lt-cred-mech
use-auth-secret
static-auth-secret={{ turnserver_pwd }}
realm={{ domain }}

tls-listening-port={{ port_turnserver_tls }}
alt-tls-listening-port={{ port_turnserver_alt_tls }}
min-port=49153
max-port=49193
cli-port={{ port_cli }}

cert=/etc/yunohost/certs/{{ domain }}/crt.pem
pkey=/etc/yunohost/certs/{{ domain }}/key.pem
dh-file=/etc/ssl/private/dh2048.pem

{% if enable_dtls_for_audio_video_turn_call == 'true' %}
# Block clear communication
no-udp
no-tcp
{% endif %}

# Block old protocols
no-sslv2
no-sslv3
no-tlsv1
no-tlsv1_1

log-file=/var/log/matrix-{{ app }}/turnserver.log
pidfile=/run/coturn-{{ app }}/turnserver.pid
simple-log

# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
total-quota=1200

# recommended additional local peers to block, to mitigate external access to internal services.
# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=127.0.0.0-127.255.255.255

# Max time 12h
max-allocate-lifetime=43200

{%- for ip in turn_external_ip.strip(',').split(',') %}
external-ip={{ ip }}
{%- endfor %}