From d5fcc37b8ecd396996ef9adefced4fb4ae14c31b Mon Sep 17 00:00:00 2001 From: root Date: Tue, 17 Feb 2026 23:43:54 +0000 Subject: [PATCH] =?UTF-8?q?=D0=92=D1=8B=D0=B3=D1=80=D1=83=D0=B7=D0=BA?= =?UTF-8?q?=D0=B0=20F7cloud=5FHPB?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 28 +- config/coturn/turnserver.conf.example | 774 ++++++++++++++++++ config/janus/janus.eventhandler.gelfevh.jcfg | 21 + config/janus/janus.eventhandler.mqttevh.jcfg | 57 ++ .../janus/janus.eventhandler.nanomsgevh.jcfg | 30 + .../janus/janus.eventhandler.rabbitmqevh.jcfg | 34 + .../janus/janus.eventhandler.sampleevh.jcfg | 44 + config/janus/janus.eventhandler.wsevh.jcfg | 31 + config/janus/janus.jcfg | 437 ++++++++++ config/janus/janus.logger.jsonlog.jcfg | 16 + config/janus/janus.plugin.audiobridge.jcfg | 83 ++ config/janus/janus.plugin.duktape.jcfg | 20 + config/janus/janus.plugin.echotest.jcfg | 5 + config/janus/janus.plugin.lua.jcfg | 20 + config/janus/janus.plugin.nosip.jcfg | 23 + config/janus/janus.plugin.recordplay.jcfg | 7 + config/janus/janus.plugin.sip.jcfg | 55 ++ config/janus/janus.plugin.streaming.jcfg | 323 ++++++++ config/janus/janus.plugin.textroom.jcfg | 30 + config/janus/janus.plugin.videocall.jcfg | 5 + config/janus/janus.plugin.videoroom.jcfg | 95 +++ config/janus/janus.plugin.voicemail.jcfg | 11 + config/janus/janus.transport.http.jcfg | 74 ++ config/janus/janus.transport.mqtt.jcfg | 59 ++ config/janus/janus.transport.nanomsg.jcfg | 29 + config/janus/janus.transport.pfunix.jcfg | 23 + config/janus/janus.transport.rabbitmq.jcfg | 64 ++ config/janus/janus.transport.websockets.jcfg | 68 ++ config/nats/nats-server.conf | 2 + 29 files changed, 2461 insertions(+), 7 deletions(-) create mode 100644 config/coturn/turnserver.conf.example create mode 100644 config/janus/janus.eventhandler.gelfevh.jcfg create mode 100644 config/janus/janus.eventhandler.mqttevh.jcfg create mode 100644 config/janus/janus.eventhandler.nanomsgevh.jcfg create mode 100644 config/janus/janus.eventhandler.rabbitmqevh.jcfg create mode 100644 config/janus/janus.eventhandler.sampleevh.jcfg create mode 100644 config/janus/janus.eventhandler.wsevh.jcfg create mode 100644 config/janus/janus.jcfg create mode 100644 config/janus/janus.logger.jsonlog.jcfg create mode 100644 config/janus/janus.plugin.audiobridge.jcfg create mode 100644 config/janus/janus.plugin.duktape.jcfg create mode 100644 config/janus/janus.plugin.echotest.jcfg create mode 100644 config/janus/janus.plugin.lua.jcfg create mode 100644 config/janus/janus.plugin.nosip.jcfg create mode 100644 config/janus/janus.plugin.recordplay.jcfg create mode 100644 config/janus/janus.plugin.sip.jcfg create mode 100644 config/janus/janus.plugin.streaming.jcfg create mode 100644 config/janus/janus.plugin.textroom.jcfg create mode 100644 config/janus/janus.plugin.videocall.jcfg create mode 100644 config/janus/janus.plugin.videoroom.jcfg create mode 100644 config/janus/janus.plugin.voicemail.jcfg create mode 100644 config/janus/janus.transport.http.jcfg create mode 100644 config/janus/janus.transport.mqtt.jcfg create mode 100644 config/janus/janus.transport.nanomsg.jcfg create mode 100644 config/janus/janus.transport.pfunix.jcfg create mode 100644 config/janus/janus.transport.rabbitmq.jcfg create mode 100644 config/janus/janus.transport.websockets.jcfg create mode 100644 config/nats/nats-server.conf diff --git a/README.md b/README.md index c835f4e..07dacd6 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,16 @@ # HPB — Nextcloud Spreed Signaling (f7cloud) -Сервисы для стека Nextcloud Talk: signaling, Janus, NATS, coTURN. +Сервисы и конфиги для стека Nextcloud Talk: signaling, Janus, NATS, coTURN. + +## Структура репозитория + +| Папка/файл | Назначение | +|------------|------------| +| **systemd/** | unit-файлы: signaling, janus, nats-server, coturn | +| **config/nats/** | Конфиг NATS (`nats-server.conf`) | +| **config/janus/** | Конфиги Janus (основной + плагины, транспорты) | +| **config/coturn/** | Пример конфига coTURN (`turnserver.conf.example`) | +| **server.conf.example** | Пример конфига signaling (в корне) | ## Сервисы @@ -11,7 +21,9 @@ | **nats-server.service** | NATS — обмен сообщениями | | **coturn.service** | coTURN — STUN/TURN для WebRTC | -## Установка unit-файлов +## Установка + +### 1. Unit-файлы systemd ```bash sudo cp systemd/*.service /etc/systemd/system/ @@ -20,14 +32,16 @@ sudo systemctl enable signaling janus nats-server coturn sudo systemctl start signaling janus nats-server coturn ``` -## Конфигурация +### 2. Конфиги приложений -- `server.conf` — конфиг signaling (создаётся вручную, в репозиторий не входит из соображений безопасности). -- Пример структуры конфига: см. `server.conf.example` (заполните секреты на сервере). +- **NATS**: `sudo cp config/nats/nats-server.conf /etc/nats-server.conf` +- **Janus**: `sudo cp -r config/janus/* /etc/janus/` (перед этим замените `admin_secret` в `janus.jcfg` при необходимости) +- **coTURN**: скопируйте `config/coturn/turnserver.conf.example` в `/etc/turnserver.conf`, подставьте свои IP, realm и секреты +- **Signaling**: скопируйте `server.conf.example` в `server.conf` в каталоге развёртывания, заполните секреты -## Зависимости конфигов +## Пути конфигов на сервере - **signaling**: `/etc/f7cloud-spreed-signaling/server.conf` - **nats-server**: `/etc/nats-server.conf` - **coturn**: `/etc/turnserver.conf` -- **janus**: конфиг по умолчанию (часто `/etc/janus/janus.jcfg`) +- **janus**: `/etc/janus/` (главный файл `janus.jcfg`) diff --git a/config/coturn/turnserver.conf.example b/config/coturn/turnserver.conf.example new file mode 100644 index 0000000..434609a --- /dev/null +++ b/config/coturn/turnserver.conf.example @@ -0,0 +1,774 @@ +# Coturn TURN SERVER configuration file +# +# Boolean values note: where a boolean value is supposed to be used, +# you can use '0', 'off', 'no', 'false', or 'f' as 'false, +# and you can use '1', 'on', 'yes', 'true', or 't' as 'true' +# If the value is missing, then it means 'true' by default. +# + +# Listener interface device (optional, Linux only). +# NOT RECOMMENDED. +# +#listening-device=eth0 + +# TURN listener port for UDP and TCP (Default: 3478). +# Note: actually, TLS & DTLS sessions can connect to the +# "plain" TCP & UDP port(s), too - if allowed by configuration. +# +#listening-port=3478 + +# TURN listener port for TLS (Default: 5349). +# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS +# port(s), too - if allowed by configuration. The TURN server +# "automatically" recognizes the type of traffic. Actually, two listening +# endpoints (the "plain" one and the "tls" one) are equivalent in terms of +# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs. +# For secure TCP connections, Coturn currently supports +# TLS version 1.0, 1.1 and 1.2. +# For secure UDP connections, Coturn supports DTLS version 1. +# +tls-listening-port=5349 +# PORT-EDIT (5349) + +# Alternative listening port for UDP and TCP listeners; +# default (or zero) value means "listening port plus one". +# This is needed for RFC 5780 support +# (STUN extension specs, NAT behavior discovery). The TURN Server +# supports RFC 5780 only if it is started with more than one +# listening IP address of the same family (IPv4 or IPv6). +# RFC 5780 is supported only by UDP protocol, other protocols +# are listening to that endpoint only for "symmetry". +# +#alt-listening-port=0 + +# Alternative listening port for TLS and DTLS protocols. +# Default (or zero) value means "TLS listening port plus one". +# +#alt-tls-listening-port=0 + +# Some network setups will require using a TCP reverse proxy in front +# of the STUN server. If the proxy port option is set a single listener +# is started on the given port that accepts connections using the +# haproxy proxy protocol v2. +# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) +# +#tcp-proxy-port=5555 + +# Listener IP address of relay server. Multiple listeners can be specified. +# If no IP(s) specified in the config file or in the command line options, +# then all IPv4 and IPv6 system IPs will be used for listening. +# +#listening-ip=172.17.19.101 +#listening-ip=10.207.21.238 +#listening-ip=2607:f0d0:1002:51::4 +# Укажите IP интерфейсов для приёма (localhost и публичный IP сервера) +listening-ip=127.0.0.1 +listening-ip=::1 +#listening-ip=YOUR_PUBLIC_IP + +# Auxiliary STUN/TURN server listening endpoint. +# Aux servers have almost full TURN and STUN functionality. +# The (minor) limitations are: +# +# 1) Auxiliary servers do not have alternative ports and +# they do not support STUN RFC 5780 functionality (CHANGE REQUEST). +# +# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply. +# +# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6. +# +# There may be multiple aux-server options, each will be used for listening +# to client requests. +# +#aux-server=172.17.19.110:33478 +#aux-server=[2607:f0d0:1002:51::4]:33478 + +# (recommended for older Linuxes only) +# Automatically balance UDP traffic over auxiliary servers (if configured). +# The load balancing is using the ALTERNATE-SERVER mechanism. +# The TURN client must support 300 ALTERNATE-SERVER response for this +# functionality. +# +#udp-self-balance + +# Relay interface device for relay sockets (optional, Linux only). +# NOT RECOMMENDED. +# +#relay-device=eth1 + +# Relay address (the local IP address that will be used to relay the +# packets to the peer). +# Multiple relay addresses may be used. +# The same IP(s) can be used as both listening IP(s) and relay IP(s). +# +# If no relay IP(s) specified, then the turnserver will apply the default +# policy: it will decide itself which relay addresses to be used, and it +# will always be using the client socket IP address as the relay IP address +# of the TURN session (if the requested relay address family is the same +# as the family of the client socket). +# +#relay-ip=172.17.19.105 +#relay-ip=2607:f0d0:1002:51::5 +# Укажите публичный IP для relay +relay-ip=YOUR_PUBLIC_IP + +# For Amazon EC2 users: +# +# TURN Server public/private address mapping, if the server is behind NAT. +# In that situation, if a -X is used in form "-X " then that ip will be reported +# as relay IP address of all allocations. This scenario works only in a simple case +# when one single relay address is be used, and no RFC5780 functionality is