# Example coturn configuration for BigBlueButton

# These are the two network ports used by the TURN server which the client
# may connect to. We enable the standard unencrypted port 3478 for STUN and
# plain (non-TLS) TURN,
listening-port=3478
# and since major browser vendors now block port 465 (the SMTPS port, which
# was previously used here for TURN over TLS), we reverted to the most
# common coturn TLS port 5349, which has limitations in restrictive firewall
# environments. For maximum client support run coturn on a dedicated host
# on port 443.
tls-listening-port=5349

# If the server has multiple IP addresses, you may wish to limit which
# addresses coturn is using. Do that by setting this option (it can be
# specified multiple times). The default is to listen on all addresses.
# You do not normally need to set this option.
#listening-ip=172.17.19.101

# If the server is behind NAT, you need to specify the external IP address.
# If there is only one external address, specify it like this:
#external-ip=172.17.19.120

# If you have multiple external addresses, you have to specify which
# internal address each corresponds to, like this. The first address is the
# external IP, and the second address is the corresponding internal IP.
#external-ip=172.17.19.131/10.0.0.11
#external-ip=172.17.18.132/10.0.0.12

# Fingerprints in TURN messages are required for WebRTC
fingerprint

# The long-term credential mechanism is required for WebRTC
lt-cred-mech

# Configure coturn to use the "TURN REST API" method for validating time-
# limited credentials. BigBlueButton will generate credentials in this
# format. Note that the static-auth-secret value specified here must match
# the configuration in BigBlueButton's turn-stun-servers.xml. Anyone who
# holds this secret can mint valid TURN credentials, so protect the file
# like a password. You can generate a new random value by running:
#   openssl rand -hex 16
use-auth-secret
# static-auth-secret=

# If the realm value is unspecified, it defaults to the TURN server hostname.
# You probably want to configure it to a domain name that you control to
# improve log output. There is no functional impact.
realm=example.com

# Configure TLS support.
# Adjust these paths to match the locations of your certificate files.
# The paths below are placeholders: in production keep the private key
# outside world-writable directories such as /tmp, readable only by the
# user coturn runs as.
cert=/tmp/cert.pem
pkey=/tmp/key.pem

# Limit the allowed ciphers to improve security
# Based on https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"

# Enable longer DH TLS key to improve security
dh2066

# All WebRTC-compatible web browsers support TLS 1.2 or later, so disable
# older protocols. You can confirm the setting took effect with
#   openssl s_client -connect <host>:5349 -tls1_1
# which must fail to complete the handshake.
no-tlsv1
no-tlsv1_1

# Log via syslog. To write a single, fixed-name log file instead, enable
# the simple-log flag.
syslog
#verbose

# Allocate address family according to the client connection.
# If enabled, the TURN server allocates the relay address family according
# to the address family of the TURN client <=> server connection.
# (By default coturn follows RFC 6156 and allocates IPv4 unless the client
# asks for IPv6.)
# !!Warning: Enabling this option breaks RFC 6156 section 4.2 (the
# "default to IPv4" rule)!!
keep-address-family
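The use-auth-secret / static-auth-secret pair above relies on the "TURN REST API" credential format: the client presents a username that carries an expiry timestamp and a password that is base64(HMAC-SHA1(static-auth-secret, username)). The following is an added example (it is not BigBlueButton's or coturn's code) that produces credentials in that format and re-runs the check the server performs, so you can see why an expired timestamp or a mismatched static-auth-secret leads to a 401 on ALLOCATE. The secret, user id and fixed timestamps are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed example secret. In production use the output of
# `openssl rand -hex 16` and keep it identical in turnserver.conf
# (static-auth-secret=) and BigBlueButton's turn-stun-servers.xml.
STATIC_AUTH_SECRET = "0123456789abcdef0123456789abcdef"


def make_turn_credentials(secret, user_id, ttl_seconds=86400, now=None):
    """Return (username, password) in the TURN REST API format that coturn
    accepts when `use-auth-secret` is set.

    username: "<expiry unix time>:<user id>". coturn takes the all-digit
              component as the expiry (it also accepts "<user id>:<expiry>");
              the rest is free-form and shows up in the server log.
    password: base64(HMAC-SHA1(secret, username)), computed over the whole
              username string including the user id suffix.
    """
    if now is None:
        now = int(time.time())
    expiry = int(now) + int(ttl_seconds)
    username = f"{expiry}:{user_id}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    password = base64.b64encode(digest).decode()
    return username, password


def verify_turn_credentials(secret, username, password, now=None):
    """Re-run the server-side check for an incoming ALLOCATE: the expiry
    must still be in the future and the HMAC must match the configured
    static-auth-secret. Returns "ok" or a short rejection reason."""
    if now is None:
        now = int(time.time())
    expiry_str = username.split(":", 1)[0]
    if not expiry_str.isdigit():
        return "bad-username"
    if int(expiry_str) <= int(now):
        return "expired"
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    ).decode()
    # Constant-time comparison: a plain == would leak timing information
    if not hmac.compare_digest(expected, password):
        return "bad-hmac"
    return "ok"


if __name__ == "__main__":
    # Hypothetical BigBlueButton-style user id; one-hour credential lifetime.
    user, pwd = make_turn_credentials(STATIC_AUTH_SECRET, "w_abc123", ttl_seconds=3600)
    print("username:", user)
    print("password:", pwd)
    print("server check:", verify_turn_credentials(STATIC_AUTH_SECRET, user, pwd))
    print("with wrong secret:", verify_turn_credentials("other-secret", user, pwd))
```

Because the password is derived purely from the shared secret and the username, nothing in the credential binds it to a particular meeting or client: whoever learns static-auth-secret can relay traffic through the server until the secret is rotated, which is why the value must be the same on both ends and must not be exposed in client-side code.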