Merge pull request 'Configure STUN/TURN for ejabberd and nginx proxy' (#407) from feature/ejabberd_stun_n_turn into new_ldap_server
Reviewed-on: #407
5c31531357
@ -1,37 +1,44 @@
|
|||
{
|
||||
"id": "ejabberd",
|
||||
"5apps_ldap_password": {
|
||||
"encrypted_data": "+sg4xj4nVTepvCOQ+Nupln+Ni2zkpxEHyJxj8IQqug==\n",
|
||||
"iv": "38KjEZZbI9rNfsA1\n",
|
||||
"auth_tag": "O3onB3RmxU09fBsQO9h5OA==\n",
|
||||
"encrypted_data": "3o0jv/jKAIVR/FcyLH5JfDlbqsEYC1LnN2qK25b47Q==\n",
|
||||
"iv": "6YTMw9vMiDANQDVP\n",
|
||||
"auth_tag": "hIfhn4fHcuV34TLt0o4BLg==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"kosmos_ldap_password": {
|
||||
"encrypted_data": "GFTIbthhsiVnkRk8C8cqvyBTCnSQ7JgqM1djR63BYg==\n",
|
||||
"iv": "07hmbipcLzslZT81\n",
|
||||
"auth_tag": "yCSwv9oI/eDY5ATXn5oFmQ==\n",
|
||||
"encrypted_data": "3DuaEKmfnBycnPHtOPX59i1Iu2MiDsUv2NhHMLVRVA==\n",
|
||||
"iv": "XC2igt4I4qNNgCYD\n",
|
||||
"auth_tag": "cRKNVa+dgIeKtMJbV26fMQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"uploads_secret": {
|
||||
"encrypted_data": "QMY6QnL/hxGAxG4hQBFSsM7sRR3izZO62EjZAIV2F165\n",
|
||||
"iv": "Swez2eH4b11G/exT\n",
|
||||
"auth_tag": "zKsX7IYoMKPOmdGxZcfMPQ==\n",
|
||||
"encrypted_data": "Hsa0CNxtxgSeqcConNMINdNHnq8Nb4FTokRg3yZB2Fw5\n",
|
||||
"iv": "fWjiwhJ7NZIvUHyt\n",
|
||||
"auth_tag": "BS7TfOFSLeozLtuD6pRr6g==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"admins": {
|
||||
"encrypted_data": "NMmjCdV3H/cg3G2/gToqxj0iq1UpOBwjaK8eya46doNOC77AlOdV5uPTJvqI\nJYmy31RUFPtjQUfCsidPpsbdx3k6sQjiPSRZDEA9u6S35w9hNBXHz1PLCDKb\nCfEtwM30xhmcDSFEllpXFE+0Bh1lUF/cHFt9/z5ZjSPYKSQg5cM2h89nMScJ\n",
|
||||
"iv": "9TlJYq79eQy6T1l/\n",
|
||||
"auth_tag": "E8KMY1uIVWtnAFmdiP1R5g==\n",
|
||||
"encrypted_data": "5Nr8AHUFlFCjjG/OtLXcJIfvAF0MLbiGYgmG3ck8Da+duGMLz35Kh/BT4ZCd\nOK/7ID35whjRm0CbaanzfffDiTaa8Bo/DI+2rZDdaFyiaOeGvOXv21YwC7IT\nIZkH6pphbxzR86kfxtPB9bqhkA7rq9toCU1TU3TCXlNG6flR0c02j6t3Nwu7\n",
|
||||
"iv": "vFjSjzaEiZJB4lAo\n",
|
||||
"auth_tag": "3DEcFQSC1H7q/o9EiAwS3A==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"erlang_cookie": {
|
||||
"encrypted_data": "YKCUrV/vEH2zWXlZJWIQkYhK+uwBaHvSpYmdVQwQgQTxege7HtTs\n",
|
||||
"iv": "c7SINIqy8p+yMlQ+\n",
|
||||
"auth_tag": "b7OyWy3QFaQLENmiNqaFPg==\n",
|
||||
"encrypted_data": "+W8iX2Ye1QL6Tqy4J5DyBIQ8oPEaIWONV1tsoTEZT+YjqqTfFgqo\n",
|
||||
"iv": "2fYgOBtGmqFTFddy\n",
|
||||
"auth_tag": "6tfWx9FA/oD7c4THW7cQlQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"stun_secret": {
|
||||
"encrypted_data": "bgLeWgPdI3LQTlxZI2Wcn2/NY+zyumxUPJUFqUrZn7MEEXQOl1Dd2W0Vzks=\n",
|
||||
"iv": "xevLfSR+wqEk5jVw\n",
|
||||
"auth_tag": "7Jvcaq2UlLJVIX7TqSX2OQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
}
|
||||
|
|
|
@ -24,6 +24,7 @@
|
|||
"kosmos_gitea::nginx",
|
||||
"kosmos_website",
|
||||
"kosmos_website::default",
|
||||
"kosmos-ejabberd::nginx",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
|
|
|
@ -6,6 +6,7 @@ default_run_list = %w(
|
|||
kosmos_drone::nginx
|
||||
kosmos_gitea::nginx
|
||||
kosmos_website::default
|
||||
kosmos-ejabberd::nginx
|
||||
)
|
||||
|
||||
env_run_lists(
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
node.default["kosmos-ejabberd"]["version"] = "20.12"
|
||||
node.default["kosmos-ejabberd"]["checksum"] = "3d2a4e9d1aa2d189017f4f310eff4d0b6c6d7cd911209cfbcca7b0ec5b577b65"
|
||||
node.default["kosmos-ejabberd"]["turn_ip_address"] = "148.251.83.201"
|
||||
node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478
|
||||
node.default["kosmos-ejabberd"]["turn_min_port"] = 50000
|
||||
node.default["kosmos-ejabberd"]["turn_max_port"] = 55000
|
||||
node.default["kosmos-ejabberd"]["turn_max_port"] = 50050
|
||||
|
||||
node.override["tor"]["HiddenServices"]["ejabberd"] = {
|
||||
"HiddenServicePorts" => [
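Review bot: `turn_ip_address` is pinned to a literal public address in the cookbook's default attributes, whereas the ejabberd recipe hunk in this same commit drops `node["knife_zero"]["host"]` for it; because the value is now both the `turn_ipv4_address` ejabberd advertises as its relay address and the `host` of every mod_stun_disco service entry, a reader needs to know whose address it is. From the nginx stream template it looks like the proxy's address rather than this node's own, so I would document that on the line: `# Public address clients are told to use for STUN/TURN (the nginx stream proxy in front of ejabberd), not this node's own IP`. `turn_max_port` is also assigned twice in the hunk (55000 and 50050); if 50050 is the surviving value, the relay range is about 50 ports and that is what caps concurrent TURN allocations, which is presumably deliberate given the per-port listeners in the stream template and deserves a one-line comment alongside `turn_min_port`.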
|
||||
|
|
|
@ -161,7 +161,9 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
|
|||
variables hosts: hosts,
|
||||
admin_users: admin_users,
|
||||
stun_auth_realm: "kosmos.org",
|
||||
turn_ip_address: node["knife_zero"]["host"],
|
||||
stun_secret: ejabberd_credentials['stun_secret'],
|
||||
turn_ip_address: node["kosmos-ejabberd"]["turn_ip_address"],
|
||||
stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
|
||||
turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
|
||||
turn_max_port: node["kosmos-ejabberd"]["turn_max_port"],
|
||||
akkounts_ip_addresses: akkounts_ip_addresses
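Review bot: `stun_secret: ejabberd_credentials['stun_secret']` puts the shared STUN/TURN credential into the rendered `/opt/ejabberd/conf/ejabberd.yml`; the resource's `owner`/`mode` lines are outside this hunk, so it is worth confirming in the same commit that the file is not readable by anyone other than the ejabberd user, since whoever can read it can mint valid TURN credentials. `stun_auth_realm: "kosmos.org"` is a literal while the rest of the block is attribute-driven; if it is meant to stay fixed a short comment saying so would stop someone "fixing" it later, otherwise it belongs next to the other `node["kosmos-ejabberd"]` attributes. The `template` block starts before this hunk.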
|
||||
|
|
|
@ -25,13 +25,13 @@ firewall_rule 'erlang_cluster' do
|
|||
end
|
||||
|
||||
firewall_rule 'ejabberd_stun_turn' do
|
||||
port 3478
|
||||
protocol :tcp
|
||||
port node["kosmos-ejabberd"]["stun_turn_port"]
|
||||
protocol :udp
|
||||
command :allow
|
||||
end
|
||||
|
||||
firewall_rule 'ejabberd_turn' do
|
||||
port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
|
||||
protocol :tcp
|
||||
protocol :udp
|
||||
command :allow
|
||||
end
|
||||
|
|
|
@ -0,0 +1,52 @@
|
|||
#
|
||||
# Cookbook:: kosmos-ejabberd
|
||||
# Recipe:: nginx
|
||||
#
|
||||
|
||||
include_recipe "kosmos-base::firewall"
|
||||
|
||||
ejabberd_hosts = []
|
||||
search(:node, "role:ejabberd").each do |node|
|
||||
ejabberd_hosts << node["knife_zero"]["host"]
|
||||
end
|
||||
|
||||
ejabberd_hosts.each do |ip_address|
|
||||
IPAddr.new ip_address
|
||||
rescue IPAddr::InvalidAddressError
|
||||
ejabberd_hosts.delete ip_address
|
||||
next
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/streams-available/ejabberd" do
|
||||
source "nginx_conf_streams.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
# variables ejabberd_hosts: ejabberd_hosts
|
||||
variables ejabberd_hosts: ["10.1.1.113"],
|
||||
stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
|
||||
turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
|
||||
turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_stream "ejabberd" do
|
||||
action :enable
|
||||
end
|
||||
|
||||
firewall_rule "ejabberd" do
|
||||
port [5222, 5223, 5269, 5443]
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
|
||||
firewall_rule 'ejabberd_stun_turn' do
|
||||
port node["kosmos-ejabberd"]["stun_turn_port"]
|
||||
protocol :udp
|
||||
command :allow
|
||||
end
|
||||
|
||||
firewall_rule 'ejabberd_turn' do
|
||||
port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
|
||||
protocol :udp
|
||||
command :allow
|
||||
end
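Review bot: The stream template is rendered with a hard-coded `ejabberd_hosts: ["10.1.1.113"]` while the list gathered from `search(:node, "role:ejabberd")` and checked with `IPAddr` just above is left unused (its `variables` line is commented out), so the search and the address validation have no effect on where nginx proxies to; if the literal was a debugging value it should not reach the branch in this form. The validation loop also calls `ejabberd_hosts.delete` on the array it is iterating, which can skip the element following a removed one, and the block parameter named `node` shadows Chef's `node` inside the search block. Building the list with `map`/`compact` and filtering it with `select!` keeps the check meaningful and passes the real variable back into the template; `require "ipaddr"` is shown at the top in case nothing earlier in the run loads it (hedged, Chef may already have it).
```ruby
require "ipaddr"

# … unchanged: include_recipe "kosmos-base::firewall" …

# Knife-zero host of every ejabberd node, keeping only values IPAddr accepts;
# the filter runs on a separate pass so the list is never mutated mid-iteration.
ejabberd_hosts = search(:node, "role:ejabberd").map { |n| n["knife_zero"]["host"] }.compact
ejabberd_hosts.select! do |ip_address|
  IPAddr.new ip_address
  true
rescue IPAddr::InvalidAddressError
  false
end

template "#{node['nginx']['dir']}/streams-available/ejabberd" do
  # … unchanged: source, owner, mode …
  variables ejabberd_hosts: ejabberd_hosts,
            stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
            turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
            turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
  # … unchanged: notifies …
end
```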
|
|
@ -78,12 +78,13 @@ listen:
|
|||
## register: true
|
||||
captcha: false
|
||||
-
|
||||
port: 3478
|
||||
transport: tcp
|
||||
port: <%= @stun_turn_port %>
|
||||
transport: udp
|
||||
module: ejabberd_stun
|
||||
auth_realm: <%= @stun_auth_realm %>
|
||||
use_turn: true
|
||||
turn_ip: <%= @turn_ip_address %>
|
||||
tls: false
|
||||
turn_ipv4_address: <%= @turn_ip_address %>
|
||||
turn_min_port: <%= @turn_min_port %>
|
||||
turn_max_port: <%= @turn_max_port %>
|
||||
|
||||
|
@ -230,7 +231,21 @@ modules:
|
|||
versioning: true
|
||||
store_current_id: true
|
||||
mod_shared_roster: {}
|
||||
mod_stun_disco: {}
|
||||
mod_stun_disco:
|
||||
secret: <%= @stun_secret %>
|
||||
services:
|
||||
-
|
||||
host: <%= @turn_ip_address %>
|
||||
port: <%= @stun_turn_port %>
|
||||
type: stun
|
||||
transport: udp
|
||||
restricted: false
|
||||
-
|
||||
host: <%= @turn_ip_address %>
|
||||
port: <%= @stun_turn_port %>
|
||||
type: turn
|
||||
transport: udp
|
||||
restricted: true
|
||||
mod_vcard:
|
||||
search: false
|
||||
mod_vcard_xupdate: {}
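Review bot: `secret: <%= @stun_secret %>` interpolates the credential into YAML as a bare scalar; a value containing `: `, ` #`, or a leading `*`, `&`, `!`, `[` or `{` would change how the document parses or make ejabberd reject it, and a value such as `123` would arrive as an integer. Emitting it quoted, `secret: "<%= @stun_secret %>"`, avoids that for everything except `"` and `\` in the credential, which would need escaping (or `.to_json`) if the data bag value can contain them. The two `services` entries differ only in `type` and `restricted`; a short comment on the `turn` entry, such as `# restricted: true — clients need mod_stun_disco credentials derived from `secret` to relay`, would make the asymmetry with the open STUN entry clearly intentional. The `modules:` map starts before this hunk.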
|
||||
|
|
|
@ -0,0 +1,81 @@
|
|||
log_format proxy '$remote_addr [$time_local] '
|
||||
'$protocol $status $bytes_sent $bytes_received '
|
||||
'$session_time "$upstream_addr" '
|
||||
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
|
||||
|
||||
access_log /var/log/nginx/streams.log proxy buffer=32k flush=1m;
|
||||
|
||||
upstream ejabberd_c2s {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5222;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_c2s_tls {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5223;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_s2s {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5269;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_https {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5443;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_stun_turn {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:<%= @stun_turn_port %>;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_turn {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
<% (@turn_min_port..@turn_max_port).each do |port| %>
|
||||
server <%= "#{ip_address}:#{port.to_s}" %>;
|
||||
<% end %>
|
||||
<% end %>
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5222;
|
||||
proxy_pass ejabberd_c2s;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5223;
|
||||
proxy_pass ejabberd_c2s;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5269;
|
||||
proxy_pass ejabberd_s2s;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5443;
|
||||
proxy_pass ejabberd_https;
|
||||
}
|
||||
|
||||
server {
|
||||
listen <%= @stun_turn_port %> udp;
|
||||
proxy_pass ejabberd_stun_turn;
|
||||
}
|
||||
|
||||
server {
|
||||
listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp;
|
||||
proxy_pass 10.1.1.113:$server_port;
|
||||
#proxy_pass ejabberd_turn;
|
||||
}
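Review bot: The `server` block that listens on 5223 forwards to `ejabberd_c2s`, the 5222 upstream, instead of `ejabberd_c2s_tls`, so the direct-TLS client port would be proxied onto the plain STARTTLS listener and the `ejabberd_c2s_tls` upstream is never referenced; `proxy_pass ejabberd_c2s_tls;` is the line I would expect there. The TURN relay block hard-codes `proxy_pass 10.1.1.113:$server_port;` with the upstream commented out, while every other backend in this template is derived from `@ejabberd_hosts`; it should use the same variable, for example `proxy_pass <%= @ejabberd_hosts.first %>:$server_port;`, together with a comment that `$server_port` is what keeps the relay port mapping one-to-one, because the `ejabberd_turn` upstream lists every port and can hand a packet arriving on port N to a server entry with a different port. That also means the relay path only works for a single backend host, which is worth stating next to the `upstream ejabberd_turn` block if it is kept.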
|