required. +# That single relay address must be mapped by NAT to the 'external' IP. +# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field. +# For that 'external' IP, NAT must forward ports directly (relayed port 12345 +# must be always mapped to the same 'external' port 12345). +# +# In more complex case when more than one IP address is involved, +# that option must be used several times, each entry must +# have form "-X ", to map all involved addresses. +# RFC5780 NAT discovery STUN functionality will work correctly, +# if the addresses are mapped properly, even when the TURN server itself +# is behind A NAT. +# +# By default, this value is empty, and no address mapping is used. +# +#external-ip=60.70.80.91 +# +#OR: +# +#external-ip=60.70.80.91/172.17.19.101 +#external-ip=60.70.80.92/172.17.19.102 + +# Number of the relay threads to handle the established connections +# (in addition to authentication thread and the listener thread). +# If explicitly set to 0 then application runs relay process in a +# single thread, in the same thread with the listener process +# (the authentication thread will still be a separate thread). +# +# If this parameter is not set, then the default OS-dependent +# thread pattern algorithm will be employed. Usually the default +# algorithm is optimal, so you have to change this option +# if you want to make some fine tweaks. +# +# In the older systems (Linux kernel before 3.9), +# the number of UDP threads is always one thread per network listening +# endpoint - including the auxiliary endpoints - unless 0 (zero) or +# 1 (one) value is set. +# +#relay-threads=0 + +# Lower and upper bounds of the UDP relay endpoints: +# (default values are 49152 and 65535) +# +min-port=49152 +max-port=65535 + +# Uncomment to run TURN server in 'normal' 'moderate' verbose mode. +# By default the verbose mode is off. +verbose + +# Uncomment to run TURN server in 'extra' verbose mode. +# This mode is very annoying and produces lots of output. +# Not recommended under normal circumstances. +# +#Verbose + +# Uncomment to use fingerprints in the TURN messages. +# By default the fingerprints are off. +# +fingerprint + +# Uncomment to use long-term credential mechanism. +# By default no credentials mechanism is used (any user allowed). +# +#lt-cred-mech + +# This option is the opposite of lt-cred-mech. +# (TURN Server with no-auth option allows anonymous access). +# If neither option is defined, and no users are defined, +# then no-auth is default. If at least one user is defined, +# in this file, in command line or in usersdb file, then +# lt-cred-mech is default. +# +#no-auth + +# Enable prometheus exporter +# If enabled the turnserver will expose an endpoint with stats on a prometheus format +# this endpoint is listening on a different port to not conflict with other configurations. +# +# You can simply run the turnserver and access the port 9641 and path /metrics +# +# For mor info on the prometheus exporter and metrics +# https://prometheus.io/docs/introduction/overview/ +# https://prometheus.io/docs/concepts/data_model/ +# +#prometheus + +# TURN REST API flag. +# (Time Limited Long Term Credential) +# Flag that sets a special authorization option that is based upon authentication secret. +# +# This feature's purpose is to support "TURN Server REST API", see +# "TURN REST API" link in the project's page +# https://github.com/coturn/coturn/ +# +# This option is used with timestamp: +# +# usercombo -> "timestamp:userid" +# turn user -> usercombo +# turn password -> base64(hmac(secret key, usercombo)) +# +# This allows TURN credentials to be accounted for a specific user id. +# If you don't have a suitable id, then the timestamp alone can be used. +# This option is enabled by turning on secret-based authentication. +# The actual value of the secret is defined either by the option static-auth-secret, +# or can be found in the turn_secret table in the database (see below). +# +# Read more about it: +# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00 +# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf +# +# Be aware that use-auth-secret overrides some parts of lt-cred-mech. +# The use-auth-secret feature depends internally on lt-cred-mech, so if you set +# this option then it automatically enables lt-cred-mech internally +# as if you had enabled both. +# +# Note that you can use only one auth mechanism at the same time! This is because, +# both mechanisms conduct username and password validation in different ways. +# +# Use either lt-cred-mech or use-auth-secret in the conf +# to avoid any confusion. +# +use-auth-secret + +# 'Static' authentication secret value (a string) for TURN REST API only. +# If not set, then the turn server +# will try to use the 'dynamic' value in the turn_secret table +# in the user database (if present). The database-stored value can be changed on-the-fly +# by a separate program, so this is why that mode is considered 'dynamic'. +# +# Секрет для TURN REST API (должен совпадать с signaling server.conf [turn] secret) +static-auth-secret=YOUR_TURN_STATIC_AUTH_SECRET + +# Server name used for +# the oAuth authentication purposes. +# The default value is the realm name. +# +#server-name=blackdow.carleon.gov + +# Flag that allows oAuth authentication. +# +#oauth + +# 'Static' user accounts for the long term credentials mechanism, only. +# This option cannot be used with TURN REST API. +# 'Static' user accounts are NOT dynamically checked by the turnserver process, +# so they can NOT be changed while the turnserver is running. +# +#user=username1:key1 +#user=username2:key2 +# OR: +#user=username1:password1 +#user=username2:password2 +# +# Keys must be generated by turnadmin utility. The key value depends +# on user name, realm, and password: +# +# Example: +# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic +# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee +# ('0x' in the beginning of the key is what differentiates the key from +# password. If it has 0x then it is a key, otherwise it is a password). +# +# The corresponding user account entry in the config file will be: +# +#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee +# Or, equivalently, with open clear password (less secure): +#user=ninefingers:youhavetoberealistic +# + +# SQLite database file name. +# +# The default file name is /var/db/turndb or /usr/local/var/db/turndb or +# /var/lib/turn/turndb. +# +#userdb=/var/db/turndb + +# PostgreSQL database connection string in the case that you are using PostgreSQL +# as the user database. +# This database can be used for the long-term credential mechanism +# and it can store the secret value for secret-based timed authentication in TURN REST API. +# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL +# versions connection string format, see +# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING +# for 9.x and newer connection string formats. +# +#psql-userdb="host= dbname= user= password= connect_timeout=30" + +# MySQL database connection string in the case that you are using MySQL +# as the user database. +# This database can be used for the long-term credential mechanism +# and it can store the secret value for secret-based timed authentication in TURN REST API. +# +# Optional connection string parameters for the secure communications (SSL): +# ca, capath, cert, key, cipher +# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the +# command options description). +# +# Use the string format below (space separated parameters, all optional): +# +#mysql-userdb="host= dbname= user= password= port= connect_timeout= read_timeout=" + +# If you want to use an encrypted password in the MySQL connection string, +# then set the MySQL password encryption secret key file with this option. +# +# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format! +# If you want to use a cleartext password then do not set this option! +# +# This is the file path for the aes encrypted secret key used for password encryption. +# +#secret-key-file=/path/ + +# MongoDB database connection string in the case that you are using MongoDB +# as the user database. +# This database can be used for long-term credential mechanism +# and it can store the secret value for secret-based timed authentication in TURN REST API. +# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html +# +#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]" + +# Redis database connection string in the case that you are using Redis +# as the user database. +# This database can be used for long-term credential mechanism +# and it can store the secret value for secret-based timed authentication in TURN REST API. +# Use the string format below (space separated parameters, all optional): +# +#redis-userdb="ip= dbname= password= port= connect_timeout=" + +# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used). +# This database keeps allocations status information, and it can be also used for publishing +# and delivering traffic and allocation event notifications. +# The connection string has the same parameters as redis-userdb connection string. +# Use the string format below (space separated parameters, all optional): +# +#redis-statsdb="ip= dbname= password= port= connect_timeout=" + +# The default realm to be used for the users when no explicit +# origin/realm relationship is found in the database, or if the TURN +# server is not using any database (just the commands-line settings +# and the userdb file). Must be used with long-term credentials +# mechanism or with TURN REST API. +# +# Note: If the default realm is not specified, then realm falls back to the host domain name. +# If the domain name string is empty, or set to '(None)', then it is initialized as an empty string. +# +realm=YOUR_DOMAIN + +# This flag sets the origin consistency +# check. Across the session, all requests must have the same +# main ORIGIN attribute value (if the ORIGIN was +# initially used by the session). +# +#check-origin-consistency + +# Per-user allocation quota. +# default value is 0 (no quota, unlimited number of sessions per user). +# This option can also be set through the database, for a particular realm. +# +#user-quota=0 + +# Total allocation quota. +# default value is 0 (no quota). +# This option can also be set through the