Added configuration file for coturn.

Hans van Zijst 2024-11-28 14:16:46 +01:00 committed by Valentin Gagarin
parent 438682dabf
commit ebf7a04178
2 changed files with 118 additions and 5 deletions


@ -60,14 +60,14 @@ This prepares us for the next step: configuring the whole thing.
As stated before, we only use IPv4, so a CNAME to our machine that also does As stated before, we only use IPv4, so a CNAME to our machine that also does
IPv6 is a bad idea. Fix a new entry in DNS for TURN only, we'll use IPv6 is a bad idea. Fix a new entry in DNS for TURN only, we'll use
`turn.matrix.example.com` here. `turn.example.com` here.
Make sure this entry only has an A record, no AAAA. Make sure this entry only has an A record, no AAAA.
Get a certificate for this name: Get a certificate for this name:
``` ```
certbot certonly --nginx -d turn.matrix.example.com certbot certonly --nginx -d turn.example.com
``` ```
This assumes you've already setup and started nginx (see [nginx](../nginx)). This assumes you've already setup and started nginx (see [nginx](../nginx)).
@ -98,7 +98,7 @@ max-port=60000
use-auth-secret use-auth-secret
static-auth-secret=<previously created secret> static-auth-secret=<previously created secret>
realm=turn.matrixdev.example.com realm=turn.example.com
user-quota=12 user-quota=12
total-quota=1200 total-quota=1200
@ -150,7 +150,7 @@ each certificate renewal:
# that it's copied and chowned and made readable by coturn: # that it's copied and chowned and made readable by coturn:
cd /etc/coturn/ssl cd /etc/coturn/ssl
cp /etc/letsencrypt/live/turn.matrixdev.example.com/{fullchain,privkey}.pem . cp /etc/letsencrypt/live/turn.example.com/{fullchain,privkey}.pem .
chown turnserver:turnserver *.pem chown turnserver:turnserver *.pem
# We should restart either coturn or LiveKit, they cannot run both! # We should restart either coturn or LiveKit, they cannot run both!
@ -160,7 +160,7 @@ systemctl restart coturn
``` ```
Run this automatically after every renewal by adding this line to Run this automatically after every renewal by adding this line to
`/etc/letsencrypt/renewal/turn.matrixdev.example.com.conf`: `/etc/letsencrypt/renewal/turn.example.com.conf`:
``` ```
renew_hook = /etc/coturn/fixssl renew_hook = /etc/coturn/fixssl


@ -0,0 +1,113 @@
# Coturn TURN SERVER configuration file
# Only IPv4, IPv6 can confuse some software
listening-ip=111.222.111.222
# Lower and upper bounds of the UDP relay endpoints:
# (default values are 49152 and 65535)
#
min-port=50000
max-port=60000
use-auth-secret
static-auth-secret=<very secure password>
realm=turn.example.com
# Per-user allocation quota.
# default value is 0 (no quota, unlimited number of sessions per user).
# This option can also be set through the database, for a particular realm.
user-quota=12
# Total allocation quota.
# default value is 0 (no quota).
# This option can also be set through the database, for a particular realm.
total-quota=1200
# Uncomment if no TCP relay endpoints are allowed.
# By default TCP relay endpoints are enabled (like in RFC 6062).
#
no-tcp-relay
# Certificate file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
cert=/etc/coturn/ssl/fullchain.pem
# Private key file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
pkey=/etc/coturn/ssl/privkey.pem
# Option to redirect all log output into system log (syslog).
#
syslog
# Option to allow or ban specific ip addresses or ranges of ip addresses.
# If an ip address is specified as both allowed and denied, then the ip address is
# considered to be allowed. This is useful when you wish to ban a range of ip
# addresses, except for a few specific ips within that range.
#
# This can be used when you do not want users of the turn server to be able to access
# machines reachable by the turn server, but would otherwise be unreachable from the
# internet (e.g. when the turn server is sitting behind a NAT)
#
denied-peer-ip=0.0.0.0-255.255.255.255
denied-peer-ip=127.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
# TURN server allocates address family according TURN client requested address family.
# If address family not requested explicitly by the client, then it falls back to this default.
# The standard RFC explicitly define that this default must be IPv4,
# so use other option values with care!
# Possible values: "ipv4" or "ipv6" or "keep"
# "keep" sets the allocation default address family according to
# the TURN client allocation request connection address family.
allocation-default-address-family="ipv4"
# Turn OFF the CLI support.
# By default it is always ON.
# See also options cli-ip and cli-port.
#
no-cli
# Do not allow an TLS/DTLS version of protocol
#
no-tlsv1
no-tlsv1_1
# Disable RFC5780 (NAT behavior discovery).
#
# Strongly encouraged to use this option to decrease gain factor in STUN
# binding responses.
#
no-rfc5780
# Disable handling old STUN Binding requests and disable MAPPED-ADDRESS
# attribute in binding response (use only the XOR-MAPPED-ADDRESS).
#
# Strongly encouraged to use this option to decrease gain factor in STUN
# binding responses.
#
no-stun-backward-compatibility
# Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
#
# Strongly encouraged to use this option to decrease gain factor in STUN
# binding responses.
#
response-origin-only-with-rfc5780
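Review bot: The first two denied-peer-ip entries look transposed: `denied-peer-ip=0.0.0.0-255.255.255.255` covers every IPv4 address, so with no allowed-peer-ip entries in the file the relay would deny every peer, while `denied-peer-ip=127.0.0.0-0.255.255.255` has its end below its start and presumably matches nothing, leaving loopback unblocked. The intended lines are almost certainly `denied-peer-ip=0.0.0.0-0.255.255.255` and `denied-peer-ip=127.0.0.0-127.255.255.255`. The same egress-restriction set usually also carries the reserved 240.0.0.0-255.255.255.255 range and `no-multicast-peers`, which this list omits. Since the file holds `static-auth-secret`, a comment next to it noting that the file must not be world-readable (owned by the turnserver user, mode 0640 or tighter) would help readers who copy it verbatim.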