| 123456789101112131415161718192021222324252627282930313233343536373839404142434445 |
- # coturn config for BizGaze Connect self-hosted TURN.
- # Put this on your VM (public IP) and run via Docker (see docker-compose.yml) or
- # native coturn (apt install coturn). Replace every CHANGE_ME / placeholder.
-
- # --- listening ---
- listening-port=3478
- tls-listening-port=5349
- # If this VM has a spare 443, also exposing TURNS on 443 gives the best traversal
- # through strict corporate firewalls (uncomment + ensure nothing else uses 443):
- # alt-tls-listening-port=443
-
- # Public address clients reach. If the VM has a 1:1 NAT, use external-ip=PUBLIC/PRIVATE.
- external-ip=CHANGE_ME_PUBLIC_IP
-
- # Relay port range (open these UDP ports in the firewall too).
- min-port=49152
- max-port=65535
-
- # --- auth: time-limited shared-secret credentials (matches the app's TURN_SECRET) ---
- use-auth-secret
- static-auth-secret=CHANGE_ME_LONG_RANDOM_SECRET
- realm=connect.yourdomain.com
-
- # --- TLS (needed for turns: on 5349/443). Use a real cert for turn.yourdomain.com ---
- cert=/etc/letsencrypt/live/turn.yourdomain.com/fullchain.pem
- pkey=/etc/letsencrypt/live/turn.yourdomain.com/privkey.pem
-
- # --- hardening ---
- fingerprint
- no-cli
- no-multicast-peers
- no-tcp-relay
- # Block relaying to private/internal ranges (prevents your relay being used to reach
- # your own LAN / cloud metadata — important SSRF protection):
- denied-peer-ip=0.0.0.0-0.255.255.255
- denied-peer-ip=10.0.0.0-10.255.255.255
- denied-peer-ip=100.64.0.0-100.127.255.255
- denied-peer-ip=169.254.0.0-169.254.255.255
- denied-peer-ip=172.16.0.0-172.31.255.255
- denied-peer-ip=192.168.0.0-192.168.255.255
- denied-peer-ip=::1
- denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- # Optional: cap per-session bandwidth (bytes/sec) to protect the VM, e.g. 700000 = ~5.6 Mbps
- # bps-capacity=0
- # total-quota=100
|
