finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Allow STUN/TURN exposure over TCP/UDP to be controlled separately & disable STUN over UDP by default

Browse Source
This commit is contained in:
Slavi Pantaleev
2025-02-19 11:48:12 +02:00
parent 1c61a3d332
commit ac26cc1cb0
6 changed files with 60 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
roles/custom/matrix-coturn/defaults/main.yml
View File

@ -51,15 +51,32 @@ matrix_coturn_container_additional_volumes: []
# A list of extra arguments to pass to the container
matrix_coturn_container_extra_arguments: []
# Controls whether the coturn container exposes its plain STUN port (tcp/3478 and udp/3478 in the container).
# Controls whether the coturn container exposes its plain STUN port (tcp/3478 in the container) over TCP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
matrix_coturn_container_stun_plain_host_bind_port: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"
matrix_coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its TLS STUN port (tcp/5349 and udp/5349 in the container).
# Controls whether the coturn container exposes its plain STUN port (udp/3478 in the container) over UDP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
#
# This is not done by default to decrease the risk of DDoS amplification attacks.
# See: https://stormwall.network/resources/blog/protect-against-ddos-based-on-stun-exploit
matrix_coturn_container_stun_plain_host_bind_port_udp: ""
# Controls whether the coturn container exposes its TLS STUN port (tcp/5349 in the container) over TCP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
matrix_coturn_container_stun_tls_host_bind_port: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"
matrix_coturn_container_stun_tls_host_bind_port_tcp: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its TLS STUN port (udp/5349 in the container) over UDP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
#
# This is enabled by default, unlike `matrix_coturn_container_stun_plain_host_bind_port_udp`,
# because the risk of DDoS amplification attacks is lower for TLS
# due to the handshake requiring two-way authentication and being generally more expensive.
matrix_coturn_container_stun_tls_host_bind_port_udp: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its TURN UDP port range and which interface to do it on.
#