mirror of
https://github.com/bigbluebutton/docker.git
synced 2024-11-26 01:53:22 +01:00
63 lines
2.5 KiB
Plaintext
63 lines
2.5 KiB
Plaintext
# Example coturn configuration for BigBlueButton
|
|
|
|
# These are the two network ports used by the TURN server which the client
|
|
# may connect to. We enable the standard unencrypted port 3478 for STUN,
|
|
# as well as port 443 for TURN over TLS, which can bypass firewalls.
|
|
listening-port=3478
|
|
|
|
# we use the SMTP over TLS Port, since 443 is already used for HTTPS
|
|
tls-listening-port=465
|
|
|
|
# If the server has multiple IP addresses, you may wish to limit which
|
|
# addresses coturn is using. Do that by setting this option (it can be
|
|
# specified multiple times). The default is to listen on all addresses.
|
|
# You do not normally need to set this option.
|
|
#listening-ip=172.17.19.101
|
|
|
|
# If the server is behind NAT, you need to specify the external IP address.
|
|
# If there is only one external address, specify it like this:
|
|
#external-ip=172.17.19.120
|
|
# If you have multiple external addresses, you have to specify which
|
|
# internal address each corresponds to, like this. The first address is the
|
|
# external ip, and the second address is the corresponding internal IP.
|
|
#external-ip=172.17.19.131/10.0.0.11
|
|
#external-ip=172.17.18.132/10.0.0.12
|
|
|
|
# Fingerprints in TURN messages are required for WebRTC
|
|
fingerprint
|
|
|
|
# The long-term credential mechanism is required for WebRTC
|
|
lt-cred-mech
|
|
|
|
# Configure coturn to use the "TURN REST API" method for validating time-
|
|
# limited credentials. BigBlueButton will generate credentials in this
|
|
# format. Note that the static-auth-secret value specified here must match
|
|
# the configuration in BigBlueButton's turn-stun-servers.xml
|
|
# You can generate a new random value by running the command:
|
|
# openssl rand -hex 16
|
|
use-auth-secret
|
|
# static-auth-secret=<random value>
|
|
|
|
# If the realm value is unspecified, it defaults to the TURN server hostname.
|
|
# You probably want to configure it to a domain name that you control to
|
|
# improve log output. There is no functional impact.
|
|
realm=example.com
|
|
|
|
# Configure TLS support.
|
|
# Adjust these paths to match the locations of your certificate files
|
|
cert=/tmp/cert.pem
|
|
pkey=/tmp/key.pem
|
|
# Limit the allowed ciphers to improve security
|
|
# Based on https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
|
cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
|
|
|
|
# Enable longer DH TLS key to improve security
|
|
dh2066
|
|
|
|
# All WebRTC-compatible web browsers support TLS 1.2 or later, so disable
|
|
# older protocols
|
|
no-tlsv1
|
|
no-tlsv1_1
|
|
|
|
# To enable single filename logs you need to enable the simple-log flag
|
|
syslog |