docker/mod/coturn/turnserver.conf

# Example coturn configuration for BigBlueButton

# These are the two network ports used by the TURN server which the client
# may connect to. We enable the standard unencrypted port 3478 for STUN,
# as well as port 443 for TURN over TLS, which can bypass firewalls.
listening-port=3478

# we use the SMTP over TLS Port, since 443 is already used for HTTPS
tls-listening-port=465

# If the server has multiple IP addresses, you may wish to limit which
# addresses coturn is using. Do that by setting this option (it can be
# specified multiple times). The default is to listen on all addresses.
# You do not normally need to set this option.
#listening-ip=172.17.19.101

# If the server is behind NAT, you need to specify the external IP address.
# If there is only one external address, specify it like this:
#external-ip=172.17.19.120
# If you have multiple external addresses, you have to specify which
# internal address each corresponds to, like this. The first address is the
# external ip, and the second address is the corresponding internal IP.
#external-ip=172.17.19.131/10.0.0.11
#external-ip=172.17.18.132/10.0.0.12

# Fingerprints in TURN messages are required for WebRTC
fingerprint

# The long-term credential mechanism is required for WebRTC
lt-cred-mech

# Configure coturn to use the "TURN REST API" method for validating time-
# limited credentials. BigBlueButton will generate credentials in this
# format. Note that the static-auth-secret value specified here must match
# the configuration in BigBlueButton's turn-stun-servers.xml
# You can generate a new random value by running the command:
#   openssl rand -hex 16
use-auth-secret
# static-auth-secret=<random value>

# If the realm value is unspecified, it defaults to the TURN server hostname.
# You probably want to configure it to a domain name that you control to
# improve log output. There is no functional impact.
realm=example.com

# Configure TLS support.
# Adjust these paths to match the locations of your certificate files
cert=/tmp/cert.pem
pkey=/tmp/key.pem
# Limit the allowed ciphers to improve security
# Based on https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"

# Enable longer DH TLS key to improve security
dh2066

# All WebRTC-compatible web browsers support TLS 1.2 or later, so disable
# older protocols
no-tlsv1
no-tlsv1_1

# To enable single filename logs you need to enable the simple-log flag
syslog
coturn integration 2020-06-07 13:58:56 +02:00			`# Example coturn configuration for BigBlueButton`

			`# These are the two network ports used by the TURN server which the client`
			`# may connect to. We enable the standard unencrypted port 3478 for STUN,`
			`# as well as port 443 for TURN over TLS, which can bypass firewalls.`
			`listening-port=3478`

			`# we use the SMTP over TLS Port, since 443 is already used for HTTPS`
			`tls-listening-port=465`

			`# If the server has multiple IP addresses, you may wish to limit which`
			`# addresses coturn is using. Do that by setting this option (it can be`
			`# specified multiple times). The default is to listen on all addresses.`
			`# You do not normally need to set this option.`
			`#listening-ip=172.17.19.101`

			`# If the server is behind NAT, you need to specify the external IP address.`
			`# If there is only one external address, specify it like this:`
			`#external-ip=172.17.19.120`
			`# If you have multiple external addresses, you have to specify which`
			`# internal address each corresponds to, like this. The first address is the`
			`# external ip, and the second address is the corresponding internal IP.`
			`#external-ip=172.17.19.131/10.0.0.11`
			`#external-ip=172.17.18.132/10.0.0.12`

			`# Fingerprints in TURN messages are required for WebRTC`
			`fingerprint`

			`# The long-term credential mechanism is required for WebRTC`
			`lt-cred-mech`

			`# Configure coturn to use the "TURN REST API" method for validating time-`
			`# limited credentials. BigBlueButton will generate credentials in this`
			`# format. Note that the static-auth-secret value specified here must match`
			`# the configuration in BigBlueButton's turn-stun-servers.xml`
			`# You can generate a new random value by running the command:`
			`# openssl rand -hex 16`
			`use-auth-secret`
			`# static-auth-secret=<random value>`

			`# If the realm value is unspecified, it defaults to the TURN server hostname.`
			`# You probably want to configure it to a domain name that you control to`
			`# improve log output. There is no functional impact.`
			`realm=example.com`

			`# Configure TLS support.`
			`# Adjust these paths to match the locations of your certificate files`
			`cert=/tmp/cert.pem`
			`pkey=/tmp/key.pem`
			`# Limit the allowed ciphers to improve security`
			`# Based on https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/`
			`cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"`

			`# Enable longer DH TLS key to improve security`
			`dh2066`

			`# All WebRTC-compatible web browsers support TLS 1.2 or later, so disable`
			`# older protocols`
			`no-tlsv1`
			`no-tlsv1_1`

			`# To enable single filename logs you need to enable the simple-log flag`
			`syslog`