Open MichaelOultram-pexip opened 1 year ago
Option 1 or 3... By using a RP, customers are able to avoid the need for DNS/Certs for nodes which are potentially just internally-facing. We should not cut off this benefit.
I guess the real questions are:
The choice of solution should probably fall out of the answers to those (noting also that if internally-facing nodes are directly addressed from other systems on the internal network, then the same considerations would apply).
With a client <-> reverse proxy <-> MITM <-> conference node, an sufficient attacker could:
Whilst this is quite a bad outcome, there should be a very low chance of an attacker being able to gain enough access to MITM inside the customers internal network.
I'm propose that the installwizard should accept both FQDN and ip addresses to relay to. If a FQDN is given, then the TLS verification will be turned on, otherwise it won't.
Note that WebRTC media uses DTLS-SRTP for key generation (i.e. it does not use SDES-SRTP where the keys are sent verbatim in the SDP). Exploiting this, if you are a MITM requires:
Further, if ICE is involved, you'll need to jump through the hoops to make that work, too. None of this is impossible, of course.
Re-opening as we've backed the changes out in https://github.com/pexip/rp-turn/commit/673f1a9fa8e735fba881cc235be43b3bce6fb6ed due to #54
Helpfully, nginx defaults to not verifying TLS certificates on connections to upstream servers. Thus, this needs to be explicitly enabled with (at least):
Note, however, that the reverse proxy also configures nginx with the IP addresses of upstream servers, thus enabling certificate verification is guaranteed to break this scheme.
Therefore, either: