|
|
|
|
@ -1,5 +1,6 @@
|
|
|
|
|
# location of example configuration
|
|
|
|
|
## https://github.com/coturn/coturn/blob/master/docker/coturn/
|
|
|
|
|
## https://github.com/coturn/coturn/blob/master/README.turnserver - Line 666 for TURN REST API
|
|
|
|
|
|
|
|
|
|
listening-port=3478
|
|
|
|
|
tls-listening-port=5349
|
|
|
|
|
@ -13,7 +14,7 @@ total-quota=100
|
|
|
|
|
bps-capacity=0
|
|
|
|
|
no-udp #??
|
|
|
|
|
no-tcp #??
|
|
|
|
|
# stale-nonce=600 # Authentication Issue
|
|
|
|
|
# stale-nonce=600 # Authentication Issue - when to force re-authentication in seconds
|
|
|
|
|
cert=/etc/ssl/certs/stun.kuketz-meet_ecdsa.pem # same as jitsi?
|
|
|
|
|
pkey=/etc/ssl/private/stun.kuketz-meet_ecdsa.key # same as jitsi?
|
|
|
|
|
cipher-list="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
|
|
|
|
|
@ -24,15 +25,43 @@ log-file=/var/log/coturn.log
|
|
|
|
|
# simple-log # We want logs with pid and date in the name
|
|
|
|
|
no-multicast-peers
|
|
|
|
|
# cli-port=5766 # do we want cli access?
|
|
|
|
|
#cli-password=SOME_SALTED_PW # do we want a cli password?
|
|
|
|
|
# cli-password=SOME_SALTED_PW # do we want a cli password?
|
|
|
|
|
no-tlsv1
|
|
|
|
|
no-tlsv1_1
|
|
|
|
|
|
|
|
|
|
# Authentication Issue -> restrict access to only jitsi server ?
|
|
|
|
|
## 1 use-auth-secret?
|
|
|
|
|
## 2 if yes: what secret to define
|
|
|
|
|
## 3 reauthentication only possible with auth-secret
|
|
|
|
|
## There seems to be a userdb file for authentication
|
|
|
|
|
## Authentication mechanisms:
|
|
|
|
|
## no-auth [default] - allows anonymous access
|
|
|
|
|
## lt-cred-mech - long time credential mechanism, do not use with use-auth-secret
|
|
|
|
|
## oauth - sets the possibility for oAuth
|
|
|
|
|
## server-name= - sets the server name which is used for oAuth
|
|
|
|
|
|
|
|
|
|
## [define a user in config (this file), command line, or userdb file] - sets lt-cred-mech as default
|
|
|
|
|
### user=username1:key1
|
|
|
|
|
### or
|
|
|
|
|
### user=username1:password1
|
|
|
|
|
### Keys must be generated by turnadmin utility. The key value depends
|
|
|
|
|
### on user name, realm, and password:
|
|
|
|
|
###
|
|
|
|
|
### Example:
|
|
|
|
|
### $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
|
|
|
|
|
### Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
|
|
|
|
|
### ('0x' in the beginning of the key is what differentiates the key from
|
|
|
|
|
### password. If it has 0x then it is a key, otherwise it is a password).
|
|
|
|
|
###
|
|
|
|
|
### The corresponding user account entry in the config file will be:
|
|
|
|
|
###
|
|
|
|
|
### user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
|
|
|
|
|
### Or, equivalently, with open clear password (less secure):
|
|
|
|
|
### user=ninefingers:youhavetoberealistic
|
|
|
|
|
|
|
|
|
|
## use-auth-secret - sets the TURN REST API flag
|
|
|
|
|
### This option is used with timestamp:
|
|
|
|
|
### usercombo -> "timestamp:userid"
|
|
|
|
|
### turn user -> usercombo
|
|
|
|
|
### turn password -> base64(hmac(secret key, usercombo))
|
|
|
|
|
|
|
|
|
|
## we can use a database for storing users and secrets for the TURN REST API
|
|
|
|
|
|
|
|
|
|
# CLI Security
|
|
|
|
|
## do we want a password?
|
|
|
|
|
|
