finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Isolate Coturn from services in the default Docker network

Browse Source 
Most (all?) of our Matrix services are running in the `matrix` network,
so they were safe -- not accessible from Coturn to begin with.

Isolating Coturn into its own network is a security improvement
for people who were starting other services in the default
Docker network. Those services were potentially reachable over the
private Docker network from Coturn.

Discussed in #120 (Github Pull Request)
This commit is contained in:
Slavi Pantaleev
2019-03-18 17:36:00 +02:00
parent c6858d2a08
commit 24cf27c60c
4 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
View File

@ -15,6 +15,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
--cap-drop=ALL \
--read-only \
--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
--network={{ matrix_coturn_docker_network }} \
-p 3478:3478 \
-p 3478:3478/udp \
-p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \