Guest User

Untitled

a guest
Oct 21st, 2021
17
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Coturn TURN SERVER configuration file
  2. #
  3. # Boolean values note: where boolean value is supposed to be used,
  4. # you can use '0', 'off', 'no', 'false', 'f' as 'false,
  5. # and you can use '1', 'on', 'yes', 'true', 't' as 'true'
  6. # If the value is missed, then it means 'true'.
  7. #
  8.  
  9. # Listener interface device (optional, Linux only).
  10. # NOT RECOMMENDED.
  11. #
  12. #listening-device=eth0
  13.  
  14. # TURN listener port for UDP and TCP (Default: 3478).
  15. # Note: actually, TLS & DTLS sessions can connect to the
  16. # "plain" TCP & UDP port(s), too - if allowed by configuration.
  17. #
  18. listening-port=3478
  19.  
  20. # TURN listener port for TLS (Default: 5349).
  21. # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
  22. # port(s), too - if allowed by configuration. The TURN server
  23. # "automatically" recognizes the type of traffic. Actually, two listening
  24. # endpoints (the "plain" one and the "tls" one) are equivalent in terms of
  25. # functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
  26. # For secure TCP connections, we currently support SSL version 3 and
  27. # TLS version 1.0, 1.1 and 1.2.
  28. # For secure UDP connections, we support DTLS version 1.
  29. #
  30. tls-listening-port=5349
  31.  
  32. # Alternative listening port for UDP and TCP listeners;
  33. # default (or zero) value means "listening port plus one".
  34. # This is needed for RFC 5780 support
  35. # (STUN extension specs, NAT behavior discovery). The TURN Server
  36. # supports RFC 5780 only if it is started with more than one
  37. # listening IP address of the same family (IPv4 or IPv6).
  38. # RFC 5780 is supported only by UDP protocol, other protocols
  39. # are listening to that endpoint only for "symmetry".
  40. #
  41. alt-listening-port=3479
  42.  
  43. # Alternative listening port for TLS and DTLS protocols.
  44. # Default (or zero) value means "TLS listening port plus one".
  45. #
  46. alt-tls-listening-port=5350
  47.  
  48. # Listener IP address of relay server. Multiple listeners can be specified.
  49. # If no IP(s) specified in the config file or in the command line options,
  50. # then all IPv4 and IPv6 system IPs will be used for listening.
  51. #
  52. #listening-ip=172.17.19.101
  53. #listening-ip=10.207.21.238
  54. #listening-ip=2607:f0d0:1002:51::4
  55.  
  56. # Auxiliary STUN/TURN server listening endpoint.
  57. # Aux servers have almost full TURN and STUN functionality.
  58. # The (minor) limitations are:
  59. #
  60. # 1) Auxiliary servers do not have alternative ports and
  61. # they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
  62. #
  63. # 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
  64. #
  65. # Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
  66. #
  67. # There may be multiple aux-server options, each will be used for listening
  68. # to client requests.
  69. #
  70. #aux-server=172.17.19.110:33478
  71. #aux-server=[2607:f0d0:1002:51::4]:33478
  72.  
  73. # (recommended for older Linuxes only)
  74. # Automatically balance UDP traffic over auxiliary servers (if configured).
  75. # The load balancing is using the ALTERNATE-SERVER mechanism.
  76. # The TURN client must support 300 ALTERNATE-SERVER response for this
  77. # functionality.
  78. #
  79. #udp-self-balance
  80.  
  81. # Relay interface device for relay sockets (optional, Linux only).
  82. # NOT RECOMMENDED.
  83. #
  84. #relay-device=eth1
  85.  
  86. # Relay address (the local IP address that will be used to relay the
  87. # packets to the peer).
  88. # Multiple relay addresses may be used.
  89. # The same IP(s) can be used as both listening IP(s) and relay IP(s).