database, for a particular realm. +# +#total-quota=0 + +# Max bytes-per-second bandwidth a TURN session is allowed to handle +# (input and output network streams are treated separately). Anything above +# that limit will be dropped or temporarily suppressed (within +# the available buffer limits). +# This option can also be set through the database, for a particular realm. +# +#max-bps=0 + +# +# Maximum server capacity. +# Total bytes-per-second bandwidth the TURN server is allowed to allocate +# for the sessions, combined (input and output network streams are treated separately). +# +# bps-capacity=0 + +# Uncomment if no UDP client listener is desired. +# By default UDP client listener is always started. +# +#no-udp + +# Uncomment if no TCP client listener is desired. +# By default TCP client listener is always started. +# +#no-tcp + +# Uncomment if no TLS client listener is desired. +# By default TLS client listener is always started. +# +#no-tls + +# Uncomment if no DTLS client listener is desired. +# By default DTLS client listener is always started. +# +#no-dtls + +# Uncomment if no UDP relay endpoints are allowed. +# By default UDP relay endpoints are enabled (like in RFC 5766). +# +#no-udp-relay + +# Uncomment if no TCP relay endpoints are allowed. +# By default TCP relay endpoints are enabled (like in RFC 6062). +# +#no-tcp-relay + +# Uncomment if extra security is desired, +# with nonce value having a limited lifetime. +# The nonce value is unique for a session. +# Set this option to limit the nonce lifetime. +# Set it to 0 for unlimited lifetime. +# It defaults to 600 secs (10 min) if no value is provided. After that delay, +# the client will get 438 error and will have to re-authenticate itself. +# +#stale-nonce=600 + +# Uncomment if you want to set the maximum allocation +# time before it has to be refreshed. +# Default is 3600s. +# +#max-allocate-lifetime=3600 + +# Uncomment to set the lifetime for the channel. +# Default value is 600 secs (10 minutes). +# This value MUST not be changed for production purposes. +# +#channel-lifetime=600 + +# Uncomment to set the permission lifetime. +# Default to 300 secs (5 minutes). +# In production this value MUST not be changed, +# however it can be useful for test purposes. +# +#permission-lifetime=300 + +# Certificate file. +# Use an absolute path or path relative to the +# configuration file. +# Use PEM file format. +# +cert=/etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem + +# Private key file. +# Use an absolute path or path relative to the +# configuration file. +# Use PEM file format. +# +pkey=/etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem + +# Private key file password, if it is in encoded format. +# This option has no default value. +# +#pkey-pwd=... + +# Allowed OpenSSL cipher list for TLS/DTLS connections. +# Default value is "DEFAULT". +# +#cipher-list="DEFAULT" + +# CA file in OpenSSL format. +# Forces TURN server to verify the client SSL certificates. +# By default this is not set: there is no default value and the client +# certificate is not checked. +# +# Example: +#CA-file=/etc/ssh/id_rsa.cert + +# Curve name for EC ciphers, if supported by OpenSSL +# library (TLS and DTLS). The default value is prime256v1, +# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+, +# an optimal curve will be automatically calculated, if not defined +# by this option. +# +#ec-curve-name=prime256v1 + +# Use 566 bits predefined DH TLS key. Default size of the key is 2066. +# +#dh566 + +# Use 1066 bits predefined DH TLS key. Default size of the key is 2066. +# +#dh1066 + +# Use custom DH TLS key, stored in PEM format in the file. +# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file. +# +dh-file=/etc/certs/dhp/dhp.pem + +# Flag to prevent stdout log messages. +# By default, all log messages go to both stdout and to +# the configured log file. With this option everything will +# go to the configured log only (unless the log file itself is stdout). +# +#no-stdout-log + +# Option to set the log file name. +# By default, the turnserver tries to open a log file in +# /var/log, /var/tmp, /tmp and the current directory +# (Whichever file open operation succeeds first will be used). +# With this option you can set the definite log file name. +# The special names are "stdout" and "-" - they will force everything +# to the stdout. Also, the "syslog" name will force everything to +# the system log (syslog). +# In the runtime, the logfile can be reset with the SIGHUP signal +# to the turnserver process. +# +log-file=/var/tmp/turnserver.log + +# Option to redirect all log output into system log (syslog). +# +#syslog + +# This flag means that no log file rollover will be used, and the log file +# name will be constructed as-is, without PID and date appendage. +# This option can be used, for example, together with the logrotate tool. +# +#simple-log + +# Enable full ISO-8601 timestamp in all logs. +#new-log-timestamp + +# Set timestamp format (in strftime(1) format) +#new-log-timestamp-format "%FT%T%z" + +# Disabled by default binding logging in verbose log mode to avoid DoS attacks. +# Enable binding logging and UDP endpoint logs in verbose log mode. +#log-binding + +# Option to set the "redirection" mode. The value of this option +# will be the address of the alternate server for UDP & TCP service in the form of +# [:]. The server will send this value in the attribute +# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client. +# Client will receive only values with the same address family +# as the client network endpoint address family. +# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality. +# The client must use the obtained value for subsequent TURN communications. +# If more than one --alternate-server option is provided, then the functionality +# can be more accurately described as "load-balancing" than a mere "redirection". +# If the port number is omitted, then the default port +# number 3478 for the UDP/TCP protocols will be used. +# Colon (:) characters in IPv6 addresses may conflict with the syntax of +# the option. To alleviate this conflict, literal IPv6 addresses are enclosed +# in square brackets in such resource identifiers, for example: +# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . +# Multiple alternate servers can be set. They will be used in the +# round-robin manner. All servers in the pool are considered of equal weight and +# the load will be distributed equally. For example, if you have 4 alternate servers, +# then each server will receive 25% of ALLOCATE requests. A alternate TURN server +# address can be used more than one time with the alternate-server option, so this +# can emulate "weighting" of the servers. +# +# Examples: +#alternate-server=1.2.3.4:5678 +#alternate-server=11.22.33.44:56789 +#alternate-server=5.6.7.8 +#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 + +# Option to set alternative server for TLS & DTLS services in form of +# :. If the port number is omitted, then the default port +# number 5349 for the TLS/DTLS protocols will be used. See the previous +# option for the functionality description. +# +# Examples: +#tls-alternate-server=1.2.3.4:5678 +#tls-alternate-server=11.22.33.44:56789 +#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 + +# Option to suppress TURN functionality, only STUN requests will be processed. +# Run as STUN server only, all TURN requests will be ignored. +# By default, this option is NOT set. +# +#stun-only + +# Option to hide software version. Enhance security when used in production. +# Revealing the specific software version of the agent through the +# SOFTWARE attribute might allow them to become more vulnerable to +# attacks against software that is known to contain security holes. +# Implementers SHOULD make usage of the SOFTWARE attribute a +# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2) +# +#no-software-attribute + +# Option to suppress STUN functionality, only TURN requests will be processed. +# Run as TURN server only, all STUN requests will be ignored. +# By default, this option is NOT set. +# +#no-stun + +# This is the timestamp/username separator symbol (character) in TURN REST API. +# The default value is ':'. +# rest-api-separator=: + +# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1). +# This is an extra security measure. +# +# (To avoid any security issue that allowing loopback access may raise, +# the no-loopback-peers option is replaced by allow-loopback-peers.) +# +# Allow it only for testing in a development environment! +# In production it adds a possible security vulnerability, so for security reasons +# it is not allowed using it together with empty cli-password. +# +#allow-loopback-peers + +# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*). +# This is an extra security measure. +# +no-multicast-peers + +# Option to set the max time, in seconds, allowed for full allocation establishment. +# Default is 60 seconds. +# +#max-allocate-timeout=60 + +# Option to allow or ban specific ip addresses or ranges of ip addresses. +# If an ip address is specified as both allowed and denied, then the ip address is +# considered to be allowed. This is useful when you wish to ban a range of ip +# addresses, except for a few specific ips within that range. +# +# This can be used when you do not want users of the turn server to be able to access +# machines reachable by the turn server, but would otherwise be unreachable from the +# internet (e.g. when the turn server is sitting behind a NAT) +# +# Examples: +# denied-peer-ip=83.166.64.0-83.166.95.255 +# allowed-peer-ip=83.166.68.45 +denied-peer-ip=10.0.0.0-10.255.255.255 +denied-peer-ip=172.16.0.0-172.31.255.255 +denied-peer-ip=192.168.0.0-192.168.255.255 +denied-peer-ip=100.64.0.0-100.127.255.255 +denied-peer-ip=169.254.0.0-169.254.255.255 +denied-peer-ip=192.0.0.0-192.0.0.255 +denied-peer-ip=192.0.2.0-192.0.2.255 +denied-peer-ip=198.18.0.0-198.19.255.255 +denied-peer-ip=198.51.100.0-198.51.100.255 +denied-peer-ip=203.0.113.0-203.0.113.255 +denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff +denied-peer-ip=::ffff:0:0-::ffff:ffff:ffff +denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff +denied-peer-ip=64:ff9b:1::-64:ff9b:1:ffff:ffff:ffff:ffff:ffff +denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff +denied-peer-ip=2001:db8::-2001:db8:ffff:ffff:ffff:ffff:ffff:ffff +denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +# File name to store the pid of the process. +# Default is /var/run/turnserver.pid (if superuser account is used) or +# /var/tmp/turnserver.pid . +# +#pidfile="/var/run/turnserver.pid" + +# Require authentication of the STUN Binding request. +# By default, the clients are allowed anonymous access to the STUN Binding functionality. +# +#secure-stun + +# Mobility with ICE (MICE) specs support. +# +#mobility + +# Allocate Address Family according +# If enabled then TURN server allocates address family according the TURN +# Client <=> Server communication address family. +# (By default Coturn works according RFC 6156.) +# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!! +# +keep-address-family + +# User name to run the process. After the initialization, the turnserver process +# will attempt to change the current user ID to that user. +# +#proc-user= + +# Group name to run the process. After the initialization, the turnserver process +# will attempt to change the current group ID to that group. +# +#proc-group= + +# Turn OFF the CLI support. +# By default it is always ON. +# See also options cli-ip and cli-port. +# +no-cli + +#Local system IP address to be used for CLI server endpoint. Default value +# is 127.0.0.1. +# +#cli-ip=127.0.0.1 + +# CLI server port. Default is 5766. +# +#cli-port=5766 + +# CLI access password. Default is empty (no password). +# For the security reasons, it is recommended that you use the encrypted +# form of the password (see the -P command in the turnadmin utility). +# +# Secure form for password 'qwerty': +# +#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a +# +# Or unsecure form for the same password: +# +#cli-password=qwerty + +# Enable Web-admin support on https. By default it is Disabled. +# If it is enabled it also enables a http a simple static banner page +# with a small reminder that the admin page is available only on https. +# +#web-admin + +# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1. +# +#web-admin-ip=127.0.0.1 + +# Web-admin server port. Default is 8080. +# +#web-admin-port=8080 + +# Web-admin server listen on STUN/TURN worker threads +# By default it is disabled for security resons! (Not recommended in any production environment!) +# +#web-admin-listen-on-workers + +#acme-redirect=http://redirectserver/.well-known/acme-challenge/ +# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '$1'. +# Default is '', i.e. no special handling for such requests. + +# Server relay. NON-STANDARD AND DANGEROUS OPTION. +# Only for those applications when you want to run +# server applications on the relay endpoints. +# This option eliminates the IP permissions check on +# the packets incoming to the relay endpoints. +# +#server-relay + +# Maximum number of output sessions in ps CLI command. +# This value can be changed on-the-fly in CLI. The default value is 256. +# +#cli-max-output-sessions + +# Set network engine type for the process (for internal purposes). +# +#ne=[1|2|3] + +# Do not allow an TLS/DTLS version of protocol +# +no-tlsv1 +no-tlsv1_1 +#no-tlsv1_2 diff --git a/config/janus/janus.eventhandler.gelfevh.jcfg b/config/janus/janus.eventhandler.gelfevh.jcfg new file mode 100644 index 0000000..fe1340a --- /dev/null +++ b/config/janus/janus.eventhandler.gelfevh.jcfg @@ -0,0 +1,21 @@ +# This configures the GELF event handler. Appending necessary headers +# and sending messages via TCP or UDP + +general: { + enabled = false # By default the module is not enabled + events = "all" + # Comma separated list of the events mask you're interested + # in. Valid values are none, sessions, handles, jsep, webrtc, + # media, plugins, transports, core, external and all. By + # default we subscribe to everything (all) + + backend = "your.graylog.server" # DNS or IP of your Graylog server + port = "12201" # Port Graylog server is listening on + protocol = "tcp" # tcp or udp transport type + max_message_len = 1024 # Note that we add 12 bytes of headers + standard UDP headers (8 bytes) + # when calculating packet size based on MTU + + #compress = true # Optionally, only for UDP transport, JSON messages can be compressed using zlib + #compression = 9 # In case, you can specify the compression factor, where 1 is + # the fastest (low compression), and 9 gives the best compression +} diff --git a/config/janus/janus.eventhandler.mqttevh.jcfg b/config/janus/janus.eventhandler.mqttevh.jcfg new file mode 100644 index 0000000..3bf7578 --- /dev/null +++ b/config/janus/janus.eventhandler.mqttevh.jcfg @@ -0,0 +1,57 @@ +# This configures the MQTT event handler. Events are sent either on +# one topic or on a topic per event type. +# +# By default, configuration topics for handle and webrtc event types +# with the base topic are configured to /janus/events, e.g.: +# /janus/events/handle +# /janus/events/webrtc + +general: { + enabled = false # By default the module is not enabled + events = "all" # Comma separated list of the events mask you're interested + # in. Valid values are none, sessions, handles, jsep, webrtc, + # media, plugins, transports, core, external and all. By + # default we subscribe to everything (all) + json = "indented" # Whether the JSON messages should be indented (default), + # plain (no indentation) or compact (no indentation and no spaces) + + url = "tcp://localhost:1883" # The URL of the MQTT server. "tcp://" and "ssl://" protocols are supported. + #mqtt_version = "3.1.1" # Protocol version. Available values: 3.1, 3.1.1 (default), 5. + client_id = "janus.example.com" # Janus client id. You have to configure a unique ID (default: guest). + #keep_alive_interval = 20 # Keep connection for N seconds (default: 30) + #cleansession = 0 # Clean session flag (default: off) + #retain = 0 # Default MQTT retain flag for published events + #qos = 1 # Default MQTT QoS for published events + #max_inflight = 10 # Maximum number of inflight messages + #max_buffered = 100 # Maximum number of buffered messages + #disconnect_timeout = 100 # Seconds to wait before destroying client + #username = "guest" # Username for authentication (default: no authentication) + #password = "guest" # Password for authentication (default: no authentication) + #topic = "/janus/events" # Base topic (default: /janus/events) + #addevent = true # Whether we should add the event type to the base topic + + #tls_enable = false # Whether TLS support must be enabled + + # Initial message sent to status topic + #connect_status = "{\"event\": \"connected\", \"eventhandler\": \"janus.eventhandler.mqttevh\"}" + # Message sent after disconnect or as LWT + #disconnect_status = "{\"event\": \"disconnected\"}" + + #will_enabled = false # Whether to enable LWT (default: false) + #will_retain = 1 # Whether LWT should be retained (default: 1) + #will_qos = 0 # QoS for LWT (default: 0) + + # Additional parameters if "mqtts://" schema is used + #tls_verify_peer = true # Whether peer verification must be enabled + #tls_verify_hostname = true # Whether hostname verification must be enabled + + # Certificates to use when TLS support is enabled, if needed + #tls_cacert = "/path/to/cacert.pem" + tls_client_cert = "/etc/ssl/certs/ssl-cert-snakeoil.pem" + tls_client_key = "/etc/ssl/private/ssl-cert-snakeoil.key" + #tls_ciphers + #tls_version + + # These options work with MQTT 5 only. + #add_user_properties = () # List of user property ["key", "value"] pairs to add. +} diff --git a/config/janus/janus.eventhandler.nanomsgevh.jcfg b/config/janus/janus.eventhandler.nanomsgevh.jcfg new file mode 100644 index 0000000..1dfe499 --- /dev/null +++ b/config/janus/janus.eventhandler.nanomsgevh.jcfg @@ -0,0 +1,30 @@ +# This configures the Nanomsg event handler. Since this plugin only +# forwards each event it receives via Nanomsg, you simply need to +# configure (i) which events to subscribe to, (ii) the address to use for +# the communication, and (iii) whether the address should be used to bind +# locally or to connect to a remote endpoint. Notice that the only supported +# pattern is NN_PUBSUB, where the Nanomsg event handler is the publisher. + +general: { + enabled = false # By default the module is not enabled + events = "all" # Comma separated list of the events mask you're interested + # in. Valid values are none, sessions, handles, jsep, webrtc, + # media, plugins, transports, core, external and all. By + # default we subscribe to everything (all) + grouping = true # Whether events should be sent individually (one per + # HTTP POST, JSON object), or if it's ok to group them + # (one or more per HTTP POST, JSON array with objects) + # The default is 'yes' to limit the number of connections. + + # Address the plugin will send all events to as HTTP POST + # requests with an application/json payload. In case + # authentication is required to contact the backend, set + # the credentials as well (basic authentication only). + json = "indented" # Whether the JSON messages should be indented (default), + # plain (no indentation) or compact (no indentation and no spaces) + + #mode = "bind" # Whether we should 'bind' to the specified + # address, or connect to it if remote (default) + address = "ipc:///tmp/janusevh.ipc" # Address to use, refer to the Nanomsg documentation + # for more info on different transports you can use here +} diff --git a/config/janus/janus.eventhandler.rabbitmqevh.jcfg b/config/janus/janus.eventhandler.rabbitmqevh.jcfg new file mode 100644 index 0000000..ea7f2d2 --- /dev/null +++ b/config/janus/janus.eventhandler.rabbitmqevh.jcfg @@ -0,0 +1,34 @@ +# This configures the RabbitMQ event handler. + +general: { + enabled = false # By default the module is not enabled + events = "all" # Comma separated list of the events mask you're interested + # in. Valid values are none, sessions, handles, jsep, webrtc, + # media, plugins, transports, core, external and all. By + # default we subscribe to everything (all) + grouping = true # Whether events should be sent individually , or if it's ok + # to group them. The default is 'yes' to limit the number of + # messages + json = "indented" # Whether the JSON messages should be indented (default), + # plain (no indentation) or compact (no indentation and no