|
@@ -1,7 +1,7 @@
|
|
# Coturn TURN SERVER configuration file
|
|
# Coturn TURN SERVER configuration file
|
|
#
|
|
#
|
|
# Boolean values note: where a boolean value is supposed to be used,
|
|
# Boolean values note: where a boolean value is supposed to be used,
|
|
-# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
|
|
|
|
|
|
+# you can use '0', 'off', 'no', 'false', or 'f' as 'false',
|
|
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
|
|
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
|
|
# If the value is missing, then it means 'true' by default.
|
|
# If the value is missing, then it means 'true' by default.
|
|
#
|
|
#
|
|
@@ -125,7 +125,7 @@ tls-listening-port=5349
|
|
#
|
|
#
|
|
# By default, this value is empty, and no address mapping is used.
|
|
# By default, this value is empty, and no address mapping is used.
|
|
#
|
|
#
|
|
-external-ip=193.224.22.37
|
|
|
|
|
|
+#external-ip=60.70.80.91
|
|
#
|
|
#
|
|
#OR:
|
|
#OR:
|
|
#
|
|
#
|
|
@@ -186,6 +186,18 @@ lt-cred-mech
|
|
#
|
|
#
|
|
#no-auth
|
|
#no-auth
|
|
|
|
|
|
|
|
+# Enable prometheus exporter
|
|
|
|
+# If enabled the turnserver will expose an endpoint with stats on a prometheus format
|
|
|
|
+# this endpoint is listening on a different port to not conflict with other configurations.
|
|
|
|
+#
|
|
|
|
+# You can simply run the turnserver and access the port 9641 and path /metrics
|
|
|
|
+#
|
|
|
|
+# For more info on the prometheus exporter and metrics
|
|
|
|
+# https://prometheus.io/docs/introduction/overview/
|
|
|
|
+# https://prometheus.io/docs/concepts/data_model/
|
|
|
|
+#
|
|
|
|
+#prometheus
|
|
|
|
+
|
|
# TURN REST API flag.
|
|
# TURN REST API flag.
|
|
# (Time Limited Long Term Credential)
|
|
# (Time Limited Long Term Credential)
|
|
# Flag that sets a special authorization option that is based upon authentication secret.
|
|
# Flag that sets a special authorization option that is based upon authentication secret.
|
|
@@ -377,7 +389,7 @@ realm=example.org
|
|
# Total bytes-per-second bandwidth the TURN server is allowed to allocate
|
|
# Total bytes-per-second bandwidth the TURN server is allowed to allocate
|
|
# for the sessions, combined (input and output network streams are treated separately).
|
|
# for the sessions, combined (input and output network streams are treated separately).
|
|
#
|
|
#
|
|
-# bps-capacity=0
|
|
|
|
|
|
+#bps-capacity=0
|
|
|
|
|
|
# Uncomment if no UDP client listener is desired.
|
|
# Uncomment if no UDP client listener is desired.
|
|
# By default UDP client listener is always started.
|
|
# By default UDP client listener is always started.
|
|
@@ -516,12 +528,27 @@ pkey=/etc/ssl/private/privkey.pem
|
|
#
|
|
#
|
|
syslog
|
|
syslog
|
|
|
|
|
|
|
|
+# Set syslog facility for syslog messages
|
|
|
|
+# Default values is ''.
|
|
|
|
+#
|
|
|
|
+#syslog-facility="LOG_LOCAL1"
|
|
|
|
+
|
|
# This flag means that no log file rollover will be used, and the log file
|
|
# This flag means that no log file rollover will be used, and the log file
|
|
# name will be constructed as-is, without PID and date appendage.
|
|
# name will be constructed as-is, without PID and date appendage.
|
|
# This option can be used, for example, together with the logrotate tool.
|
|
# This option can be used, for example, together with the logrotate tool.
|
|
#
|
|
#
|
|
#simple-log
|
|
#simple-log
|
|
|
|
|
|
|
|
+# Enable full ISO-8601 timestamp in all logs.
|
|
|
|
+#new-log-timestamp
|
|
|
|
+
|
|
|
|
+# Set timestamp format (in strftime(1) format). Depends on new-log-timestamp to be enabled.
|
|
|
|
+#new-log-timestamp-format "%FT%T%z"
|
|
|
|
+
|
|
|
|
+# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
|
|
|
|
+# Enable binding logging and UDP endpoint logs in verbose log mode.
|
|
|
|
+#log-binding
|
|
|
|
+
|
|
# Option to set the "redirection" mode. The value of this option
|
|
# Option to set the "redirection" mode. The value of this option
|
|
# will be the address of the alternate server for UDP & TCP service in the form of
|
|
# will be the address of the alternate server for UDP & TCP service in the form of
|
|
# <ip>[:<port>]. The server will send this value in the attribute
|
|
# <ip>[:<port>]. The server will send this value in the attribute
|
|
@@ -584,7 +611,8 @@ syslog
|
|
|
|
|
|
# This is the timestamp/username separator symbol (character) in TURN REST API.
|
|
# This is the timestamp/username separator symbol (character) in TURN REST API.
|
|
# The default value is ':'.
|
|
# The default value is ':'.
|
|
-# rest-api-separator=:
|
|
|
|
|
|
+#
|
|
|
|
+#rest-api-separator=:
|
|
|
|
|
|
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
|
|
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
|
|
# This is an extra security measure.
|
|
# This is an extra security measure.
|
|
@@ -636,7 +664,7 @@ syslog
|
|
#
|
|
#
|
|
#mobility
|
|
#mobility
|
|
|
|
|
|
-# Allocate Address Family according
|
|
|
|
|
|
+# Allocate Address Family according (DEPRECATED and will be removed in favor of allocation-default-address-family)
|
|
# If enabled then TURN server allocates address family according the TURN
|
|
# If enabled then TURN server allocates address family according the TURN
|
|
# Client <=> Server communication address family.
|
|
# Client <=> Server communication address family.
|
|
# (By default Coturn works according RFC 6156.)
|
|
# (By default Coturn works according RFC 6156.)
|
|
@@ -644,6 +672,16 @@ syslog
|
|
#
|
|
#
|
|
#keep-address-family
|
|
#keep-address-family
|
|
|
|
|
|
|
|
+# TURN server allocates address family according TURN client requested address family.
|
|
|
|
+# If address family not requested explicitly by the client, then it falls back to this default.
|
|
|
|
+# The standard RFC explicitly define that this default must be IPv4,
|
|
|
|
+# so use other option values with care!
|
|
|
|
+# Possible values: "ipv4" or "ipv6" or "keep"
|
|
|
|
+# "keep" sets the allocation default address family according to
|
|
|
|
+# the TURN client allocation request connection address family.
|
|
|
|
+#
|
|
|
|
+#allocation-default-address-family="ipv4"
|
|
|
|
+#allocation-default-address-family="ipv4"
|
|
|
|
|
|
# User name to run the process. After the initialization, the turnserver process
|
|
# User name to run the process. After the initialization, the turnserver process
|
|
# will attempt to change the current user ID to that user.
|
|
# will attempt to change the current user ID to that user.
|
|
@@ -697,10 +735,15 @@ cli-password=CHANGE_ME
|
|
#web-admin-port=8080
|
|
#web-admin-port=8080
|
|
|
|
|
|
# Web-admin server listen on STUN/TURN worker threads
|
|
# Web-admin server listen on STUN/TURN worker threads
|
|
-# By default it is disabled for security resons! (Not recommended in any production environment!)
|
|
|
|
|
|
+# By default it is disabled for security reasons! (Not recommended in any production environment!)
|
|
#
|
|
#
|
|
#web-admin-listen-on-workers
|
|
#web-admin-listen-on-workers
|
|
|
|
|
|
|
|
+# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
|
|
|
|
+# Default is '', i.e. no special handling for such requests.
|
|
|
|
+#
|
|
|
|
+#acme-redirect=http://redirectserver/.well-known/acme-challenge/
|
|
|
|
+
|
|
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
|
|
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
|
|
# Only for those applications when you want to run
|
|
# Only for those applications when you want to run
|
|
# server applications on the relay endpoints.
|
|
# server applications on the relay endpoints.
|
|
@@ -723,3 +766,31 @@ cli-password=CHANGE_ME
|
|
#no-tlsv1
|
|
#no-tlsv1
|
|
#no-tlsv1_1
|
|
#no-tlsv1_1
|
|
#no-tlsv1_2
|
|
#no-tlsv1_2
|
|
|
|
+
|
|
|
|
+# Disable RFC5780 (NAT behavior discovery).
|
|
|
|
+#
|
|
|
|
+# Originally, if there are more than one listener address from the same
|
|
|
|
+# address family, then by default the NAT behavior discovery feature enabled.
|
|
|
|
+# This option disables the original behavior, because the NAT behavior
|
|
|
|
+# discovery adds extra attributes to response, and this increase the
|
|
|
|
+# possibility of an amplification attack.
|
|
|
|
+#
|
|
|
|
+# Strongly encouraged to use this option to decrease gain factor in STUN
|
|
|
|
+# binding responses.
|
|
|
|
+#
|
|
|
|
+no-rfc5780
|
|
|
|
+
|
|
|
|
+# Disable handling old STUN Binding requests and disable MAPPED-ADDRESS
|
|
|
|
+# attribute in binding response (use only the XOR-MAPPED-ADDRESS).
|
|
|
|
+#
|
|
|
|
+# Strongly encouraged to use this option to decrease gain factor in STUN
|
|
|
|
+# binding responses.
|
|
|
|
+#
|
|
|
|
+no-stun-backward-compatibility
|
|
|
|
+
|
|
|
|
+# Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
|
|
|
|
+#
|
|
|
|
+# Strongly encouraged to use this option to decrease gain factor in STUN
|
|
|
|
+# binding responses.
|
|
|
|
+#
|
|
|
|
+response-origin-only-with-rfc5780
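Review bot: The comment block added above `#prometheus` in the `@@ -186,6 +186,18 @@` hunk tells operators they can "simply run the turnserver and access the port 9641 and path /metrics", but says nothing about which address that listener binds to or whether any authentication protects it. A TURN server normally sits on a publicly reachable address, so an operator who uncomments the option as documented may publish server statistics to anyone who can reach that port. I would add a caveat directly above the option, for example `# NOTE: restrict access to port 9641 (firewall / ACL) to your monitoring hosts; do not expose /metrics on the public relay address.` Whether the exporter has its own bind-address or access-control setting is not visible in this diff, so confirm that before wording the caveat more strongly.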
|