diff --git a/plans/coturn/habitat/config/turnserver.conf b/plans/coturn/habitat/config/turnserver.conf
index a638f87..405f7c7 100644
--- a/plans/coturn/habitat/config/turnserver.conf
+++ b/plans/coturn/habitat/config/turnserver.conf
@@ -711,7 +711,7 @@ max-allocate-timeout={{ cfg.general.max_allocate_timeout }}
 #
 # See: https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/
 no-multicast-peers
-denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=0.0.0.1-0.255.255.255
 denied-peer-ip=10.0.0.0-10.255.255.255
 denied-peer-ip=100.64.0.0-100.127.255.255
 denied-peer-ip=127.0.0.0-127.255.255.255
diff --git a/terraform/modules/janus/main.tf b/terraform/modules/janus/main.tf
index d59c162..c11f1e3 100644
--- a/terraform/modules/janus/main.tf
+++ b/terraform/modules/janus/main.tf
@@ -219,7 +219,7 @@
 EOTOML
 sudo cat > /hab/user/coturn/config/user.toml << EOTOML
 [general]
-listening_ip = "$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)"
+listening_ip = "0.0.0.0"
 external_ip = "$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)"
 relay_ip = "$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)"
 allowed_peer_ip = "$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)"
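Review bot: The new range start leaves exactly one address, 0.0.0.0, outside the deny list, and on Linux a datagram sent to 0.0.0.0 is delivered to the local host, so this line can reopen the loopback path that the `denied-peer-ip=127.0.0.0-127.255.255.255` entry three lines below is meant to close. Unless coturn refuses the unspecified address as a peer somewhere else (I cannot confirm that from this hunk), the practical effect is close to dropping 127.0.0.1 from the list. The commit does not say why the start moved to 0.0.0.1; if the parser rejects a range that begins at 0.0.0.0, record that above the line, e.g. `# range starts at 0.0.0.1: <reason>; 0.0.0.0 itself is rejected by <where>`. Please also confirm on a test server that a permission for peer 0.0.0.0 is refused before this ships.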
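Review bot: Replacing the instance-local address with `listening_ip = "0.0.0.0"` binds the TURN listener on every interface of the host, so the security group and host firewall become the only control over who can reach the listening port; if that is intended, say so on the line, e.g. `# bind all interfaces; reachability is limited by the security group`. The three remaining `curl -s http://169.254.169.254/...` lookups feed `external_ip`, `relay_ip` and `allowed_peer_ip` with whatever the metadata service returns, and `-s` without `-f` or a check means a token-only (IMDSv2) instance or a transient failure writes empty or unexpected strings into user.toml with no error. Consider fetching the address once into a shell variable with `curl -sf`, aborting the script when it is empty, and reusing it for the three keys, so an empty `allowed_peer_ip` never reaches coturn. The hunk at `@@ -299,7 +302,7 @@` makes the same change and carries the same points. The heredoc and the script that contains it begin and end outside this hunk.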
@@ -241,6 +241,9 @@
 aws s3 cp s3://${aws_s3_bucket.janus-bucket.id}/coturn-files.tar.gz.gpg .
 gpg2 -d --pinentry-mode=loopback --passphrase-file=/hab/svc/coturn/files/gpg-file-key.txt coturn-files.tar.gz.gpg | tar xz -C /hab/svc/coturn/files
 rm coturn-files.tar.gz.gpg
+chown -R hab:hab /hab/svc/janus-gateway/files
+chown -R hab:hab /hab/svc/coturn/files
+
 sudo /usr/bin/hab svc load mozillareality/janus-gateway --strategy ${var.janus_restart_strategy} --url https://bldr.habitat.sh --channel ${var.janus_channel}
 sudo /usr/bin/hab svc load mozillareality/coturn --strategy ${var.coturn_restart_strategy} --url https://bldr.habitat.sh --channel ${var.janus_channel}
 sudo /usr/bin/hab svc load mozillareality/telegraf --strategy at-once --url https://bldr.habitat.sh --channel stable
@@ -299,7 +302,7 @@
 EOTOML
 sudo cat > /hab/user/coturn/config/user.toml << EOTOML
 [general]
-listening_ip = "$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)"
+listening_ip = "0.0.0.0"
 external_ip = "$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)"
 relay_ip = "$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)"
 allowed_peer_ip = "$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)"
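Review bot: The two added `chown -R hab:hab` lines fix ownership of the extracted secrets but not their mode; `tar xz` keeps the modes stored in the archive (subject to umask only when not run as root), so if `/hab/svc/coturn/files` or its contents — including `gpg-file-key.txt`, the passphrase file used on the line above — were archived group- or world-readable, other local accounts can still read them after this change. Pair the ownership fix with a mode fix, e.g. `chmod -R go-rwx /hab/svc/janus-gateway/files /hab/svc/coturn/files`. The janus-gateway directory is populated outside this hunk, so I am assuming the same extraction pattern applies to it. The hunk at `@@ -321,6 +324,9 @@` makes the identical change and needs the same adjustment.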
@@ -321,6 +324,9 @@
 aws s3 cp s3://${aws_s3_bucket.janus-bucket.id}/coturn-files.tar.gz.gpg .
 gpg2 -d --pinentry-mode=loopback --passphrase-file=/hab/svc/coturn/files/gpg-file-key.txt coturn-files.tar.gz.gpg | tar xz -C /hab/svc/coturn/files
 rm coturn-files.tar.gz.gpg
+chown -R hab:hab /hab/svc/janus-gateway/files
+chown -R hab:hab /hab/svc/coturn/files
+
 sudo /usr/bin/hab svc load mozillareality/janus-gateway --strategy ${var.janus_restart_strategy} --url https://bldr.habitat.sh --channel ${var.janus_channel}
 sudo /usr/bin/hab svc load mozillareality/coturn --strategy ${var.coturn_restart_strategy} --url https://bldr.habitat.sh --channel ${var.janus_channel}
 sudo /usr/bin/hab svc load mozillareality/telegraf --strategy at-once --url https://bldr.habitat.sh --channel stable