  90. #
  91. # If no relay IP(s) specified, then the turnserver will apply the default
  92. # policy: it will decide itself which relay addresses to be used, and it
  93. # will always be using the client socket IP address as the relay IP address
  94. # of the TURN session (if the requested relay address family is the same
  95. # as the family of the client socket).
  96. #
  97. #relay-ip=172.17.19.105
  98. #relay-ip=2607:f0d0:1002:51::5
  99.  
  100. # For Amazon EC2 users:
  101. #
  102. # TURN Server public/private address mapping, if the server is behind NAT.
  103. # In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
  104. # as relay IP address of all allocations. This scenario works only in a simple case
  105. # when one single relay address is be used, and no RFC5780 functionality is required.
  106. # That single relay address must be mapped by NAT to the 'external' IP.
  107. # The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
  108. # For that 'external' IP, NAT must forward ports directly (relayed port 12345
  109. # must be always mapped to the same 'external' port 12345).
  110. #
  111. # In more complex case when more than one IP address is involved,
  112. # that option must be used several times, each entry must
  113. # have form "-X <public-ip/private-ip>", to map all involved addresses.
  114. # RFC5780 NAT discovery STUN functionality will work correctly,
  115. # if the addresses are mapped properly, even when the TURN server itself
  116. # is behind A NAT.
  117. #
  118. # By default, this value is empty, and no address mapping is used.
  119. #
  120. #external-ip=60.70.80.91
  121. #
  122. #OR:
  123. #
  124. #external-ip=60.70.80.91/172.17.19.101
  125. #external-ip=60.70.80.92/172.17.19.102
  126.  
  127.  
  128. # Number of the relay threads to handle the established connections
  129. # (in addition to authentication thread and the listener thread).
  130. # If explicitly set to 0 then application runs relay process in a
  131. # single thread, in the same thread with the listener process
  132. # (the authentication thread will still be a separate thread).
  133. #
  134. # If this parameter is not set, then the default OS-dependent
  135. # thread pattern algorithm will be employed. Usually the default
  136. # algorithm is the most optimal, so you have to change this option
  137. # only if you want to make some fine tweaks.
  138. #
  139. # In the older systems (Linux kernel before 3.9),
  140. # the number of UDP threads is always one thread per network listening
  141. # endpoint - including the auxiliary endpoints - unless 0 (zero) or
  142. # 1 (one) value is set.
  143. #
  144. #relay-threads=0
  145.  
  146. # Lower and upper bounds of the UDP relay endpoints:
  147. # (default values are 49152 and 65535)
  148. #
  149. #min-port=49152
  150. #max-port=65535
  151.  
  152. # Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
  153. # By default the verbose mode is off.
  154. verbose
  155.  
  156. # Uncomment to run TURN server in 'extra' verbose mode.
  157. # This mode is very annoying and produces lots of output.
  158. # Not recommended under any normal circumstances.
  159. #
  160. #Verbose
  161.  
  162. # Uncomment to use fingerprints in the TURN messages.
  163. # By default the fingerprints are off.
  164. #
  165. fingerprint
  166.  
  167. # Uncomment to use long-term credential mechanism.
  168. # By default no credentials mechanism is used (any user allowed).
  169. #
  170. lt-cred-mech
  171.  
  172. # This option is opposite to lt-cred-mech.
  173. # (TURN Server with no-auth option allows anonymous access).
  174. # If neither option is defined, and no users are defined,
  175. # then no-auth is default. If at least one user is defined,
  176. # in this file or in command line or in usersdb file, then
  177. # lt-cred-mech is default.
  178. #
  179. #no-auth
  180.  
  181. # TURN REST API flag.
  182. # (Time Limited Long Term Credential)
  183. # Flag that sets a special authorization option that is based upon authentication secret.
