; Spreed WebRTC server example configuration [http] ; HTTP listener in format ip:port. listen = 127.0.0.1:8080 ; Full path to directory where to find the server web assets. ;root = /usr/share/spreed-webrtc-server/www ; HTTP socket read timeout in seconds. ;readtimeout = 10 ; HTTP socket write timeout in seconds. ;writetimeout = 10 ; Use basePath if the server does not run on the root path (/) of your server. ;basePath = /some/sub/path/ ; Set maximum number of open files (only works when run as root). ;maxfd = 32768 ; Enable stats API /api/v1/stats for debugging (not for production use!). ;stats = false ; Enable HTTP listener for golang pprof module. See ; http://golang.org/pkg/net/http/pprof/ for details. ;pprofListen = 127.0.0.1:6060 [https] ; Native HTTPS listener in format ip:port. ;listen = 127.0.0.1:8443 ; Full path to PEM encoded certificate chain. ;certificate = server.crt ; Full path to PEM encoded private key. ;key = server.key ; Mimimal supported encryption standard (SSLv3, TLSv1, TLSv1.1 or TLSv1.2). ;minVersion = SSLv3 ; HTTPS socket read timeout in seconds. ;readtimeout = 10 ; HTTPS socket write timeout in seconds. ;writetimeout = 10 [app] ; HTML page title ;title = Spreed WebRTC ; Version string to use for static resources. This defaults to the server ; version and should only be changed when you use your own way to invalidate ; long cached static resources. ;ver = 1234 ; STUN server URIs in format host:port. You can provide multiple seperated by ; space. If you do not have one use a public one like stun.spreed.me:443. If ; you have a TURN server you do not need to set an STUN server as the TURN ; server will provide STUN services. ;stunURIs = stun:stun.spreed.me:443 ; TURN server URIs in format host:port?transport=udp|tcp. You can provide ; multiple seperated by space. If you do not have at least one TURN server then ; some users will not be able to use the server as the peer to peer connection ; cannot be established without a TURN server due to firewall reasons. An open ; source TURN server which is fully supported can be found at ; https://code.google.com/p/rfc5766-turn-server/. ;turnURIs = turn:turnserver:port?transport=udp ; Shared secret authentication for TURN user generation if the TURN server is ; protected (which it should be). ; See http://tools.ietf.org/html/draft-uberti-behave-turn-rest-00 for details. ; A supported TURN server is https://code.google.com/p/rfc5766-turn-server/. ;turnSecret = the-default-turn-shared-secret-do-not-keep ; Enable renegotiation support. Set to true to tell clients that they can ; renegotiate peer connections when required. Firefox support is not complete, ; so do not enable if you want compatibility with Firefox clients. ;renegotiation = false ; Session secret to use for session id generator. 32 or 64 bytes of random data ; are recommented (hex encoded). A warning will be logged if hex decode fails. ; You can generate a secret easily with "xxd -ps -l 32 -c 32 /dev/random". sessionSecret = the-default-secret-do-not-keep-me ; Encryption secret protecting the data in generated server side tokens. Use ; 16, 24, or 32 bytes (hex encoded) to select AES-128, AES-192, or AES-256. ; When you change the encryption secret, stored authentications, sessions and ; contacts become invalid. A warning will be logged if hex decode fails. You ; can generate a secret easily with "xxd -ps -l 32 -c 32 /dev/random". encryptionSecret = tne-default-encryption-block-key ; Full path to a text file containig client tokens which a user needs to enter ; when accessing the web client. Each line in this file represents a valid ; token. ;tokenFile = tokens.txt ; The name of a global room. If enabled it should be kept secret. Users in that ; room are visible in all other rooms. ;globalRoom = global ; The default room is the room at the root URL of the servers base address and ; all users will join this room if enabled. If it is disabled then a room join ; form will be shown instead. ;defaultRoomEnabled = true ; Whether a user account is required to join a room. This only has an effect ; if user accounts are enabled. Optional, defaults to false. ;authorizeRoomJoin = false ; Whether a user account is required to create a room. This only has an effect ; if user accounts are enabled. Optional, defaults to false. ;authorizeRoomCreation = false ; Wether the pipelines API should be enabled. Optional, defaults to false. ;pipelinesEnabled = false ; Server token is a public random string which is used to enhance security of ; server generated security tokens. When the serverToken is changed all existing ; nonces become invalid. Use 32 or 64 characters (eg. 16 or 32 byte hex). serverToken = i-did-not-change-the-public-token-boo ; The server realm is part of the validation chain of tokens and nonces and is ; added as suffix to server created user ids if user creation is enabled. When ; the realm is changed, all existing tokens and nonces become invalid. serverRealm = local ; Full path to an extra templates directory. Templates in this directory ending ; with .html will be parsed on startup and can be used to fill the supported ; extra-* template slots. If the extra folder has a sub folder "static", the ; resources in this static folder will be available as /extra/static/... ; relative to your servers base URL. ;extra = /usr/share/spreed-webrtc-server/extra ; Full path to an extra.d directory. Subfolders in this directory will be ; searched for head.html and body.html on startup. If found, those