overmind
/
matrix-docker-ansible-deploy
peilaus alkaen https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Fork 0
Koodi Ongelmat 0 Julkaisut 0 Wiki Toiminta
Selaa lähdekoodia

Re-enable STUN/UDP by default so that old Element mobile clients can work 

Partially reverts ac26cc1cb0.

The configurability introduced there is still available, so people can
easily disable this, if necessary.
pull/4095/head
Slavi Pantaleev 1 vuosi sitten
vanhempi
ee431798a6
commit
0d137db283
3 muutettua tiedostoa jossa 29 lisäystä ja 2 poistoa
Jaettu näkymä
Diff Options
Show Stats Download Patch File Download Diff File
  1. +25
    -0
      CHANGELOG.md
  2. +1
    -0
      docs/prerequisites.md
  3. +3
    -2
      roles/custom/matrix-coturn/defaults/main.yml

+ 25
- 0
CHANGELOG.md Näytä tiedosto

@@ -1,3 +1,28 @@
# 2025-02-23

## The playbook defaults to exposing the Coturn STUN port (3478) over UDP once again

Recently, we made the playbook [default to exposing the Coturn STUN port (3478) only over TCP](#the-playbook-now-defaults-to-exposing-the-coturn-stun-port-3478-only-over-tcp) to reduce the severity of DDoS amplification/reflection attacks.

It seems like old Element clients on mobile devices only support talking to the STUN port over UDP, not TCP.
To accommodate such ancient clients, we're now **reversing this change** and **defaulting to exposing the Coturn STUN port (3478) over UDP once again**.

In light of this new information, you have 2 options:

1. **If you already adapted to the previous change and would like to adapt to this change one again**:

- make sure the `3478/udp` port is whitelisted in your external firewall (if you have one) once again.

2. **If you don't care about old Element clients and wish to reduce the severity of DDoS amplification/reflection attacks**:

- Consider closing the STUN/UDP port with the following configuration:

```yaml
matrix_coturn_container_stun_plain_host_bind_port_udp: ""
```

- Consider keeping `3478/udp` blocked in your external firewall (if you have one)

# 2025-02-21

## Docker daemon options are no longer adjusted when IPv6 is enabled


+ 1
- 0
docs/prerequisites.md Näytä tiedosto

@@ -60,6 +60,7 @@ We will be using `example.com` as the domain in the following instruction. Pleas
- `80/tcp`: HTTP webserver
- `443/tcp` and `443/udp`: HTTPS webserver
- `3478/tcp`: STUN/TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md))
- `3478/udp`: STUN/TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md))
- `5349/tcp`: TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md))
- `5349/udp`: TURN over UDP (used by [coturn](./docs/configuring-playbook-turn.md))
- `8448/tcp` and `8448/udp`: Matrix Federation API HTTPS webserver. Some components like [Matrix User Verification Service](configuring-playbook-user-verification-service.md#open-matrix-federation-port) require this port to be opened **even with federation disabled**.


+ 3
- 2
roles/custom/matrix-coturn/defaults/main.yml Näytä tiedosto

@@ -60,9 +60,10 @@ matrix_coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if matrix_cotu
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
#
# This is not done by default to decrease the risk of DDoS amplification attacks.
# Ideally, we'd like to set this to "" to avoid exposing this port and decrease the risk of DDoS amplification attacks.
# See: https://stormwall.network/resources/blog/protect-against-ddos-based-on-stun-exploit
matrix_coturn_container_stun_plain_host_bind_port_udp: ""
# In practice, old Element clients only support talking to the STUN port over UDP, not TCP, so we need to keep this enabled for now.
matrix_coturn_container_stun_plain_host_bind_port_udp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"

# Controls whether the coturn container exposes its TLS STUN port (tcp/5349 in the container) over TCP.
#


Kirjoita Esikatselu
Ladataan…
Peruuta
Tallenna