forked from wargio/open-rtc
-
Notifications
You must be signed in to change notification settings - Fork 0
/
server.conf.in
269 lines (260 loc) · 12.8 KB
/
server.conf.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
; Open-RTC server example configuration
[http]
; HTTP listener in format ip:port.
listen = 127.0.0.1:8080
; Full path to directory where to find the server web assets.
;root = /usr/share/open-rtc-server/www
; HTTP socket read timeout in seconds.
;readtimeout = 10
; HTTP socket write timeout in seconds.
;writetimeout = 10
; Use basePath if the server does not run on the root path (/) of your server.
;basePath = /some/sub/path/
; Set maximum number of open files (only works when run as root).
;maxfd = 32768
; Enable stats API /api/v1/stats for debugging (not for production use!).
;stats = false
; Enable HTTP listener for golang pprof module. See
; http://golang.org/pkg/net/http/pprof/ for details.
;pprofListen = 127.0.0.1:6060
[https]
; Native HTTPS listener in format ip:port.
;listen = 127.0.0.1:8443
; Full path to PEM encoded certificate chain.
;certificate = server.crt
; Full path to PEM encoded private key.
;key = server.key
; Mimimal supported encryption standard (SSLv3, TLSv1, TLSv1.1 or TLSv1.2).
;minVersion = SSLv3
; HTTPS socket read timeout in seconds.
;readtimeout = 10
; HTTPS socket write timeout in seconds.
;writetimeout = 10
[app]
; HTML page title
;title = Open-RTC
; Version string to use for static resources. This defaults to the server
; version and should only be changed when you use your own way to invalidate
; long cached static resources.
;ver = 1234
; STUN server URIs in format host:port. You can provide multiple seperated by
; space. If you do not have one use a public one like stun.spreed.me:443. If
; you have a TURN server you do not need to set an STUN server as the TURN
; server will provide STUN services.
;stunURIs = stun:stun.spreed.me:443
; TURN server URIs in format host:port?transport=udp|tcp. You can provide
; multiple seperated by space. If you do not have at least one TURN server then
; some users will not be able to use the server as the peer to peer connection
; cannot be established without a TURN server due to firewall reasons. An open
; source TURN server which is fully supported can be found at
; https://code.google.com/p/rfc5766-turn-server/.
;turnURIs = turn:turnserver:port?transport=udp
; Shared secret authentication for TURN user generation if the TURN server is
; protected (which it should be).
; See http://tools.ietf.org/html/draft-uberti-behave-turn-rest-00 for details.
; A supported TURN server is https://code.google.com/p/rfc5766-turn-server/.
;turnSecret = the-default-turn-shared-secret-do-not-keep
; Fixed username/password credentials to be used for the TURN server.
; IMPORTANT: This will give all users connected to the open-rtc service
; access to the credentials, so in almost all cases the shared secret mode
; should be used instead!!
;turnUsername = the-turn-username
;turnPassword = the-turn-secret
; Enable renegotiation support. Set to true to tell clients that they can
; renegotiate peer connections when required. Firefox support is not complete,
; so do not enable if you want compatibility with Firefox clients.
;renegotiation = false
; Session secret to use for session id generator. 32 or 64 bytes of random data
; are recommented (hex encoded). A warning will be logged if hex decode fails.
; You can generate a secret easily with "xxd -ps -l 32 -c 32 /dev/random".
sessionSecret = the-default-secret-do-not-keep-me
; Encryption secret protecting the data in generated server side tokens. Use
; 16, 24, or 32 bytes (hex encoded) to select AES-128, AES-192, or AES-256.
; When you change the encryption secret, stored authentications, sessions and
; contacts become invalid. A warning will be logged if hex decode fails. You
; can generate a secret easily with "xxd -ps -l 32 -c 32 /dev/random".
encryptionSecret = tne-default-encryption-block-key
; Full path to a text file containig client tokens which a user needs to enter
; when accessing the web client. Each line in this file represents a valid
; token.