spaces) + + host = "localhost" # The address of the RabbitMQ server + #port = 5672 # The port of the RabbitMQ server (5672 by default) + #username = "guest" # Username to use to authenticate, if needed + #password = "guest" # Password to use to authenticate, if needed + #vhost = "/" # Virtual host to specify when logging in, if needed + #exchange = "janus-exchange" + route_key = "janus-events" # Routing key to use when publishing messages + #exchange_type = "fanout" # Rabbitmq exchange_type can be one of the available types: direct, topic, headers and fanout (fanout by defualt). + #heartbeat = 60 # Defines the seconds without communication that should pass before considering the TCP connection unreachable. + #declare_outgoing_queue = true # By default (for backwards compatibility), we declare an outgoing queue. Set this to false to disable that behavior + + #ssl_enable = false # Whether ssl support must be enabled + #ssl_verify_peer = true # Whether peer verification must be enabled + #ssl_verify_hostname = true # Whether hostname verification must be enabled + + # Certificates to use when SSL support is enabled, if needed + #ssl_cacert = "/path/to/cacert.pem" + ssl_cert = "/etc/ssl/certs/ssl-cert-snakeoil.pem" + ssl_key = "/etc/ssl/private/ssl-cert-snakeoil.key" +} diff --git a/config/janus/janus.eventhandler.sampleevh.jcfg b/config/janus/janus.eventhandler.sampleevh.jcfg new file mode 100644 index 0000000..d32b7a5 --- /dev/null +++ b/config/janus/janus.eventhandler.sampleevh.jcfg @@ -0,0 +1,44 @@ +# This configures the sample event handler. Since this plugin simply +# forwards each event it receives via HTTP POST, you simply need to +# configure (i) which events to subscribe to, and (ii) the address of +# the web server which will receive the requests. + +general: { + enabled = false # By default the module is not enabled + events = "all" # Comma separated list of the events mask you're interested + # in. Valid values are none, sessions, handles, jsep, webrtc, + # media, plugins, transports, core, external and all. By + # default we subscribe to everything (all) + grouping = true # Whether events should be sent individually (one per + # HTTP POST, JSON object), or if it's ok to group them + # (one or more per HTTP POST, JSON array with objects) + # The default is 'yes' to limit the number of connections. + json = "indented" # Whether the JSON messages should be indented (default), + # plain (no indentation) or compact (no indentation and no spaces) + + #compress = true # Optionally, the JSON messages can be compressed using zlib + #compression = 9 # In case, you can specify the compression factor, where 1 is + # the fastest (low compression), and 9 gives the best compression + + # Address the plugin will send all events to as HTTP POST + # requests with an application/json payload. In case + # authentication is required to contact the backend, set + # the credentials as well (basic authentication only). + backend = "http://your.webserver.here/and/a/path" + #backend_user = "myuser" + #backend_pwd = "mypwd" + + # You can also configure how retransmissions should + # happen, after a failed attempt to deliver an event. + # Specifically, you can specify how many times a + # retransmission should be attempted (default=5) and + # which step is used, in milliseconds, for the exponential + # backoff before retrying (e.g, if step=100ms, then the + # the first retry will happen after 100ms, the second + # after 200ms, then 400ms, and so on). If the event cannot + # be retransmitted after the maximum number of attemps + # is reached, then it's lost. Beware that retransmissions + # will also delay pending events and increase the queue. + #max_retransmissions = 5 + #retransmissions_backoff = 100 +} diff --git a/config/janus/janus.eventhandler.wsevh.jcfg b/config/janus/janus.eventhandler.wsevh.jcfg new file mode 100644 index 0000000..c5cc364 --- /dev/null +++ b/config/janus/janus.eventhandler.wsevh.jcfg @@ -0,0 +1,31 @@ +# This configures the WebSockets event handler. Since this plugin only +# forwards each event it receives via WebSockets, you simply need to +# configure (i) which events to subscribe to, and (ii) the address of +# the WebSockets server which will receive the requests. + +general: { + enabled = false # By default the module is not enabled + events = "all" # Comma separated list of the events mask you're interested + # in. Valid values are none, sessions, handles, jsep, webrtc, + # media, plugins, transports, core, external and all. By + # default we subscribe to everything (all) + grouping = true # Whether events should be sent individually (one per + # HTTP POST, JSON object), or if it's ok to group them + # (one or more per HTTP POST, JSON array with objects) + # The default is 'yes' to limit the number of connections. + + json = "indented" # Whether the JSON messages should be indented (default), + # plain (no indentation) or compact (no indentation and no spaces) + + # Address the plugin will send all events to as WebSocket + # messages. In case authentication is required to contact + # the backend, set the credentials as well. + backend = "ws://your.websocket.here" + # subprotocol = "your-subprotocol" + + # In case you need to debug connection issues, you can configure + # the libwebsockets debugging level as a comma separated list of things + # to debug, supported values: err, warn, notice, info, debug, parser, + # header, ext, client, latency, user, count (plus 'none' and 'all') + #ws_logging = "err,warn" +} diff --git a/config/janus/janus.jcfg b/config/janus/janus.jcfg new file mode 100644 index 0000000..8f683de --- /dev/null +++ b/config/janus/janus.jcfg @@ -0,0 +1,437 @@ +# General configuration: folders where the configuration and the plugins +# can be found, how output should be logged, whether Janus should run as +# a daemon or in foreground, default interface to use, debug/logging level +# and, if needed, shared apisecret and/or token authentication mechanism +# between application(s) and Janus. +general: { + configs_folder = "/etc/janus" # Configuration files folder + plugins_folder = "/usr/lib/x86_64-linux-gnu/janus/plugins" # Plugins folder + transports_folder = "/usr/lib/x86_64-linux-gnu/janus/transports" # Transports folder + events_folder = "/usr/lib/x86_64-linux-gnu/janus/events" # Event handlers folder + loggers_folder = "/usr/lib/x86_64-linux-gnu/janus/loggers" # External loggers folder + + # The next settings configure logging + #log_to_stdout = false # Whether the Janus output should be written + # to stdout or not (default=true) + log_to_file = "/var/log/janus.log" # Whether to use a log file or not + debug_level = 4 # Debug/logging level, valid values are 0-7 + debug_timestamps = true # Whether to show a timestamp for each log line + #debug_colors = false # Whether colors should be disabled in the log + #debug_locks = true # Whether to enable debugging of locks (very verbose!) + #log_prefix = "[janus] " # In case you want log lines to be prefixed by some + # custom text, you can use the 'log_prefix' property. + # It supports terminal colors, meaning something like + # "[\x1b[32mjanus\x1b[0m] " would show a green "janus" + # string in square brackets (assuming debug_colors=true). + + # This is what you configure if you want to launch Janus as a daemon + #daemonize = true # Whether Janus should run as a daemon + # or not (default=run in foreground) + #pid_file = "/path/to/janus.pid" # PID file to create when Janus has been + # started, and to destroy at shutdown + + # There are different ways you can authenticate the Janus and Admin APIs + #api_secret = "janusrocks" # String that all Janus requests must contain + # to be accepted/authorized by the Janus core. + # Useful if you're wrapping all Janus API requests + # in your servers (that is, not in the browser, + # where you do the things your way) and you + # don't want other application to mess with + # this Janus instance. + #token_auth = true # Enable a token based authentication + # mechanism to force users to always provide + # a valid token in all requests. Useful if + # you want to authenticate requests from web + # users. + #token_auth_secret = "janus" # Use HMAC-SHA1 signed tokens (with token_auth). Note that + # without this, the Admin API MUST + # be enabled, as tokens are added and removed + # through messages sent there. + admin_secret = "CHANGE_ME" # String that all Janus requests must contain + # to be accepted/authorized by the admin/monitor. + # only needed if you enabled the admin API + # in any of the available transports. + + # Generic settings + #interface = "1.2.3.4" # Interface to use (will be used in SDP) + #server_name = "MyJanusInstance"# Public name of this Janus instance + # as it will appear in an info request + #session_timeout = 60 # How long (in seconds) we should wait before + # deciding a Janus session has timed out. A + # session times out when no request is received + # for session_timeout seconds (default=60s). + # Setting this to 0 will disable the timeout + # mechanism, which is NOT suggested as it may + # risk having orphaned sessions (sessions not + # controlled by any transport and never freed). + # To avoid timeouts, keep-alives can be used. + #candidates_timeout = 45 # How long (in seconds) we should keep hold of + # pending (trickle) candidates before discarding + # them (default=45s). Notice that setting this + # to 0 will NOT disable the timeout, but will + # be considered an invalid value and ignored. + #reclaim_session_timeout = 0 # How long (in seconds) we should wait for a + # janus session to be reclaimed after the transport + # is gone. After the transport is gone, a session + # times out when no request is received for + # reclaim_session_timeout seconds (default=0s). + # Setting this to 0 will disable the timeout + # mechanism, and sessions will be destroyed immediately + # if the transport is gone. + #recordings_tmp_ext = "tmp" # The extension for recordings, in Janus, is + # .mjr, a custom format we devised ourselves. + # By default, we save to .mjr directly. If you'd + # rather the recording filename have a temporary + # extension while it's being saved, and only + # have the .mjr extension when the recording + # is over (e.g., to automatically trigger some + # external scripts), then uncomment