ben
/
infra
1
1
Fork 2
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
infra/roles/coturn/templates/turnserver.conf.j2

115 lines
4.0 KiB
Django/Jinja
Raw Permalink Blame History

# {{ ansible_managed }}
# config reference: https://github.com/coturn/coturn/wiki/turnserver
use-auth-secret
static-auth-secret={{ coturn_shared_secret }}
realm={{ coturn_url }}
# logs
#syslog
log-file=/var/log/turnserver/coturn.log
#log-file=/tmp/coturn.log
# VoIP traffic is all UDP. no reason to let users connect to any TCP endpoints
# via the relay.
no-tcp-relay
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
# recommended additional local peers to block, to mitigate external access to internal services.
# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
# special case the turn server itself so that client->TURN->TURN->client
# flows work
allowed-peer-ip={{ wg_clients[inventory_hostname]['ip'] }}
{% for item in coturn_allowed_peer_ip|default([]) -%}
allowed-peer-ip={{ item }}
{% endfor %}
# its possible to limit the quota of relayed streams per user (or
# total) to avoid risk of DoS.
#
# 4 streams per video call, so 12 streams = 3 simultaneous relayed calls
# per user.
user-quota=12
total-quota=1200
# these are not the regular letsencrypt certs
# see item 4 under "Configuration": https://matrix-org.github.io/synapse/develop/turn-howto.html
# Voice & video WebRTC traffic is always encrypted.
# Not using TLS will only leave signaling traffic unencrypted (when used by matrix clients,
# the turn server cant force clients to use client-side encryption, bue Element does)
# TLS certificates provided by Let's Encryp will not work with any Matrix client that
# uses Chromium's WebRTC library. This currently includes Element Android & iOS
# https://github.com/vector-im/element-android/issues/1533
# https://github.com/vector-im/element-ios/issues/2712
# https://bugs.chromium.org/p/webrtc/issues/detail?id=11710
# https://matrix-org.github.io/synapse/latest/setup/turn/coturn.html
{% if coturn_tls|default(false) -%}
cert=/usr/local/etc/certs/{{ coturn_url }}/fullchain.crt
pkey=/usr/local/etc/certs/{{ coturn_url }}/private.key
{% else -%}
no-tls
no-dtls
# no-tlsv1
# no-tlsv1_1
# no-tlsv1_2
{% endif %}
# Ensure your firewall allows traffic into the TURN server on the
# ports you've configured it to listen on (By default: 3478 and 5349 for
# TURN traffic (remember to allow both TCP and UDP traffic), and ports
# 49152-65535 for the UDP relay.)
# interesting parts from debian example file:
# Turn OFF the CLI support. By default it is always ON, and the
# process turnserver accepts the telnet client connections on IP address
# 127.0.0.1, port 5766.
# See also options cli-ip, cli-port and cli-password.
#no-cli
#cli-ip=127.0.0.1
#cli-port=5766
# Enable Web-admin support on https. By default it is Disabled.
# If it is enabled it also enables a http a simple static banner page
# with a small reminder that the admin page is available only on https.
#
#web-admin
# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
#
#web-admin-ip=127.0.0.1
# Web-admin server port. Default is 8080.
#
#web-admin-port=8080
# Web-admin server listen on STUN/TURN worker threads
# By default it is disabled for security resons! (Not recommended in any production environment!)
#
#web-admin-listen-on-workers
#acme-redirect=http://redirectserver/.well-known/acme-challenge/
# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
# Default is '', i.e. no special handling for such requests.
# exposes path /metrics on port 9641
#prometheus
View Git Blame Copy Permalink