  184. #
  185. # This feature's purpose is to support "TURN Server REST API", see
  186. # "TURN REST API" link in the project's page
  187. # https://github.com/coturn/coturn/
  188. #
  189. # This option is used with timestamp:
  190. #
  191. # usercombo -> "timestamp:userid"
  192. # turn user -> usercombo
  193. # turn password -> base64(hmac(secret key, usercombo))
  194. #
  195. # This allows TURN credentials to be accounted for a specific user id.
  196. # If you don't have a suitable id, the timestamp alone can be used.
  197. # This option is just turning on secret-based authentication.
  198. # The actual value of the secret is defined either by option static-auth-secret,
  199. # or can be found in the turn_secret table in the database (see below).
  200. #
  201. # Read more about it:
  202. # - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
  203. # - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
  204. #
  205. # Be aware that use-auth-secret overrides some part of lt-cred-mech.
  206. # Notice that this feature depends internally on lt-cred-mech, so if you set
  207. # use-auth-secret then it enables internally automatically lt-cred-mech option
  208. # like if you enable both.
  209. #
  210. # You can use only one of the to auth mechanisms in the same time because,
  211. # both mechanism use the username and password validation in different way.
  212. #
  213. # This way be aware that you can't use both auth mechnaism in the same time!
  214. # Use in config either the lt-cred-mech or the use-auth-secret
  215. # to avoid any confusion.
  216. #
  217. #use-auth-secret
  218.  
  219. # 'Static' authentication secret value (a string) for TURN REST API only.
  220. # If not set, then the turn server
  221. # will try to use the 'dynamic' value in turn_secret table
  222. # in user database (if present). The database-stored value can be changed on-the-fly
  223. # by a separate program, so this is why that other mode is 'dynamic'.
  224. #
  225. #static-auth-secret=north
  226.  
  227. # Server name used for
  228. # the oAuth authentication purposes.
  229. # The default value is the realm name.
  230. #
  231. server-name=yoursite.com
  232.  
  233. # Flag that allows oAuth authentication.
  234. #
  235. #oauth
  236.  
  237. # 'Static' user accounts for long term credentials mechanism, only.
  238. # This option cannot be used with TURN REST API.
  239. # 'Static' user accounts are NOT dynamically checked by the turnserver process,
  240. # so that they can NOT be changed while the turnserver is running.
  241. #
  242. user=turnadmin:turnpwd
  243. #user=username2:key2
  244. # OR:
  245. #user=username1:password1
  246. #user=username2:password2
  247. #
  248. # Keys must be generated by turnadmin utility. The key value depends
  249. # on user name, realm, and password:
  250. #
  251. # Example:
  252. # $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
  253. # Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
  254. # ('0x' in the beginning of the key is what differentiates the key from
  255. # password. If it has 0x then it is a key, otherwise it is a password).
  256. #
  257. # The corresponding user account entry in the config file will be:
  258. #
  259. #user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
  260. # Or, equivalently, with open clear password (less secure):
  261. #user=ninefingers:youhavetoberealistic
  262. #
  263.  
  264. # SQLite database file name.
  265. #
  266. # Default file name is /var/db/turndb or /usr/local/var/db/turndb or
  267. # /var/lib/turn/turndb.
  268. #
  269. #userdb=/var/db/turndb
  270.  
  271. # PostgreSQL database connection string in the case that we are using PostgreSQL
  272. # as the user database.
  273. # This database can be used for long-term credential mechanism
  274. # and it can store the secret value for secret-based timed authentication in TURN RESP API.
  275. # See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
  276. # versions connection string format, see
  277. # http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
  278. # for 9.x and newer connection string formats.
  279. #
  280. #psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
  281.  
  282. # MySQL database connection string in the case that we are using MySQL
  283. # as the user database.
  284. # This database can be used for long-term credential mechanism
  285. # and it can store the secret value for secret-based timed authentication in TURN RESP API.
  286. #
  287. # Optional connection string parameters for the secure communications (SSL):
  288. # ca, capath, cert, key, cipher
  289. # (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
  290. # command options description).