and set the + # recordings_tmp_ext property to the extension + # to add to the base (e.g., tmp --> .mjr.tmp). + #event_loops = 8 # By default, Janus handles each have their own + # event loop and related thread for all the media + # routing and management. If for some reason you'd + # rather limit the number of loop/threads, and + # you want handles to share those, you can do that + # configuring the event_loops property: this will + # spawn the specified amount of threads at startup, + # run a separate event loop on each of them, and + # add new handles to one of them when attaching. + # Notice that, while cutting the number of threads + # and possibly reducing context switching, this + # might have an impact on the media delivery, + # especially if the available loops can't take + # care of all the handles and their media in time. + # As such, if you want to use this you should + # provision the correct value according to the + # available resources (e.g., CPUs available). + #allow_loop_indication = true # In case a static number of event loops is + # configured as explained above, by default + # new handles will be allocated on one loop or + # another by the Janus core itself. In some cases + # it may be helpful to manually tell the Janus + # core which loop a handle should be added to, + # e.g., to group viewers of the same stream on + # the same loop. This is possible via the Janus + # API when performing the 'attach' request, but + # only if allow_loop_indication is set to true; + # it's set to false by default to avoid abuses. + # Don't change if you don't know what you're doing! + #opaqueid_in_api = true # Opaque IDs set by applications are typically + # only passed to event handlers for correlation + # purposes, but not sent back to the user or + # application in the related Janus API responses + # or events; in case you need them to be in the + # Janus API too, set this property to 'true'. + #hide_dependencies = true # By default, a call to the "info" endpoint of + # either the Janus or Admin API now also returns + # the versions of the main dependencies (e.g., + # libnice, libsrtp, which crypto library is in + # use and so on). Should you want that info not + # to be disclose, set 'hide_dependencies' to true. + #exit_on_dl_error = false # If a Janus shared libary cannot be loaded or an expected + # symbol is not found, exit immediately. + + # The following is ONLY useful when debugging RTP/RTCP packets, + # e.g., to look at unencrypted live traffic with a browser. By + # default it is obviously disabled, as WebRTC mandates encryption. + #no_webrtc_encryption = true + + # Janus provides ways via its API to specify custom paths to save + # files to (e.g., recordings, pcap captures and the like). In order + # to avoid people can mess with folders they're not supposed to, + # you can configure an array of folders that Janus should prevent + # creating files in. If the 'protected_folder' property below is + # commented, no folder is protected. + # Notice that at the moment this only covers attempts to start + # an .mjr recording and pcap/text2pcap packet captures. + protected_folders = [ + "/bin", + "/boot", + "/dev", + "/etc", + "/initrd", + "/lib", + "/lib32", + "/lib64", + "/proc", + "/sbin", + "/sys", + "/usr", + "/var", + # We add what are usually the folders Janus is installed to + # as well: we don't just put "/opt/janus" because that would + # include folders like "/opt/janus/share" that is where + # recordings might be saved to by some plugins + "/opt/janus/bin", + "/opt/janus/etc", + "/opt/janus/include", + "/opt/janus/lib", + "/opt/janus/lib32", + "/opt/janus/lib64", + "/opt/janus/sbin" + ] +} + +# Certificate and key to use for DTLS (and passphrase if needed). If missing, +# Janus will autogenerate a self-signed certificate to use. Notice that +# self-signed certificates are fine for the purpose of WebRTC DTLS +# connectivity, for the time being, at least until Identity Providers +# are standardized and implemented in browsers. If for some reason you +# want to enforce the DTLS stack in Janus to enforce valid certificates +# from peers, though, you can do that setting 'dtls_accept_selfsigned' to +# 'false' below: DO NOT TOUCH THAT IF YOU DO NOT KNOW WHAT YOU'RE DOING! +# You can also configure the DTLS ciphers to offer: the default if not +# set is "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK" +# Finally, by default NIST P-256 certificates are generated (see #1997), +# but RSA generation is still supported if you set 'rsa_private_key' to 'true'. +certificates: { + #cert_pem = "/etc/ssl/certs/ssl-cert-snakeoil.pem" + #cert_key = "/etc/ssl/private/ssl-cert-snakeoil.key" + #cert_pwd = "secretpassphrase" + #dtls_accept_selfsigned = false + #dtls_ciphers = "your-desired-openssl-ciphers" + #rsa_private_key = false +} + +# Media-related stuff: you can configure whether if you want to enable IPv6 +# support (and link-local IPs), the minimum size of the NACK queue (in ms, +# defaults to 200ms) for retransmissions no matter the RTT, the range of +# ports to use for RTP and RTCP (by default, no range is envisaged), the +# starting MTU for DTLS (1200 by default, it adapts automatically), +# how much time, in seconds, should pass with no media (audio or +# video) being received before Janus notifies you about this (default=1s, +# 0 disables these events entirely), how many lost packets should trigger a +# 'slowlink' event to users (default=0, disabled), and how often, in milliseconds, +# to send the Transport Wide Congestion Control feedback information back +# to senders, if negotiated (default=200ms). Finally, if you're using BoringSSL +# you can customize the frequency of retransmissions: OpenSSL has a fixed +# value of 1 second (the default), while BoringSSL can override that. Notice +# that lower values (e.g., 100ms) will typically get you faster connection +# times, but may not work in case the RTT of the user is high: as such, +# you should pick a reasonable trade-off (usually 2*max expected RTT). +media: { + #ipv6 = true + #ipv6_linklocal = true + #min_nack_queue = 500 + #rtp_port_range = "20000-40000" + #dtls_mtu = 1200 + #no_media_timer = 1 + #slowlink_threshold = 4 + #twcc_period = 100 + #dtls_timeout = 500 + + # Janus can do some optimizations on the NACK queue, specifically when + # keyframes are involved. Namely, you can configure Janus so that any + # time a keyframe is sent to a user, the NACK buffer for that connection + # is emptied. This allows Janus to ignore NACK requests for packets + # sent shortly before the keyframe was sent, since it can be assumed + # that the keyframe will restore a complete working image for the user + # anyway (which is the main reason why video retransmissions are typically + # required). While this optimization is known to work fine in most cases, + # it can backfire in some edge cases, and so is disabled by default. + #nack_optimizations = true + + # If you need DSCP packet marking and prioritization, you can configure + # the 'dscp' property to a specific values, and Janus will try to + # set it on all outgoing packets using libnice. Normally, the specs + # suggest to use different values depending on whether audio, video + # or data are used, but since all PeerConnections in Janus are bundled, + # we can only use one. You can refer to this document for more info: + # https://tools.ietf.org/html/draft-ietf-tsvwg-rtcweb-qos-18#page-6 + # That said, DON'T TOUCH THIS IF YOU DON'T KNOW WHAT IT MEANS! + #dscp = 46 +} + +# NAT-related stuff: specifically, you can configure the STUN/TURN +# servers to use to gather candidates if the gateway is behind a NAT, +# and srflx/relay candidates are needed. In case STUN is not enough and +# this is needed (it shouldn't), you can also configure Janus to use a +# TURN server# please notice that this does NOT refer to TURN usage in +# browsers, but in the gathering of relay candidates by Janus itself, +# e.g., if you want to limit the ports used by a Janus instance on a +# private machine. Furthermore, you can choose whether Janus should be +# configured to do full-trickle (Janus also trickles its candidates to +# users) rather than the default half-trickle (Janus supports trickle +# candidates from users, but sends its own within the SDP), and whether +# it should work in ICE-Lite mode (by default it doesn't). If libnice is +# at least 0.1.15, you can choose which ICE nomination mode to use: valid +# values are "regular" and "aggressive" (the default depends on the libnice +# version itself; if we can set it, we set aggressive nomination). You can +# also configure whether to use connectivity checks as keep-alives, which +# might help detecting when a peer is no longer available (notice that +# current libnice master is breaking connections after 50 seconds when +# keepalive-conncheck is being used, so if you want to use it, better +# sticking to 0.1.18 until the issue is addressed upstream). Finally, +# you can also enable ICE-TCP support (beware that this may lead to problems +# if you do not enable ICE Lite as well), choose which interfaces should +# be used for gathering candidates, and enable or disable the +# internal libnice debugging, if needed. +nat: { + stun_server = "hpb-prod.f7cloud.ru" # HAND-EDIT + stun_port = 5349 # HAND-EDIT PORT-EDIT (443) + nice_debug = false + full_trickle = true # HAND-EDIT + #ice_nomination = "regular" + #ice_keepalive_conncheck = true + #ice_lite = true + #ice_tcp = true + + # By default Janus tries to resolve mDNS (.local) candidates: even + # though this is now done asynchronously and shouldn't keep the API + # busy, even in case mDNS resolution takes a long time to timeout, + # you can choose to drop all .local candidates instead, which is + # helpful in case you know clients will never be in the same private + # network as the one the Janus instance is running from. Notice that + # this will cause ICE to fail if mDNS is the only way to connect! + #ignore_mdns = true + + # In case you're deploying Janus on a server which is configured with + # a 1:1 NAT (e.g., Amazon EC2), you might want to also specify the public + # address of the machine using the setting below. This will result in + # all host candidates (which normally have a private IP address) to + # be rewritten with the public address provided in the settings. As + # such, use the option with caution and only if you know what you're doing. + # Make sure you keep ICE Lite disabled, though, as it's not strictly + # speaking a publicly reachable server, and a NAT is still involved. + # If you'd rather keep the private IP address in place, rather than + # replacing it (and so have both of them as advertised candidates), + # then set the 'keep_private_host' property to true. + # Multiple public IP addresses can be specified as a comma separated list + # if the Janus is deployed in a DMZ between two 1-1 NAT for internal and + # external users. + #nat_1_1_mapping = "1.2.3.4" + #keep_private_host = true + + # You can configure a TURN server in two different ways: specifying a + # statically configured TURN server, and thus provide the address of the + # TURN server, the transport (udp/tcp/tls) to use, and a set of valid + # credentials to authenticate. Notice that you should NEVER configure + # a TURN server for Janus unless it's really what you want! If you want + # *users* to use TURN, then you need to configure that on the client + # side, and NOT in Janus. The following TURN configuration should ONLY + # be enabled when Janus itself is sitting behind a restrictive firewall + # (e.g., it's part of a service installed on a box in a private home). + #turn_server = "myturnserver.com" + #turn_port = 3478 + #turn_type = "udp" + #turn_user = "myuser" + #turn_pwd = "mypassword" + + # You can also make use of the TURN REST API to get info on one or more + # TURN services dynamically. This makes use of the proposed standard of + # such an API (https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00) + # which is currently available in both rfc5766-turn-server and coturn. + # You enable this by specifying the address of your TURN REST API backend, + # the HTTP method to use (GET or POST) and, if required, the API key Janus + # must provide. The timeout can be configured in seconds, with a default of + # 10 seconds and a minimum of 1 second. Notice that the 'opaque_id' provided + # via Janus API will be used as the username for a specific PeerConnection + # by default; if that one is missing, the 'session_id' will be used as the + # username instead. + #turn_rest_api = "http://yourbackend.com/path/to/api" + turn_rest_api_key = "wU6fR0Eb0J4Aky5NuNeo3w==" # HAND-EDIT + #turn_rest_api_method = "GET" + #turn_rest_api_timeout = 10 + + # In case a TURN server is provided, you can allow applications to force + # Janus to use TURN (https://github.com/meetecho/janus-gateway/pull/2774). + # This is NOT allowed by default: only enable it if you know what you're doing. + #allow_force_relay = true + + # You can also choose which interfaces should be explicitly used by the + # gateway for the purpose of ICE candidates gathering, thus excluding + # others that may be available. To do so, use the 'ice_enforce_list' + # setting and pass it a comma-separated list of interfaces or IP addresses + # to enforce. This is especially useful if the server hosting the gateway + # has several interfaces, and you only want a subset to be used. Any of + # the following examples are valid: + # ice_enforce_list = "eth0" + # ice_enforce_list = "eth0,eth1" + # ice_enforce_list = "eth0,192.168." + # ice_enforce_list = "eth0,192.168.0.1" + # By default, no interface is enforced, meaning Janus will try to use them all. + #ice_enforce_list = "eth0" + + # In case you don't want to specify specific interfaces to use, but would + # rather tell Janus to use all the available interfaces except some that + # you don't want to involve, you can also choose which interfaces or IP + # addresses should be excluded and ignored by the gateway for the purpose + # of ICE candidates gathering. To do so, use the 'ice_ignore_list' setting + # and pass it a comma-separated list of interfaces or IP addresses to + # ignore. This is especially useful if the server hosting the gateway + # has several interfaces you already know will not be used or will simply + # always slow down ICE (e.g., virtual interfaces created by VMware). + # Partial strings are supported, which means that any of the following + # examples are valid: + # ice_ignore_list = "vmnet8,192.168.0.1,10.0.0.1" + # ice_ignore_list = "vmnet,192.168." + # Just beware that the ICE ignore list is not used if an enforce list + # has been configured. By default, Janus ignores all interfaces whose + # name starts with 'vmnet', to skip VMware interfaces: + ice_ignore_list = "vmnet" + + # In case you want to allow Janus to start even if the configured STUN or TURN + # server is unreachable, you can set 'ignore_unreachable_ice_server' to true. + # WARNING: We do not recommend to ignore reachability problems, particularly + # if you run Janus in the cloud. Before enabling this flag, make sure your + # system is correctly configured and Janus starts after the network layer of + # your machine is ready. Note that Linux distributions offer such directives. + # You could use the following directive in systemd: 'After=network-online.target' + # https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Before= + #ignore_unreachable_ice_server = true +} + +# You can choose which of the available plugins should be +# enabled or not. Use the 'disable' directive to prevent Janus from +# loading one or more plugins: use a comma separated list of plugin file +# names to identify the plugins to disable. By default all available +# plugins are enabled and loaded at startup. +plugins: { + #disable = "libjanus_voicemail.so,libjanus_recordplay.so" +} + +# You can choose which of the available transports should be enabled or +# not. Use the 'disable' directive to prevent Janus from loading one +# or more transport: use a comma separated list of transport file names +# to identify the transports to disable. By default all available +# transports are enabled and loaded at startup. +transports: { + #disable = "libjanus_rabbitmq.so" +} + +# As a core feature, Janus can log either on the standard output, or to +# a local file. Should you need more advanced logging functionality, you +# can make use of one of the custom loggers, or write one yourself. Use the +# 'disable' directive to prevent Janus from loading one or more loggers: +# use a comma separated list of logger file names to identify the loggers +# to disable. By default all available loggers are enabled and loaded at startup. +loggers: { + #disable = "libjanus_jsonlog.so" +} + +# Event handlers allow you to receive live events from Janus happening +# in core and/or plugins. Since this can require some more resources, +# the feature is disabled by default. Setting broadcast to yes will +# enable them. You can then choose which of the available event handlers +# should be loaded or not. Use the 'disable' directive to prevent Janus +# from loading one or more event handlers: use a comma separated list of +# file names to identify the event handlers to disable. By default, if +# broadcast is set to yes all available event handlers are enabled and +# loaded at startup. Finally, you can choose how often media statistics +# (packets sent/received, losses, etc.) should be sent: by default it's +# once per second (audio and video statistics sent separately), but may +# considered too verbose, or you may want to limit the number of events, +# especially if you have many PeerConnections active. To change this, +# just set 'stats_period' to the number of seconds that should pass in +# between statistics for each handle. Setting it to 0 disables them (but +# not other media-related events). By default Janus sends single media +# statistic events per media (audio, video and simulcast layers as separate +# events): if you'd rather receive a single containing all media stats in a +# single array, set 'combine_media_stats' to true. +events: { + #broadcast = true + #combine_media_stats = true + #disable = "libjanus_sampleevh.so" + #stats_period = 5 +} diff --git a/config/janus/janus.logger.jsonlog.jcfg b/config/janus/janus.logger.jsonlog.jcfg new file mode 100644 index 0000000..6b505c8 --- /dev/null +++ b/config/janus/janus.logger.jsonlog.jcfg @@ -0,0 +1,16 @@ +# This configures the JSON-based file logger. This is a very simple logger +# with no particular advantage over the existing, integrated, logging +# functionality Janus provides, and so it's configuration is quite basic +# as well: it's here mostly to provide a reference implementation for +# developers willing to provide additional, and more complex, external loggers. + +general: { + enabled = false # By default the module is not enabled + + json = "indented" # Since this logger simply writes each log line as + # a JSON object to a file, you can configure whether + # the JSON log lines should be indented (default), + # plain (no indentation) or compact (no indentation and no spaces) + + filename = "/tmp/janus-log.json" # Filename to save to +} diff --git a/config/janus/janus.plugin.audiobridge.jcfg b/config/janus/janus.plugin.audiobridge.jcfg new file mode 100644 index 0000000..39d41d5 --- /dev/null +++ b/config/janus/janus.plugin.audiobridge.jcfg @@ -0,0 +1,83 @@ +# room-: { +# description = "This is my awesome room" +# is_private = true|false (whether this room should be in the public list, default=true) +# secret = "" +# pin = "" +# sampling_rate = (e.g., 16000 for wideband mixing) +# spatial_audio = true|false (if true, the mix will be stereo to spatially place users, default=false) +# audiolevel_ext = true|false (whether the ssrc-audio-level RTP extension must +# be negotiated/used or not for new joins, default=true) +# audiolevel_event = true|false (whether to emit event to other users or not, default=false) +# audio_active_packets = 100 (number of packets with audio level, default=100, 2 seconds) +# audio_level_average = 25 (average value of audio level, 127=muted, 0='too loud', default=25) +# default_prebuffering = number of packets to buffer before decoding each particiant (default=6) +# default_expectedloss = percent of packets we expect participants may miss, to help with FEC (default=0, max=20; automatically used for forwarders too) +# default_bitrate = default bitrate in bps to use for the all participants (default=0, which means libopus decides; automatically used for forwarders