;tokenFile = tokens.txt
; The name of a global room. If enabled it should be kept secret. Users in that
; room are visible in all other rooms.
;globalRoom = global
; The default room is the room at the root URL of the servers base address and
; all users will join this room if enabled. If it is disabled then a room join
; form will be shown instead.
;defaultRoomEnabled = true
; Whether the room names are case sensitive. If enabled, different casing
; of room names are different rooms. Optional. Defaults to false.
;caseSensitiveRooms = false
; Whether a user account is required to join a room. This only has an effect
; if user accounts are enabled. Optional, defaults to false.
;authorizeRoomJoin = false
; Whether a user account is required to create a room. This only has an effect
; if user accounts are enabled. Optional, defaults to false.
;authorizeRoomCreation = false
; Whether locked rooms should be joinable by providing the PIN the room was
; locked with. Optional, defaults to true.
;lockedRoomJoinableWithPIN = true
; Regular expression specifying room names that can be created / joined without
; a valid user account (even if "authorizeRoomJoin" or "authorizeRoomCreation"
; is enabled).
;publicRooms =
; Whether the pipelines API should be enabled. Optional, defaults to false.
;pipelinesEnabled = false
; Server token is a public random string which is used to enhance security of
; server generated security tokens. When the serverToken is changed all existing
; nonces become invalid. Use 32 or 64 characters (eg. 16 or 32 byte hex).
serverToken = i-did-not-change-the-public-token-boo
; The server realm is part of the validation chain of tokens and nonces and is
; added as suffix to server created user ids if user creation is enabled. When
; the realm is changed, all existing tokens and nonces become invalid.
serverRealm = local
; Full path to an extra templates directory. Templates in this directory ending
; with .html will be parsed on startup and can be used to fill the supported
; extra-* template slots. If the extra folder has a sub folder "static", the
; resources in this static folder will be available as /extra/static/...
; relative to your servers base URL.
;extra = /usr/share/open-rtc-server/extra
; Full path to an extra.d directory. Subfolders in this directory will be
; searched for head.html and body.html on startup. If found, those templates
; will be automatically included for the web client. In addition,
; sub-folder/static will be made available by URL at /extra.d/static/<n>/...
; relative to your servers base URL.
; URL relative to the servers base path for a plugin javascript file which is
; automatically loaded on web client start for all users. You can put your
; plugin in the extra/static folder (see above) or provide another folder using
; a front end webserver. Check the doc folder for more info about plugins and
; examples.
;extra.d = /usr/share/open-rtc-server/extra.d
;plugin = extra/static/myplugin.js
; Content-Security-Policy HTTP response header value.
; Open-RTC requires inline styles, WebSocket connection to itself and
; data: URL for images.
; The currently recommended CSP is:
; default-src 'self';
; frame-src 'self' blob:;
; style-src 'self' 'unsafe-inline';
; img-src 'self' data: blob:;
; connect-src 'self' wss://server:port/ws blob:;
; font-src 'self' data: blob:;
; media-src 'self' blob:;
;contentSecurityPolicy =
; Content-Security-Policy-Report-Only HTTP response header value. Use this
; to test your CSP before putting it into production.
;contentSecurityPolicyReportOnly =
[modules]
; Modules provide optional functionality. Modules are enabled by default and
; can be disabled by setting false to their corresponding configuration.
;screensharing = true
;youtube = true
;presentation = true
;contacts = true
;roomlocking = true
[log]
;logfile = /var/log/open-rtc-server.log
[users]
; Set to true to enable user functionality.
enabled = false
; Set users authorization mode.
; sharedsecret:
; Validates the userid with a HMAC authentication secret.
; The format goes like this:
; BASE64(HMAC-SHA-256(secret, expirationTimestampInSeconds:userid))
; httpheader:
; The userid is provided as an HTTP header. The server does not do any
; validation. This usually only makes sense with a front end HTTPS proxy which
; does the authentication and injects the user id as HTTP header for sessions
; REST requests. In mode httpheader, allowRegistration should be false.
