Reverse Proxy and TURN Server release notes

This topic provides a summary of the new features and fixed issues in each of the current and previous releases of the Pexip Reverse Proxy and TURN Server.

Note that version 6.x and earlier deployments no longer receive OS security fixes from Canonical. We strongly recommend that all customers upgrade to version 7.x.

Known limitations in v7.1.0

There are no known limitations in v7.1.0 of the Reverse Proxy and TURN Server.

Version 7.1.0

Version 7.1.0 was released in June 2023 and includes the following changes:

  • (Ref. 61): Resolved an issue where the TURN server had insufficient permissions to run properly (Cannot open SQLite DB connection).
  • (Ref. 60): Resolved an issue where the TCP TURN relay via port 443 (coturn service) failed to listen (Cannot bind listener socket).

Version 7.0.0

Version 7.0.0 was released in June 2023 and includes the following changes:

  • The underlying OS has been upgraded from Ubuntu 18.04 LTS to Ubuntu 22.04 LTS due to 18.04 being End Of Life. Note that the appliance does not support upgrades — you must redeploy to use this new version.
  • The reverse proxy now supports path-based web app branding. As a consequence of this, the URL rewriting logic added in version 6.1.2 no longer applies.

Version 6.2.0

Version 6.2.0 was released in July 2022 and includes the following changes:

  • The TURN server can now be configured in either a restricted configuration mode or a permissive mode, via a new step in the installation wizard: "Do you want to configure TURN using the restricted configuration mode?". Permissive mode is required for direct media configuration, and it requires the TURN device to be deployed externally (e.g. in a DMZ) because it allows relaying of traffic to any IP address. Permissive mode also requires the use of time-limited credentials rather than a static username/password. If you are not using this TURN server for direct media, restricted mode should typically be used (media connectivity is then restricted to the specified Conferencing Nodes for extra security).
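
An added illustration of the time-limited credentials mentioned above (example code, not taken from Pexip or from this page): it assumes the shared-secret scheme commonly used with coturn, in which the username carries an expiry timestamp and the password is the base64 HMAC-SHA1 of that username. The secret, the user name and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample secret; a real deployment uses its own shared secret.
SHARED_SECRET = b"example-shared-secret"


def _password_for(secret, username):
    """Derive the password that belongs to a given username."""
    digest = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest)


def make_credentials(secret, user, ttl, now=None):
    """Issue a username/password pair that expires ttl seconds after now."""
    now = int(time.time()) if now is None else int(now)
    username = f"{now + ttl}:{user}"  # expiry timestamp travels in the username
    return username, _password_for(secret, username).decode()


def check_credentials(secret, username, password, now=None):
    """Return (accepted, reason) as a server holding the same secret would.

    Simplified model: in TURN itself the password is not sent; the server
    recomputes it from the username and uses it to verify message integrity.
    """
    now = int(time.time()) if now is None else int(now)
    expiry_text = username.split(":", 1)[0]
    if not (expiry_text.isascii() and expiry_text.isdigit()):
        return False, "malformed username"
    # Constant-time comparison; a changed expiry changes the expected password.
    expected = _password_for(secret, username)
    if not hmac.compare_digest(expected, password.encode()):
        return False, "bad password"
    if int(expiry_text) < now:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    name, pw = make_credentials(SHARED_SECRET, "alice", ttl=60, now=1000)
    print(name, check_credentials(SHARED_SECRET, name, pw, now=1030))
    print(name, check_credentials(SHARED_SECRET, name, pw, now=1061))
```

Unlike a static username/password, a captured pair stops working once the expiry passes, and the expiry cannot be extended without knowing the shared secret.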

Version 6.1.2

Version 6.1.2 was released in February 2021 and includes the following changes:

  • The following Microsoft and Office URLs have been safelisted on the reverse proxy:

    • https://*.microsoft.com
    • https://*.office.com

    This is to address CSP (Content-Security-Policy) issues when using the reverse proxy in conjunction with VMR Scheduling for Exchange.

  • Addresses a security vulnerability (CVE-2020-26262) where Coturn allowed a malicious user to relay packets to the loopback interface.
  • Any URLs in the format https://<reverseproxy>/<alias>/<participant> now get rewritten to the new recommended Pexip Infinity URL structure: https://<conferencingnode>/webapp/?conference=<alias>&name=<participant> when they are forwarded to a Conferencing Node.
  • Any conference PINs are excluded from the nginx logs.

This release of the reverse proxy is only compatible with Pexip Infinity version 25 and later.

Version 6.1.1

Version 6.1.1 was released in July 2020 and addresses a security vulnerability (CVE-2020-4067) where Coturn does not initialize the STUN/TURN response buffer properly.

Note that if you are currently running version 6.1.0, this vulnerability would also be addressed by following Pexip's routine maintenance advice for patching the operating system for the latest security bugs.

Version 6.1.0

Version 6.1.0 was released in April 2020 and includes the following changes:

  • There is a new step in the installation wizard to specify the IP addresses of the Conferencing Nodes that can use the TURN server for media relay. This addresses a security vulnerability (CVE-2020-11805) that allows an unauthenticated remote attacker to send arbitrary UDP traffic to destinations on the same network segment as the Pexip Reverse Proxy and TURN Server. The fix locks down the IP addresses that the TURN server is allowed (safelisted) to relay to over UDP. As general good practice, we always recommend deploying the TURN server in a suitably secured network segment, such as a DMZ.

Other improvements include:

  • Resolved a minor file permission vulnerability for the default generated SSL certificate.
  • Updated SSL ciphers, disabled TLS 1.1 and enabled TLS 1.3.
  • Allows presentation images greater than 1 MB to be uploaded (up to a limit of 10 MB).