diff --git a/config/config.go b/config/config.go
index bad81c23..2d7e4e05 100644
--- a/config/config.go
+++ b/config/config.go
@@ -45,9 +45,8 @@ type Config struct {
 Secret []byte `split_words:"true"`
 SessionTimeoutSeconds int `default:"0" split_words:"true"`
- TurnAddress string `default:":3478" required:"true" split_words:"true"`
- TurnStrictAuth bool `default:"true" split_words:"true"`
- TurnPortRange string `split_words:"true"`
+ TurnAddress string `default:":3478" required:"true" split_words:"true"`
+ TurnPortRange string `split_words:"true"`
 TurnExternalIP []string `split_words:"true"`
 TurnExternalPort string `default:"3478" split_words:"true"`
@@ -217,10 +216,18 @@ func Get() (Config, []FutureLog) {
 Msg: "Less than 40 ports are available for turn. When using multiple TURN connections this may not be enough",
 })
 }
+ logs = append(logs, logDeprecated()...)
 return config, logs
 }
+func logDeprecated() []FutureLog {
+ if os.Getenv("SCREEGO_TURN_STRICT_AUTH") != "" {
+ return []FutureLog{{Level: zerolog.WarnLevel, Msg: "The setting SCREEGO_TURN_STRICT_AUTH has been removed."}}
+ }
+ return nil
+}
+
 func getExecutableOrWorkDir() (string, *FutureLog) {
 dir, err := getExecutableDir()
 // when using `go run main.go` the executable lives in th temp directory therefore the env.development
diff --git a/screego.config.development b/screego.config.development
index 665167d9..b49c8c56 100644
--- a/screego.config.development
+++ b/screego.config.development
@@ -2,4 +2,3 @@ SCREEGO_SECRET=secure
 SCREEGO_LOG_LEVEL=debug
 SCREEGO_CORS_ALLOWED_ORIGINS=http://localhost:3000
 SCREEGO_USERS_FILE=./users
-SCREEGO_TURN_STRICT_AUTH=false
diff --git a/screego.config.example b/screego.config.example
index 61f9b05f..7dae46be 100644
--- a/screego.config.example
+++ b/screego.config.example
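Review bot: The warning returned by `logDeprecated` (config/config.go, hunk `@@ -217,10 +216,18 @@`) only says the setting "has been removed", so an operator who still sets SCREEGO_TURN_STRICT_AUTH=true gets no hint that the TURN server has stopped comparing the client IP with the IP of the WebSocket connection, which is the behaviour described by the comment this commit deletes from screego.config.example. Spelling that out keeps the change visible in the logs of deployments that relied on the check, e.g. `Msg: "The setting SCREEGO_TURN_STRICT_AUTH has been removed; the TURN server no longer checks the client IP against the WebSocket connection."`. The new function also has no doc comment; `// logDeprecated returns a warning for every removed setting that is still set in the environment.` would cover it. `Get` starts outside the hunk.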
@@ -40,12 +40,6 @@ SCREEGO_TURN_ADDRESS=0.0.0.0:3478
 # 50000:55000
 SCREEGO_TURN_PORT_RANGE=
-# If true, the TURN server will compare the remote IP of the request with the
-# remote ip of the existing WebSocket connection and deny access if it doesn't
-# match. Disable this feature, if you use some kind of proxy which changes the
-# remote ip.
-SCREEGO_TURN_STRICT_AUTH=true
-
 # If set, screego will not start TURN server and instead use an external TURN server.
 # When using a dual stack setup define both IPv4 & IPv6 separated by a comma.
 # Execute the following command on the server where you host TURN server
diff --git a/turn/server.go b/turn/server.go
index bdb95eef..d89b7a1a 100644
--- a/turn/server.go
+++ b/turn/server.go
@@ -22,9 +22,8 @@ type Server interface {
 }
 type InternalServer struct {
- lock sync.RWMutex
- strictAuth bool
- lookup map[string]Entry
+ lock sync.RWMutex
+ lookup map[string]Entry
 }
 type ExternalServer struct {
@@ -92,10 +91,7 @@ func newInternalServer(conf config.Config) (Server, error) {
 return nil, fmt.Errorf("tcp: could not listen on %s: %s", conf.TurnAddress, err)
 }
- svr := &InternalServer{
- lookup: map[string]Entry{},
- strictAuth: conf.TurnStrictAuth,
- }
+ svr := &InternalServer{lookup: map[string]Entry{}}
 gen := &Generator{
 RelayAddressGenerator: generator(conf),
@@ -153,16 +149,6 @@ func (a *InternalServer) authenticate(username, realm string, addr net.Addr) ([]
 a.lock.RLock()
 defer a.lock.RUnlock()
- var connectedIP net.IP
- switch addr := addr.(type) {
- case *net.UDPAddr:
- connectedIP = addr.IP
- case *net.TCPAddr:
- connectedIP = addr.IP
- default:
- log.Error().Interface("type", fmt.Sprintf("%T", addr)).Msg("unknown addr type")
- return nil, false
- }
 entry, ok := a.lookup[username]
 if !ok {
@@ -170,13 +156,6 @@ func (a *InternalServer) authenticate(username, realm string, addr net.Addr) ([]
 return nil, false
 }
- authIP := entry.addr
-
- if a.strictAuth && !connectedIP.Equal(authIP) {
- log.Debug().Interface("allowedIp", addr.String()).Interface("connectingIp", entry.addr.String()).Msg("TURN strict auth check failed")
- return nil, false
- }
-
 log.Debug().Interface("addr", addr.String()).Str("realm", realm).Msg("TURN authenticated")
 return entry.password, true
 }
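Review bot: With the IP comparison gone, the only thing `authenticate` still ties a TURN request to is the `a.lookup[username]` entry and the key it returns from `entry.password`; `addr` is now read only by the debug log. Nothing in the code records that this is deliberate, so a comment above the lookup would help the next reader: `// The source address is intentionally not verified; the per-session credentials alone authorize the allocation.` How those credentials are generated and when entries leave `lookup` is not visible in this diff, so it is worth confirming they are random per session and removed when the session ends, since they are now the sole barrier to relay use. If `Entry.addr` is still populated elsewhere it appears to be unused by this function after the change and could be dropped. The function starts outside the hunk, and the preceding hunk (`@@ -153,16 +149,6 @@`) removes the matching address extraction.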