
Deploying rfc5766-turn-server, the open-source NAT traversal (TURN) server recommended by Google



# 'Dynamic' user accounts database file name.
# Only users for the long-term credential mechanism can be stored in a flat file;
# the short-term mechanism does not work with this option and requires a
# PostgreSQL, MySQL or Redis database.
# 'Dynamic' long-term user accounts are re-read by the turnserver process while it
# is running, so they can be changed without restarting the server.
# Default file name is turnuserdb.conf.
#
#userdb=/usr/local/etc/turnuserdb.conf
userdb=/etc/turnuserdb.conf

# PostgreSQL database connection string, used when PostgreSQL is the user database.
# This database can be used for the long-term and short-term credential mechanisms
# and it can store the secret value for secret-based timed authentication in the TURN REST API.
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for the 8.x PostgreSQL
# connection string format, and
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
# for the 9.x and newer connection string formats.
#
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"

# MySQL database connection string, used when MySQL is the user database.
# This database can be used for the long-term and short-term credential mechanisms
# and it can store the secret value for secret-based timed authentication in the TURN REST API.
# Use the string format below (space-separated parameters, all optional):
#
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds>"

# Redis database connection string, used when Redis is the user database.
# This database can be used for the long-term and short-term credential mechanisms
# and it can store the secret value for secret-based timed authentication in the TURN REST API.
# Use the string format below (space-separated parameters, all optional):
#
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"

# Redis status and statistics database connection string, if used
# (default: empty, no Redis stats DB is used).
# This database keeps allocation status information, and it can also be used for
# publishing and delivering traffic and allocation event notifications.
# The connection string has the same parameters as the redis-userdb connection string.
# Use the string format below (space-separated parameters, all optional):
#
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"

# Realm for the long-term credentials mechanism and for the TURN REST API.
#
#realm=mycompany.org

# Per-user allocation quota.
# Default value is 0 (no quota, unlimited number of sessions per user).
#
#user-quota=0

# Total allocation quota.
# Default value is 0 (no quota).
#
#total-quota=0

# Max bytes-per-second bandwidth a TURN session is allowed to handle
# (input and output network streams are treated separately). Anything above
# that limit will be dropped or temporarily suppressed (within
# the available buffer limits).
# Note: the value set below, 1024 bytes per second (about 8 kbit/s), is well
# below typical WebRTC audio or video bitrates; raise it for real media traffic.
#
#max-bps=0
max-bps=1024

# Uncomment if no UDP client listener is desired.
# By default the UDP client listener is always started.
#
#no-udp

# Uncomment if no TCP client listener is desired.
# By default the TCP client listener is always started.
#
#no-tcp

# Uncomment if no TLS client listener is desired.
# By default the TLS client listener is always started.
#
#no-tls

# Uncomment if no DTLS client listener is desired.
# By default the DTLS client listener is always started.
#
#no-dtls

# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (as in RFC 5766).
#
#no-udp-relay

# Uncomment if no TCP relay endpoints are allowed.
# By default TCP relay endpoints are enabled (as in RFC 6062).
#
#no-tcp-relay

# Uncomment if extra security is desired, with the nonce value
# having a limited lifetime (600 secs).
# By default, the nonce value is unique for a session,
# but it has an unlimited lifetime. With this option,
# the nonce lifetime is limited to 600 seconds, after which
# the client will get a 438 error and will have to re-authenticate itself.
#
#stale-nonce

# Certificate file.
# Use an absolute path or a path relative to the
# configuration file.
#
#cert=/usr/local/etc/turn_server_cert.pem

# Private key file.
# Use an absolute path or a path relative to the
# configuration file.
# Use PEM file format.
#
#pkey=/usr/local/etc/turn_server_pkey.pem

# Private key file password, if the key file is stored encrypted.
# This option has no default value.
#
#pkey-pwd=...

# Allowed OpenSSL cipher list for TLS/DTLS connections.
# Default value is "DEFAULT" (OpenSSL's built-in default cipher list).
#
#cipher-list="DEFAULT"

# CA file in OpenSSL format.
# Forces the TURN server to verify the client TLS certificates.
# By default it is not set: there is no default value and the client
# certificate is not checked.
#
# Example:
#CA-file=/etc/ssh/id_rsa.cert

# Curve name for EC ciphers, if supported by the OpenSSL library (TLS and DTLS).
# The default value is prime256v1.
#
#ec-curve-name=prime256v1

# Use the 566-bit predefined DH TLS key. Default size of the key is 1066 bits.
#
#dh566

# Use the 2066-bit predefined DH TLS key. Default size of the key is 1066 bits.
#
#dh2066

# Use a custom DH TLS key, stored in PEM format in the given file.
# The flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
#
#dh-file=<DH-PEM-file-name>

# Flag to prevent stdout log messages.
# By default, all log messages go both to stdout and to
# the configured log file. With this option everything
# goes to the configured log only (unless the log file itself is stdout).
#
#no-stdout-log

# Option to set the log file name.
# By default, the turnserver tries to open a log file in
# /var/log, /var/tmp, /tmp and the current directory
# (whichever open operation succeeds first, that file will be used).
# With this option you can set the definite log file name.
# The special names are "stdout" and "-": they force everything
# to stdout. Also, the "syslog" name forces everything to
# the system log (syslog).
# At runtime, the log file can be reset by sending the SIGHUP signal
# to the turnserver process.
#
#log-file=/var/tmp/turn.log

# Option to redirect all log output into the system log (syslog).
#
#syslog

# This flag means that no log file rollover will be used, and the log file
# name will be constructed as-is, without PID and date appendage.
#
#simple-log

# Option to set the "redirection" mode. The value of this option
# will be the address of the alternate server for UDP & TCP service in the form
# <ip>[:<port>]. The server will send this value in the attribute
# ALTERNATE-SERVER, with error 300, in response to an ALLOCATE request from the client.
# The client will receive only values with the same address family
# as the client network endpoint address family.
# See RFC 5389 and RFC 5766 for the ALTERNATE-SERVER functionality description.
# The client must use the obtained value for subsequent TURN communications.
# If more than one --alternate-server option is provided, then the functionality
# can be more accurately described as "load-balancing" than as mere "redirection".
# If the port number is omitted, then the default port
# number 3478 for the UDP/TCP protocols will be used.
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
# the option. To avoid this conflict, literal IPv6 addresses are enclosed
# in square brackets in such resource identifiers, for example:
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
# Multiple alternate servers can be set. They will be used in a
# round-robin manner. All servers in the pool are considered of equal weight and
# the load will be distributed equally. For example, if we have 4 alternate servers,
# then each server will receive 25% of ALLOCATE requests. An alternate TURN server
# address can be used more than once with the alternate-server option, so this
# can emulate "weighting" of the servers.
#
# Examples:
#alternate-server=1.2.3.4:5678
#alternate-server=11.22.33.44:56789
#alternate-server=5.6.7.8
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
              
# Option to set the alternate server for TLS & DTLS services in the form
# <ip>:<port>. If the port number is omitted, then the default port
# number 5349 for the TLS/DTLS protocols will be used. See the previous
# option for the functionality description.
#
# Examples:
#tls-alternate-server=1.2.3.4:5678
#tls-alternate-server=11.22.33.44:56789
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478

# Option to suppress TURN functionality; only STUN requests will be processed.
# Run as a STUN server only; all TURN requests will be ignored.
# By default, this option is NOT set.
#
#stun-only

# Option to suppress STUN functionality; only TURN requests will be processed.
# Run as a TURN server only; all STUN requests will be ignored.
# By default, this option is NOT set.
#
#no-stun

# This is the timestamp/username separator symbol (character) in the TURN REST API.
# The default value is ':'.
#
# rest-api-separator=:   
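The "secret-based timed authentication" that the psql-userdb, mysql-userdb and redis-userdb comments mention, together with the separator this option configures, is the TURN REST API credential scheme of draft-uberti-behave-turn-rest as rfc5766-turn-server and its successor coturn implement it: the username is `<expiry-unix-time><separator><user>` and the password is base64(HMAC-SHA1(shared_secret, username)). The block below is an added example, not code from the original post or from the turnserver project. The shared secret, user name and timestamps are constructed for the example, and it assumes the server has been configured for this mechanism with the same secret (that option is not part of the excerpt above).

```python
"""Time-limited TURN credentials (TURN REST API mechanism).

Added example; not code from the original post or from rfc5766-turn-server.
Both sides of the scheme are shown: what a signalling server hands to a client,
and the check the TURN server performs when that client authenticates.
The shared secret, user names and timestamps are constructed for the example;
the separator defaults to ':' to match the rest-api-separator default.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional


def make_turn_credentials(shared_secret: str, user: str, ttl_seconds: int = 3600,
                          separator: str = ":", now: Optional[int] = None) -> dict:
    """Signalling side: a username that embeds its own expiry time and a
    password that is an HMAC-SHA1 over that username, keyed with the shared secret."""
    if now is None:
        now = int(time.time())
    username = f"{now + ttl_seconds}{separator}{user}"
    mac = hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1).digest()
    return {"username": username,
            "password": base64.b64encode(mac).decode(),
            "ttl": ttl_seconds}


def verify_turn_credentials(shared_secret: str, username: str, password: str,
                            separator: str = ":", now: Optional[int] = None) -> bool:
    """Server side: the embedded timestamp must still be in the future and the
    password must equal the HMAC the server recomputes from the shared secret."""
    if now is None:
        now = int(time.time())
    expiry_str, sep, _user = username.partition(separator)
    if not sep or not expiry_str.isdigit():
        return False              # malformed: no separator or non-numeric timestamp
    if int(expiry_str) <= now:
        return False              # expired credential, the client must fetch a new one
    expected = base64.b64encode(
        hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1).digest()).decode()
    # constant-time comparison so the MAC cannot be recovered byte by byte via timing
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    secret = "constructed-shared-secret"        # constructed for the example
    creds = make_turn_credentials(secret, "alice", ttl_seconds=600)
    print(creds)
    print("valid:", verify_turn_credentials(secret, creds["username"], creds["password"]))
```

Because the password is derived from the username, a client can use the pair only until the embedded timestamp passes, and nothing about the shared secret has to be stored per user; the secret itself lives only on the signalling server and in the TURN server's database or configuration.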

# Flag that can be used to disallow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure.
#
#no-loopback-peers

# Flag that can be used to disallow peers on multicast addresses (224.0.0.0 and above, and FFXX:*).
# This is an extra security measure.
#
#no-multicast-peers

# Option to set the max time, in seconds, allowed for full allocation establishment.
# Default is 60 seconds.
#
#max-allocate-timeout=60

# Option to allow or ban specific IP addresses or ranges of IP addresses.
# If an IP address is specified as both allowed and denied, then the IP address is
# considered to be allowed. This is useful when you wish to ban a range of IP
# addresses, except for a few specific IPs within that range.
# This can be used when you do not want users of the TURN server to be able to reach
# machines that are reachable by the TURN server but would otherwise be unreachable from the
# Internet (e.g. when the TURN server is sitting behind a NAT).
#
# Examples:
# denied-peer-ip=83.166.64.0-83.166.95.255
# allowed-peer-ip=83.166.68.45
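The peer-address rules above (an allowed-peer-ip entry overriding a denied-peer-ip range, plus the no-loopback-peers and no-multicast-peers flags) as a small policy evaluator. This is an added example, not code from the original post or from the turnserver project. The range syntax follows the examples in the comments (a single address or `<start>-<end>`), the evaluation order between the two flags and the explicit lists is the example's own choice because the comments do not state one, and the sample ranges and addresses are constructed.

```python
"""Peer-address policy as a TURN relay would apply it.

Added example; not code from the original post or from rfc5766-turn-server.
Models the documented rules: denied-peer-ip ranges, allowed-peer-ip entries that
win over a deny, no-loopback-peers (127.x.x.x and ::1) and no-multicast-peers
(224.0.0.0 and above, and FFXX:*). Ranges and addresses used below are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Range = Tuple[int, int, int]   # (IP version, first address as int, last address as int)


def parse_peer_range(spec: str) -> Range:
    """'83.166.68.45' is a single address; '83.166.64.0-83.166.95.255' an inclusive range."""
    first_s, _, last_s = spec.strip().partition("-")
    first = ipaddress.ip_address(first_s)
    last = ipaddress.ip_address(last_s) if last_s else first
    if first.version != last.version or int(last) < int(first):
        raise ValueError(f"bad peer range: {spec!r}")
    return (first.version, int(first), int(last))


def _matches(ranges: List[Range], addr: IPAddress) -> bool:
    n = int(addr)
    return any(ver == addr.version and lo <= n <= hi for ver, lo, hi in ranges)


class PeerPolicy:
    """Decides whether the relay may forward traffic to or from a given peer address."""

    def __init__(self, denied: Iterable[str] = (), allowed: Iterable[str] = (),
                 no_loopback_peers: bool = False, no_multicast_peers: bool = False):
        self.denied = [parse_peer_range(s) for s in denied]     # denied-peer-ip lines
        self.allowed = [parse_peer_range(s) for s in allowed]   # allowed-peer-ip lines
        self.no_loopback_peers = no_loopback_peers
        self.no_multicast_peers = no_multicast_peers

    def permits(self, peer: str) -> bool:
        addr = ipaddress.ip_address(peer)
        # The two global flags are evaluated before the explicit lists; that ordering
        # is this example's choice, the config comments do not state one.
        if self.no_loopback_peers and addr.is_loopback:         # 127.x.x.x and ::1
            return False
        if self.no_multicast_peers:
            # literal reading of the comment: IPv4 224.0.0.0 and above, IPv6 FFxx::/8
            if addr.version == 4 and int(addr) >= int(ipaddress.IPv4Address("224.0.0.0")):
                return False
            if addr.version == 6 and (int(addr) >> 120) == 0xFF:
                return False
        if _matches(self.allowed, addr):
            return True       # an explicit allow wins over any deny range
        if _matches(self.denied, addr):
            return False
        return True           # nothing matched: relaying is permitted by default


if __name__ == "__main__":
    policy = PeerPolicy(denied=["83.166.64.0-83.166.95.255"], allowed=["83.166.68.45"],
                        no_loopback_peers=True, no_multicast_peers=True)
    for peer in ("83.166.68.45", "83.166.70.1", "8.8.8.8",
                 "127.0.0.1", "239.255.255.250", "ff02::1"):
        print(f"{peer:20} -> {'permit' if policy.permits(peer) else 'deny'}")
```

With the flags off and no lists, `permits()` returns True for everything, which is the server's documented default: the lists and flags only ever narrow what a relay allocation may talk to, they never widen it.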

# File name to store the PID of the process.
# Default is /var/run/turnserver.pid (if the superuser account is used) or
# /var/tmp/turnserver.pid otherwise.
#
#pidfile="/var/run/turnserver.pid"
pidfile="/var/tmp/turnserver.pid"

# Require authentication of the STUN Binding request.
# By default, clients are allowed anonymous access to the STUN Binding functionality.
#
#secure-stun

# Require the SHA256 digest function to be used for the message integrity.
# By default, the server uses SHA1 (as per the TURN standard specs).
# With this option, the server
# always requires the stronger SHA256 function. The client application
# must support the SHA256 hash function if this option is used. If the server receives
# a message from the client with the weaker (SHA1) hash function then the
# server returns error code 426.
#
#sha256

# Mobility with ICE (MICE) specs support.
#
#mobility

# User name to run the process as. After initialization, the turnserver process
# will attempt to change its current user ID to that user.
#
#proc-user=<user-name>

# Group name to run the process as. After initialization, the turnserver process
# will attempt to change its current group ID to that group.
#
#proc-group=<group-name>

# Turn OFF the CLI support.
# By default it is always ON.
# See also the options cli-ip and cli-port.
#
#no-cli

# Local system IP address to be used for the CLI server endpoint. Default value
# is 127.0.0.1.
#
#cli-ip=127.0.0.1

# CLI server port. Default is 5766.
#
#cli-port=5766

# CLI access password. Default is empty (no password).
# Set one whenever the CLI is left enabled, and especially if cli-ip is changed from 127.0.0.1.
#
#cli-password=logen

# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications where we want to run
# server applications on the relay endpoints.
# This option eliminates the IP permissions check on
# the packets incoming to the relay endpoints.
#
#server-relay

# Maximum number of output sessions in the ps CLI command.
# This value can be changed on the fly in the CLI. The default value is 256.
#
#cli-max-output-sessions

# Set the network engine type for the process (for internal purposes).
#
#ne=[1|2|3]

# Do not allow a specific SSL/TLS protocol version.
# Uncomment each version that must not be offered on the TLS/DTLS listeners.
#
#no-sslv2
#no-sslv3
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2
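A way to check a finished turnserver.conf against the defaults documented in the comments above. This is an added example, not code from the original post or from rfc5766-turn-server. It parses the file's own `key=value` and bare-flag syntax, and every finding is tied to a statement in the comments: server-relay is documented as dangerous, the CLI defaults to 127.0.0.1:5766 with no password, user-quota, total-quota and max-bps of 0 mean unlimited, nonces never expire without stale-nonce, proc-user/proc-group are what drops privileges, and the database connection strings carry a password. The severity labels and the sample configuration are the example's own.

```python
"""Audit a turnserver.conf for the settings the comments above mark as security-relevant.

Added example; not code from the original post or from rfc5766-turn-server.
Reads the file's own syntax (key=value, bare flags, '#' comments) and reports
findings that follow from the documented defaults. Severity labels are the
example's own; the sample configuration is constructed.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]   # (severity, option, message)


def parse_turnserver_conf(text: str) -> Dict[str, str]:
    """Return option -> value; bare flags map to ''. Later lines override earlier ones."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        options[key.strip()] = value.strip().strip('"') if sep else ""
    return options


def audit_turnserver_conf(text: str) -> List[Finding]:
    o = parse_turnserver_conf(text)
    findings: List[Finding] = []
    add = lambda sev, opt, msg: findings.append((sev, opt, msg))

    if "server-relay" in o:
        add("high", "server-relay",
            "IP permission checks on relay endpoints are disabled (documented as DANGEROUS)")
    if "no-cli" not in o:                       # CLI is ON unless no-cli is set
        cli_ip = o.get("cli-ip", "127.0.0.1")
        if not o.get("cli-password"):
            sev = "high" if cli_ip != "127.0.0.1" else "medium"
            add(sev, "cli-password",
                f"CLI on {cli_ip}:{o.get('cli-port', '5766')} has no password")
    for ver in ("no-sslv2", "no-sslv3"):
        if ver not in o:
            add("medium", ver, "legacy SSL protocol version still offered on TLS/DTLS listeners")
    if "stale-nonce" not in o:
        add("low", "stale-nonce", "nonces never expire; clients are never forced to re-authenticate")
    for flag in ("no-loopback-peers", "no-multicast-peers"):
        if flag not in o:
            add("low", flag, "extra peer-address restriction not enabled")
    for opt in ("user-quota", "total-quota", "max-bps"):
        if o.get(opt, "0") == "0":               # documented default 0 means unlimited
            add("low", opt, "0 means unlimited; the relay can be used without bound")
    if "secure-stun" not in o:
        add("info", "secure-stun", "STUN Binding requests are served anonymously")
    if "proc-user" not in o or "proc-group" not in o:
        add("medium", "proc-user",
            "no unprivileged user/group set; the process keeps its start-up privileges")
    for opt in ("psql-userdb", "mysql-userdb", "redis-userdb", "redis-statsdb"):
        if "password=" in o.get(opt, ""):
            add("info", opt, "database password stored in the config file; restrict its permissions")
    if o.get("pkey-pwd"):
        add("info", "pkey-pwd", "private key passphrase stored in the config file; restrict its permissions")
    return findings


# Constructed sample: the values set in the post, plus server-relay and a
# non-loopback cli-ip so the two high-severity checks fire.
SAMPLE_CONF = """\
userdb=/etc/turnuserdb.conf
max-bps=1024
pidfile="/var/tmp/turnserver.pid"
cli-ip=0.0.0.0
server-relay
"""

if __name__ == "__main__":
    for sev, opt, msg in audit_turnserver_conf(SAMPLE_CONF):
        print(f"[{sev:6}] {opt}: {msg}")
```

Run it against the real file before starting the server; a clean run still leaves the "low" and "info" items to decide on case by case, since quotas and secure-stun are deliberate trade-offs rather than defects.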