  291. #
  292. # Use string format as below (space separated parameters, all optional):
  293. #
  294. #mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
  295.  
  296. # If you want to use in the MySQL connection string the password in encrypted format,
  297. # then set in this option the MySQL password encryption secret key file.
  298. #
  299. # Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
  300. # If you want to use cleartext password then do not set this option!
  301. #
  302. # This is the file path which contain secret key of aes encryption while using password encryption.
  303. #
  304. #secret-key-file=/path/
  305.  
  306. # MongoDB database connection string in the case that we are using MongoDB
  307. # as the user database.
  308. # This database can be used for long-term credential mechanism
  309. # and it can store the secret value for secret-based timed authentication in TURN RESP API.
  310. # Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
  311. #
  312. #mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
  313.  
  314. # Redis database connection string in the case that we are using Redis
  315. # as the user database.
  316. # This database can be used for long-term credential mechanism
  317. # and it can store the secret value for secret-based timed authentication in TURN RESP API.
  318. # Use string format as below (space separated parameters, all optional):
  319. #
  320. #redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
  321.  
  322. # Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
  323. # This database keeps allocations status information, and it can be also used for publishing
  324. # and delivering traffic and allocation event notifications.
  325. # The connection string has the same parameters as redis-userdb connection string.
  326. # Use string format as below (space separated parameters, all optional):
  327. #
  328. #redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
  329.  
  330. # The default realm to be used for the users when no explicit
  331. # origin/realm relationship was found in the database, or if the TURN
  332. # server is not using any database (just the commands-line settings
  333. # and the userdb file). Must be used with long-term credentials
  334. # mechanism or with TURN REST API.
  335. #
  336. # Note: If default realm is not specified at all, then realm falls back to the host domain name.
  337. # If domain name is empty string, or '(None)', then it is initialized to am empty string.
  338. #
  339. realm=yoursite.com
  340.  
  341. # The flag that sets the origin consistency
  342. # check: across the session, all requests must have the same
  343. # main ORIGIN attribute value (if the ORIGIN was
  344. # initially used by the session).
  345. #
  346. #check-origin-consistency
  347.  
  348. # Per-user allocation quota.
  349. # default value is 0 (no quota, unlimited number of sessions per user).
  350. # This option can also be set through the database, for a particular realm.
  351. #
  352. #user-quota=0
  353.  
  354. # Total allocation quota.
  355. # default value is 0 (no quota).
  356. # This option can also be set through the database, for a particular realm.
  357. #
  358. #total-quota=0
  359.  
  360. # Max bytes-per-second bandwidth a TURN session is allowed to handle
  361. # (input and output network streams are treated separately). Anything above
  362. # that limit will be dropped or temporary suppressed (within
  363. # the available buffer limits).
  364. # This option can also be set through the database, for a particular realm.
  365. #
  366. #max-bps=0
  367.  
  368. #
  369. # Maximum server capacity.
  370. # Total bytes-per-second bandwidth the TURN server is allowed to allocate
  371. # for the sessions, combined (input and output network streams are treated separately).
  372. #
  373. # bps-capacity=0
  374.  
  375. # Uncomment if no UDP client listener is desired.
  376. # By default UDP client listener is always started.
  377. #
  378. #no-udp
  379.  
  380. # Uncomment if no TCP client listener is desired.
  381. # By default TCP client listener is always started.
  382. #
  383. #no-tcp
  384.  
  385. # Uncomment if no TLS client listener is desired.
  386. # By default TLS client listener is always started.
  387. #
  388. #no-tls
  389.  
  390. # Uncomment if no DTLS client listener is desired.
  391. # By default DTLS client listener is always started.
  392. #
  393. #no-dtls
  394.  
  395. # Uncomment if no UDP relay endpoints are allowed.
  396. # By default UDP relay endpoints are enabled (like in RFC 5766).
  397. #
  398. #no-udp-relay
  399.  
  400. # Uncomment if no TCP relay endpoints are allowed.
