Examples for how to set up continuwuity in docker.
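--- /dev/null
+++ b/continuwuity/coturn.conf
@@ -0,0 +1,51 @@
+# ============================================================
+# coturn.conf — Coturn TURN/STUN Server Configuration
+# Mount this at /etc/coturn/turnserver.conf in the container.
+#
+# Generate a secret with: pwgen -s 64 1
+# The secret here MUST match turn_secret in continuwuity.toml.
+# ============================================================
+
+# Use time-limited shared-secret auth (more secure than static credentials)
+use-auth-secret
+static-auth-secret=YOUR_COTURN_SECRET # EDIT THIS — must match continuwuity.toml
+
+# realm should match your Matrix domain
+realm=matrix.example.com # EDIT THIS
+
+# ------------------------------------------------------------
+# Port ranges
+# Default coturn range is 49152-65535.
+# We start at 50201 so it doesn't overlap with LiveKit (50100-50200).
+# ------------------------------------------------------------
+min-port=50201
+max-port=65535
+
+# ------------------------------------------------------------
+# Optional: TLS support (recommended for production)
+# You'll need to provide certificates. One approach is to copy
+# them from your Let's Encrypt store (requires a cron/hook).
+# Comment these out if you're not setting up TLS on coturn.
+# ------------------------------------------------------------
+# tls-listening-port=5349
+# cert=/etc/coturn/certs/fullchain.pem
+# pkey=/etc/coturn/certs/privkey.pem
+
+# ------------------------------------------------------------
+# Security hardening
+# Prevents coturn from being used as an open relay/proxy.
+# ------------------------------------------------------------
+# Deny connections to private/loopback IP ranges (prevents SSRF)
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+
+# Only allow relay to public IPs
+no-multicast-peers
+
+# Disable the web admin interface (not needed, reduces attack surface)
+no-cli
+
+# Log to stdout so Docker captures it
+log-file=stdout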
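Review bot: The `denied-peer-ip` list under "Security hardening" covers only RFC 1918 and IPv4 loopback, so the relay can still be pointed at link-local addresses (169.254.0.0/16, which includes cloud metadata endpoints), CGNAT space, 0.0.0.0/8 and every IPv6 internal range. The "prevents SSRF" comment therefore overstates what the file does. Likewise, `no-multicast-peers` blocks only multicast peers, so the comment `# Only allow relay to public IPs` is inaccurate and would read better as `# Refuse relaying to multicast addresses`. Separately, the trailing `# EDIT THIS` text on the `static-auth-secret` and `realm` lines may be read as part of the value if coturn does not strip inline comments (worth confirming). Moving those notes onto their own comment lines avoids a secret or realm that silently fails to match continuwuity.toml.

```ini
# … unchanged: existing 10/8, 192.168/16, 172.16/12 and 127/8 denied-peer-ip lines …
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=::1
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
```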