This commit changes the server's default behavior to omit STUN error
reason phrases in responses. A new option, `--send-error-reason` (and
corresponding config file setting `send-error-reason`), is introduced
to enable the inclusion of these reason phrases if desired.
This change aims to reduce response size by default, while still
allowing you to enable more verbose error messages for debugging.
Changes include:
- Renamed `no_error_reason` to `send_error_reason` in `turn_params_t`.
- Default for `send_error_reason` is now `false` (reasons omitted).
- Command-line option changed to `--send-error-reason` to enable reasons.
- Updated `mainrelay.c` for new option name, logic, and usage string.
- Updated all `turnserver.conf` files (`examples/etc/turnserver.conf`,
`docker/coturn/turnserver.conf`) to reflect the new option and default.
- Adjusted conceptual test cases for the new default behavior.
- Partially updated `ns_turn_server.c` to use the new
`send_error_reason` flag. Due to some limitations I encountered, a full update
to `ns_turn_server.c` could not be reliably completed and will
require your manual review and completion to ensure all error generation
sites correctly adhere to the `send_error_reason` flag (sending
reasons only when it's true).
This commit introduces a new configuration option, `no-error-reason`.
When enabled, the TURN server will send STUN error responses with an
empty reason phrase. This can be useful in environments where minimizing
response size is critical, at the cost of slightly harder debugging.
Changes include:
- Added `no_error_reason` to the `turn_params_t` struct.
- Modified `mainrelay.c` to parse the `--no-error-reason` command-line
option and corresponding configuration file setting.
- Updated `ns_turn_server.c` to check this flag and conditionally
omit the reason phrase when constructing error responses.
- Added the new option to the example `turnserver.conf` file.
- Conceptually outlined test cases for this new functionality.
Set new release version to 4.7.0
Updating minor version due to some breaking changes in options to enable
more secure/robust configuration without additional flags (or relying on
recommended conf file which people seem to skip during updates)
TLSv1 and TLSv1.1 can be enabled using `--tlsv1` and `--tlsv1_1`
arguments accordingly
That assumes openssl version being used has these versions enabled
(which as of openssl-3.5 is not by default)
Deprecate `--no-stun-backward-compatibility` and set it to true by
default
Add new option `--stun-backward-compatibility`, off by default
Update example/recommended configuration files
This is a breaking change as passing `--no-stun-backward-compatibility`
will be rejected as invalid argument
Invert `--no-rfc5780` option to be true by default
Make it `--rfc5780` to enable it
Update example/recommended configuration files
Passing `--no-rfc5780` will have no effect as this is the default
behavior now
The `#allocation-default-address-family="ipv4"` line is repeated twice
in the example config, changed the second one to be `"ipv6"` which I
assume it was intended to be.
Add a `--prometheus-path` parameter which allows users to specify at
what
path the metrics should be exposed.
This simplifies serving metrics on a specific path behind some
restrictive reverse proxies that expect the upstream server to serve
URLs with paths matching the requested path.
Co-authored-by: Pavel Punsky <eakraly@users.noreply.github.com>
Some actions do not build with prometheus - adding prometheus tests
fails the jobs
cmake build tests did not run due to different target folder (while
reporting success) - now the bin folder is detected
Implement a custom prometheus http handler in order to:
1. Support listening on a specified address as opposed to any
2. Remove the requirement on the unmaintained promhttp library
This feature comes with one limitation: if an IPv4 address is used, the
server will not listen on the IPv6-mapped address, even if IPv6 is
available. That is, dual-stacking does not work.
Solves: #1475
---------
Co-authored-by: Pavel Punsky <eakraly@users.noreply.github.com>
I believe that many users, like myself, prefer to reference the
`turn.conf` file when deploying the TURN server with Docker, rather than
the `Readme.turnserver`. Additionally, I think it's important to
synchronize the Prometheus settings from the README into the` turn.conf`
file for better clarity. This way, users won't overlook any essential
options.
Co-authored-by: Ben Chang <ben_chang@htc.com>
Fixes#1533 and #1534
Memsetting `turn_params.default_users_db` before reading conf file, not
after.
Because auth is read in first iteration so secret was wiped out.
# test plan
Add new test script that uses config file to setup turnserver instead of
cli arguments and confirm it works (fails without the change)
For our deployment, it is useful if coturn returns a valid HTTP response to an HTTP request. To do this on the same port as STUN/TURN and without enabling the admin site, I have extended `read_client_connection()` to return a canned HTTP response, in response to an HTTP request, rather than immediately closing the connection.
Fixes https://github.com/coturn/coturn/issues/1239
https to web ui freeze in browser if no_tls option used, because no tls
stuff initialized.
This PR add warning about this and comment aboute this in default config
Similar to #989, use a single SSL context for all versions of DTLS
protocol
- Add support for modern API (protocol version independent APIs)
- Add DTLS test to the CI test
- Removing calls to `SSL_CTX_set_read_ahead` in DTLS context (does
nothing as DTLS is datagram protocol - we always get the whole datagram
so this call has no impact)
Fixes#924
openssl allows multiple TLS version support through a single SSL_CTX
object.
This PR replaces 4 per-version SSL_CTX objects with a single object
(DTLS is not yet changed).
SSL context initialization code for openssl with modern API (>=1.1.0)
uses `TLS_server_method` and `SSL_CTX_set_min_proto_version` instead of
enabling specific TLS version. Byproduct of this is TLSv1_3 support when
used with openssl-1.1.1 and above
TLS 1.2 and TLS 1.3 cannot be disabled (as before)
Test plan:
- run_tests.sh script now runs turnserver with SSL certificate (which
enables TLS support)
- run_tests.sh now has one more basic test that uses TLS protocol
Co-authored-by: Pavel Punsky <pavel.punsky@epicgames.com>