  401. # By default TCP relay endpoints are enabled (like in RFC 6062).
  402. #
  403. #no-tcp-relay
  404.  
  405. # Uncomment if extra security is desired,
  406. # with nonce value having limited lifetime.
  407. # By default, the nonce value is unique for a session,
  408. # and has unlimited lifetime.
  409. # Set this option to limit the nonce lifetime.
  410. # It defaults to 600 secs (10 min) if no value is provided. After that delay,
  411. # the client will get 438 error and will have to re-authenticate itself.
  412. #
  413. #stale-nonce=600
  414.  
  415. # Uncomment if you want to set the maximum allocation
  416. # time before it has to be refreshed.
  417. # Default is 3600s.
  418. #
  419. #max-allocate-lifetime=3600
  420.  
  421.  
  422. # Uncomment to set the lifetime for the channel.
  423. # Default value is 600 secs (10 minutes).
  424. # This value MUST not be changed for production purposes.
  425. #
  426. #channel-lifetime=600
  427.  
  428. # Uncomment to set the permission lifetime.
  429. # Default to 300 secs (5 minutes).
  430. # In production this value MUST not be changed,
  431. # however it can be useful for test purposes.
  432. #
  433. #permission-lifetime=300
  434.  
  435. # Certificate file.
  436. # Use an absolute path or path relative to the
  437. # configuration file.
  438. #
  439. #cert=/etc/pki/coturn/public/turn_server_cert.pem
  440. cert=/etc/coturn/cert.pem
  441.  
  442. # Private key file.
  443. # Use an absolute path or path relative to the
  444. # configuration file.
  445. # Use PEM file format.
  446. #
  447. #pkey=/etc/pki/coturn/private/turn_server_pkey.pem
  448. pkey=/etc/coturn/privkey.pem
  449.  
  450. # Private key file password, if it is in encoded format.
  451. # This option has no default value.
  452. #
  453. #pkey-pwd=...
  454.  
  455. # Allowed OpenSSL cipher list for TLS/DTLS connections.
  456. # Default value is "DEFAULT".
  457. #
  458. cipher-list="DEFAULT"
  459.  
  460. # CA file in OpenSSL format.
  461. # Forces TURN server to verify the client SSL certificates.
  462. # By default it is not set: there is no default value and the client
  463. # certificate is not checked.
  464. #
  465. # Example:
  466. #CA-file=/etc/ssh/id_rsa.cert
  467.  
  468. # Curve name for EC ciphers, if supported by OpenSSL
  469. # library (TLS and DTLS). The default value is prime256v1,
  470. # if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
  471. # an optimal curve will be automatically calculated, if not defined
  472. # by this option.
  473. #
  474. #ec-curve-name=prime256v1
  475.  
  476. # Use 566 bits predefined DH TLS key. Default size of the key is 1066.
  477. #
  478. #dh566
  479.  
  480. # Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
  481. #
  482. #dh2066
  483.  
  484. # Use custom DH TLS key, stored in PEM format in the file.
  485. # Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
  486. #
  487. #dh-file=<DH-PEM-file-name>
  488.  
  489. # Flag to prevent stdout log messages.
  490. # By default, all log messages are going to both stdout and to
  491. # the configured log file. With this option everything will be
  492. # going to the configured log only (unless the log file itself is stdout).
  493. #
  494. #no-stdout-log
  495.  
  496. # Option to set the log file name.
  497. # By default, the turnserver tries to open a log file in
  498. # /var/log, /var/tmp, /tmp and current directories directories
  499. # (which open operation succeeds first that file will be used).
  500. # With this option you can set the definite log file name.
  501. # The special names are "stdout" and "-" - they will force everything
  502. # to the stdout. Also, the "syslog" name will force everything to
  503. # the system log (syslog).
  504. # In the runtime, the logfile can be reset with the SIGHUP signal
  505. # to the turnserver process.
