From 69b2df629b5020a13c1c14ee7d98d0f9beefd1d8 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 22 Mar 2023 08:04:25 +0200
Subject: [PATCH] Enable some recommended Coturn options in an effort to lower DDoS amplification factor

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2592
---
 roles/custom/matrix-coturn/defaults/main.yml | 14 ++++++++++++++
 .../matrix-coturn/templates/turnserver.conf.j2 | 12 ++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml
index 9922f1d01..ee662b25d 100644
--- a/roles/custom/matrix-coturn/defaults/main.yml
+++ b/roles/custom/matrix-coturn/defaults/main.yml
@@ -112,11 +112,25 @@ matrix_coturn_user_quota: null
 matrix_coturn_total_quota: null
 
 # Controls whether `no-tcp-relay` is added to the configuration
+# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L419-L422
 matrix_coturn_no_tcp_relay_enabled: true
 
 # Controls whether `no-multicast-peers` is added to the configuration
+# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L629-L632
 matrix_coturn_no_multicast_peers_enabled: true
 
+# Controls whether `no-rfc5780` is added to the configuration
+# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L770-L781
+matrix_coturn_no_rfc5780_enabled: true
+
+# Controls whether `no-stun-backward-compatibility` is added to the configuration
+# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L783-L789
+matrix_coturn_no_stun_backward_compatibility_enabled: true
+
+# Controls whether `response-origin-only-with-rfc5780` is added to the configuration
+# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L791-L796
+matrix_coturn_response_origin_only_with_rfc5780_enabled: true
+
 # Additional configuration to be passed to turnserver.conf
 # Example:
 # matrix_coturn_additional_configuration: |
diff --git a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 b/roles/custom/matrix-coturn/templates/turnserver.conf.j2
index dfc3a87d5..3ed7b99fa 100644
--- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2
+++ b/roles/custom/matrix-coturn/templates/turnserver.conf.j2
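Review bot: The three new variables default to `true`, so every existing deployment changes STUN behaviour on its next run, but the comments above `matrix_coturn_no_rfc5780_enabled` and `matrix_coturn_no_stun_backward_compatibility_enabled` only say the option is "added to the configuration" and defer to an upstream link. The compatibility cost deserves one line in the file itself: if I read the upstream description correctly, `no-stun-backward-compatibility` stops answering legacy (RFC 3489 style) STUN Binding requests and `no-rfc5780` removes NAT-behaviour-discovery responses, which mainly affects old non-WebRTC STUN clients rather than Matrix clients. I would add, above the default, `# Reduces STUN amplification potential; disable only if you must serve legacy (pre-RFC 5389) STUN clients.` and a similar note for the RFC 5780 pair, and flag the changed default in the changelog so operators who run other STUN consumers against this server know why they broke.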
@@ -35,6 +35,18 @@ prod
 no-tcp-relay
 {% endif %}
 
+{% if matrix_coturn_no_rfc5780_enabled %}
+no-rfc5780
+{% endif %}
+
+{% if matrix_coturn_no_stun_backward_compatibility_enabled %}
+no-stun-backward-compatibility
+{% endif %}
+
+{% if matrix_coturn_response_origin_only_with_rfc5780_enabled %}
+response-origin-only-with-rfc5780
+{% endif %}
+
 {% if matrix_coturn_user_quota != None %}
 user-quota={{ matrix_coturn_user_quota }}
 {% endif %}
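Review bot: The rendered `turnserver.conf` gives an operator no hint why `no-rfc5780`, `no-stun-backward-compatibility` and `response-origin-only-with-rfc5780` are present, and the three new `{% if %}` blocks carry no comment either; since turnserver.conf accepts `#` comments, I would emit one line before the first block, `# Trim unauthenticated STUN responses to lower the DDoS amplification factor`, so the intent survives into the file on the host. It is also worth being explicit, in that comment or in the role docs, that these options shrink the reply to an unauthenticated STUN Binding request rather than stop the server replying at all, so a residual (smaller) amplification vector remains on the STUN listener; removing it entirely would presumably require not serving STUN from this host, which the role does not attempt here. The `{% if matrix_coturn_no_tcp_relay_enabled %}` block that precedes the new lines starts outside this hunk.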