

Merge pull request #202 from screego/deny
feat: add `SCREEGO_TURN_DENY_PEERS`
jmattheis authored Sep 28, 2024
2 parents e5864f3 + 5fda00e commit 54f9fb6
Showing 4 changed files with 43 additions and 2 deletions.
20 changes: 20 additions & 0 deletions config/config.go
Expand Up @@ -4,6 +4,7 @@ import (
"crypto/rand"
"errors"
"fmt"
"net"
"os"
"path/filepath"
"regexp"
Expand Down Expand Up @@ -63,6 +64,9 @@ type Config struct {
TurnIPProvider ipdns.Provider `ignored:"true"`
TurnPort string `ignored:"true"`

TurnDenyPeers []string `default:"0.0.0.0/8,127.0.0.1/8,::/128,::1/128,fe80::/10" split_words:"true"`
TurnDenyPeersParsed []*net.IPNet `ignored:"true"`

CloseRoomWhenOwnerLeaves bool `default:"true" split_words:"true"`
}

Expand Down Expand Up @@ -218,6 +222,22 @@ func Get() (Config, []FutureLog) {
}
logs = append(logs, logDeprecated()...)

for _, cidrString := range config.TurnDenyPeers {
_, cidr, err := net.ParseCIDR(cidrString)
if err != nil {
logs = append(logs, FutureLog{
Level: zerolog.FatalLevel,
Msg: fmt.Sprintf("Invalid SCREEGO_TURN_DENY_PEERS %q: %s", cidrString, err),
})
} else {
config.TurnDenyPeersParsed = append(config.TurnDenyPeersParsed, cidr)
}
}
logs = append(logs, FutureLog{
Level: zerolog.InfoLevel,
Msg: fmt.Sprintf("Deny turn peers within %q", config.TurnDenyPeersParsed),
})

return config, logs
}

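Review bot: The default in the `TurnDenyPeers` tag is asymmetric: it blocks IPv6 link-local (`fe80::/10`) but not the IPv4 link-local block `169.254.0.0/16`, which is where cloud instance-metadata endpoints (169.254.169.254) are typically served, so a hosted deployment that keeps the default still lets any authenticated TURN user relay to the metadata service. Suggest `default:"0.0.0.0/8,127.0.0.1/8,169.254.0.0/16,::/128,::1/128,fe80::/10"` and the same string for the value in screego.config.example. Leaving the RFC 1918 ranges to the operator seems deliberate (they may be legitimate peers), but that trade-off deserves a comment above the field, e.g. `// Private (RFC 1918) ranges are not denied by default; see screego.config.example for a full reserved-range list.` Separately, if the env loader splits the list on commas without trimming, `net.ParseCIDR` on an entry like ` 192.168.0.0/16` fails with a confusing fatal; `net.ParseCIDR(strings.TrimSpace(cidrString))` would make the value whitespace-tolerant.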
1 change: 1 addition & 0 deletions screego.config.development
Expand Up @@ -2,3 +2,4 @@ SCREEGO_SECRET=secure
SCREEGO_LOG_LEVEL=debug
SCREEGO_CORS_ALLOWED_ORIGINS=http://localhost:3000
SCREEGO_USERS_FILE=./users
SCREEGO_TURN_DENY_PEERS=
10 changes: 10 additions & 0 deletions screego.config.example
Expand Up @@ -60,6 +60,16 @@ SCREEGO_TURN_EXTERNAL_PORT=3478
# Authentication secret for the external TURN server.
SCREEGO_TURN_EXTERNAL_SECRET=

# Deny/ban peers within specific CIDRs to prevent TURN server users from
# accessing machines reachable by the TURN server but not from the internet,
# useful when the server is behind a NAT.
#
# Disallow internal ip addresses: https://en.wikipedia.org/wiki/Reserved_IP_addresses
# SCREEGO_TURN_DENY_PEERS=0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,127.0.0.1/8,169.254.0.0/16,172.16.0.0/12,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,224.0.0.0/4,239.0.0.0/8,255.255.255.255/32,::/128,::1/128,64:ff9b:1::/48,100::/64,2001::/32,2002::/16,fc00::/7,fe80::/10
#
# By default denies local addresses.
SCREEGO_TURN_DENY_PEERS=0.0.0.0/8,127.0.0.1/8,::/128,::1/128,fe80::/10

# If reverse proxy headers should be trusted.
# Screego uses ip whitelisting for authentication
# of TURN connections. When behind a proxy the ip is always the proxy server.
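Review bot: The comment `# By default denies local addresses.` overstates what the default below does: it covers only loopback, `0.0.0.0/8` and IPv6 link-local, so RFC 1918 ranges and IPv4 link-local (`169.254.0.0/16`) remain reachable through the relay unless the longer list is uncommented, and an operator behind a NAT is likely to read "local" as including their LAN. Suggest `# By default only loopback, 0.0.0.0/8 and IPv6 link-local are denied; private (RFC 1918) and IPv4 link-local ranges stay reachable unless you use the full list above.` In the full list, `239.0.0.0/8` is already contained in `224.0.0.0/4`, and the reserved `240.0.0.0/4` block is absent; harmless, but worth tidying since the line points at the reserved-address list as its source.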
14 changes: 12 additions & 2 deletions turn/server.go
Expand Up @@ -98,14 +98,24 @@ func newInternalServer(conf config.Config) (Server, error) {
IPProvider: conf.TurnIPProvider,
}

var permissions turn.PermissionHandler = func(clientAddr net.Addr, peerIP net.IP) bool {
for _, cidr := range conf.TurnDenyPeersParsed {
if cidr.Contains(peerIP) {
return false
}
}

return true
}

_, err = turn.NewServer(turn.ServerConfig{
Realm: Realm,
AuthHandler: svr.authenticate,
ListenerConfigs: []turn.ListenerConfig{
{Listener: tcpListener, RelayAddressGenerator: gen},
{Listener: tcpListener, RelayAddressGenerator: gen, PermissionHandler: permissions},
},
PacketConnConfigs: []turn.PacketConnConfig{
{PacketConn: udpListener, RelayAddressGenerator: gen},
{PacketConn: udpListener, RelayAddressGenerator: gen, PermissionHandler: permissions},
},
})
if err != nil {
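Review bot: A denied peer in the `permissions` closure returns `false` silently, so an authenticated client probing internal ranges through the relay leaves no trace; that is precisely the event an operator would want surfaced. Suggest logging `clientAddr` and `peerIP` before `return false`, for example `log.Debug().Stringer("client", clientAddr).Stringer("peer", peerIP).Msg("TURN peer denied by SCREEGO_TURN_DENY_PEERS")`, assuming the zerolog logger used in config.go is in scope here (not visible from the hunk). It is also worth a one-line comment on the loop that `net.IPNet.Contains` folds IPv4-mapped IPv6 addresses to IPv4, so a `::ffff:127.0.0.1` peer is caught by the `127.0.0.1/8` entry and no `::ffff:0:0/96` entry is needed. `newInternalServer` begins before this hunk and the `err` check after `turn.NewServer` continues past it.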
