jech / galene

The Galène videoconference server
https://galene.org
MIT License

ice-servers credentials are exposed to the client side on video#media-0 element #128

Closed radu-at closed 2 years ago

radu-at commented 2 years ago

If I don't set username/credential for the TURN server I get: "Perhaps you didn't configure a TURN server?" If I set username & credential I get: "Relay test successful in 1.692434453s, RTT = 66.043179ms". But in the browser this "server side" configuration is exposed to a regular user. Should it be like that? See attached screenshot (Galene-Screenshot at 2022-01-07 03-54-07).

jech commented 2 years ago

Yes, this is normal. The client is able to contact the server through the TURN server, hence it has access to the TURN credentials.

The workaround is to use short-lived TURN credentials (TURN credentials that are only valid for a short length of time). Two solutions:
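The short-lived credential scheme jech refers to, shown as an added example that is not Galène's own code: it follows the shared-secret ("TURN REST API") convention that coturn implements with `use-auth-secret`, where the username carries a Unix expiry time and the password is an HMAC-SHA1 over that username keyed with a secret shared only between the application server and the TURN server. The secret value, the user name `galene` and the 10-minute lifetime are constructed placeholders. Because the TURN server recomputes the MAC and checks the timestamp on every allocation, a pair that reaches the browser (as in the screenshot above) stops working once the embedded expiry passes, which is why exposing it to a logged-in client is acceptable.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// EphemeralTURNCredential builds a time-limited TURN username/password pair
// in the shared-secret scheme used by coturn's use-auth-secret mode:
// username = "<expiry-unix-time>:<user>", password = base64(HMAC-SHA1(secret, username)).
// The TURN server only needs the shared secret, so no per-user state is required.
func EphemeralTURNCredential(secret, user string, ttl time.Duration, now time.Time) (username, credential string) {
	expiry := now.Add(ttl).Unix()
	username = strconv.FormatInt(expiry, 10) + ":" + user
	mac := hmac.New(sha1.New, []byte(secret))
	mac.Write([]byte(username))
	credential = base64.StdEncoding.EncodeToString(mac.Sum(nil))
	return username, credential
}

// VerifyEphemeralTURNCredential mirrors what the TURN server does: recompute
// the MAC over the presented username, compare it in constant time, and
// reject the pair once the embedded expiry has passed. A leaked pair is
// therefore only usable until that timestamp.
func VerifyEphemeralTURNCredential(secret, username, credential string, now time.Time) bool {
	parts := strings.SplitN(username, ":", 2)
	if len(parts) != 2 {
		return false
	}
	expiry, err := strconv.ParseInt(parts[0], 10, 64)
	if err != nil || now.Unix() >= expiry {
		return false
	}
	mac := hmac.New(sha1.New, []byte(secret))
	mac.Write([]byte(username))
	expected := mac.Sum(nil)
	got, err := base64.StdEncoding.DecodeString(credential)
	if err != nil {
		return false
	}
	return hmac.Equal(expected, got)
}

func main() {
	// Constructed sample values: in a deployment the secret is the TURN
	// server's static-auth-secret, shared with the application server only.
	const secret = "example-shared-secret"
	now := time.Now()
	user, pass := EphemeralTURNCredential(secret, "galene", 10*time.Minute, now)
	fmt.Println("username:   ", user)
	fmt.Println("credential: ", pass)
	fmt.Println("valid now:  ", VerifyEphemeralTURNCredential(secret, user, pass, now))
	fmt.Println("valid in 1h:", VerifyEphemeralTURNCredential(secret, user, pass, now.Add(time.Hour)))
}
```

The application server hands the freshly minted pair to the client at login (or on each reconnect), so the lifetime can be kept to minutes; the static username/credential in an ice-servers file, by contrast, stays valid until it is rotated by hand.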

radu-at commented 2 years ago

I think the best way is that it is necessary to use a TURN server with credentials, and these credentials should be set up on the client side. It was unexpected to have "./data/ice-servers.json" exposed in the JS; "data/ice-servers.json" should be available only for the Galene server communicating with a TURN server.

If we need to expose predefined TURN servers, then we should have "./static/ice-servers.json"; at least this shows us clearly that the content will be exposed to any client.

jech commented 2 years ago

The contents of the ice-servers file are only exposed to the client after it has logged in. It's not exported over the static web server.

radu-at commented 2 years ago

For me it was unexpected; you should document this in the TURN server configuration. The /data/ folder should be as safe as "/.ssh/": when I see "key.pem" stored in "/data/", it makes me think the /data/ folder is the safest place in the Galene server. Thanks.