
    RP/TURN updates and housekeeping


    Background:

    Version 3 of the Pexip RP/TURN appliance is based on Ubuntu Server 12.04. To ensure that the RP/TURN appliance is up to date with relevant security patches, it is necessary to always stay on the current LTS release version of Ubuntu Server, which at the time of writing is 14.04.

    Upgrading to 14.04 will ensure that the appliance is no longer vulnerable to the GHOST attack (http://www.ubuntu.com/usn/usn-2485-1/).

    This document provides instructions on how to upgrade the release software of the RP/TURN appliance to the current latest version of Ubuntu Server.

    Note: All commands and actions described in this guide should be done in the VMware console of the appliance - SSH should not be used as the SSH connection might get interrupted during the release upgrade.

    Step 1 - Perform release upgrade

    This upgrade process will typically take 15-30 minutes, depending on network speed (for downloading packages) and the hardware spec of the RP/TURN VM.

    1. Create a VMware snapshot of the RP/TURN appliance before starting the release upgrade, in case a rollback is needed.

    2. Log into the VMware console of the RP/TURN appliance and run the command 'sudo do-release-upgrade'. Enter the password for user 'pexip' when prompted.

    3. A prompt will appear asking 'Do you want to start the upgrade?'

    -> Answer 'y' followed by <ENTER> to start the upgrade.

    4. A prompt will appear asking 'Restart services during package upgrades without asking?'

    -> Answer 'Yes' followed by <ENTER>

     5. IMPORTANT: During the upgrade, multiple prompts will appear asking to keep or replace certain configuration files:

    • File /etc/sysctl.conf: Choose 'Y' followed by <ENTER> to install the updated configuration file
    • File /etc/turnserver.conf: Choose 'N' followed by <ENTER> to keep the currently-installed version
    • File /etc/munin/munin-node.conf: Choose 'N' followed by <ENTER> to keep the currently-installed version
    • File /etc/syslog-ng/syslog-ng.conf: Choose 'Y' followed by <ENTER> to install the updated configuration file
    • After the above 4 steps, you will be asked to remove obsolete packages; answer 'Y' followed by <ENTER> to proceed with the upgrade

    6. Restart the RP/TURN appliance once the upgrade is complete by choosing 'Y' followed by <ENTER> when prompted 'System upgrade is complete. Restart required'.

    Step 2 (Optional) - Install open-vm-tools

    1. The RP/TURN appliance does not have VMware tools installed. For users that wish to install this on the appliance, this can be done by running the following command from a console/SSH shell:

    sudo apt-get install open-vm-tools

    2. When prompted to install additional packages, or to keep or replace existing configuration files (as during the upgrade procedure), choose 'Y' followed by <ENTER> for packages and for all configuration files, so that all existing configuration files are updated to the current version.

     

    Step 3 (Optional) - Disable SSLv3 for the Reverse Proxy

    In order to protect the reverse proxy application against the POODLE attack (CVE-2014-3566), SSLv3 must be disabled within nginx.

    For more information on this CVE, refer to http://nginx.com/blog/nginx-poodle-ssl/.

    1. Open the 'pexapp' nginx configuration file for editing with the command 'sudo nano /etc/nginx/sites-enabled/pexapp' and find the line stating

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    Change this to

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    and press Control + X to exit the editor, choosing to save the edited file as 'pexapp'.

    2. Once the 'pexapp' file has been saved, reload the nginx configuration using the command 'sudo service nginx reload'.
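
    An added example, not part of Pexip's guide or tooling: the Step 3 edit as a re-runnable shell function that removes SSLv3 from active ssl_protocols directives only, refuses to leave the directive empty, and keeps a backup outside sites-enabled. The function names, the backup file suffix and the /root backup location in the closing comment are assumptions.

```shell
#!/bin/sh
# Added example, not Pexip's own tooling. Names and backup location are assumptions.

# has_sslv3 FILE
# Succeeds if an active (uncommented) ssl_protocols directive in FILE lists SSLv3.
has_sslv3() {
    grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]([^;#]*[[:space:]])?SSLv3[[:space:];]' "$1"
}

# strip_sslv3 FILE BACKUP_DIR
# Removes SSLv3 from active ssl_protocols directives; commented-out lines are left alone.
# BACKUP_DIR must be outside sites-enabled: if nginx.conf includes every file
# in that directory, a backup copy left there would be loaded as a second site.
strip_sslv3() {
    conf=$1
    backup_dir=$2
    has_sslv3 "$conf" || return 0      # already clean: safe to re-run

    tmp=$(mktemp) || return 1
    sed -E '/^[[:space:]]*ssl_protocols[[:space:]]/ s/[[:space:]]+SSLv3([[:space:];])/\1/g' \
        "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Refuse if SSLv3 was the only protocol: "ssl_protocols;" is not valid.
    if grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]*;' "$tmp"; then
        echo "refusing: $conf would be left with an empty ssl_protocols" >&2
        rm -f "$tmp"
        return 1
    fi

    cp -p "$conf" "$backup_dir/$(basename "$conf").pre-sslv3-fix" || { rm -f "$tmp"; return 1; }
    # Write through the existing path rather than 'sed -i', which would replace
    # a symlink (sites-enabled -> sites-available) with a regular file.
    cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# On the appliance this would be used as (run as root, config path from the guide):
#   strip_sslv3 /etc/nginx/sites-enabled/pexapp /root \
#     && nginx -t && service nginx reload
```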

    This concludes this guide. Once you have verified that the RP/TURN appliance is operating normally after the upgrade, the VMware snapshot can be removed.

    Questions and feedback can be directed to your Pexip support representative.


    Comments

    • Krzysztof Mroczkowski

      Very useful article, thanks. I have a few questions though. This was written in Sep 2015 but it's Apr 2016 now. Is the reverse proxy still vulnerable to the POODLE attack?
      Also, is it safe to run apt-get update and upgrade on the reverse proxy?