  506. #
  507. log-file=/var/log/coturn/turnserver.log
  508.  
  509. # Option to redirect all log output into system log (syslog).
  510. #
  511. #syslog
  512.  
  513. # This flag means that no log file rollover will be used, and the log file
  514. # name will be constructed as-is, without PID and date appendage.
  515. # This option can be used, for example, together with the logrotate tool.
  516. #
  517. simple-log
  518.  
  519. # Option to set the "redirection" mode. The value of this option
  520. # will be the address of the alternate server for UDP & TCP service in form of
  521. # <ip>[:<port>]. The server will send this value in the attribute
  522. # ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
  523. # Client will receive only values with the same address family
  524. # as the client network endpoint address family.
  525. # See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
  526. # The client must use the obtained value for subsequent TURN communications.
  527. # If more than one --alternate-server options are provided, then the functionality
  528. # can be more accurately described as "load-balancing" than a mere "redirection".
  529. # If the port number is omitted, then the default port
  530. # number 3478 for the UDP/TCP protocols will be used.
  531. # Colon (:) characters in IPv6 addresses may conflict with the syntax of
  532. # the option. To alleviate this conflict, literal IPv6 addresses are enclosed
  533. # in square brackets in such resource identifiers, for example:
  534. # [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
  535. # Multiple alternate servers can be set. They will be used in the
  536. # round-robin manner. All servers in the pool are considered of equal weight and
  537. # the load will be distributed equally. For example, if we have 4 alternate servers,
  538. # then each server will receive 25% of ALLOCATE requests. A alternate TURN server
  539. # address can be used more than one time with the alternate-server option, so this
  540. # can emulate "weighting" of the servers.
  541. #
  542. # Examples:
  543. #alternate-server=1.2.3.4:5678
  544. #alternate-server=11.22.33.44:56789
  545. #alternate-server=5.6.7.8
  546. #alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
  547.  
  548. # Option to set alternative server for TLS & DTLS services in form of
  549. # <ip>:<port>. If the port number is omitted, then the default port
  550. # number 5349 for the TLS/DTLS protocols will be used. See the previous
  551. # option for the functionality description.
  552. #
  553. # Examples:
  554. #tls-alternate-server=1.2.3.4:5678
  555. #tls-alternate-server=11.22.33.44:56789
  556. #tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
  557.  
  558. # Option to suppress TURN functionality, only STUN requests will be processed.
  559. # Run as STUN server only, all TURN requests will be ignored.
  560. # By default, this option is NOT set.
  561. #
  562. #stun-only
  563.  
  564. # Option to suppress STUN functionality, only TURN requests will be processed.
  565. # Run as TURN server only, all STUN requests will be ignored.
  566. # By default, this option is NOT set.
  567. #
  568. #no-stun
  569.  
  570. # This is the timestamp/username separator symbol (character) in TURN REST API.
  571. # The default value is ':'.
  572. # rest-api-separator=:
  573.  
  574. # Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
  575. # This is an extra security measure.
  576. #
  577. # (To avoid any security issue that allowing loopback access may raise,
  578. # the no-loopback-peers option is replaced by allow-loopback-peers.)
  579. #
  580. # Allow it only for testing in a development environment!
  581. # In production it adds a possible security vulnerability, so for security reasons
  582. # it is not allowed using it together with empty cli-password.
  583. #
  584. #allow-loopback-peers
  585.  
  586. # Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
  587. # This is an extra security measure.
  588. #
  589. #no-multicast-peers
  590.  
  591. # Option to set the max time, in seconds, allowed for full allocation establishment.
  592. # Default is 60 seconds.
  593. #
  594. #max-allocate-timeout=60
  595.  
  596. # Option to allow or ban specific ip addresses or ranges of ip addresses.
  597. # If an ip address is specified as both allowed and denied, then the ip address is
  598. # considered to be allowed. This is useful when you wish to ban a range of ip
  599. # addresses, except for a few specific ips within that range.
