Changes

Page history
popi created page: home authored by Popi's avatar Popi
Show whitespace changes
Inline Side-by-side
home.md 0 → 100644
View page @ d3f57689
### Why this project
Being a happy user of SOGo, I early on activated Turn configuration with long-term credentials. Problem is: the secret password of my turn user was visible and downloadable from the js script. Not optimal. I learnt that ephemeral credentials was the way to go to solve that issue.
[https://github.com/jsxc/jsxc](JSXC)'s github community helped me understand how to set it up and test it.
There is already a **PHP** script included with jsxc (might not be up-to-date on sjsxc) which enables dynamic creation of ephemeral credentials (timestamp is part of the equation, so it has to be on-demand).
SOGo being objective-C, the server I got it running on has no PHP installed on it.
This was the perfect opportunity to write a little python script and install uwsgi to be able to call that script through nginx.
Some extra info :
* integration of jsxc in SOGo (sjsxc) documentation can be found on jsxc's github Wiki under [https://github.com/jsxc/jsxc/wiki/Install-sjsxc-%28SOGo%29](Install sjsxc (SOGo))
* a coturn server's configuration example can also be found on jsxc's github Wiki [https://github.com/jsxc/jsxc/wiki/WebRTC-how-to](WebRTC How To)
### How it works
The cgi-bin directory contains all python-related files. Actual python files as well as the config files for uswgi and TURN authentication. Once everything is set up, anything reaching `/cgi-bin/*` will invariably result in a call to the python script wsgi.py, which itself is a callable for `getturncredentials.py`.
In the meantime, might be good to protect your config files from outsiders by adding in your nginx SOGo's configuration file :
```
# Turn credentials / config files
location ~ "(.*\.inc|.*\.json)$" { deny all; }
```
Now, install uwsgi, clone repository and start uwsgi daemon with provided config file:
```
apt-get install uwsgi uwsgi-core uwsgi-plugin-python
cd /usr/lib/GNUstep/SOGo/WebServerResources/sjsxc/ajax
git clone https://gitlab.nomagic.fr/popi/jsxc-rtcpeerconfig.git .
mv cgi-bin/sjsxc.json /etc/apps-available/
ln -s /etc/uwsgi/apps-available/sjsxc.json /etc/uwsgi/apps-enabled/sjsxc.json
service uwsgi start sjsxc
```
Now you just have to tell Nginx to send everything addressed to `/cgi-bin` to the uwsgi daemon.
At the end of SOGo's vhost, add:
```
location ~ /cgi-bin
{
uwsgi_pass unix:/tmp/uwsgi.sock;
include uwsgi_params;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
```
Here we use a unix socket to connect to **uwsgi**.
Reload nginx:
```
service nginx configtest
service nginx reload
```
Test via curl or browser:
```
curl https://example.com/SOGo/WebServerResources/sjsxc/ajax/cgi-bin/wsgi
{"iceServers": [{"urls": ["stun:stun.example.com", "stun:stun.example2.com"]}, {"username": "1483455638:userWebrtc", "credential": "wOk4VXXXXXXXXXO90=", "urls": ["turn:turn.example.com", "turn:turn.example2.com"]}], "ttl": 86400}
```
note : here the credential is a _hash_, not the **real** shared secret. The hash is generated from the secret and the username, which itself is a gathering of timestamp and username.
Finally, in you sjsxc/js folder on SOGo's server, modify **sjsxc.js** RTCPeedConfig url's setting.
Go to directory and make a copy:
```
cd /usr/lib/GNUstep/SOGo/WebServerResources/sjsxc/js
cp -p sjsxc.js sjsxc.js.orig
```
Create the patch file **sjsxc.patch** containing:
```
--- sjsxc.js
+++ sjsxc.js
@@ -174 +174 @@
- url: '/SOGo.woa/WebServerResources/sjsxc/ajax/getturncredentials.php'
+ url: '/SOGo.woa/WebServerResources/sjsxc/ajax/cgi-bin/wsgi'
```
Apply patch:
```
patch -u < sjsxc.patch
```
That's it, reload you SOGo login page, you should be all set.
### Conclusion
You should now have a symmetrical NAT-proofed WebRTC visio solution based on ephemeral credentials to authenticate your server on the TURN server.