; certificate:
; The userid is provided as CommonName with a certificate provided with TLS
; client authentication. When you use this with a front end proxy for TLS
; termination, that proxy has to validate the certificate and inject certain
; headers into the proxy connection. While certificate mode offers the highest
; security it is currently considered experimental and the user experience
; varies between browsers and platforms.
;mode = sharedsecret
; The shared secred for HMAC validation in "sharedsecret" mode. Best use 32 or
; 64 bytes of random data.
;sharedsecret_secret = some-secret-do-not-keep
; The HTTP header name where to find the userid in "httpheader" mode.
;httpheader_header = x-userid
; Full path to PEM encoded private key to use for user creation in "certificate"
; mode. Keep this commented if you do not want the server to sign certificate
; requests.
;certificate_key = userskey.key
; Full path to PEM encoded certificate to use for user validation in
; "certificate" mode. When allowRegistration is true and certificate_key is also
; set then the server will act as a CA and sign incoming user registrations and
; return certificates to users as registration.
;certificate_certificate = usersca.crt
; The HTTP header name where to find if the TLS client authentication was
; successfull. The value of this header is matched to
; certificate_verifiedHeaderValue and only if there is a match, the proxy
; handled TLS client authentication is accepted as success. Make sure to secure
; these headers with your front end proxy (always set them). Do not use these
; settings when not using a front end proxy.
;certificate_verifiedHeader = x-verified
;certificate_verifiedHeaderValue = SUCCESS
; The HTTP header name where to find the PEM encoded certificate authenticated
; by a front end proxy. With Nginx the required value is in $ssl_client_cert.
;certificate_certificateHeader = x-certificate
; The valid duration of generated certificates created in certificate mode when
; allowRegistration is enabled.
;certificate_validForDays = 365
; Organization to set into the created user certificates. Use a readable public
; name to make the certificate easily recognizable as certificate for your
; server so users can choose the correct certificate when prompted.
;certificate_organization= = My Spreed Server
; If enabled the server can create new userids. Set allowRegistration to true to
; enable userid creation/registration. Users are created according the settings
; of the currently configured mode (see above).
;allowRegistration = false
[nats]
; Set to true, to connect to NATS on startup. If false, all other settins in the
; [nats] section are ignored. Defaults to false.
;useNATS = false
; Set to true, to enable triggering channelling events via NATS
;channelling_trigger = false
; NATS channel trigger subject. Defaults to 'channelling.trigger'.
;channelling_trigger_subject = channelling.trigger
; NATS server URL.
;url = nats://127.0.0.1:4222
; NATS connect establish timeout in seconds.
;establishTimeout = 60
; Use client_id to distinguish between multipe servers. The value is sent
; together with every NATS request. Defaults to empty.
;client_id =
; Set to true, to load additional configuration settings via NATS. The config
; loaded is applied after loading the [nats] section and all entries extend the
; configuration files with overwrite. Only takes effect when a NATS server URL
; is configured. Defaults to false.
;configFromNATS = false
;configFromNATSSubject = open-rtc.config.get
; NATS config load timeout. If 0, then it waits forever, blocking the startup
; until the configuration was loaded from NATS. Defaults to 0.
;configFromNATSTimeout = 0
[roomtypes]
; You can define room types that should be used for given room names instead of
; the default type "Room". Use format "RegularExpression = RoomType" and make
; sure the regular expression doesn't contain any "=" or ":".
;
; Available room types:
; "Conference"
; All participants joining the room automatically call each other and are in
; a conference.
;
; Example (all rooms below "conference/" are conference rooms):
;^conference/.+ = Conference
;
[turnService]
; To avoid the setup of a self-owned TURN server, a TURN service can be used.
; When a turnServiceURI is set, TurnURIs in the [app] section are ignored.
;turnServiceURI = https://turnservice.spreed.me
; Access token for the TURN service. This is usually required and provided with
; your TURN service subscription.
;turnServiceAccessToken = some-secret-value
; The ClientID can be used to specify additional credentials if required
; by the TURN service. If empty, the value of turnServiceAccessToken is used.
;turnServiceClientID =