From 6202025877ca272df57933ed5c1e1debfb94743c Mon Sep 17 00:00:00 2001 From: Jannis Mattheis Date: Sat, 29 Jul 2023 18:00:39 +0200 Subject: [PATCH 1/2] Remove turn strict auth Screego already secures the turn connections via credentials that are generated on demand. The strict auth can cause problems when screego is deployed via docker or some other container deployment. --- config/config.go | 13 ++++++++++--- screego.config.development | 1 - screego.config.example | 6 ------ turn/server.go | 27 +++------------------------ 4 files changed, 13 insertions(+), 34 deletions(-) diff --git a/config/config.go b/config/config.go index bad81c23..2d7e4e05 100644 --- a/config/config.go +++ b/config/config.go @@ -45,9 +45,8 @@ type Config struct { Secret []byte `split_words:"true"` SessionTimeoutSeconds int `default:"0" split_words:"true"` - TurnAddress string `default:":3478" required:"true" split_words:"true"` - TurnStrictAuth bool `default:"true" split_words:"true"` - TurnPortRange string `split_words:"true"` + TurnAddress string `default:":3478" required:"true" split_words:"true"` + TurnPortRange string `split_words:"true"` TurnExternalIP []string `split_words:"true"` TurnExternalPort string `default:"3478" split_words:"true"` @@ -217,10 +216,18 @@ func Get() (Config, []FutureLog) { Msg: "Less than 40 ports are available for turn. When using multiple TURN connections this may not be enough", }) } + logs = append(logs, logDeprecated()...) return config, logs } +func logDeprecated() []FutureLog { + if os.Getenv("SCREEGO_TURN_STRICT_AUTH") != "" { + return []FutureLog{{Level: zerolog.WarnLevel, Msg: "The setting SCREEGO_TURN_STRICT_AUTH has been removed."}} + } + return nil +} + func getExecutableOrWorkDir() (string, *FutureLog) { dir, err := getExecutableDir() // when using `go run main.go` the executable lives in th temp directory therefore the env.development diff --git a/screego.config.development b/screego.config.development index 665167d9..b49c8c56 100644 
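Review bot: `logDeprecated` consults only the process environment, so a `SCREEGO_TURN_STRICT_AUTH` left in a config file (the development file in this same series carried one) is caught only if `Get` has already loaded that file into the environment by the time `logs = append(logs, logDeprecated()...)` runs; if the file is read by some other path, the check should run after that load and against the parsed values. The helper also has no comment; suggest `// logDeprecated reports settings that were removed but are still present in the environment, so operators notice configuration that is now silently ignored.` Because the removed knob was an access control, the warning should say what replaces it, e.g. `Msg: "The setting SCREEGO_TURN_STRICT_AUTH has been removed; TURN access is protected by the on-demand credentials."`. Get starts outside the hunk.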
--- a/screego.config.development +++ b/screego.config.development @@ -2,4 +2,3 @@ SCREEGO_SECRET=secure SCREEGO_LOG_LEVEL=debug SCREEGO_CORS_ALLOWED_ORIGINS=http://localhost:3000 SCREEGO_USERS_FILE=./users -SCREEGO_TURN_STRICT_AUTH=false diff --git a/screego.config.example b/screego.config.example index 61f9b05f..7dae46be 100644 --- a/screego.config.example +++ b/screego.config.example @@ -40,12 +40,6 @@ SCREEGO_TURN_ADDRESS=0.0.0.0:3478 # 50000:55000 SCREEGO_TURN_PORT_RANGE= -# If true, the TURN server will compare the remote IP of the request with the -# remote ip of the existing WebSocket connection and deny access if it doesn't -# match. Disable this feature, if you use some kind of proxy which changes the -# remote ip. -SCREEGO_TURN_STRICT_AUTH=true - # If set, screego will not start TURN server and instead use an external TURN server. # When using a dual stack setup define both IPv4 & IPv6 separated by a comma. # Execute the following command on the server where you host TURN server diff --git a/turn/server.go b/turn/server.go index bdb95eef..d89b7a1a 100644 --- a/turn/server.go +++ b/turn/server.go @@ -22,9 +22,8 @@ type Server interface { } type InternalServer struct { - lock sync.RWMutex - strictAuth bool - lookup map[string]Entry + lock sync.RWMutex + lookup map[string]Entry } type ExternalServer struct { @@ -92,10 +91,7 @@ func newInternalServer(conf config.Config) (Server, error) { return nil, fmt.Errorf("tcp: could not listen on %s: %s", conf.TurnAddress, err) } - svr := &InternalServer{ - lookup: map[string]Entry{}, - strictAuth: conf.TurnStrictAuth, - } + svr := &InternalServer{lookup: map[string]Entry{}} gen := &Generator{ RelayAddressGenerator: generator(conf), 
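Review bot: With `strictAuth` gone, neither the `InternalServer` struct nor `svr := &InternalServer{lookup: map[string]Entry{}}` documents what now limits reuse of a credential: the two `authenticate` hunks on the following line drop the only check that tied a `lookup` entry to the connecting address, so as far as `authenticate` shows, a known username/password is accepted from any address until its entry leaves `lookup` (how and when entries are removed is not visible here). Suggest a comment on the `lookup` field in the struct hunk: `// lookup holds the credentials authenticate currently accepts; an entry is valid from any address until it is removed.` The `addr` parameter of `authenticate` is now used only for the debug log, which deserves a line in that function's doc comment so nobody assumes it still gates access. newInternalServer starts and ends outside the hunk.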
@@ -153,16 +149,6 @@ func (a *InternalServer) authenticate(username, realm string, addr net.Addr) ([] a.lock.RLock() defer a.lock.RUnlock() - var connectedIP net.IP - switch addr := addr.(type) { - case *net.UDPAddr: - connectedIP = addr.IP - case *net.TCPAddr: - connectedIP = addr.IP - default: - log.Error().Interface("type", fmt.Sprintf("%T", addr)).Msg("unknown addr type") - return nil, false - } entry, ok := a.lookup[username] if !ok { @@ -170,13 +156,6 @@ func (a *InternalServer) authenticate(username, realm string, addr net.Addr) ([] return nil, false } - authIP := entry.addr - - if a.strictAuth && !connectedIP.Equal(authIP) { - log.Debug().Interface("allowedIp", addr.String()).Interface("connectingIp", entry.addr.String()).Msg("TURN strict auth check failed") - return nil, false - } - log.Debug().Interface("addr", addr.String()).Str("realm", realm).Msg("TURN authenticated") return entry.password, true } From d02565245ec0d7b2016549689451f81d47c5adc6 Mon Sep 17 00:00:00 2001 From: Jannis Mattheis Date: Sat, 29 Jul 2023 18:03:55 +0200 Subject: [PATCH 2/2] Add docs for deploying screego in docker without network_mode: host --- docs/install.md | 50 ++++++++++++++++++++++++++++++++++++------------- 1 file changed, 37 insertions(+), 13 deletions(-) diff --git a/docs/install.md b/docs/install.md index 128a5641..bddc58d8 100644 --- a/docs/install.md +++ b/docs/install.md @@ -2,7 +2,7 @@ Latest Version: **GITHUB_VERSION** -?> Before starting Screego you may read [Configuration](config.md). +Before starting Screego you may read [Configuration](config.md). !> TLS is required for Screego to work. Either enable TLS inside Screego or use a reverse proxy to serve Screego via TLS. 
@@ -16,26 +16,16 @@ Setting up Screego with docker is pretty easy, you basically just have to start docker images are multi-arch docker images. This means the image will work for `amd64`, `i386`, `ppc64le` (power pc), `arm64`, `armv7` (Raspberry PI) and `armv6`. -When using [TURN](nat-traversal.md), Screego will allocate ports for relay -connections, this currently only works with network mode host inside docker. -See [#56](https://github.com/screego/server/issues/56) - By default, Screego runs on port 5050. ?> Replace `EXTERNALIP` with your external IP. One way to find your external ip is with ipify. - - ```bash - $ curl 'https://api.ipify.org' - ``` - -### Network Host + `curl 'https://api.ipify.org'` ```bash $ docker run --net=host -e SCREEGO_EXTERNAL_IP=EXTERNALIP ghcr.io/screego/server:GITHUB_VERSION ``` -#### docker-compose.yml - +**docker-compose.yml** ```yaml version: "3.7" services: @@ -46,6 +36,40 @@ services: SCREEGO_EXTERNAL_IP: "EXTERNALIP" ``` +If you don't want to use the host network, then you can configure docker like this: + +
(Click to expand) +

+ +```bash +$ docker run -it \ + -e SCREEGO_EXTERNAL_IP=EXTERNALIP \ + -e SCREEGO_TURN_PORT_RANGE=50000:50200 \ + -p 5050:5050 \ + -p 3478:3478 \ + -p 50000-50100:50000-50200/udp \ + screego/server:GITHUB_VERSION +``` + +#### docker-compose.yml + +```yml +version: "3.7" +services: + screego: + image: ghcr.io/screego/server:GITHUB_VERSION + ports: + - 5050:5050 + - 3478:3478 + - 50000-50100:50000-50200/udp + environment: + SCREEGO_EXTERNAL_IP: "192.168.178.2" + SCREEGO_TURN_PORT_RANGE: "50000:50200" +``` + +

+
+ ## Binary ### Supported Platforms: