[Fiware-creatifi-coaching] [CreatiFI Benelux Hub] example of tunneling over 443 with TUNS server with Kurento

Andrea Maestrini amaestrini at create-net.org
Mon Sep 5 16:55:21 CEST 2016


Dear,
I forward you an update from the applicant:

***************************

We do run our own coturn server (on google compute). Here is our config -
you can inspect it yourself also:

    url: 'turn:turn-eu.uxpro.be:3478',
    username: 'uxprobe',
    credential: 'usable'

thanks very much for the help
Paul
----------

# Coturn TURN SERVER configuration file
#
# Boolean values note: where boolean value is supposed to be used,
# you can use '0', 'off', 'no', 'false', 'f' as 'false',
# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
# If the value is missed, then it means 'true'.
#

# Listener interface device (optional, Linux only).
# NOT RECOMMENDED.
#
#listening-device=eth0

# TURN listener port for UDP and TCP (Default: 3478).
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
#listening-port=3478

# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
# port(s), too - if allowed by configuration. The TURN server
# "automatically" recognizes the type of traffic. Actually, two listening
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
# For secure TCP connections, we currently support SSL version 3 and
# TLS version 1.0, 1.1 and 1.2. SSL2 "encapsulation mode" is also supported.
# For secure UDP connections, we support DTLS version 1.
#
#tls-listening-port=5349

# Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one".
# This is needed for RFC 5780 support
# (STUN extension specs, NAT behavior discovery). The TURN Server
# supports RFC 5780 only if it is started with more than one
# listening IP address of the same family (IPv4 or IPv6).
# RFC 5780 is supported only by UDP protocol, other protocols
# are listening to that endpoint only for "symmetry".
#
#alt-listening-port=0

# Alternative listening port for TLS and DTLS protocols.
# Default (or zero) value means "TLS listening port plus one".
#
#alt-tls-listening-port=0

# Listener IP address of relay server. Multiple listeners can be specified.
# If no IP specified in the config file or in the command line options,
# then all IPv4 and IPv6 system IPs will be used for listening.
#
#listening-ip=172.17.19.101
#listening-ip=10.207.21.238
#listening-ip=2607:f0d0:1002:51::4

# Auxiliary STUN/TURN server listening endpoint.
# Aux servers have almost full TURN and STUN functionality.
# The (minor) limitations are:
#
# 1) Auxiliary servers do not have alternative ports and
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
#
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
#
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
#
# There may be multiple aux-server options, each will be used for listening
# to client requests.
#
#aux-server=172.17.19.110:33478
#aux-server=[2607:f0d0:1002:51::4]:33478

# (recommended for older Linuxes only)
# Automatically balance UDP traffic over auxiliary servers (if configured).
# The load balancing is using the ALTERNATE-SERVER mechanism.
# The TURN client must support 300 ALTERNATE-SERVER response for this
# functionality.
#
#udp-self-balance

# Relay interface device for relay sockets (optional, Linux only).
# NOT RECOMMENDED.
#
#relay-device=eth1

# Relay address (the local IP address that will be used to relay the
# packets to the peer).
# Multiple relay addresses may be used.
# The same IP can be used as both listening IP and relay IP.
#
# If no relay IP specified, then the turnserver will apply the default
# policy: it will decide itself which relay addresses to be used, and it
# will always be using the client socket IP address as the relay IP address
# of the TURN session (if the requested relay address family is the same
# as the family of the client socket).
#
#relay-ip=172.17.19.105
#relay-ip=2607:f0d0:1002:51::5

# For Amazon EC2 users:
#
# TURN Server public/private address mapping, if the server is behind NAT.
# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
# as relay IP address of all allocations. This scenario works only in a simple case
# when one single relay address is used, and no RFC5780 functionality is required.
# That single relay address must be mapped by NAT to the 'external' IP.
# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
# For that 'external' IP, NAT must forward ports directly (relayed port 12345
# must be always mapped to the same 'external' port 12345).
#
# In more complex case when more than one IP address is involved,
# that option must be used several times, each entry must
# have form "-X <public-ip/private-ip>", to map all involved addresses.
# RFC5780 NAT discovery STUN functionality will work correctly,
# if the addresses are mapped properly, even when the TURN server itself
# is behind A NAT.
#
# By default, this value is empty, and no address mapping is used.
#
external-ip=130.211.101.160
#
#OR:
#
#external-ip=60.70.80.91/172.17.19.101
#external-ip=60.70.80.92/172.17.19.102

# Number of relay threads to handle the established connections
# (in addition to authentication thread and the listener thread).
# If set to 0 then application runs relay process in a single thread,
# in the same thread with the listener process (the authentication thread will
# still be a separate thread).
#
# In the older systems (Linux kernel before 3.9),
# the number of UDP threads is always one thread per network listening endpoint -
# including the auxiliary endpoints - unless 0 (zero) or 1 (one) value is set.
#
#relay-threads=0

# Lower and upper bounds of the UDP relay endpoints:
# (default values are 49152 and 65535)
#
#min-port=49152
#max-port=65535

# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
# By default the verbose mode is off.
#verbose

# Uncomment to run TURN server in 'extra' verbose mode.
# This mode is very annoying and produces lots of output.
# Not recommended under any normal circumstances.
#
#Verbose

# Uncomment to use fingerprints in the TURN messages.
# By default the fingerprints are off.
#
#fingerprint

# Uncomment to use long-term credential mechanism.
# By default no credentials mechanism is used (any user allowed).
# This option can be used with either flat file user database or
# PostgreSQL DB or MySQL DB or MongoDB or Redis DB for user keys storage.
#
#lt-cred-mech

# Uncomment to use short-term credential mechanism.
# By default no credentials mechanism is used (any user allowed).
# For short-term credential mechanism you have to use PostgreSQL or
# MySQL or MongoDB or Redis database for user password storage.
#
#st-cred-mech

# This option is opposite to lt-cred-mech or st-cred-mech.
# (TURN Server with no-auth option allows anonymous access).
# If neither option is defined, and no users are defined,
# then no-auth is default. If at least one user is defined,
# in this file or in command line or in usersdb file, then
# lt-cred-mech is default.
#
#no-auth

# TURN REST API flag.
# Flag that sets a special authorization option that is based upon authentication secret.
# This feature can be used with the long-term authentication mechanism, only.
# This feature purpose is to support "TURN Server REST API", see
# "TURN REST API" link in the project's page
# http://code.google.com/p/coturn/.
#
# This option is used with timestamp:
#
# usercombo -> "timestamp:userid"
# turn user -> usercombo
# turn password -> base64(hmac(secret key, usercombo))
#
# This allows TURN credentials to be accounted for a specific user id.
# If you don't have a suitable id, the timestamp alone can be used.
# This option is just turning on secret-based authentication.
# The actual value of the secret is defined either by option static-auth-secret,
# or can be found in the turn_secret table in the database (see below).
#
#use-auth-secret

# 'Static' authentication secret value (a string) for TURN REST API only.
# If not set, then the turn server
# will try to use the 'dynamic' value in turn_secret table
# in user database (if present). The database-stored value can be changed on-the-fly
# by a separate program, so this is why that other mode is 'dynamic'.
#
#static-auth-secret=north

# Server name used for
# the oAuth authentication purposes.
# The default value is the realm name.
#
#server-name=blackdow.carleon.gov

# Flag to support oAuth authentication.
#
#oauth

# 'Static' user accounts for long term credentials mechanism, only.
# This option cannot be used with TURN REST API or with short-term credentials
# mechanism.
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
# so that they can NOT be changed while the turnserver is running.
#
#user=username1:key1
#user=username2:key2
# OR:
#user=username1:password1
#user=username2:password2
#
# Keys must be generated by turnadmin utility. The key value depends
# on user name, realm, and password:
#
# Example:
# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
# ('0x' in the beginning of the key is what differentiates the key from
# password. If it has 0x then it is a key, otherwise it is a password).
#
# The corresponding user account entry in the config file will be:
#
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
# Or, equivalently, with open clear password (less secure):
#user=ninefingers:youhavetoberealistic
#

# 'Dynamic' user accounts database file name.
# Only users for long-term mechanism can be stored in a flat file,
# short-term mechanism will not work with this option, the short-term
# mechanism requires PostgreSQL or MySQL or MongoDB or Redis database.
# 'Dynamic' long-term user accounts are dynamically checked by the turnserver process,
# so that they can be changed while the turnserver is running.
#
# Default file name is turnuserdb.conf.
#
#userdb=/usr/local/etc/turnuserdb.conf

# PostgreSQL database connection string in the case that we are using PostgreSQL
# as the user database.
# This database can be used for long-term and short-term credential mechanisms
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
# versions connection string format, see
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
# for 9.x and newer connection string formats.
#
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"

# MySQL database connection string in the case that we are using MySQL
# as the user database.
# This database can be used for long-term and short-term credential mechanisms
# and it can store the secret value for secret-based timed authentication in TURN REST API.
#
# Optional connection string parameters for the secure communications (SSL):
# ca, capath, cert, key, cipher
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
# command options description).
#
# Use string format as below (space separated parameters, all optional):
#
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds>"

# MongoDB database connection string in the case that we are using MongoDB
# as the user database.
# This database can be used for long-term and short-term credential mechanisms
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# Use string format as described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
#
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"

# Redis database connection string in the case that we are using Redis
# as the user database.
# This database can be used for long-term and short-term credential mechanisms
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# Use string format as below (space separated parameters, all optional):
#
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"

# Redis status and statistics database connection string, if used
# (default - empty, no Redis stats DB used).
# This database keeps allocations status information, and it can be also used for publishing
# and delivering traffic and allocation event notifications.
# The connection string has the same parameters as redis-userdb connection string.
# Use string format as below (space separated parameters, all optional):
#
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"

# The default realm to be used for the users when no explicit
# origin/realm relationship was found in the database, or if the TURN
# server is not using any database (just the commands-line settings
# and the userdb file). Must be used with long-term credentials
# mechanism or with TURN REST API.
#
#realm=mycompany.org

# The flag that sets the origin consistency
# check: across the session, all requests must have the same
# main ORIGIN attribute value (if the ORIGIN was
# initially used by the session).
#
#check-origin-consistency

# Per-user allocation quota.
# default value is 0 (no quota, unlimited number of sessions per user).
# This option can also be set through the database, for a particular realm.
#
#user-quota=0

# Total allocation quota.
# default value is 0 (no quota).
# This option can also be set through the database, for a particular realm.
#
#total-quota=0

# Max bytes-per-second bandwidth a TURN session is allowed to handle
# (input and output network streams are treated separately). Anything above
# that limit will be dropped or temporarily suppressed (within
# the available buffer limits).
# This option can also be set through the database, for a particular realm.
#
#max-bps=0

#
# Maximum server capacity.
# Total bytes-per-second bandwidth the TURN server is allowed to allocate
# for the sessions, combined (input and output network streams are treated separately).
#
# bps-capacity=0

# Uncomment if no UDP client listener is desired.
# By default UDP client listener is always started.
#
#no-udp

# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
#no-tcp

# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
no-tls

# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
no-dtls

# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766).
#
#no-udp-relay

# Uncomment if no TCP relay endpoints are allowed.
# By default TCP relay endpoints are enabled (like in RFC 6062).
#
#no-tcp-relay

# Uncomment if extra security is desired,
# with nonce value having limited lifetime (600 secs).
# By default, the nonce value is unique for a session,
# but it has unlimited lifetime. With this option,
# the nonce lifetime is limited to 600 seconds, after that
# the client will get 438 error and will have to re-authenticate itself.
#
#stale-nonce

# Certificate file.
# Use an absolute path or path relative to the
# configuration file.
#
#cert=/usr/local/etc/turn_server_cert.pem

# Private key file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
#pkey=/usr/local/etc/turn_server_pkey.pem

# Private key file password, if it is in encoded format.
# This option has no default value.
#
#pkey-pwd=...

# Allowed OpenSSL cipher list for TLS/DTLS connections.
# Default value is "DEFAULT".
#
#cipher-list="DEFAULT"

# CA file in OpenSSL format.
# Forces TURN server to verify the client SSL certificates.
# By default it is not set: there is no default value and the client
# certificate is not checked.
#
# Example:
#CA-file=/etc/ssh/id_rsa.cert

# Curve name for EC ciphers, if supported by OpenSSL library (TLS and DTLS).
# The default value is prime256v1.
#
#ec-curve-name=prime256v1

# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
#
#dh566

# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
#
#dh2066

# Use custom DH TLS key, stored in PEM format in the file.
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
#
#dh-file=<DH-PEM-file-name>

# Flag to prevent stdout log messages.
# By default, all log messages are going to both stdout and to
# the configured log file. With this option everything will be
# going to the configured log only (unless the log file itself is stdout).
#
#no-stdout-log

# Option to set the log file name.
# By default, the turnserver tries to open a log file in
# /var/log, /var/tmp, /tmp and current directories
# (which open operation succeeds first that file will be used).
# With this option you can set the definite log file name.
# The special names are "stdout" and "-" - they will force everything
# to the stdout. Also, the "syslog" name will force everything to
# the system log (syslog).
# In the runtime, the logfile can be reset with the SIGHUP signal
# to the turnserver process.
#
#log-file=/var/tmp/turn.log

# Option to redirect all log output into system log (syslog).
#
#syslog

# This flag means that no log file rollover will be used, and the log file
# name will be constructed as-is, without PID and date appendage.
# This option can be used, for example, together with the logrotate tool.
#
#simple-log

# Option to set the "redirection" mode. The value of this option
# will be the address of the alternate server for UDP & TCP service in form of
# <ip>[:<port>]. The server will send this value in the attribute
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
# Client will receive only values with the same address family
# as the client network endpoint address family.
# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
# The client must use the obtained value for subsequent TURN communications.
# If more than one --alternate-server options are provided, then the functionality
# can be more accurately described as "load-balancing" than a mere "redirection".
# If the port number is omitted, then the default port
# number 3478 for the UDP/TCP protocols will be used.
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
# in square brackets in such resource identifiers, for example:
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
# Multiple alternate servers can be set. They will be used in the
# round-robin manner. All servers in the pool are considered of equal weight and
# the load will be distributed equally. For example, if we have 4 alternate servers,
# then each server will receive 25% of ALLOCATE requests. An alternate TURN server
# address can be used more than one time with the alternate-server option, so this
# can emulate "weighting" of the servers.
#
# Examples:
#alternate-server=1.2.3.4:5678
#alternate-server=11.22.33.44:56789
#alternate-server=5.6.7.8
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478

# Option to set alternative server for TLS & DTLS services in form of
# <ip>:<port>. If the port number is omitted, then the default port
# number 5349 for the TLS/DTLS protocols will be used. See the previous
# option for the functionality description.
#
# Examples:
#tls-alternate-server=1.2.3.4:5678
#tls-alternate-server=11.22.33.44:56789
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478

# Option to suppress TURN functionality, only STUN requests will be processed.
# Run as STUN server only, all TURN requests will be ignored.
# By default, this option is NOT set.
#
#stun-only

# Option to suppress STUN functionality, only TURN requests will be processed.
# Run as TURN server only, all STUN requests will be ignored.
# By default, this option is NOT set.
#
#no-stun

# This is the timestamp/username separator symbol (character) in TURN REST API.
# The default value is ':'.
# rest-api-separator=:

# Flag that can be used to disallow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure.
#
#no-loopback-peers

# Flag that can be used to disallow peers on well-known broadcast
# addresses (224.0.0.0 and above, and FFXX:*).
# This is an extra security measure.
#
#no-multicast-peers

# Option to set the max time, in seconds, allowed for full allocation establishment.
# Default is 60 seconds.
#
#max-allocate-timeout=60

# Option to allow or ban specific ip addresses or ranges of ip addresses.
# If an ip address is specified as both allowed and denied, then the ip address is
# considered to be allowed. This is useful when you wish to ban a range of ip
# addresses, except for a few specific ips within that range.
#
# This can be used when you do not want users of the turn server to be able to access
# machines reachable by the turn server, but would otherwise be unreachable from the
# internet (e.g. when the turn server is sitting behind a NAT)
#
# Examples:
# denied-peer-ip=83.166.64.0-83.166.95.255
# allowed-peer-ip=83.166.68.45

# File name to store the pid of the process.
# Default is /var/run/turnserver.pid (if superuser account is used) or
# /var/tmp/turnserver.pid .
#
#pidfile="/var/run/turnserver.pid"

# Require authentication of the STUN Binding request.
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
#
#secure-stun

# Require SHA256 digest function to be used for the message integrity.
# By default, the server uses SHA1 (as per TURN standard specs).
# With this option, the server
# always requires the stronger SHA256 function. The client application
# must support SHA256 hash function if this option is used. If the server obtains
# a message from the client with a weaker (SHA1) hash function then the
# server returns error code 426.
#
#sha256

# Mobility with ICE (MICE) specs support.
#
#mobility

# User name to run the process. After the initialization, the turnserver process
# will make an attempt to change the current user ID to that user.
#
#proc-user=<user-name>

# Group name to run the process. After the initialization, the turnserver process
# will make an attempt to change the current group ID to that group.
#
#proc-group=<group-name>

# Turn OFF the CLI support.
# By default it is always ON.
# See also options cli-ip and cli-port.
#
#no-cli

# Local system IP address to be used for CLI server endpoint. Default value
# is 127.0.0.1.
#
#cli-ip=127.0.0.1

# CLI server port. Default is 5766.
#
#cli-port=5766

# CLI access password. Default is empty (no password).
#
#cli-password=logen

# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when we want to run
# server applications on the relay endpoints.
# This option eliminates the IP permissions check on
# the packets incoming to the relay endpoints.
#
#server-relay

# Maximum number of output sessions in ps CLI command.
# This value can be changed on-the-fly in CLI. The default value is 256.
#
#cli-max-output-sessions

# Set network engine type for the process (for internal purposes).
#
#ne=[1|2|3]

# Do not allow an SSL/TLS version of protocol
#no-sslv2
#no-sslv3
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2


***************************
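The time-limited credential scheme that the use-auth-secret and static-auth-secret comments in the forwarded configuration describe (usercombo -> "timestamp:userid", turn password -> base64(hmac(secret key, usercombo))), as an added example that is not part of the forwarded message or of coturn's own code; coturn computes this HMAC with SHA-1, and the secret, user id and timestamps below are constructed values. The application server issues the pair on request, so the browser never has to carry a fixed username and credential like the uxprobe/usable pair in the snippet above:

```python
"""Issue and verify TURN REST API credentials (coturn use-auth-secret).

    usercombo     -> "timestamp:userid"
    turn user     -> usercombo
    turn password -> base64(hmac_sha1(secret, usercombo))

The timestamp is the UNIX time at which the credential stops being valid.
Added example; the secret and user ids used here are constructed.
"""
import base64
import hashlib
import hmac
import time

SEPARATOR = ":"  # coturn's default rest-api-separator


def issue_credentials(secret, userid, ttl_seconds, now=None):
    """Return (username, password) valid until now + ttl_seconds.

    This runs on the application server, which holds the shared secret
    (the static-auth-secret value); the client only ever sees the result.
    """
    if now is None:
        now = int(time.time())
    expiry = int(now) + int(ttl_seconds)
    usercombo = f"{expiry}{SEPARATOR}{userid}"
    digest = hmac.new(secret.encode("utf-8"), usercombo.encode("utf-8"),
                      hashlib.sha1).digest()
    return usercombo, base64.b64encode(digest).decode("ascii")


def verify_credentials(secret, username, password, now=None):
    """Server-side check mirroring what the TURN server does with the secret.

    Returns (ok, reason). The HMAC is recomputed from the presented username
    and compared in constant time; the embedded expiry must still be in the
    future, so a leaked pair stops working once its TTL has run out.
    """
    if now is None:
        now = int(time.time())
    timestamp, sep, _userid = username.partition(SEPARATOR)
    if not sep or not timestamp.isdigit():
        return False, "malformed usercombo"
    try:
        presented = base64.b64decode(password, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "password is not base64"
    expected = hmac.new(secret.encode("utf-8"), username.encode("utf-8"),
                        hashlib.sha1).digest()
    if not hmac.compare_digest(expected, presented):
        return False, "bad hmac"
    if int(timestamp) <= int(now):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed secret; in production this is the static-auth-secret value.
    secret = "constructed-demo-secret"
    user, pwd = issue_credentials(secret, "alice", ttl_seconds=600)
    print("username:", user)
    print("password:", pwd)
    print("fresh   :", verify_credentials(secret, user, pwd))
    print("in 1h   :", verify_credentials(secret, user, pwd,
                                          now=int(time.time()) + 3600))
```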

On Thu, Sep 1, 2016 at 9:56 AM, Andrea Maestrini <amaestrini at create-net.org>
wrote:

> Dear FIWARE coach,
> we forward you a support request received from a CreatiFI applicant we are
> not able to solve.
> Please let us know if you need direct contact with the submitter.
> Thanks.
>
> ****************************
>
> Dear
> Is there an example or suggested reference for tunneling over 443 for
> corporate environments?
> thxs
>
> ****************************
>