-
Notifications
You must be signed in to change notification settings - Fork 85
Expand file tree
/
Copy pathserver.conf.in
More file actions
345 lines (282 loc) · 12.6 KB
/
server.conf.in
File metadata and controls
345 lines (282 loc) · 12.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
[http]
# IP and port to listen on for HTTP requests.
# Comment line to disable the listener.
#listen = 127.0.0.1:8080
# HTTP socket read timeout in seconds.
#readtimeout = 15
# HTTP socket write timeout in seconds.
#writetimeout = 30
[https]
# IP and port to listen on for HTTPS requests.
# Comment line to disable the listener.
#listen = 127.0.0.1:8443
# HTTPS socket read timeout in seconds.
#readtimeout = 15
# HTTPS socket write timeout in seconds.
#writetimeout = 30
# Certificate / private key to use for the HTTPS server.
certificate = /etc/nginx/ssl/server.crt
key = /etc/nginx/ssl/server.key
[app]
# Set to "true" to install pprof debug handlers. Access will only be possible
# from IPs allowed through the "allowed_ips" option below.
#
# See "https://golang.org/pkg/net/http/pprof/" for further information.
debug = false
# Set to "true" to allow subscribing any streams. This is insecure and should
# only be enabled for testing. By default only streams of users in the same
# room and call can be subscribed.
#allowsubscribeany = false
# Comma separated list of trusted proxies (IPs or CIDR networks) that may set
# the "X-Real-Ip" or "X-Forwarded-For" headers. If both are provided, the
# "X-Real-Ip" header will take precedence (if valid).
# Leave empty to allow loopback and local addresses.
#trustedproxies =
[sessions]
# Secret value used to generate checksums of sessions. This should be a random
# string of 32 or 64 bytes.
hashkey = the-secret-for-session-checksums
# Optional key for encrypting data in the sessions. Must be either 16, 24 or
# 32 bytes.
# If no key is specified, data will not be encrypted (not recommended).
blockkey = -encryption-key-
[clients]
# Shared secret for connections from internal clients. This must be the same
# value as configured in the respective internal services.
internalsecret = the-shared-secret-for-internal-clients
[federation]
# If set to "true", certificate validation of federation targets will be skipped.
# This should only be enabled during development, e.g. to work with self-signed
# certificates.
#skipverify = false
# Timeout in seconds for requests to federation targets.
#timeout = 10
[backend]
# Type of backend configuration.
# Defaults to "static".
#
# Possible values:
# - static: A comma-separated list of backends is given in the "backends" option.
# - etcd: Backends are retrieved from an etcd cluster.
#backendtype = static
# For backend type "static":
# Comma-separated list of backend ids from which clients are allowed to connect
# from. Each backend will have isolated rooms, i.e. clients connecting to room
# "abc12345" on backend 1 will be in a different room than clients connected to
# a room with the same name on backend 2. Also sessions connected from different
# backends will not be able to communicate with each other.
#backends = backend-id, another-backend
# For backend type "etcd":
# Key prefix of backend entries. All keys below will be watched and assumed to
# contain a JSON document with the following entries:
# - "urls": List of urls of the Nextcloud instance.
# - "url": Url of the Nextcloud instance (deprecated).
# - "secret": Shared secret for requests from and to the backend servers.
#
# Additional optional entries:
# - "maxstreambitrate": Maximum bitrate per publishing stream (in bits per second).
# - "maxscreenbitrate": Maximum bitrate per screensharing stream (in bits per second).
# - "sessionlimit": Number of sessions that are allowed to connect.
#
# Example:
# "/signaling/backend/one" -> {"urls": ["https://nextcloud.domain1.invalid"], ...}
# "/signaling/backend/two" -> {"urls": ["https://domain2.invalid/nextcloud"], ...}
#backendprefix = /signaling/backend
# Allow any hostname as backend endpoint. This is extremely insecure and should
# only be used while running the benchmark client against the server.
allowall = false
# Common shared secret for requests from and to the backend servers. Used if
# "allowall" is enabled or as fallback for individual backends that don't have
# their own secret set.
# This must be the same value as configured in the Nextcloud admin ui.
#secret = the-shared-secret-for-allowall
# Timeout in seconds for requests to the backend.
timeout = 10
# Maximum number of concurrent backend connections per host.
connectionsperhost = 8
# If set to "true", certificate validation of backend endpoints will be skipped.
# This should only be enabled during development, e.g. to work with self-signed
# certificates.
#skipverify = false
# For backendtype "static":
# Backend configurations as defined in the "[backend]" section above. The
# section names must match the ids used in "backends" above.
#[backend-id]
# Comma-separated list of urls of the Nextcloud instance
#urls = https://cloud.domain.invalid
# Shared secret for requests from and to the backend servers. Leave empty to use
# the common shared secret from above.
# This must be the same value as configured in the Nextcloud admin ui.
#secret = the-shared-secret
# Limit the number of sessions that are allowed to connect to this backend.
# Omit or set to 0 to not limit the number of sessions.
#sessionlimit = 10
# The maximum bitrate per publishing stream (in bits per second).
# Defaults to the maximum bitrate configured for the proxy / MCU.
#maxstreambitrate = 1048576
# The maximum bitrate per screensharing stream (in bits per second).
# Defaults to the maximum bitrate configured for the proxy / MCU.
#maxscreenbitrate = 2097152
#[another-backend]
# Comma-separated list of urls of the Nextcloud instance
#urls = https://cloud.otherdomain.invalid
# Shared secret for requests from and to the backend servers. Leave empty to use
# the common shared secret from above.
# This must be the same value as configured in the Nextcloud admin ui.
#secret = the-shared-secret
[nats]
# Url of NATS backend to use. This can also be a list of URLs to connect to
# multiple backends. For local development, this can be set to "nats://loopback"
# to process NATS messages internally instead of sending them through an
# external NATS backend.
#url = nats://localhost:4222
[mcu]
# The type of the MCU to use. Currently only "janus" and "proxy" are supported.
# Leave empty to disable MCU functionality.
#type =
# For type "janus": the URL to the websocket endpoint of the MCU server.
# For type "proxy": a space-separated list of proxy URLs to connect to.
#url =
# The maximum bitrate per publishing stream (in bits per second).
# Defaults to 1 mbit/sec.
# For type "proxy": will be capped to the maximum bitrate configured at the
# proxy server that is used.
#maxstreambitrate = 1048576
# The maximum bitrate per screensharing stream (in bits per second).
# Default is 2 mbit/sec.
# For type "proxy": will be capped to the maximum bitrate configured at the
# proxy server that is used.
#maxscreenbitrate = 2097152
# List of IP addresses / subnets that are allowed to be used by clients in
# candidates. The allowed list has preference over the blocked list below.
#allowedcandidates = 10.0.0.0/8
# List of IP addresses / subnets to filter from candidates received by clients.
#blockedcandidates = 1.2.3.0/24
# For type "proxy": timeout in seconds for requests to the proxy server.
#proxytimeout = 2
# For type "proxy": type of URL configuration for proxy servers.
# Defaults to "static".
#
# Possible values:
# - static: A space-separated list of proxy URLs is given in the "url" option.
# - etcd: Proxy URLs are retrieved from an etcd cluster (see below).
#urltype = static
# If set to "true", certificate validation of proxy servers will be skipped.
# This should only be enabled during development, e.g. to work with self-signed
# certificates.
#skipverify = false
# For type "proxy": the id of the token to use when connecting to proxy servers.
#token_id = server1
# For type "proxy": the private key for the configured token id to use when
# connecting to proxy servers.
#token_key = privkey.pem
# For url type "static": Enable DNS discovery on hostname of configured URL.
# If the hostname resolves to multiple IP addresses, a connection is established
# to each of them.
# Changes to the DNS are monitored regularly and proxy connections are created
# or deleted as necessary.
#dnsdiscovery = true
# For url type "etcd": Key prefix of MCU proxy entries. All keys below will be
# watched and assumed to contain a JSON document. The entry "address" from this
# document will be used as proxy URL, other contents in the document will be
# ignored.
#
# Example:
# "/signaling/proxy/server/one" -> {"address": "https://proxy1.domain.invalid"}
# "/signaling/proxy/server/two" -> {"address": "https://proxy2.domain.invalid"}
#keyprefix = /signaling/proxy/server
[turn]
