From 4c9f96722f3f6ed56e73cfeecbbeb6fd88ab2faf Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 26 Jan 2023 17:04:04 +0200
Subject: [PATCH] Add no-multicast-peers to Coturn config by default

Part of a security hardening provoked by:
https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
---
 roles/custom/matrix-coturn/defaults/main.yml | 3 +++
 roles/custom/matrix-coturn/templates/turnserver.conf.j2 | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml
index 3a125de48..22ad48d65 100644
--- a/roles/custom/matrix-coturn/defaults/main.yml
+++ b/roles/custom/matrix-coturn/defaults/main.yml
@@ -73,6 +73,9 @@ matrix_coturn_denied_peer_ips: []
 matrix_coturn_user_quota: null
 matrix_coturn_total_quota: null
 
+# Controls whether `no-multicast-peers` is added to the configuration
+matrix_coturn_no_multicast_peers_enabled: true
+
 # To enable TLS, you need to provide paths to certificates.
 # Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.
 # Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`.
diff --git a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 b/roles/custom/matrix-coturn/templates/turnserver.conf.j2
index 1bdf310a2..dc8d96ee7 100644
--- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2
+++ b/roles/custom/matrix-coturn/templates/turnserver.conf.j2
@@ -39,6 +39,10 @@ user-quota={{ matrix_coturn_user_quota }}
 total-quota={{ matrix_coturn_total_quota }}
 {% endif %}
 
+{% if matrix_coturn_no_multicast_peers_enabled %}
+no-multicast-peers
+{% endif %}
+
 {% for ip_range in matrix_coturn_denied_peer_ips %}
 denied-peer-ip={{ ip_range }}
 {% endfor %}
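Review bot: The comment on the new `matrix_coturn_no_multicast_peers_enabled` default describes the mechanism but not the security rationale, so an operator reading defaults/main.yml has no reason not to flip it off. Since the commit message ties this to the linked CVE-2020-26262 write-up, carry that into the file: `# Disallows relaying to multicast peer addresses (coturn's no-multicast-peers). Part of the hardening described in the article linked from the commit that introduced it; leave enabled unless multicast relaying is genuinely required.` I would also note in the same comment that this is independent of `matrix_coturn_denied_peer_ips`, which the hunk header shows defaulting to `[]`, so it does not replace an explicit denied-peer list.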
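Review bot: The new `{% if matrix_coturn_no_multicast_peers_enabled %}` block only emits `no-multicast-peers`, which as far as I know restricts peers on multicast ranges and nothing else; the hardening the commit message aims for still depends on `denied-peer-ip`, and the `matrix_coturn_denied_peer_ips` loop right below iterates an empty default. The template should make that visible so the two settings are not mistaken for one another, e.g. a Jinja comment above the block: `{# no-multicast-peers blocks multicast destinations only; restrict private/internal destinations via matrix_coturn_denied_peer_ips #}`. It may also be worth a follow-up that seeds a non-empty default for the denied list, but that is outside this hunk.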