fixes lol

2026-01-07 03:29:05 -05:00 · 2026-01-07 03:29:05 -05:00 · c358db55aa
commit c358db55aa
parent 1a3930dd87
6 changed files with 55 additions and 22 deletions
--- a/terraform/modules/app_server/cloud-init.yaml.tpl
+++ b/terraform/modules/app_server/cloud-init.yaml.tpl
@ -85,10 +85,10 @@ write_files:
      # Inbound: Streaming ports
      ufw allow in 1935/tcp comment 'RTMP'
      ufw allow in 9999/udp comment 'SRT'
-      ufw allow in 3333/tcp comment 'WebRTC TCP'
-      ufw allow in 3333/udp comment 'WebRTC UDP'
-      ufw allow in 3334/tcp comment 'WebRTC TCP fallback'
      ufw allow in 8088/tcp comment 'HLS/LLHLS streaming'
+      # WebRTC signaling now proxied through nginx (443), only need media ports
+      ufw allow in 3478/udp comment 'WebRTC STUN/TURN'
+      ufw allow in 10000:10009/udp comment 'WebRTC ICE candidates'

      # Inbound: VPC traffic (includes system SSH)
      ufw allow in from ${vpc_ip_range} comment 'VPC internal'
--- a/terraform/modules/app_server/main.tf
+++ b/terraform/modules/app_server/main.tf
@ -71,23 +71,17 @@ resource "digitalocean_firewall" "app" {
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

-  # WebRTC (ICE candidates)
-  inbound_rule {
-    protocol         = "tcp"
-    port_range       = "3333"
-    source_addresses = ["0.0.0.0/0", "::/0"]
-  }
-
+  # WebRTC STUN/TURN (NAT traversal)
  inbound_rule {
    protocol         = "udp"
-    port_range       = "3333"
+    port_range       = "3478"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

-  # WebRTC TCP (fallback)
+  # WebRTC ICE candidates (media transport)
  inbound_rule {
-    protocol         = "tcp"
-    port_range       = "3334"
+    protocol         = "udp"
+    port_range       = "10000-10009"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }