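#!/bin/bash
# Installs and configures a coturn TURN/STUN server on a Debian/Ubuntu host and
# optionally obtains a Let's Encrypt certificate so coturn can serve TLS on 443.
# Everything below writes under /etc, manages systemd units and swap, so the
# script refuses to run unless it is already root (the later steps do not use sudo).
if [[ "$EUID" -ne 0 ]]; then
  # Diagnostics go to stderr so they are not mistaken for installer output.
  echo "Please run as root or with sudo" >&2
  exit 1
fi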
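#######################################
# Copy the Let's Encrypt certificate and private key for a domain into coturn's
# own directory and lock the permissions down to the turnserver user.
# Arguments:
#   $1 - domain name whose /etc/letsencrypt/live/<domain>/ files are copied
# Returns:
#   0 on success, 1 if the directory or either copy could not be created
#######################################
setup_permissions() {
  local DOMAIN=$1
  local live_dir="/etc/letsencrypt/live/${DOMAIN}"
  local cert_dir=/etc/coturn/certs

  mkdir -p -- "$cert_dir" || return 1

  # cp dereferences the symlinks in live/, so coturn gets a plain file it can read
  # without needing access to /etc/letsencrypt/archive. Fail loudly rather than
  # letting coturn restart with a stale or missing key.
  cp -- "${live_dir}/fullchain.pem" "${cert_dir}/" || return 1
  cp -- "${live_dir}/privkey.pem" "${cert_dir}/" || return 1

  # Private key must not be world-readable; the directory is closed off too so a
  # future file dropped in here does not inherit a permissive mode.
  chown -R turnserver:turnserver -- "$cert_dir"
  chmod 700 -- "$cert_dir"
  chmod 600 -- "${cert_dir}"/*.pem
  return 0
}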
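#######################################
# Obtain a Let's Encrypt certificate for the domain, point coturn at it, install
# a certbot deploy hook that re-copies renewed files, and restart coturn.
# Arguments:
#   $1 - domain name coturn will serve TLS for
# Returns:
#   0 on success; 1 if the user aborts, certbot fails, or the certs cannot be copied
#######################################
configure_ssl() {
  local DOMAIN=$1
  local cert_dir=/etc/coturn/certs
  local hook=/etc/letsencrypt/renewal-hooks/deploy/coturn-reload
  local -a stopped=()
  local svc obtained=0
  local local_ip domain_ips

  if ! command -v certbot >/dev/null; then
    apt-get install -y certbot || return 1
  fi

  # Check the name resolves to this host before contacting Let's Encrypt: failed
  # validations count against its rate limits. Only A records are compared, and a
  # domain with several A records passes as long as one of them is ours.
  # Both values come from the network; an empty public IP is treated as a mismatch
  # rather than silently comparing equal to an empty dig result.
  local_ip=$(curl -s https://api.ipify.org)
  domain_ips=$(dig +short A "$DOMAIN" | grep -E '^[0-9]+(\.[0-9]+){3}$')
  echo "Verifying domain configuration..."
  echo "Server IP: $local_ip"
  echo "Domain IP: $domain_ips"
  if [[ -z "$local_ip" ]] || ! grep -qxF -- "$local_ip" <<<"$domain_ips"; then
    echo "Warning: Domain $DOMAIN does not point to this server's IP ($local_ip)"
    read -r -p "Continue anyway? (y/N): " CONTINUE
    if [[ "${CONTINUE,,}" != "y" ]]; then
      return 1
    fi
  fi

  # certbot --standalone needs port 80 for http-01. Stop a web server holding it,
  # remembering which ones so they are brought back afterwards (the original script
  # left them down). ss ships with iproute2 on every systemd host; netstat is not
  # installed by this script.
  if ss -tuln 2>/dev/null | grep -q ':80 '; then
    echo "Warning: Port 80 is in use. Stopping potentially conflicting services..."
    for svc in nginx apache2; do
      if systemctl is-active --quiet "$svc"; then
        systemctl stop "$svc" && stopped+=("$svc")
      fi
    done
  fi

  # tls-alpn-01 is only a fallback: it needs port 443, which coturn takes over below,
  # so a certificate issued this way will not renew cleanly later. http-01 is the
  # path that keeps working, provided port 80 is free at renewal time (a web server
  # restarted here will need certbot's --pre-hook/--post-hook or the webroot plugin).
  if certbot certonly --standalone --preferred-challenges http -d "$DOMAIN"; then
    obtained=1
  else
    echo "Failed to obtain SSL certificate. Trying alternative method..."
    if certbot certonly --standalone --preferred-challenges tls-alpn-01 -d "$DOMAIN"; then
      obtained=1
    fi
  fi

  for svc in "${stopped[@]}"; do
    systemctl start "$svc" || echo "Warning: could not restart $svc" >&2
  done
  (( obtained )) || return 1

  # Append the TLS settings once; re-running the script must not stack duplicates.
  # NOTE: coturn now owns 443 on this host, so nothing else can listen there.
  if ! grep -q '^tls-listening-port=' /etc/turnserver.conf; then
    cat >> /etc/turnserver.conf << EOL
cert=${cert_dir}/fullchain.pem
pkey=${cert_dir}/privkey.pem
tls-listening-port=443
EOL
  fi

  setup_permissions "$DOMAIN" || return 1

  # Deploy hook: certbot runs it after each successful renewal. DOMAIN and cert_dir
  # are expanded now (unquoted heredoc); the glob is evaluated when the hook runs.
  # SIGUSR2 is the signal coturn documents for reloading its certificates.
  mkdir -p -- "$(dirname -- "$hook")"
  cat > "$hook" << EOL
#!/bin/bash
# Installed by turnserver_install.sh: copy the renewed certificate for ${DOMAIN}
# into coturn's directory and ask coturn to reload it.
set -e
cp -- "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" "${cert_dir}/"
cp -- "/etc/letsencrypt/live/${DOMAIN}/privkey.pem" "${cert_dir}/"
chown turnserver:turnserver "${cert_dir}"/*.pem
chmod 600 "${cert_dir}"/*.pem
systemctl --signal=SIGUSR2 kill coturn
EOL
  chmod 755 -- "$hook"

  # Restart rather than reload so the new listener and cert paths take effect.
  systemctl restart coturn
  return 0
}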
# Main installation function
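#######################################
# Install coturn and write a base (non-TLS) configuration with one static
# long-term credential, raise file-descriptor limits, cap journald usage and
# enable the service.
# Arguments:
#   $1 - realm / server name (the domain)
#   $2 - TURN username
#   $3 - TURN password (written in clear text to /etc/turnserver.conf)
# Returns:
#   0 on success, 1 if package installation fails; otherwise the status of
#   `systemctl start coturn`
#######################################
install_coturn() {
  local DOMAIN=$1
  local USERNAME=$2
  local PASSWORD=$3
  local conf=/etc/turnserver.conf
  local limit

  apt-get update
  # curl and dnsutils (dig) are needed by the domain checks elsewhere in this script.
  apt-get install -y coturn curl dnsutils || return 1

  # Raise open-file limits. Each append is guarded so re-running the installer
  # does not keep stacking duplicate lines. The script already runs as root, so
  # no sudo is needed here.
  grep -qF 'fs.file-max = 65535' /etc/sysctl.conf \
    || echo "fs.file-max = 65535" >> /etc/sysctl.conf
  sysctl -p
  for limit in "* soft nofile 65535" "* hard nofile 65535" \
               "root soft nofile 65535" "root hard nofile 65535"; do
    grep -qxF -- "$limit" /etc/security/limits.conf \
      || echo "$limit" >> /etc/security/limits.conf
  done

  echo "TURNSERVER_ENABLED=1" > /etc/default/coturn

  # The config holds the TURN password in clear text, so create it root:turnserver
  # 0640 *before* writing (cat > keeps the mode of an existing file). turnserver is
  # the account the certs are chowned to, i.e. the one coturn is expected to run as.
  # The heredoc expands PASSWORD once; the expanded text is not re-interpreted by
  # the shell, but a ':' in either field would break coturn's user=NAME:PASS parsing.
  # NOTE: a static credential is permanent until this file is edited; coturn's
  # TURN REST API (use-auth-secret) hands out short-lived credentials instead and is
  # worth considering for anything internet-facing.
  install -m 640 -o root -g turnserver /dev/null "$conf"
  cat > "$conf" << EOL
listening-port=3478
alt-listening-port=0
fingerprint
lt-cred-mech
min-port=49152
max-port=65535
user=${USERNAME}:${PASSWORD}
stale-nonce=600
realm=${DOMAIN}
server-name=${DOMAIN}
no-multicast-peers
no-stdout-log
# A TURN relay forwards to any peer address by default, so anyone holding the
# credential above can reach this host's private networks through it. Uncomment
# (or adapt) if the relay has no business talking to internal ranges:
#denied-peer-ip=10.0.0.0-10.255.255.255
#denied-peer-ip=172.16.0.0-172.31.255.255
#denied-peer-ip=192.168.0.0-192.168.255.255
EOL

  # Lets an unprivileged turnserver bind the TLS port 443 configured by
  # configure_ssl (ports below 1024 need this capability).
  setcap cap_net_bind_service=+ep /usr/bin/turnserver

  # Keep coturn's (verbose) journald output from filling the disk.
  mkdir -p /etc/systemd/journald.conf.d/
  cat > /etc/systemd/journald.conf.d/coturn.conf << EOL
[Journal]
SystemMaxUse=50M
RuntimeMaxUse=50M
EOL
  systemctl restart systemd-journald

  systemctl daemon-reload
  systemctl enable coturn
  systemctl start coturn
}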
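# Swap setup: replace any existing /swapfile with a fresh 16 GB one.
# (The script already runs as root, so the sudo prefixes are unnecessary.)
echo "Increasing swap memory to 16GB"
if [[ -f /swapfile ]]; then
  # Detach only this file; `swapoff -a` would also drop unrelated swap devices.
  swapoff /swapfile 2>/dev/null || true
  rm -f -- /swapfile
fi
# NOTE: fallocate-created swap is not usable on every filesystem (btrfs, some
# xfs setups); if mkswap/swapon complain, create the file with dd instead.
fallocate -l 16G /swapfile
chmod 600 /swapfile   # swap contents must not be readable by other users
mkswap /swapfile
swapon /swapfile
if ! grep -qF -- '/swapfile none swap sw 0 0' /etc/fstab; then
  echo '/swapfile none swap sw 0 0' >> /etc/fstab
fi

# Main script execution
echo "TURN Server Installation and Configuration"
echo "----------------------------------------"

# Get or verify domain. dig exits 0 even when the name has no records, so the
# check has to look at its output rather than its status.
while true; do
  read -r -p "Enter your domain (e.g., turn.example.com): " DOMAIN
  echo "Verifying domain..."
  if [[ -n "$DOMAIN" && -n "$(dig +short "$DOMAIN")" ]]; then
    break
  fi
  echo "Warning: Domain $DOMAIN does not appear to be configured. Please verify DNS settings."
  read -r -p "Try a different domain? (Y/n): " RETRY
  if [[ "${RETRY,,}" == "n" ]]; then
    break
  fi
done

# TURN credential. Both fields end up on coturn's `user=NAME:PASSWORD` line, so a
# ':' cannot appear in either, and an empty value would leave the relay protected
# by nothing worth the name.
while true; do
  read -r -p "Enter username for TURN: " USERNAME
  read -r -s -p "Enter password for TURN: " PASSWORD
  echo
  if [[ -n "$USERNAME" && -n "$PASSWORD" && "$USERNAME" != *:* && "$PASSWORD" != *:* ]]; then
    break
  fi
  echo "Username and password must be non-empty and must not contain ':'" >&2
done

# Install base TURN server; there is nothing to secure if this step failed.
if ! install_coturn "$DOMAIN" "$USERNAME" "$PASSWORD"; then
  echo "coturn installation failed; see the output above." >&2
  exit 1
fi

# Configure SSL if desired
read -r -p "Do you want to enable SSL/TLS support? (y/N): " ENABLE_SSL
if [[ "${ENABLE_SSL,,}" == "y" ]]; then
  if ! configure_ssl "$DOMAIN"; then
    echo "SSL configuration failed. You can retry SSL setup later by running:"
    echo "certbot delete"
    echo "certbot certonly --standalone -d $DOMAIN"
    echo "Then restart coturn: systemctl restart coturn"
  fi
fi

# Display status (--no-pager so this does not block when run non-interactively)
systemctl status --no-pager coturn
echo "Installation complete!"
echo "----------------------------------------"
echo "Domain: $DOMAIN"
echo "Username: $USERNAME"
echo "STUN/TURN ports: 3478 (default)"
if [[ "${ENABLE_SSL,,}" == "y" ]]; then
  echo "TLS enabled on port 443"
  echo "SSL certificates will automatically renew via certbot"
fi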