@@ 192,7 192,7 @@ fingerprint
#
# You can simply run the turnserver and access the port 9641 and path /metrics
#
-# For mor info on the prometheus exporter and metrics
+# For more info on the prometheus exporter and metrics
# https://prometheus.io/docs/introduction/overview/
# https://prometheus.io/docs/concepts/data_model/
#
@@ 500,7 500,7 @@ cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH
#dh1066
# Use custom DH TLS key, stored in PEM format in the file.
-# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
+# Flags --dh566 and --dh1066 are ignored when the DH key is taken from a file.
#
dh-file=/etc/ssl/dhparams.pem
@@ 528,6 528,11 @@ log-file=/var/log/turnserver/turn.log
#
syslog
+# Set syslog facility for syslog messages
+# Default values is ''.
+#
+#syslog-facility="LOG_LOCAL1"
+
# This flag means that no log file rollover will be used, and the log file
# name will be constructed as-is, without PID and date appendage.
# This option can be used, for example, together with the logrotate tool.
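Review bot: The added `syslog-facility` comment reads "Default values is ''" and does not say which facility names are accepted, so a reader cannot tell what the empty default means or what may be set besides the example. I would reword it to `# Set the syslog facility used for syslog messages.` followed by `# Default is '' (no facility set explicitly). Example: "LOG_LOCAL1".`, and list the accepted names if the parser restricts them. If the option only takes effect together with `syslog` on the line above, the comment should say so, since a dedicated facility is what lets operators route TURN logs to a separate collector.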
@@ 537,7 542,7 @@ syslog
# Enable full ISO-8601 timestamp in all logs.
#new-log-timestamp
-# Set timestamp format (in strftime(1) format)
+# Set timestamp format (in strftime(1) format). Depends on new-log-timestamp to be enabled.
#new-log-timestamp-format "%FT%T%z"
# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
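Review bot: The reworded comment still cites `strftime(1)`, but strftime is a library function documented in section 3, and "Depends on new-log-timestamp to be enabled" reads awkwardly. Suggested wording: `# Set timestamp format (in strftime(3) format). Only used when new-log-timestamp is enabled.` The example on the following line also omits the `=` that the other value-taking options in this file use (`dh-file=`, `syslog-facility=`), so it probably should read `#new-log-timestamp-format="%FT%T%z"`. That is worth confirming against the config parser.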
@@ 666,13 671,13 @@ pidfile=/run/turnserver/turnserver.pid
# Require authentication of the STUN Binding request.
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
#
-# secure-stun
+#secure-stun
# Mobility with ICE (MICE) specs support.
#
#mobility
-# Allocate Address Family according
+# Allocate Address Family according (DEPRECATED and will be removed in favour of allocation-default-address-family)
# If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family.
# (By default Coturn works according RFC 6156.)
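Review bot: The deprecation notice appended to the "Allocate Address Family according" heading names the replacement option but not the value that reproduces the old behaviour, and it leaves the heading as an unfinished sentence. Judging from the description added in the next hunk, the equivalent appears to be the "keep" value, so I would put the notice on its own line: `# DEPRECATED: use allocation-default-address-family="keep" instead; this flag will be removed.` The option block itself continues past the end of this hunk.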
@@ 680,6 685,16 @@ pidfile=/run/turnserver/turnserver.pid
#
#keep-address-family
+# TURN server allocates address family according TURN client requested address family.
+# If address family not requested explicitly by the client, then it falls back to this default.
+# The standard RFC explicitly define that this default must be IPv4,
+# so use other option values with care!
+# Possible values: "ipv4" or "ipv6" or "keep"
+# "keep" sets the allocation default address family according to
+# the TURN client allocation request connection address family.
+#allocation-default-address-family="ipv4"
+#allocation-default-address-family="ipv4"
+
# User name to run the process. After the initialization, the turnserver process
# will attempt to change the current user ID to that user.
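Review bot: The example line `#allocation-default-address-family="ipv4"` is added twice in a row, so one copy should be dropped. The block also runs from the description straight into the example without the bare `#` separator line used by the neighbouring options. "The standard RFC explicitly define" should read "defines" and would be clearer if it named the RFC; the preceding option's comment mentions RFC 6156, which is presumably the one meant.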
@@ 763,3 778,31 @@ no-cli
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2
+
+# Disable RFC5780 (NAT behavior discovery).
+#
+# Originally, if there are more than one listener address from the same
+# address family, then by default the NAT behavior discovery feature enabled.
+# This option disables the original behavior, because the NAT behavior
+# discovery adds extra attributes to response, and this increase the
+# possibility of an amplification attack.
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+no-rfc5780
+
+# Disable handling old STUN Binding requests and disable MAPPED-ADDRESS
+# attribute in binding response (use only the XOR-MAPPED-ADDRESS).
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+no-stun-backward-compatibility
+
+# Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+response-origin-only-with-rfc5780
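Review bot: The three new options are added uncommented, unlike the `#no-tlsv1*` lines just above, so anyone deploying this sample file gets the behaviour change without opting in, and the comments do not say what stops working. I would add a line such as `# Enabled in this sample file; comment out only if clients rely on RFC 5780 NAT behavior discovery.` above `no-rfc5780`, and a matching line about legacy STUN clients above `no-stun-backward-compatibility`. With `no-rfc5780` set, `response-origin-only-with-rfc5780` presumably means RESPONSE-ORIGIN is never sent, which the comment could state outright. These settings lower the gain factor but do not remove reflection while `secure-stun` stays commented out, so the text should not read as a complete mitigation. Minor wording: "feature enabled" should be "feature is enabled" and "this increase" should be "this increases".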