From efe85228329d58b94de1b683b85318d9f6259f13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorben=20G=C3=BCnther?=
Date: Fri, 14 Oct 2022 13:14:53 +0200
Subject: [PATCH] coturn: Update config 4.6.0 release.

---
 roles/coturn/templates/turnserver.conf.j2 | 53 ++++++++++++++++++++---
 1 file changed, 48 insertions(+), 5 deletions(-)

diff --git a/roles/coturn/templates/turnserver.conf.j2 b/roles/coturn/templates/turnserver.conf.j2
index af6451f..b56473e 100644
--- a/roles/coturn/templates/turnserver.conf.j2
+++ b/roles/coturn/templates/turnserver.conf.j2
@@ -192,7 +192,7 @@ fingerprint
 #
 # You can simply run the turnserver and access the port 9641 and path /metrics
 #
-# For mor info on the prometheus exporter and metrics
+# For more info on the prometheus exporter and metrics
 # https://prometheus.io/docs/introduction/overview/
 # https://prometheus.io/docs/concepts/data_model/
 #
@@ -500,7 +500,7 @@ cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH
 #dh1066
 
 # Use custom DH TLS key, stored in PEM format in the file.
-# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
+# Flags --dh566 and --dh1066 are ignored when the DH key is taken from a file.
 #
 dh-file=/etc/ssl/dhparams.pem
 
@@ -528,6 +528,11 @@ log-file=/var/log/turnserver/turn.log
 #
 syslog
 
+# Set syslog facility for syslog messages
+# Default values is ''.
+#
+#syslog-facility="LOG_LOCAL1"
+
 # This flag means that no log file rollover will be used, and the log file
 # name will be constructed as-is, without PID and date appendage.
 # This option can be used, for example, together with the logrotate tool.
@@ -537,7 +542,7 @@ syslog
 # Enable full ISO-8601 timestamp in all logs.
 #new-log-timestamp
 
-# Set timestamp format (in strftime(1) format)
+# Set timestamp format (in strftime(1) format). Depends on new-log-timestamp to be enabled.
 #new-log-timestamp-format "%FT%T%z"
 
 # Disabled by default binding logging in verbose log mode to avoid DoS attacks.
@@ -666,13 +671,13 @@ pidfile=/run/turnserver/turnserver.pid
 # Require authentication of the STUN Binding request.
 # By default, the clients are allowed anonymous access to the STUN Binding functionality.
 #
-# secure-stun
+#secure-stun
 
 # Mobility with ICE (MICE) specs support.
 #
 #mobility
 
-# Allocate Address Family according
+# Allocate Address Family according (DEPRECATED and will be removed in favour of allocation-default-address-family)
 # If enabled then TURN server allocates address family according the TURN
 # Client <=> Server communication address family.
 # (By default Coturn works according RFC 6156.)
@@ -680,6 +685,16 @@ pidfile=/run/turnserver/turnserver.pid
 #
 #keep-address-family
 
+# TURN server allocates address family according TURN client requested address family.
+# If address family not requested explicitly by the client, then it falls back to this default.
+# The standard RFC explicitly define that this default must be IPv4,
+# so use other option values with care!
+# Possible values: "ipv4" or "ipv6" or "keep"
+# "keep" sets the allocation default address family according to
+# the TURN client allocation request connection address family.
+#allocation-default-address-family="ipv4"
+#allocation-default-address-family="ipv4"
+
 
 # User name to run the process. After the initialization, the turnserver process
 # will attempt to change the current user ID to that user.
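Review bot: The new block in the second hunk ends with `#allocation-default-address-family="ipv4"` twice; the two lines are identical and both commented out, so the second looks like a copy-paste duplicate and should be dropped. Since the first hunk marks `keep-address-family` as deprecated in favour of this option, it is worth checking whether the role enables `keep-address-family` anywhere outside these hunks; if it does, `allocation-default-address-family="keep"` is the replacement the new comment names. A one-line comment stating which value this deployment relies on would also help, e.g. `# Address family used for allocations when the client does not ask for one; the RFC default is ipv4.`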
@@ -763,3 +778,31 @@ no-cli
 #no-tlsv1
 #no-tlsv1_1
 #no-tlsv1_2
+
+# Disable RFC5780 (NAT behavior discovery).
+#
+# Originally, if there are more than one listener address from the same
+# address family, then by default the NAT behavior discovery feature enabled.
+# This option disables the original behavior, because the NAT behavior
+# discovery adds extra attributes to response, and this increase the
+# possibility of an amplification attack.
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+no-rfc5780
+
+# Disable handling old STUN Binding requests and disable MAPPED-ADDRESS
+# attribute in binding response (use only the XOR-MAPPED-ADDRESS).
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+no-stun-backward-compatibility
+
+# Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+response-origin-only-with-rfc5780
-- 
2.44.0
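Review bot: `response-origin-only-with-rfc5780` adds nothing while `no-rfc5780` above it is set, because, as its own comment says, RESPONSE-ORIGIN is then only sent when RFC 5780 is enabled; keeping it is harmless, but the template should say why, e.g. `# Redundant while no-rfc5780 is set; kept so RESPONSE-ORIGIN stays suppressed if NAT discovery is ever re-enabled.` Of the three options, `no-stun-backward-compatibility` is the one that changes what legitimate clients receive (MAPPED-ADDRESS is dropped from Binding responses), so a short note that clients limited to classic STUN responses lose that attribute would help whoever later tunes this file. The options appear to be 4.6.0 additions, as the subject line suggests, and the hunk enables them unconditionally at the end of the file; if the role can target hosts with an older coturn package, confirm how that version treats unrecognised options before relying on this hardening.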