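# Example coturn configuration for BigBlueButton
# Read by coturn (turnserver). Option names match the turnserver command-line
# flags; a bare option name without "=" is a boolean switch.

# These are the two network ports used by the TURN server which the client
# may connect to. We enable the standard unencrypted port 3478 for STUN.
listening-port=3478

# For TLS, the SMTPS port (465) that was used previously is now blocked by
# major browser vendors, so we reverted to the most common coturn TLS port
# 5349, which has limitations in restrictive firewall environments. For
# maximum client support run coturn on a dedicated host on port 443.
tls-listening-port=5349

# If the server has multiple IP addresses, you may wish to limit which
# addresses coturn is using. Do that by setting this option (it can be
# specified multiple times). The default is to listen on all addresses.
# You do not normally need to set this option.
#listening-ip=172.17.19.101

# If the server is behind NAT, you need to specify the external IP address.
# If there is only one external address, specify it like this:
#external-ip=172.17.19.120
# If you have multiple external addresses, you have to specify which
# internal address each corresponds to, like this. The first address is the
# external IP, and the second address is the corresponding internal IP.
#external-ip=172.17.19.131/10.0.0.11
#external-ip=172.17.18.132/10.0.0.12

# Fingerprints in TURN messages are required for WebRTC
fingerprint

# The long-term credential mechanism is required for WebRTC
lt-cred-mech

# Configure coturn to use the "TURN REST API" method for validating time-
# limited credentials. BigBlueButton will generate credentials in this
# format. Note that the static-auth-secret value specified here must match
# the configuration in BigBlueButton's turn-stun-servers.xml.
# This secret is what authorizes relay allocations: anyone who can read it
# can produce valid TURN credentials, so keep this file readable only by the
# user coturn runs as.
# You can generate a new random value by running the command:
# openssl rand -hex 16
use-auth-secret
# static-auth-secret=<random value>

# If the realm value is unspecified, it defaults to the TURN server hostname.
# You probably want to configure it to a domain name that you control to
# improve log output. There is no functional impact.
realm=example.com

# Configure TLS support.
# Adjust these paths to match the locations of your certificate files.
# The /tmp paths below are placeholders only: keep the private key in a
# directory that is not world-writable and readable only by the coturn user.
cert=/tmp/cert.pem
pkey=/tmp/key.pem
# Limit the allowed ciphers to improve security.
# Based on https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# (The surrounding quotes are the form used in coturn's sample turnserver.conf.)
cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"

# Use coturn's 2066-bit predefined DH parameters for TLS key exchange
# (longer than the default) to improve security
dh2066

# All WebRTC-compatible web browsers support TLS 1.2 or later, so disable
# older protocols
no-tlsv1
no-tlsv1_1

# Send all log output to syslog instead of coturn's own log files.
# (This is not the same as simple-log, which keeps file logging but uses a
# single fixed filename without rollover.)
syslog
# Uncomment for more detailed logging while troubleshooting
#verbose

# Allocate address family according to the client connection.
# If enabled, the TURN server allocates the address family according to the
# TURN client <=> server communication address family.
# (By default coturn works according to RFC 6156.)
# !!Warning: Enabling this option breaks RFC 6156 section 4.2 (violates the
# "use IPv4 by default" rule)!!
keep-address-family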