  600. #
  601. # This can be used when you do not want users of the turn server to be able to access
  602. # machines reachable by the turn server, but would otherwise be unreachable from the
  603. # internet (e.g. when the turn server is sitting behind a NAT)
  604. #
  605. # Examples:
  606. # denied-peer-ip=83.166.64.0-83.166.95.255
  607. # allowed-peer-ip=83.166.68.45
  608.  
  609. # File name to store the pid of the process.
  610. # Default is /var/run/turnserver.pid (if superuser account is used) or
  611. # /var/tmp/turnserver.pid .
  612. #
  613. #pidfile="/var/run/turnserver.pid"
  614.  
  615. # Require authentication of the STUN Binding request.
  616. # By default, the clients are allowed anonymous access to the STUN Binding functionality.
  617. #
  618. #secure-stun
  619.  
  620. # Mobility with ICE (MICE) specs support.
  621. #
  622. #mobility
  623.  
  624. # Allocate Address Family according
  625. # If enabled then TURN server allocates address family according the TURN
  626. # Client <=> Server communication address family.
  627. # (By default coTURN works according RFC 6156.)
  628. # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
  629. #
  630. #keep-address-family
  631.  
  632.  
  633. # User name to run the process. After the initialization, the turnserver process
  634. # will make an attempt to change the current user ID to that user.
  635. #
  636. #proc-user=root
  637.  
  638. # Group name to run the process. After the initialization, the turnserver process
  639. # will make an attempt to change the current group ID to that group.
  640. #
  641. #proc-group=root
  642.  
  643. # Turn OFF the CLI support.
  644. # By default it is always ON.
  645. # See also options cli-ip and cli-port.
  646. #
  647. #no-cli
  648.  
  649. #Local system IP address to be used for CLI server endpoint. Default value
  650. # is 127.0.0.1.
  651. #
  652. #cli-ip=127.0.0.1
  653.  
  654. # CLI server port. Default is 5766.
  655. #
  656. #cli-port=5766
  657.  
  658. # CLI access password. Default is empty (no password).
  659. # For the security reasons, it is recommended to use the encrypted
  660. # for of the password (see the -P command in the turnadmin utility).
  661. #
  662. # Secure form for password 'qwerty':
  663. #
  664. #cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
  665. #
  666. # Or unsecure form for the same password:
  667. #
  668. #cli-password=qwerty
  669.  
  670. # Enable Web-admin support on https. By default it is Disabled.
  671. # If it is enabled it also enables a http a simple static banner page
  672. # with a small reminder that the admin page is available only on https.
  673. #
  674. #web-admin
  675.  
  676. # Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
  677. #
  678. #web-admin-ip=127.0.0.1
  679.  
  680. # Web-admin server port. Default is 8080.
  681. #
  682. #web-admin-port=8080
  683.  
  684. # Web-admin server listen on STUN/TURN worker threads
  685. # By default it is disabled for security resons! (Not recommended in any production environment!)
  686. #
  687. #web-admin-listen-on-workers
  688.  
  689. # Server relay. NON-STANDARD AND DANGEROUS OPTION.
  690. # Only for those applications when we want to run
  691. # server applications on the relay endpoints.
  692. # This option eliminates the IP permissions check on
  693. # the packets incoming to the relay endpoints.
  694. #
  695. #server-relay
  696.  
  697. # Maximum number of output sessions in ps CLI command.
  698. # This value can be changed on-the-fly in CLI. The default value is 256.
  699. #
  700. #cli-max-output-sessions
  701.  
  702. # Set network engine type for the process (for internal purposes).
  703. #
  704. #ne=[1|2|3]
  705.  
  706. # Do not allow an TLS/DTLS version of protocol
  707. #
  708. #no-tlsv1
  709. #no-tlsv1_1
  710. #no-tlsv1_2
  711.  
  712. TURNSERVER_ENABLED=1
RAW Paste Data Copied