/src/apps/relay/http_server.c
index e32b0bc1..53c65df9 100644
--- a/src/apps/relay/http_server.c
+++ b/src/apps/relay/http_server.c
@@ -64,7 +64,7 @@ static void write_http_echo(ioa_socket_handle s)
 char content_http[1025];
 const char* title = "TURN Server";
 snprintf(content_http,sizeof(content_http)-1,"\r\n\r\n \r\n %s\r\n \r\n \r\n %s
use https connection for the admin session\r\n \r\n\r\n",title,title);
- snprintf(data_http,sizeof(data_http)-1,"HTTP/1.0 200 OK\r\nServer: %s\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: %d\r\n\r\n%s",TURN_SOFTWARE,(int)strlen(content_http),content_http);
+ snprintf(data_http,sizeof(data_http)-1,"HTTP/1.0 200 OK\r\nServer: %s\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: %d\r\n\r\n%.906s",TURN_SOFTWARE,(int)strlen(content_http),content_http);
 len_http = strlen(data_http);
 ns_bcopy(data_http,data,len_http);
 ioa_network_buffer_set_size(nbh_http,len_http);
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index 66e2bab5..ffc3a018 100644
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -106,7 +106,8 @@ DH_1066, "", "", "", NULL, PTHREAD_MUTEX_INITIALIZER,
-TURN_VERBOSE_NONE,0,0,0,
+//////////////// Common params ////////////////////
+TURN_VERBOSE_NONE,0,0,0,0,
 "/var/run/turnserver.pid", DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,1, 0,0,0,0,
@@ -430,7 +431,7 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " In more complex case when more than one IP address is involved,\n"
 " that option must be used several times in the command line, each entry must\n"
 " have form \"-X public-ip/private-ip\", to map all involved addresses.\n"
-" --no-loopback-peers Disallow peers on the loopback addresses (127.x.x.x and ::1).\n"
+" --allow-loopback-peers Allow peers on the loopback addresses (127.x.x.x and ::1).\n"
 " --no-multicast-peers Disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).\n"
 " -m, --relay-threads Number of relay threads to handle the established connections\n"
 " (in addition to authentication thread and the listener thread).\n"
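Review bot: The `%.906s` precision silences the truncation warning but introduces an unexplained constant and an inconsistency: `Content-Length` is still computed from the full `strlen(content_http)` (a 1025-byte buffer), so if the body ever grew past 906 bytes the header would announce more bytes than are actually sent. Either derive the limit from the buffer sizes (`data_http` is declared outside the hunk) or check the result and refuse to emit a mismatched response: `int n = snprintf(data_http, sizeof(data_http)-1, ...);` followed by `if (n < 0 || (size_t)n >= sizeof(data_http)-1) { /* truncated: drop the reply rather than send a wrong Content-Length */ }`. At minimum a one-line comment should say where 906 comes from.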
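Review bot: The extra `0` appended to the positional initializer of `turn_params` (the new `Common params` row) depends on the field order in a header that is not part of this hunk, so a reader cannot tell which field the new zero initialises or whether the remaining columns still line up; the enclosing initializer starts and ends outside the hunk. A designated initializer for the added field (`.web_admin_listen_on_workers = 0`, if that is the field introduced here) would make the mapping explicit and survive future reorderings of the struct.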
@@ -614,7 +615,6 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " After the initialization, the turnserver process\n"
 " will make an attempt to change the current group ID to that group.\n"
 " --mobility Mobility with ICE (MICE) specs support.\n"
-" --no-http Turn OFF the HTTP-Admin-Interface. By default it is always ON.\n"
 " -K, --keep-address-family TURN server allocates address family according TURN\n"
 " Client <=> Server communication address family. \n"
 " !! It breaks RFC6156 section-4.2 (violates default IPv4) !!\n"
@@ -626,6 +626,13 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " For the security reasons, it is recommended to use the encrypted\n"
 " for of the password (see the -P command in the turnadmin utility).\n"
 " The dollar signs in the encrypted form must be escaped.\n"
+" --web-admin Enable Turn Web-admin support. By default it is disabled.\n"
+" --web-admin-ip= Local system IP address to be used for Web-admin server endpoint. Default value\n"
+" is 127.0.0.1.\n"
+" --web-admin-port= Web-admin server port. Default is 8080.\n"
+" --web-admin-listen-on-workers Enable for web-admin server to listens on STUN/TURN workers STUN/TURN ports.\n"
+" By default it is disabled for security resons!\n"
+" (This beahvior used to be the default bahavior, and was enabled by default.)\n"
 " --server-relay Server relay. NON-STANDARD AND DANGEROUS OPTION. Only for those applications\n"
 " when we want to run server applications on the relay endpoints.\n"
 " This option eliminates the IP permissions check on the packets\n"
@@ -733,7 +740,7 @@ enum EXTRA_OPTS {
 ALTERNATE_SERVER_OPT,
 TLS_ALTERNATE_SERVER_OPT,
 NO_MULTICAST_PEERS_OPT,
- NO_LOOPBACK_PEERS_OPT,
+ ALLOW_LOOPBACK_PEERS_OPT,
 MAX_ALLOCATE_TIMEOUT_OPT,
 ALLOWED_PEER_IPS,
 DENIED_PEER_IPS,
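Review bot: The added Usage lines carry typos that ship to every user as `turnserver --help` output and are mirrored in the man page in this commit: `security resons`, `beahvior`, `bahavior`, and `to listens`. Suggested replacements for the three affected lines: `" --web-admin-listen-on-workers Enable the web-admin server to listen on the STUN/TURN workers' ports.\n"`, `" By default it is disabled for security reasons!\n"`, `" (This used to be the default behavior.)\n"`. The man page is generated by txt2man, so the same correction belongs in its text source rather than in turnserver.1 directly.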
@@ -750,6 +757,10 @@ enum EXTRA_OPTS {
 CLI_IP_OPT,
 CLI_PORT_OPT,
 CLI_PASSWORD_OPT,
+ WEB_ADMIN_OPT,
+ WEB_ADMIN_IP_OPT,
+ WEB_ADMIN_PORT_OPT,
+ WEB_ADMIN_LISTEN_ON_WORKERS_OPT,
 SERVER_RELAY_OPT,
 CLI_MAX_SESSIONS_OPT,
 EC_CURVE_NAME_OPT,
@@ -861,7 +872,7 @@ static const struct myoption long_options[] = {
 { "rest-api-separator", required_argument, NULL, 'C' },
 { "max-allocate-timeout", required_argument, NULL, MAX_ALLOCATE_TIMEOUT_OPT },
 { "no-multicast-peers", optional_argument, NULL, NO_MULTICAST_PEERS_OPT },
- { "no-loopback-peers", optional_argument, NULL, NO_LOOPBACK_PEERS_OPT },
+ { "allow-loopback-peers", optional_argument, NULL, ALLOW_LOOPBACK_PEERS_OPT },
 { "allowed-peer-ip", required_argument, NULL, ALLOWED_PEER_IPS },
 { "denied-peer-ip", required_argument, NULL, DENIED_PEER_IPS },
 { "cipher-list", required_argument, NULL, CIPHER_LIST_OPT },
@@ -876,7 +887,10 @@ static const struct myoption long_options[] = {
 { "cli-ip", required_argument, NULL, CLI_IP_OPT },
 { "cli-port", required_argument, NULL, CLI_PORT_OPT },
 { "cli-password", required_argument, NULL, CLI_PASSWORD_OPT },
- { "no-http", optional_argument, NULL, NO_HTTP_OPT },
+ { "web-admin", optional_argument, NULL, WEB_ADMIN_OPT },
+ { "web-admin-ip", required_argument, NULL, WEB_ADMIN_IP_OPT },
+ { "web-admin-port", required_argument, NULL, WEB_ADMIN_PORT_OPT },
+ { "web-admin-listen-on-workers", optional_argument, NULL, WEB_ADMIN_LISTEN_ON_WORKERS_OPT },
 { "server-relay", optional_argument, NULL, SERVER_RELAY_OPT },
 { "cli-max-output-sessions", required_argument, NULL, CLI_MAX_SESSIONS_OPT },
 { "ec-curve-name", required_argument, NULL, EC_CURVE_NAME_OPT },
@@ -1166,9 +1180,6 @@ static void set_option(int c, char *value)
 case NO_CLI_OPT:
 use_cli = !get_bool_value(value);
 break;
- case NO_HTTP_OPT:
- use_http = !get_bool_value(value);
- break;
 case CLI_IP_OPT:
 if(make_ioa_addr((const u08bits*)value,0,&cli_addr)<0) {
 TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,"Cannot set cli address: %s\n",value);
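Review bot: Dropping the `no-http` entry from `long_options` (and its case in `set_option` on the same hunk) means any existing turnserver.conf that still contains `no-http` will make the upgraded server fail at startup with an unknown-option error instead of the breaking-change notice the ChangeLog promises. Since the web admin is now off unless `--web-admin` is given, a compatibility entry `{ "no-http", optional_argument, NULL, NO_HTTP_OPT },` whose case only logs `"no-http is deprecated and ignored; use --web-admin to enable the web admin interface"` and breaks would keep old configurations loading; this assumes `NO_HTTP_OPT` is still in `enum EXTRA_OPTS`, which the enum hunks shown do not remove.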
@@ -1182,6 +1193,22 @@ static void set_option(int c, char *value)
 case CLI_PASSWORD_OPT:
 STRCPY(cli_password,value);
 break;
+ case WEB_ADMIN_OPT:
+ use_web_admin = get_bool_value(value);
+ break;
+ case WEB_ADMIN_IP_OPT:
+ if(make_ioa_addr((const u08bits*)value, 0, &web_admin_addr) < 0) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot set web-admin address: %s\n", value);
+ } else {
+ web_admin_addr_set = 1;
+ }
+ break;
+ case WEB_ADMIN_PORT_OPT:
+ web_admin_port = atoi(value);
+ break;
+ case WEB_ADMIN_LISTEN_ON_WORKERS_OPT:
+ turn_params.web_admin_listen_on_workers = get_bool_value(value);
+ break;
 case PROC_USER_OPT: {
 struct passwd* pwd = getpwnam(value);
 if(!pwd) {
@@ -1250,8 +1277,8 @@ static void set_option(int c, char *value)
 case NO_MULTICAST_PEERS_OPT:
 turn_params.no_multicast_peers = get_bool_value(value);
 break;
- case NO_LOOPBACK_PEERS_OPT:
- turn_params.no_loopback_peers = get_bool_value(value);
+ case ALLOW_LOOPBACK_PEERS_OPT:
+ turn_params.allow_loopback_peers = get_bool_value(value);
 break;
 case STALE_NONCE_OPT:
 turn_params.stale_nonce = get_int_value(value, STUN_DEFAULT_NONCE_EXPIRATION_TIME);
@@ -1604,7 +1631,7 @@ static void read_config_file(int argc, char **argv, int pass)
 if (full_path_to_config_file) f = fopen(full_path_to_config_file, "r");
- if (f && full_path_to_config_file) {
+ if (f) {
 char sbuf[1025];
 char sarg[1035];
@@ -1653,6 +1680,11 @@ static void read_config_file(int argc, char **argv, int pass)
 } else TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: Cannot find config file: %s. Default and command-line settings will be used.\n", config_file);
+
+ if (full_path_to_config_file) {
+ turn_free(full_path_to_config_file, strlen(full_path_to_config_file)+1);
+ full_path_to_config_file = NULL;
+ }
 }
 }
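Review bot: `web_admin_port = atoi(value);` in the first hunk accepts any string: a non-numeric or out-of-range value silently becomes 0 or an arbitrary int, and that value is later handed straight to `addr_set_port` and the listener, so a mistyped config line yields a listener on an unintended port instead of an error. The neighbouring `WEB_ADMIN_IP_OPT` case validates its input and logs on failure; the port case should do the same — parse with `strtol`, reject anything outside 1..65535, and keep the previous value on failure. set_option's body starts and ends outside the hunk.
```c
	case WEB_ADMIN_PORT_OPT: {
		char *end = NULL;
		long port = strtol(value, &end, 10);
		if (end == value || *end != '\0' || port < 1 || port > 65535) {
			TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong web-admin port: %s\n", value);
		} else {
			web_admin_port = (int)port;
		}
		break;
	}
	/* … unchanged: WEB_ADMIN_LISTEN_ON_WORKERS_OPT and following cases … */
```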
@@ -1791,7 +1823,7 @@ static int adminmain(int argc, char **argv)
 #endif
 case 'u':
 STRCPY(user,optarg);
- if(!is_secure_username((u08bits*)user)) {
+ if(!is_secure_string((u08bits*)user,1)) {
 TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong user name structure or symbols, choose another name: %s\n",user);
 exit(-1);
 }
@@ -1836,7 +1868,9 @@ static int adminmain(int argc, char **argv)
 }
 else{
 fseek (fptr, 0, SEEK_SET);
- fread (generated_key, sizeof(char), 16, fptr);
+ if( fread(generated_key, sizeof(char), 16, fptr) !=0 ){
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: Secret-Key file is empty\n",__FUNCTION__);
+ }
 fclose (fptr);
 }
 break;
@@ -2201,11 +2235,24 @@ int main(int argc, char **argv)
 exit(-1);
 }
- if(use_ltc && use_tltc) {
+ if(use_ltc && use_tltc) {
 TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "\nCONFIGURATION ALERT: You specified --lt-cred-mech and --use-auth-secret in the same time.\n"
 "Be aware that you could not mix the username/password and the shared secret based auth methohds. \n"
 "Shared secret overrides username/password based auth method. Check your configuration!\n");
- }
+ }
+
+ if(turn_params.allow_loopback_peers) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "CONFIG WARNING: allow_loopback_peers opens a possible security vulnerability. Do not use in production!!\n");
+ if(cli_password[0]==0) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIG ERROR: allow_loopback_peers and empty cli password cannot be used together.\n");
+ exit(-1);
+ }
+ }
+
+ if(cli_password[0]==0) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIG ERROR: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!\n");
+ use_cli = 0;
+ }
 if(!use_lt_credentials && !anon_credentials) {
 if(turn_params.default_users_db.ram_db.users_number) {
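Review bot: The new `fread` check in the second hunk is inverted: `fread` returns the number of items read, so `!= 0` is true on every successful read and logs "Secret-Key file is empty" exactly when the key was read, while a genuinely empty or short file passes silently and `generated_key` keeps whatever it held before. The condition should be `if( fread(generated_key, sizeof(char), 16, fptr) != 16 ){` with the message reworded to "Secret-Key file is empty or too short". The identical inverted check is added to the `turn_params.secret_key` read in the following `@@ -2861,7 +2908,9 @@` hunk and needs the same `!= 16` fix. Both enclosing functions start before and end after their hunks.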
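Review bot: Both new messages in the third hunk spell the option as `allow_loopback_peers` while the flag this commit introduces is `allow-loopback-peers`, so an operator searching the log for the real option name will not find these lines; write `allow-loopback-peers` in both strings. The empty-password branch logs at TURN_LOG_LEVEL_ERROR but then continues with `use_cli = 0;`, which is a degraded-configuration warning rather than a fatal error — either log it at TURN_LOG_LEVEL_WARNING or, for consistency with the loopback branch just above it, make it fatal. main's body continues outside the hunk.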
@@ -2861,7 +2908,9 @@ static void set_ctx(SSL_CTX** out, const char *protocol, const SSL_METHOD* metho
 perror("Cannot open Secret-Key file");
 } else {
 fseek (f, 0, SEEK_SET);
- fread (turn_params.secret_key, sizeof(char), 16, f);
+ if ( fread(turn_params.secret_key, sizeof(char), 16, f) != 0 ){
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: Secret-Key file is empty\n",__FUNCTION__);
+ }
 fclose (f);
 }
 }
diff --git a/src/apps/relay/mainrelay.h b/src/apps/relay/mainrelay.h
index 21375d58..b679ad93 100644
--- a/src/apps/relay/mainrelay.h
+++ b/src/apps/relay/mainrelay.h
@@ -214,6 +214,7 @@ typedef struct _turn_params_ {
 int verbose;
 int turn_daemon;
 int prod;
+ int web_admin_listen_on_workers;
 int do_not_use_config_file;
@@ -254,7 +255,7 @@ typedef struct _turn_params_ {
 vint check_origin;
 vint no_multicast_peers;
- vint no_loopback_peers;
+ vint allow_loopback_peers;
 char relay_ifname[1025];
@@ -352,6 +353,9 @@ void del_tls_alternate_server(const char *saddr);
 void add_listener_addr(const char* addr);
 int add_relay_addr(const char* addr);
+////////// SSL CTX ////////////////////
+void set_ssl_ctx(ioa_engine_handle e, turn_params_t *params);
+
 ///////// Auth ////////////////
 void send_auth_message_to_auth_server(struct auth_message *am);
diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c
index bf0eecf8..e32857d4 100644
--- a/src/apps/relay/netengine.c
+++ b/src/apps/relay/netengine.c
@@ -334,7 +334,7 @@ static void update_ssl_ctx(evutil_socket_t sock, short events, update_ssl_ctx_cb
 UNUSED_ARG(events);
 }
-static void set_ssl_ctx(ioa_engine_handle e, turn_params_t *params)
+void set_ssl_ctx(ioa_engine_handle e, turn_params_t *params)
 {
 update_ssl_ctx_cb_args_t *args = (update_ssl_ctx_cb_args_t *)turn_malloc(sizeof(update_ssl_ctx_cb_args_t));
 args->engine = e;
@@ -1655,11 +1655,12 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
 &turn_params.stun_only,
 &turn_params.no_stun,
 &turn_params.prod,
+ &turn_params.web_admin_listen_on_workers,
 &turn_params.alternate_servers_list,
 &turn_params.tls_alternate_servers_list,
 &turn_params.aux_servers_list,
 turn_params.udp_self_balance,
- &turn_params.no_multicast_peers, &turn_params.no_loopback_peers,
+ &turn_params.no_multicast_peers, &turn_params.allow_loopback_peers,
 &turn_params.ip_whitelist, &turn_params.ip_blacklist,
 send_socket_to_relay,
 &turn_params.secure_stun, &turn_params.mobility,
@@ -1669,7 +1670,6 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
 allocate_bps,
 turn_params.oauth,
 turn_params.oauth_server_name,
- use_http,
 turn_params.keep_address_family);
 if(to_set_rfc5780) {
diff --git a/src/apps/relay/turn_admin_server.c b/src/apps/relay/turn_admin_server.c
index 6c68c47f..8c42aa2b 100644
--- a/src/apps/relay/turn_admin_server.c
+++ b/src/apps/relay/turn_admin_server.c
@@ -71,14 +71,14 @@
 #include "dbdrivers/dbdriver.h"
+#include "tls_listener.h"
+
 ///////////////////////////////
 struct admin_server adminserver;
 int use_cli = 1;
-int use_http = 1;
-
 ioa_addr cli_addr;
 int cli_addr_set = 0;
@@ -88,6 +88,14 @@ char cli_password[CLI_PASSWORD_LENGTH] = "";
 int cli_max_output_sessions = DEFAULT_CLI_MAX_OUTPUT_SESSIONS;
+
+int use_web_admin = 0;
+
+ioa_addr web_admin_addr;
+int web_admin_addr_set = 0;
+
+int web_admin_port = WEB_ADMIN_DEFAULT_PORT;
+
 ///////////////////////////////
 struct cli_session {
@@ -181,7 +189,7 @@ struct toggleable_command tcmds[] = {
 {"no-udp-relay",&turn_params.no_udp_relay},
 {"no-tcp-relay",&turn_params.no_tcp_relay},
 {"no-multicast-peers",&turn_params.no_multicast_peers},
- {"no-loopback-peers",&turn_params.no_loopback_peers},
+ {"allow-loopback-peers",&turn_params.allow_loopback_peers},
 {"mobility",&turn_params.mobility},
 {NULL,NULL}
 };
@@ -434,13 +442,13 @@ static int print_session(ur_map_key_type key, ur_map_value_type value, void *arg
 const char *pn=csarg->pname;
 if(pn[0]) {
 if(!strcmp(pn,"TLS") || !strcmp(pn,"tls") || !strcmp(pn,"Tls")) {
- if((tsi->client_protocol != TLS_SOCKET)||(tsi->client_protocol != TLS_SCTP_SOCKET))
+ if((tsi->client_protocol != TLS_SOCKET)&&(tsi->client_protocol != TLS_SCTP_SOCKET))
 return 0;
 } else if(!strcmp(pn,"DTLS") || !strcmp(pn,"dtls") || !strcmp(pn,"Dtls")) {
 if(tsi->client_protocol != DTLS_SOCKET)
 return 0;
 } else if(!strcmp(pn,"TCP") || !strcmp(pn,"tcp") || !strcmp(pn,"Tcp")) {
- if((tsi->client_protocol != TCP_SOCKET)||(tsi->client_protocol != SCTP_SOCKET))
+ if((tsi->client_protocol != TCP_SOCKET)&&(tsi->client_protocol != SCTP_SOCKET))
 return 0;
 } else if(!strcmp(pn,"UDP") || !strcmp(pn,"udp") || !strcmp(pn,"Udp")) {
 if(tsi->client_protocol != UDP_SOCKET)
@@ -750,7 +758,7 @@ static void cli_print_configuration(struct cli_session* cs)
 }
 cli_print_flag(cs,turn_params.no_multicast_peers,"no-multicast-peers",1);
- cli_print_flag(cs,turn_params.no_loopback_peers,"no-loopback-peers",1);
+ cli_print_flag(cs,turn_params.allow_loopback_peers,"allow-loopback-peers",1);
 myprintf(cs,"\n");
@@ -1188,6 +1196,115 @@ static void cliserver_input_handler(struct evconnlistener *l, evutil_socket_t fd
 }
 }
+static void web_admin_input_handler(ioa_socket_handle s, int event_type,
+ ioa_net_data *in_buffer, void *arg, int can_resume) {
+ UNUSED_ARG(event_type);
+ UNUSED_ARG(can_resume);
+ UNUSED_ARG(arg);
+
+ int to_be_closed = 0;
+
+ int buffer_size = (int)ioa_network_buffer_get_size(in_buffer->nbh);
+ if (buffer_size > 0) {
+
+ SOCKET_TYPE st = get_ioa_socket_type(s);
+
+ if(is_stream_socket(st)) {
+ if(is_http((char*)ioa_network_buffer_data(in_buffer->nbh), buffer_size)) {
+ const char *proto = "HTTP";
+ ioa_network_buffer_data(in_buffer->nbh)[buffer_size] = 0;
+ if(st == TLS_SOCKET) {
+ proto = "HTTPS";
+ set_ioa_socket_app_type(s, HTTPS_CLIENT_SOCKET);
+
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: %s (%s %s) request: %s\n", __FUNCTION__, proto, get_ioa_socket_cipher(s), get_ioa_socket_ssl_method(s), (char*)ioa_network_buffer_data(in_buffer->nbh));
+
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s socket to be detached: 0x%lx, st=%d, sat=%d\n", __FUNCTION__,(long)s, get_ioa_socket_type(s), get_ioa_socket_app_type(s));
+
+ ioa_socket_handle new_s = detach_ioa_socket(s);
+ if(new_s) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s new detached socket: 0x%lx, st=%d, sat=%d\n", __FUNCTION__,(long)new_s, get_ioa_socket_type(new_s), get_ioa_socket_app_type(new_s));
+
+ send_https_socket(new_s);
+ }
+ to_be_closed = 1;
+
+ } else {
+ set_ioa_socket_app_type(s, HTTP_CLIENT_SOCKET);
+ if(adminserver.verbose) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: %s request: %s\n", __FUNCTION__, proto, (char*)ioa_network_buffer_data(in_buffer->nbh));
+ }
+ handle_http_echo(s);
+ }
+ }
+ }
+ }
+
+ if (to_be_closed) {
+ if(adminserver.verbose) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,
+ "%s: web-admin socket to be closed in client handler: s=0x%lx\n", __FUNCTION__, (long)s);
+ }
+ set_ioa_socket_tobeclosed(s);
+ }
+}
+
+static int send_socket_to_admin_server(ioa_engine_handle e, struct 
message_to_relay *sm)
+{
+ // sm->relay_server is null for us.
+
+ sm->t = RMT_SOCKET;
+
+ if (sm->m.sm.s->defer_nbh) {
+ if (!sm->m.sm.nd.nbh) {
+ sm->m.sm.nd.nbh = sm->m.sm.s->defer_nbh;
+ sm->m.sm.s->defer_nbh = NULL;
+ } else {
+ ioa_network_buffer_delete(e, sm->m.sm.s->defer_nbh);
+ sm->m.sm.s->defer_nbh = NULL;
+ }
+ }
+
+ ioa_socket_handle s = sm->m.sm.s;
+
+ if (!s) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: web-admin socket EMPTY\n", __FUNCTION__);
+
+ } else if (s->read_event || s->bev) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
+ "%s: web-admin socket wrongly preset: 0x%lx : 0x%lx\n",
+ __FUNCTION__, (long) s->read_event, (long) s->bev);
+
+ IOA_CLOSE_SOCKET(s);
+ sm->m.sm.s = NULL;
+ } else {
+ s->e = e;
+
+ struct socket_message *msg = &(sm->m.sm);
+
+ if(register_callback_on_ioa_socket(e, msg->s, IOA_EV_READ,
+ web_admin_input_handler, NULL, 0) < 0) {
+
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: Failed to register callback on web-admin ioa socket\n", __FUNCTION__);
+ IOA_CLOSE_SOCKET(s);
+ sm->m.sm.s = NULL;
+
+ } else {
+
+ if(msg->nd.nbh) {
+ web_admin_input_handler(msg->s, IOA_EV_READ, &(msg->nd), NULL, msg->can_resume);
+ ioa_network_buffer_delete(e, msg->nd.nbh);
+ msg->nd.nbh = NULL;
+ }
+ }
+ }
+
+ ioa_network_buffer_delete(e, sm->m.sm.nd.nbh);
+ sm->m.sm.nd.nbh = NULL;
+
+ return 0;
+}
+
 void setup_admin_thread(void)
 {
 adminserver.event_base = turn_event_base_new();
@@ -1199,6 +1316,12 @@ void setup_admin_thread(void)
 #endif
 );
+ if(use_web_admin) {
+ // Support encryption on this ioa engine
+ // because the web-admin needs HTTPS
+ set_ssl_ctx(adminserver.e, &turn_params);
+ }
+
 TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"IO method (admin thread): %s\n",event_base_get_method(adminserver.event_base));
 {
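Review bot: In `web_admin_input_handler` the HTTPS branch logs the whole decrypted request (`request: %s`) at TURN_LOG_LEVEL_INFO unconditionally, while the plain-HTTP branch gates the same log on `adminserver.verbose`; since this listener fronts the admin logon served by `handle_logon_request`, a logon request arriving as the first request on the connection would put the submitted credentials into the server log. Gate it like the HTTP branch, `if(adminserver.verbose) { TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: %s (%s %s) request: %s\n", ...); }`, or log only the request line. Separately, when `is_http` is false on a stream socket the bytes are dropped and the socket is left open, so a non-HTTP client holds a web-admin connection indefinitely; an `} else { to_be_closed = 1; }` after the `is_http` block would release it. The `setup_admin_thread` context at the end of this hunk continues outside it.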
@@ -1212,7 +1335,8 @@ void setup_admin_thread(void)
 bufferevent_setcb(adminserver.in_buf, admin_server_receive_message, NULL, NULL, &adminserver);
 bufferevent_enable(adminserver.in_buf, EV_READ);
 }
- if (use_http) {
+
+ {
 struct bufferevent *pair[2];
 bufferevent_pair_new(adminserver.event_base, TURN_BUFFEREVENTS_OPTIONS, pair);
@@ -1224,6 +1348,31 @@ void setup_admin_thread(void)
 bufferevent_enable(adminserver.https_in_buf, EV_READ);
 }
+
+ // Setup the web-admin server
+ if(use_web_admin) {
+ if(!web_admin_addr_set) {
+ if(make_ioa_addr((const u08bits*)WEB_ADMIN_DEFAULT_IP, 0, &web_admin_addr) < 0) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot set web-admin address %s\n", WEB_ADMIN_DEFAULT_IP);
+ return;
+ }
+ }
+
+ addr_set_port(&web_admin_addr, web_admin_port);
+
+ char saddr[129];
+ addr_to_string_no_port(&web_admin_addr,(u08bits*)saddr);
+
+ tls_listener_relay_server_type *tls_service = create_tls_listener_server(turn_params.listener_ifname, saddr, web_admin_port, turn_params.verbose, adminserver.e, send_socket_to_admin_server, NULL);
+
+ if (tls_service == NULL) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,"Cannot create web-admin listener\n");
+ return;
+ }
+
+ addr_debug_print(adminserver.verbose, &web_admin_addr, "web-admin listener opened on ");
+ }
+
 if(use_cli) {
 if(!cli_addr_set) {
 if(make_ioa_addr((const u08bits*)CLI_DEFAULT_IP,0,&cli_addr)<0) {
@@ -2002,7 +2151,7 @@ static void write_pc_page(ioa_socket_handle s)
 https_print_uint(sb,(unsigned long)turn_params.max_port,"max-port",0);
 https_print_flag(sb,turn_params.no_multicast_peers,"no-multicast-peers","no-multicast-peers");
- https_print_flag(sb,turn_params.no_loopback_peers,"no-loopback-peers","no-loopback-peers");
+ https_print_flag(sb,turn_params.allow_loopback_peers,"allow-loopback-peers","allow-loopback-peers");
 https_print_empty_row(sb,2);
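Review bot: Both failure paths in the new web-admin block of the second hunk `return` from `setup_admin_thread` before the `if(use_cli)` listener setup that follows, so a web-admin listener that cannot be created silently disables the telnet CLI as well, and the only trace is one ERROR line. Because the operator explicitly enabled `--web-admin`, a listener that cannot be bound is better treated as fatal — replace both `return;` with `exit(-1);` — or, if best-effort is intended, log and fall through so the CLI setup still runs. `addr_set_port(&web_admin_addr, web_admin_port)` also takes `web_admin_port` without any range check, so validation has to happen either here or where the option is parsed. setup_admin_thread's body continues outside the hunk.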
@@ -2157,13 +2306,13 @@ static int https_print_session(ur_map_key_type key, ur_map_value_type value, voi
 const char *pn=csarg->client_protocol;
 if(pn[0]) {
 if(!strcmp(pn,"TLS") || !strcmp(pn,"tls") || !strcmp(pn,"Tls")) {
- if((tsi->client_protocol != TLS_SOCKET)||(tsi->client_protocol != TLS_SCTP_SOCKET))
+ if((tsi->client_protocol != TLS_SOCKET)&&(tsi->client_protocol != TLS_SCTP_SOCKET))
 return 0;
 } else if(!strcmp(pn,"DTLS") || !strcmp(pn,"dtls") || !strcmp(pn,"Dtls")) {
 if(tsi->client_protocol != DTLS_SOCKET)
 return 0;
 } else if(!strcmp(pn,"TCP") || !strcmp(pn,"tcp") || !strcmp(pn,"Tcp")) {
- if((tsi->client_protocol != TCP_SOCKET)||(tsi->client_protocol != SCTP_SOCKET))
+ if((tsi->client_protocol != TCP_SOCKET)&&(tsi->client_protocol != SCTP_SOCKET))
 return 0;
 } else if(!strcmp(pn,"UDP") || !strcmp(pn,"udp") || !strcmp(pn,"Udp")) {
 if(tsi->client_protocol != UDP_SOCKET)
@@ -3146,7 +3295,7 @@ static void handle_logon_request(ioa_socket_handle s, struct http_request* hr)
 s->special_session_size = sizeof(struct admin_session);
 }
- if(!(as->as_ok) && uname && pwd) {
+ if(!(as->as_ok) && uname && is_secure_string((const u08bits*)uname,1)) {
 const turn_dbdriver_t * dbd = get_dbdriver();
 if (dbd && dbd->get_admin_user) {
 password_t password;
diff --git a/src/apps/relay/turn_admin_server.h b/src/apps/relay/turn_admin_server.h
index eb8e877f..7edb47f7 100644
--- a/src/apps/relay/turn_admin_server.h
+++ b/src/apps/relay/turn_admin_server.h
@@ -81,8 +81,6 @@ extern struct admin_server adminserver;
 extern int use_cli;
-extern int use_http;
-
 #define CLI_DEFAULT_IP ("127.0.0.1")
 extern ioa_addr cli_addr;
 extern int cli_addr_set;
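Review bot: The `handle_logon_request` hunk drops the former `pwd` NULL check: the condition was `uname && pwd` and is now `uname && is_secure_string(...)`, so a logon request that carries a username but no password field now enters the branch with `pwd == NULL`. Whether the password comparison that follows (outside the hunk) dereferences `pwd` cannot be seen here, but keeping the guard costs nothing: `if(!(as->as_ok) && uname && pwd && is_secure_string((const u08bits*)uname,1)) {`. The function starts and ends outside the hunk.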
@@ -96,6 +94,16 @@ extern char cli_password[CLI_PASSWORD_LENGTH];
 #define DEFAULT_CLI_MAX_OUTPUT_SESSIONS (256)
 extern int cli_max_output_sessions;
+
+extern int use_web_admin;
+
+#define WEB_ADMIN_DEFAULT_IP ("127.0.0.1")
+extern ioa_addr web_admin_addr;
+extern int web_admin_addr_set;
+
+#define WEB_ADMIN_DEFAULT_PORT (8080)
+extern int web_admin_port;
+
 ////////////////////////////////////////////
 void setup_admin_thread(void);
diff --git a/src/client/ns_turn_ioaddr.c b/src/client/ns_turn_ioaddr.c
index 685b8755..138de18c 100644
--- a/src/client/ns_turn_ioaddr.c
+++ b/src/client/ns_turn_ioaddr.c
@@ -340,7 +340,7 @@ int addr_to_string(const ioa_addr* addr, u08bits* saddr)
 if (addr && saddr) {
- s08bits addrtmp[MAX_IOA_ADDR_STRING];
+ s08bits addrtmp[INET6_ADDRSTRLEN];
 if (addr->ss.sa_family == AF_INET) {
 inet_ntop(AF_INET, &addr->s4.sin_addr, addrtmp, INET_ADDRSTRLEN);
diff --git a/src/ns_turn_defs.h b/src/ns_turn_defs.h
index 5b50d945..99fe587e 100644
--- a/src/ns_turn_defs.h
+++ b/src/ns_turn_defs.h
@@ -31,7 +31,7 @@
 #ifndef __IOADEFS__
 #define __IOADEFS__
-#define TURN_SERVER_VERSION "4.5.0.8"
+#define TURN_SERVER_VERSION "4.5.1.0"
 #define TURN_SERVER_VERSION_NAME "dan Eider"
 #define TURN_SOFTWARE "Coturn-" TURN_SERVER_VERSION " '" TURN_SERVER_VERSION_NAME "'"
diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c
index 5eaf6172..5790b7f5 100644
--- a/src/server/ns_turn_server.c
+++ b/src/server/ns_turn_server.c
@@ -271,7 +271,7 @@ static int good_peer_addr(turn_turnserver *server, const char* realm, ioa_addr *
 if(server && peer_addr) {
 if(*(server->no_multicast_peers) && ioa_addr_is_multicast(peer_addr))
 return 0;
- if(*(server->no_loopback_peers) && ioa_addr_is_loopback(peer_addr))
+ if( !*(server->allow_loopback_peers) && ioa_addr_is_loopback(peer_addr))
 return 0;
 {
@@ -1029,7 +1029,7 @@ static int handle_turn_allocate(turn_turnserver *server,
 }
 ns_bcopy(value,username,ulen);
 username[ulen]=0;
- if(!is_secure_username(username)) {
+ if(!is_secure_string(username,1)) {
 TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: wrong username: %s\n", __FUNCTION__, (char*)username);
 username[0]=0;
 *err_code = 400;
@@ -3346,6 +3346,13 @@ static int check_stun_auth(turn_turnserver *server,
 ns_bcopy(stun_attr_get_value(sar),realm,alen);
 realm[alen]=0;
+ if(!is_secure_string(realm,0)) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: wrong realm: %s\n", __FUNCTION__, (char*)realm);
+ realm[0]=0;
+ *err_code = 400;
+ return -1;
+ }
+
 if(method == STUN_METHOD_CONNECTION_BIND) {
 get_realm_options_by_name((char *)realm, &(ss->realm_options));
@@ -3381,7 +3388,7 @@ static int check_stun_auth(turn_turnserver *server,
 ns_bcopy(stun_attr_get_value(sar),usname,alen);
 usname[alen]=0;
- if(!is_secure_username(usname)) {
+ if(!is_secure_string(usname,1)) {
 TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: wrong username: %s\n", __FUNCTION__, (char*)usname);
 usname[0]=0;
 *err_code = 400;
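Review bot: The new realm check in the second hunk calls `is_secure_string(realm,0)` while the username checks in the first and third hunks (and in `adminmain`) pass `1`, and nothing at any of these call sites says what the second argument selects; a reader has to open the helper to learn whether `0` loosens or tightens the accepted character set. A one-line comment at the realm check stating what the `0` mode permits, or a pair of named constants for the two modes used at every call site, would make the calls self-describing. The rejected realm is also echoed verbatim into the ERROR log through `%s` right after failing a character-set check; logging its length, or the check that failed, instead of the raw attribute bytes keeps untrusted wire data out of the log. check_stun_auth starts and ends outside these hunks.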
@@ -4563,14 +4570,13 @@ static int read_client_connection(turn_turnserver *server,
 ioa_network_buffer_delete(server->e, nbh);
 return 0;
 }
- } else {
- if (server->use_http) {
- SOCKET_TYPE st = get_ioa_socket_type(ss->client_socket);
- if(is_stream_socket(st)) {
- if(is_http((char*)ioa_network_buffer_data(in_buffer->nbh), ioa_network_buffer_get_size(in_buffer->nbh))) {
- const char *proto = "HTTP";
- ioa_network_buffer_data(in_buffer->nbh)[ioa_network_buffer_get_size(in_buffer->nbh)] = 0;
+ SOCKET_TYPE st = get_ioa_socket_type(ss->client_socket);
+ if(is_stream_socket(st)) {
+ if(is_http((char*)ioa_network_buffer_data(in_buffer->nbh), ioa_network_buffer_get_size(in_buffer->nbh))) {
+ const char *proto = "HTTP";
+ ioa_network_buffer_data(in_buffer->nbh)[ioa_network_buffer_get_size(in_buffer->nbh)] = 0;
+ if (*server->web_admin_listen_on_workers) {
 if(st==TLS_SOCKET) {
 proto = "HTTPS";
 set_ioa_socket_app_type(ss->client_socket,HTTPS_CLIENT_SOCKET);
@@ -4592,11 +4598,14 @@ static int read_client_connection(turn_turnserver *server,
 handle_http_echo(ss->client_socket);
 }
 return 0;
+ } else {
+ ss->to_be_closed = 1;
+ return 0;
 }
 }
 }
-
+
 //Unrecognized message received, ignore it
 FUNCEND;
@@ -4838,11 +4847,12 @@ void init_turn_server(turn_turnserver* server,
 vintp stun_only,
 vintp no_stun,
 vintp prod,
+ vintp web_admin_listen_on_workers,
 turn_server_addrs_list_t *alternate_servers_list,
 turn_server_addrs_list_t *tls_alternate_servers_list,
 turn_server_addrs_list_t *aux_servers_list,
 int self_udp_balance,
- vintp no_multicast_peers, vintp no_loopback_peers,
+ vintp no_multicast_peers, vintp allow_loopback_peers,
 ip_range_list_t* ip_whitelist, ip_range_list_t* ip_blacklist,
 send_socket_to_relay_cb send_socket_to_relay,
 vintp secure_stun, vintp mobility, int server_relay,
@@ -4851,7 +4861,6 @@ void init_turn_server(turn_turnserver* server,
 allocate_bps_cb allocate_bps_func,
 int oauth,
 const char* oauth_server_name,
- int use_http,
 int keep_address_family)
 {
 if (!server)
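Review bot: The first hunk removes the `} else {` that tied the HTTP detection to the preceding `if` block, so `get_ioa_socket_type`/`is_http` now run after that block whichever branch was taken. The visible context ends that block with `return 0;`, so the change is equivalent only if every path of the earlier block returns, which cannot be confirmed from the hunk and is worth checking against the start of `read_client_connection`, which lies outside it. The NUL terminator is also now written into the buffer before the `web_admin_listen_on_workers` test, so it happens even on the close-only path added in the second hunk; moving `ioa_network_buffer_data(in_buffer->nbh)[ioa_network_buffer_get_size(in_buffer->nbh)] = 0;` inside `if (*server->web_admin_listen_on_workers) {` keeps the disabled path to a pure close. read_client_connection's body continues outside both hunks.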
@@ -4870,7 +4879,7 @@ void init_turn_server(turn_turnserver* server,
 server->chquotacb = chquotacb;
 server->raqcb = raqcb;
 server->no_multicast_peers = no_multicast_peers;
- server->no_loopback_peers = no_loopback_peers;
+ server->allow_loopback_peers = allow_loopback_peers;
 server->secure_stun = secure_stun;
 server->mobility = mobility;
 server->server_relay = server_relay;
@@ -4900,6 +4909,7 @@ void init_turn_server(turn_turnserver* server,
 server->stun_only = stun_only;
 server->no_stun = no_stun;
 server->prod = prod;
+ server-> web_admin_listen_on_workers = web_admin_listen_on_workers;
 server->dont_fragment = dont_fragment;
 server->fingerprint = fingerprint;
@@ -4919,8 +4929,6 @@ void init_turn_server(turn_turnserver* server,
 server->allocate_bps_func = allocate_bps_func;
- server->use_http = use_http;
-
 server->keep_address_family = keep_address_family;
 set_ioa_timer(server->e, 1, 0, timer_timeout_handler, server, 1, "timer_timeout_handler");
diff --git a/src/server/ns_turn_server.h b/src/server/ns_turn_server.h
index 1f21d3f6..60d352e4 100644
--- a/src/server/ns_turn_server.h
+++ b/src/server/ns_turn_server.h
@@ -121,6 +121,7 @@ struct _turn_turnserver {
 vintp stun_only;
 vintp no_stun;
 vintp prod;
+ vintp web_admin_listen_on_workers;
 vintp secure_stun;
 turn_credential_type ct;
 get_alt_addr_cb alt_addr_cb;
@@ -132,7 +133,7 @@ struct _turn_turnserver {
 release_allocation_quota_cb raqcb;
 int external_ip_set;
 ioa_addr external_ip;
- vintp no_loopback_peers;
+ vintp allow_loopback_peers;
 vintp no_multicast_peers;
 send_turn_session_info_cb send_turn_session_info;
 send_https_socket_cb send_https_socket;
@@ -170,9 +171,6 @@ struct _turn_turnserver {
 int oauth;
 const char* oauth_server_name;
- /* HTTP-Admin-Server: */
- int use_http;
-
 /* Keep Address Family */
 int keep_address_family;
 };
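Review bot: `server-> web_admin_listen_on_workers = web_admin_listen_on_workers;` in the second hunk has a stray space after `->`, unlike every other assignment in `init_turn_server`; write `server->web_admin_listen_on_workers = web_admin_listen_on_workers;`. Minor, but the odd spacing also makes the line miss a search for `server->web_admin`. init_turn_server's body continues outside these hunks.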
@@ -202,12 +200,13 @@ void init_turn_server(turn_turnserver* server,
 vintp stun_only,
 vintp no_stun,
 vintp prod,
+ vintp web_admin_listen_on_workers,
 turn_server_addrs_list_t *alternate_servers_list,
 turn_server_addrs_list_t *tls_alternate_servers_list,
 turn_server_addrs_list_t *aux_servers_list,
 int self_udp_balance,
 vintp no_multicast_peers,
- vintp no_loopback_peers,
+ vintp allow_loopback_peers,
 ip_range_list_t* ip_whitelist,
 ip_range_list_t* ip_blacklist,
 send_socket_to_relay_cb send_socket_to_relay,
@@ -219,7 +218,6 @@ void init_turn_server(turn_turnserver* server,
 allocate_bps_cb allocate_bps_func,
 int oauth,
 const char* oauth_server_name,
- int use_http,
 int keep_address_family);
 ioa_engine_handle turn_server_get_engine(turn_turnserver *s);