From ab1292059fd2f0a3875c80ad9b02aec724e07787 Mon Sep 17 00:00:00 2001
From: Hyorin Choi <17173216+hyorin@users.noreply.github.com>
Date: Thu, 27 Oct 2022 05:53:32 +0900
Subject: [PATCH] Update turnserver.conf (#1009)
Made some text proofreading
---
docker/coturn/turnserver.conf | 83 ++++++++++++++++++++++++++++++++---
examples/etc/turnserver.conf | 18 ++++----
2 files changed, 87 insertions(+), 14 deletions(-)
diff --git a/docker/coturn/turnserver.conf b/docker/coturn/turnserver.conf
index 301951f3..d11bbbd9 100644
--- a/docker/coturn/turnserver.conf
+++ b/docker/coturn/turnserver.conf
@@ -1,7 +1,7 @@
# Coturn TURN SERVER configuration file
#
# Boolean values note: where a boolean value is supposed to be used,
-# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
+# you can use '0', 'off', 'no', 'false', or 'f' as 'false',
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
# If the value is missing, then it means 'true' by default.
#
@@ -125,7 +125,7 @@ tls-listening-port=5349
#
# By default, this value is empty, and no address mapping is used.
#
-external-ip=193.224.22.37
+#external-ip=60.70.80.91
#
#OR:
#
@@ -186,6 +186,18 @@ lt-cred-mech
#
#no-auth
+# Enable prometheus exporter
+# If enabled the turnserver will expose an endpoint with stats on a prometheus format
+# this endpoint is listening on a different port to not conflict with other configurations.
+#
+# You can simply run the turnserver and access the port 9641 and path /metrics
+#
+# For more info on the prometheus exporter and metrics
+# https://prometheus.io/docs/introduction/overview/
+# https://prometheus.io/docs/concepts/data_model/
+#
+#prometheus
+
# TURN REST API flag.
# (Time Limited Long Term Credential)
# Flag that sets a special authorization option that is based upon authentication secret.
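Review bot: The `-external-ip=193.224.22.37` / `+#external-ip=60.70.80.91` lines in the `@@ -125,7 +125,7 @@` hunk disable external-ip in the docker config, which is a behavioural change that a commit described as "text proofreading" should call out; per the context line above it, an empty value means no address mapping, so a container behind NAT will presumably advertise its own address unless the docker README or compose file tells operators to set this. The new placeholder 60.70.80.91 is a routable address that belongs to someone; use an RFC 5737 documentation address instead, `#external-ip=203.0.113.10`, so a copy-paste never points at a third party. Whether 193.224.22.37 was a real deployment address committed by mistake is not visible from the hunk, but if so it remains in history.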
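Review bot: The new prometheus block in the `@@ -186,6 +186,18 @@` hunk tells the reader to "access the port 9641 and path /metrics" but says nothing about who should be able to reach it; the comment does not mention any authentication on that endpoint, so operators should assume there is none and keep the port off the public interface. I'd add, above `#prometheus`, `# NOTE: restrict port 9641 to your Prometheus scraper (firewall / docker network); do not publish it from the container.` Which interface the exporter binds to is not shown in this hunk, so check the listener code before relying on a default.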
@@ -377,7 +389,7 @@ realm=example.org
# Total bytes-per-second bandwidth the TURN server is allowed to allocate
# for the sessions, combined (input and output network streams are treated separately).
#
-# bps-capacity=0
+#bps-capacity=0
# Uncomment if no UDP client listener is desired.
# By default UDP client listener is always started.
@@ -516,12 +528,27 @@ pkey=/etc/ssl/private/privkey.pem
#
syslog
+# Set syslog facility for syslog messages
+# Default values is ''.
+#
+#syslog-facility="LOG_LOCAL1"
+
# This flag means that no log file rollover will be used, and the log file
# name will be constructed as-is, without PID and date appendage.
# This option can be used, for example, together with the logrotate tool.
#
#simple-log
+# Enable full ISO-8601 timestamp in all logs.
+#new-log-timestamp
+
+# Set timestamp format (in strftime(1) format). Depends on new-log-timestamp to be enabled.
+#new-log-timestamp-format "%FT%T%z"
+
+# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
+# Enable binding logging and UDP endpoint logs in verbose log mode.
+#log-binding
+
# Option to set the "redirection" mode. The value of this option
# will be the address of the alternate server for UDP & TCP service in the form of
# [:]. The server will send this value in the attribute
@@ -584,7 +611,8 @@ syslog
# This is the timestamp/username separator symbol (character) in TURN REST API.
# The default value is ':'.
-# rest-api-separator=:
+#
+#rest-api-separator=:
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure.
@@ -636,7 +664,7 @@ syslog
#
#mobility
-# Allocate Address Family according
+# Allocate Address Family according (DEPRECATED and will be removed in favor of allocation-default-address-family)
# If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family.
# (By default Coturn works according RFC 6156.)
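Review bot: In the `@@ -516,12 +528,27 @@` hunk the added `#new-log-timestamp-format "%FT%T%z"` is the only option in this file written as `key value` rather than `key=value` (compare `#syslog-facility="LOG_LOCAL1"` a few lines above); if coturn's config reader accepts both forms this is harmless, but it reads as a typo and will be copied as one, so I'd write `#new-log-timestamp-format="%FT%T%z"`. The `log-binding` comment is also hard to parse as written; I'd reword the first line to `# Binding-request logging in verbose mode is off by default so that unauthenticated STUN Binding floods cannot be used to fill the log (DoS).` and keep the existing "Enable binding logging..." line after it. Whether the parser really tolerates a space separator is not something this hunk shows, so confirm before relying on it.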
@@ -644,6 +672,16 @@ syslog
#
#keep-address-family
+# TURN server allocates address family according TURN client requested address family.
+# If address family not requested explicitly by the client, then it falls back to this default.
+# The standard RFC explicitly define that this default must be IPv4,
+# so use other option values with care!
+# Possible values: "ipv4" or "ipv6" or "keep"
+# "keep" sets the allocation default address family according to
+# the TURN client allocation request connection address family.
+#
+#allocation-default-address-family="ipv4"
#allocation-default-address-family="ipv4"
# User name to run the process. After the initialization, the turnserver process
# will attempt to change the current user ID to that user.
@@ -697,10 +735,15 @@ cli-password=CHANGE_ME
#web-admin-port=8080
# Web-admin server listen on STUN/TURN worker threads
-# By default it is disabled for security resons! (Not recommended in any production environment!)
+# By default it is disabled for security reasons! (Not recommended in any production environment!)
#
#web-admin-listen-on-workers
+# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '$1'.
+# Default is '', i.e. no special handling for such requests.
+#
+#acme-redirect=http://redirectserver/.well-known/acme-challenge/
+
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when you want to run
# server applications on the relay endpoints.
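Review bot: The `@@ -644,6 +672,16 @@` hunk ends with `#allocation-default-address-family="ipv4"` twice in a row (the same duplicate already sits in examples/etc/turnserver.conf, as the second file's hunks show); a reader will assume the second line means something different, so keep one example line. It would also help to tie the new option to the `keep-address-family` flag marked DEPRECATED just above it, e.g. `# Replaces the deprecated keep-address-family flag; the "keep" value gives that behaviour.` That equivalence is my reading of the two comments rather than something the hunk proves, so confirm it before writing it down.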
@@ -723,3 +766,31 @@ cli-password=CHANGE_ME
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2
+
+# Disable RFC5780 (NAT behavior discovery).
+#
+# Originally, if there are more than one listener address from the same
+# address family, then by default the NAT behavior discovery feature enabled.
+# This option disables the original behavior, because the NAT behavior
+# discovery adds extra attributes to response, and this increase the
+# possibility of an amplification attack.
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
no-rfc5780
+
+# Disable handling old STUN Binding requests and disable MAPPED-ADDRESS
+# attribute in binding response (use only the XOR-MAPPED-ADDRESS).
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
no-stun-backward-compatibility
+
+# Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
response-origin-only-with-rfc5780
diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf
index 892fb0b8..4a909a98 100644
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@@ -1,7 +1,7 @@
# Coturn TURN SERVER configuration file
#
# Boolean values note: where a boolean value is supposed to be used,
-# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
+# you can use '0', 'off', 'no', 'false', or 'f' as 'false',
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
# If the value is missing, then it means 'true' by default.
#
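Review bot: The `@@ -723,3 +766,31 @@` hunk turns on `no-rfc5780`, `no-stun-backward-compatibility` and `response-origin-only-with-rfc5780` unconditionally in the docker config, which is the right default for an Internet-facing STUN/TURN listener, but the comments only state the benefit (smaller Binding responses) and not what is given up: the second option drops MAPPED-ADDRESS from Binding responses, so clients that only implement classic RFC 3489 STUN presumably stop getting their reflexive address, and the first disables NAT-behaviour discovery for anyone who relied on it. I'd add under the second option's comment `# Clients that only understand RFC 3489 (MAPPED-ADDRESS) will not work with this enabled.` The sentence "Originally, if there are more than one listener address from the same address family, then by default the NAT behavior discovery feature enabled" should also read `# If more than one listener address of the same address family is configured, NAT behavior discovery is enabled by default.`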
@@ -23,7 +23,7 @@
# "automatically" recognizes the type of traffic. Actually, two listening
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
-# For secure TCP connections, Coturn currently supports
+# For secure TCP connections, Coturn currently supports SSL version 3 and
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, Coturn supports DTLS version 1.
#
@@ -389,7 +389,7 @@
# Total bytes-per-second bandwidth the TURN server is allowed to allocate
# for the sessions, combined (input and output network streams are treated separately).
#
-# bps-capacity=0
+#bps-capacity=0
# Uncomment if no UDP client listener is desired.
# By default UDP client listener is always started.
@@ -611,7 +611,8 @@
# This is the timestamp/username separator symbol (character) in TURN REST API.
# The default value is ':'.
-# rest-api-separator=:
+#
+#rest-api-separator=:
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure.
@@ -663,7 +664,7 @@
#
#mobility
-# Allocate Address Family according (DEPRECATED and will be removed in favour of allocation-default-address-family)
+# Allocate Address Family according (DEPRECATED and will be removed in favor of allocation-default-address-family)
# If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family.
# (By default Coturn works according RFC 6156.)
@@ -678,10 +679,10 @@
# Possible values: "ipv4" or "ipv6" or "keep"
# "keep" sets the allocation default address family according to
# the TURN client allocation request connection address family.
+#
#allocation-default-address-family="ipv4"
#allocation-default-address-family="ipv4"
-
# User name to run the process. After the initialization, the turnserver process
# will attempt to change the current user ID to that user.
#
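Review bot: The `@@ -23,7 +23,7 @@` hunk re-adds "SSL version 3 and" to the list of protocols the example config advertises for secure TCP, undoing what looks like a deliberate earlier removal; SSLv3 is broken (POODLE) and the shipped example should not present it as supported even if some old OpenSSL build could still negotiate it. Keep the line as it was, `# For secure TCP connections, Coturn currently supports` / `# TLS version 1.0, 1.1 and 1.2.`, or better stop enumerating versions: `# For secure TCP connections, Coturn supports TLS; the versions offered depend on the OpenSSL it is built against (the no-tlsv1* options below disable old ones).` Whether this build also negotiates TLS 1.3, and whether the examples copy carries the no-tlsv1* options the docker copy shows, is not visible in this hunk, so I have not claimed either.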
@@ -734,13 +735,14 @@
#web-admin-port=8080
# Web-admin server listen on STUN/TURN worker threads
-# By default it is disabled for security resons! (Not recommended in any production environment!)
+# By default it is disabled for security reasons! (Not recommended in any production environment!)
#
#web-admin-listen-on-workers
-#acme-redirect=http://redirectserver/.well-known/acme-challenge/
# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '$1'.
# Default is '', i.e. no special handling for such requests.
+#
+#acme-redirect=http://redirectserver/.well-known/acme-challenge/
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when you want to run