# API key that the MCU will need to send when requesting TURN credentials.
#apikey = the-api-key-for-the-rest-service
# The shared secret to use for generating TURN credentials. This must be the
# same as on the TURN server.
#secret = 6d1c17a7-c736-4e22-b02c-e2955b7ecc64
# A comma-separated list of TURN servers to use. Leave empty to disable the
# TURN REST API.
#servers = turn:1.2.3.4:9991?transport=udp,turn:1.2.3.4:9991?transport=tcp
[geoip]
# License key to use when downloading the MaxMind GeoIP database. You can
# register an account at "https://www.maxmind.com/en/geolite2/signup" for
# free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/" for further
# information.
# You can also get a free GeoIP database from https://db-ip.com/ without
# registration. Provide the URL below in this case.
# Leave empty to disable GeoIP lookups.
#license =
# Optional URL to download a MaxMind GeoIP database from. Will be generated if
# "license" is provided above. Can be a "file://" url if a local file should
# be used. Please note that the database must provide a country field when
# looking up IP addresses.
#url =
[geoip-overrides]
# Optional overrides for GeoIP lookups. The key is an IP address / range, the
# value the associated country code.
#127.0.0.1 = DE
#192.168.0.0/24 = DE
[continent-overrides]
# Optional overrides for continent mappings. The key is a continent code, the
# value a comma-separated list of continent codes to map the continent to.
# Use European servers for clients in Africa.
#AF = EU
# Use servers in North Africa for clients in South America.
#SA = NA
[stats]
# Comma-separated list of IP addresses that are allowed to access the debug,
# stats and metrics endpoints.
# Leave empty (or commented) to only allow access from localhost.
#allowed_ips =
[etcd]
# Comma-separated list of static etcd endpoints to connect to.
#endpoints = 127.0.0.1:2379,127.0.0.1:22379,127.0.0.1:32379
# Options to perform endpoint discovery through DNS SRV.
# Only used if no endpoints are configured manually.
#discoverysrv = example.com
#discoveryservice = foo
# Path to private key, client certificate and CA certificate if TLS
# authentication should be used.
#clientkey = /path/to/etcd-client.key
#clientcert = /path/to/etcd-client.crt
#cacert = /path/to/etcd-ca.crt
[grpc]
# IP and port to listen on for GRPC requests.
# Comment line to disable the listener.
#listen = 0.0.0.0:9090
# Certificate / private key to use for the GRPC server.
# Omit to use unencrypted connections.
#servercertificate = /path/to/grpc-server.crt
#serverkey = /path/to/grpc-server.key
# CA certificate that is allowed to issue certificates of GRPC servers.
# Omit to expect unencrypted connections.
#serverca = /path/to/grpc-ca.crt
# Certificate / private key to use for the GRPC client.
# Omit if clients don't need to authenticate on the server.
#clientcertificate = /path/to/grpc-client.crt
#clientkey = /path/to/grpc-client.key
# CA certificate that is allowed to issue certificates of GRPC clients.
# Omit to allow any clients to connect.
#clientca = /path/to/grpc-ca.crt
# Type of GRPC target configuration.
# Defaults to "static".
#
# Possible values:
# - static: A comma-separated list of targets is given in the "targets" option.
# - etcd: Target URLs are retrieved from an etcd cluster.
#targettype = static
# For target type "static": Comma-separated list of GRPC targets to connect to
# for clustering mode.
#targets = 192.168.0.1:9090, 192.168.0.2:9090
# For target type "static": Enable DNS discovery on hostnames of GRPC target.
# If a hostname resolves to multiple IP addresses, a connection is established
# to each of them.
# Changes to the DNS are monitored regularly and GRPC clients are created or
# deleted as necessary.
#dnsdiscovery = true
# For target type "etcd": Key prefix of GRPC target entries. All keys below will
# be watched and assumed to contain a JSON document. The entry "address" from
# this document will be used as target URL, other contents in the document will
# be ignored.
#
# Example:
# "/signaling/cluster/grpc/one" -> {"address": "192.168.0.1:9090"}
# "/signaling/cluster/grpc/two" -> {"address": "192.168.0.2:9090"}
#targetprefix = /signaling/cluster/grpc