templates ; will be automatically included for the web client. In addition, ; sub-folder/static will be made available by URL at /extra.d/static//... ; relative to your servers base URL. ; URL relative to the servers base path for a plugin javascript file which is ; automatically loaded on web client start for all users. You can put your ; plugin in the extra/static folder (see above) or provide another folder using ; a front end webserver. Check the doc folder for more info about plugins and ; examples. ;extra.d = /usr/share/spreed-webrtc-server/extra.d ;plugin = extra/static/myplugin.js ; Content-Security-Policy HTTP response header value. ; Spreed WebRTC requires inline styles, WebSocket connection to itself and ; data: URL for images. ; The currently recommended CSP is: ; default-src 'self'; ; frame-src 'self' blob:; ; style-src 'self' 'unsafe-inline'; ; img-src 'self' data: blob:; ; connect-src 'self' wss://server:port/ws blob:; ; font-src 'self' data: blob:; ; media-src 'self' blob:; ;contentSecurityPolicy = ; Content-Security-Policy-Report-Only HTTP response header value. Use this ; to test your CSP before putting it into production. ;contentSecurityPolicyReportOnly = [modules] ; Modules provide optional functionality. Modules are enabled by default and ; can be disabled by setting false to their corresponding configuration. ;screensharing = true ;youtube = true ;presentation = true ;contacts = true [log] ;logfile = /var/log/spreed-webrtc-server.log [users] ; Set to true to enable user functionality. enabled = false ; Set users authorization mode. ; sharedsecret: ; Validates the userid with a HMAC authentication secret. ; The format goes like this: ; BASE64(HMAC-SHA-256(secret, expirationTimestampInSeconds:userid)) ; httpheader: ; The userid is provided as an HTTP header. The server does not do any ; validation. This usually only makes sense with a front end HTTPS proxy which ; does the authentication and injects the user id as HTTP header for sessions ; REST requests. In mode httpheader, allowRegistration should be false. ; certificate: ; The userid is provided as CommonName with a certificate provided with TLS ; client authentication. When you use this with a front end proxy for TLS ; termination, that proxy has to validate the certificate and inject certain ; headers into the proxy connection. While certificate mode offers the highest ; security it is currently considered experimental and the user experience ; varies between browsers and platforms. ;mode = sharedsecret ; The shared secred for HMAC validation in "sharedsecret" mode. Best use 32 or ; 64 bytes of random data. ;sharedsecret_secret = some-secret-do-not-keep ; The HTTP header name where to find the userid in "httpheader" mode. ;httpheader_header = x-userid ; Full path to PEM encoded private key to use for user creation in "certificate" ; mode. Keep this commented if you do not want the server to sign certificate ; requests. ;certificate_key = userskey.key ; Full path to PEM encoded certificate to use for user validation in ; "certificate" mode. When allowRegistration is true and certificate_key is also ; set then the server will act as a CA and sign incoming user registrations and ; return certificates to users as registration. ;certificate_certificate = usersca.crt ; The HTTP header name where to find if the TLS client authentication was ; successfull. The value of this header is matched to ; certificate_verifiedHeaderValue and only if there is a match, the proxy ; handled TLS client authentication is accepted as success. Make sure to secure ; these headers with your front end proxy (always set them). Do not use these ; settings when not using a front end proxy. ;certificate_verifiedHeader = x-verified ;certificate_verifiedHeaderValue = SUCCESS ; The HTTP header name where to find the PEM encoded certificate authenticated ; by a front end proxy. With Nginx the required value is in $ssl_client_cert. ;certificate_certificateHeader = x-certificate ; The valid duration of generated certificates created in certificate mode when ; allowRegistration is enabled. ;certificate_validForDays = 365 ; Organization to set into the created user certificates. Use a readable public ; name to make the certificate easily recognizable as certificate for your ; server so users can choose the correct certificate when prompted. ;certificate_organization= = My Spreed Server ; If enabled the server can create new userids. Set allowRegistration to true to ; enable userid creation/registration. Users are created according the settings ; of the currently configured mode (see above). ;allowRegistration = false [nats] ; Set to true, to enable triggering channelling events via NATS ;channelling_trigger = false ;channelling_trigger_subject = channelling.trigger ; NATS server URL ;url = nats://127.0.0.1:4222 ; NATS connect establish timeout in seconds ;establishTimeout = 60 ; Use client_id to distinguish between multipe servers. The value is sent ; together with every NATS request. Defaults to empty. ;client_id = [roomtypes] ; You can define room types that should be used for given room names instead of ; the default type "Room". Use format "RegularExpression = RoomType" and make ; sure the regular expression doesn't contain any "=" or ":". ; ; Available room types: ; "Conference" ; All participants joining the room automatically call each other and are in ; a conference. ; ; Example (all rooms below "conference/" are conference rooms): ;^conference/.+ = Conference ;