too) +# record = true|false (whether this room should be recorded, default=false) +# record_file = "/path/to/recording.wav" (where to save the recording) +# record_dir = "/path/to/" (path to save the recording to, makes record_file a relative path if provided) +# mjrs = true|false (whether all participants in the room should be individually recorded to mjr files, default=false) +# mjrs_dir = "/path/to/" (path to save the mjr files to) +# allow_rtp_participants = true|false (whether participants should be allowed to join +# via plain RTP as well, rather than just WebRTC, default=false) +# groups = optional, non-hierarchical, array of groups to tag participants, for external forwarding purposes only +# +# The following lines are only needed if you want the mixed audio +# to be automatically forwarded via plain RTP to an external component +# (e.g., an ffmpeg script, or a gstreamer pipeline) for processing +# By default plain RTP is used, SRTP must be configured if needed +# rtp_forward_id = numeric RTP forwarder ID for referencing it via API (optional: random ID used if missing) +# rtp_forward_host = "" +# rtp_forward_host_family = "" +# rtp_forward_port = port to forward RTP packets of mixed audio to +# rtp_forward_ssrc = SSRC to use to use when streaming (optional: stream_id used if missing) +# rtp_forward_codec = opus (default), pcma (A-Law) or pcmu (mu-Law) +# rtp_forward_ptype = payload type to use when streaming (optional: only read for Opus, 100 used if missing) +# rtp_forward_group = group of participants to forward, if enabled in the room (optional: forwards full mix if missing) +# rtp_forward_srtp_suite = length of authentication tag (32 or 80) +# rtp_forward_srtp_crypto = "" +# rtp_forward_always_on = true|false, whether silence should be forwarded when the room is empty (optional: false used if missing) +#} + +general: { + #admin_key = "supersecret" # If set, rooms can be created via API only + # if this key is provided in the request + #lock_rtp_forward = true # Whether the admin_key above should be + # enforced for RTP forwarding requests too + #lock_play_file = true # Whether the admin_key above should be + # enforced for playing .opus files too + #record_tmp_ext = "tmp" # Optional temporary extension to add to filenames + # while recording: e.g., setting "tmp" would mean + # .wav --> .wav.tmp until the file is closed + #events = false # Whether events should be sent to event + # handlers (default=true) + + # By default, integers are used as a unique ID for both rooms and participants. + # In case you want to use strings instead (e.g., a UUID), set string_ids to true. + #string_ids = true + + # Normally, all AudioBridge participants will join by negotiating a WebRTC + # PeerConnection: the plugin also supports adding participants that will + # use plain RTP, though, be it for supporting legacy users (e.g., SIP + # participants who an orchestrator can add to the bridge) or more simply + # to temporarily inject external audio in a room from a live source. To + # support plain RTP, the plugin needs to have a range of ports it can bind + # to: notice this should be configured so that it doesn't conflict with other + # plugins (e.g., Streaming, SIP, NoSIP) and applications (e.g., Janus itself). + # The default if you don't specify anything is 10000-60000. + #rtp_port_range = "50000-60000" + # In case we need to support plain RTP participants, we'll also need to know + # what local IP address to bind to for media. If no address is set in the + # property below, then one will be automatically guessed from the system. + #local_ip = "1.2.3.4" + +} + +room-1234: { + description = "Demo Room" + secret = "adminpwd" + sampling_rate = 16000 + record = false + #record_dir = "/path/to/" + #record_file = "recording.wav" +} diff --git a/config/janus/janus.plugin.duktape.jcfg b/config/janus/janus.plugin.duktape.jcfg new file mode 100644 index 0000000..555bb98 --- /dev/null +++ b/config/janus/janus.plugin.duktape.jcfg @@ -0,0 +1,20 @@ +# The only things you configure in here are which JavaScipt file to load and, +# optionally, the paths to add for searching libraries and a configuration +# file, if the script will need it. For what concerns the libraries path, +# by default this configuration file adds a path to where the JS samples +# have been installed, as it contains a couple of helper libraries the +# samples use; should you be interested in adding more, just add other +# paths separated by a semicolon. Due to the syntax of the configuration +# file, make sure you escape all semicolons with a trailing slash, in case. +# The 'config' property is entirely script specific, instead: if your +# script will need to rely on an XML configuration file in its initialization, +# for instance, then set the 'config' property as the path to the file; +# it will be passed, as is, to your script in the init() call. None of +# the samples use this property, which is why it's commented out. + +general: { + path = "/usr/share/janus/duktape" + script = "/usr/share/janus/duktape/echotest.js" + #script = "/usr/share/janus/duktape/videoroom.js" + #config = "/path/to/configfile" +} diff --git a/config/janus/janus.plugin.echotest.jcfg b/config/janus/janus.plugin.echotest.jcfg new file mode 100644 index 0000000..cfc94d2 --- /dev/null +++ b/config/janus/janus.plugin.echotest.jcfg @@ -0,0 +1,5 @@ +# events = true|false, whether events should be sent to event handlers + +general: { + #events = false +} diff --git a/config/janus/janus.plugin.lua.jcfg b/config/janus/janus.plugin.lua.jcfg new file mode 100644 index 0000000..3438b51 --- /dev/null +++ b/config/janus/janus.plugin.lua.jcfg @@ -0,0 +1,20 @@ +# The only things you configure in here are which lua script to load and, +# optionally, the paths to add for searching libraries and a configuration +# file, if the script will need it. For what concerns the libraries path, +# by default this configuration file adds a path to where the Lua samples +# have been installed, as it contains a couple of helper libraries the +# samples use; should you be interested in adding more, just add other +# paths separated by a semicolon. Due to the syntax of the configuration +# file, make sure you escape all semicolons with a trailing slash, in case. +# The 'config' property is entirely script specific, instead: if your +# script will need to rely on an XML configuration file in its initialization, +# for instance, then set the 'config' property as the path to the file; +# it will be passed, as is, to your script in the init() call. None of +# the samples use this property, which is why it's commented out. + +general: { + path = "/usr/share/janus/lua" + script = "/usr/share/janus/lua/echotest.lua" + #script = "/usr/share/janus/lua/videoroom.lua" + #config = "/path/to/configfile" +} diff --git a/config/janus/janus.plugin.nosip.jcfg b/config/janus/janus.plugin.nosip.jcfg new file mode 100644 index 0000000..48073ef --- /dev/null +++ b/config/janus/janus.plugin.nosip.jcfg @@ -0,0 +1,23 @@ +general: { + # Specify which local IP address to bind to for media. + # If not set it will be automatically guessed from the system + #local_ip = "1.2.3.4" + + # Specify which (public) IP address to advertise in the SDP. + # If not set, the value above or anything autodetected will be used + #sdp_ip = "1.2.3.4" + + # Range of ports to use for RTP/RTCP (default=10000-60000) + rtp_port_range = "20000-40000" + + # Whether events should be sent to event handlers (default=true) + #events = false + + # If you need DSCP packet marking and prioritization, you can configure + # the 'dscp_audio_rtp' and/or 'dscp_video_rtp' property to specific values, + # and the plugin will set it on all outgoing audio/video RTP packets. + # No packet marking is done if this parameter is undefined or equal to 0 + #dscp_audio_rtp = 46 + #dscp_video_rtp = 26 + +} diff --git a/config/janus/janus.plugin.recordplay.jcfg b/config/janus/janus.plugin.recordplay.jcfg new file mode 100644 index 0000000..ca6bc76 --- /dev/null +++ b/config/janus/janus.plugin.recordplay.jcfg @@ -0,0 +1,7 @@ +# path = where to place recordings in the file system +# events = true|false, whether events should be sent to event handlers + +general: { + path = "/usr/share/janus/recordings" + #events = false +} diff --git a/config/janus/janus.plugin.sip.jcfg b/config/janus/janus.plugin.sip.jcfg new file mode 100644 index 0000000..06b9b4a --- /dev/null +++ b/config/janus/janus.plugin.sip.jcfg @@ -0,0 +1,55 @@ +general: { + # Specify which local IP address to bind to for SIP stack. + # If not set it will be automatically guessed from the system + #local_ip = "1.2.3.4" + + # Specify which local IP address to bind for the media stack. + # If not set it will be automatically set to the value of local_ip + #local_media_ip = "1.2.3.4" + + # Specify which (public) IP address to advertise in the SDP. + # If not set, the value above or anything autodetected will be used + #sdp_ip = "1.2.3.4" + + # Enable local keep-alives to keep the registration open. Keep-alives are + # sent in the form of OPTIONS requests, at the given interval inseconds. + # (0 to disable) + keepalive_interval = 120 + + # Indicate if the server is behind NAT. If so, the server will use STUN + # to guess its own public IP address and use it in the Contact header of + # outgoing requests + behind_nat = false + + # User-Agent string to be used + # user_agent = "Cool WebRTC Gateway" + + # Expiration time for registrations + register_ttl = 3600 + + # Range of ports to use for RTP/RTCP (default=10000-60000) + rtp_port_range = "20000-40000" + + # Whether events should be sent to event handlers (default=true) + #events = false + + # If you need DSCP packet marking and prioritization, you can configure + # the 'dscp_audio_rtp' and/or 'dscp_video_rtp' property to specific values, + # and the plugin will set it on all outgoing audio/video RTP packets. + # No packet marking is done if this parameter is undefined or equal to 0 + #dscp_audio_rtp = 46 + #dscp_video_rtp = 26 + + # In case you want to use SIPS for some sessions, Sofia may need to + # have access to a certificate to use: this is especially true for + # Sofia >= 1.13, which will fail to create the agent if no certificate + # is available. By default, Sofia looks for 'agent.pem' and 'cafile.pem' + # in the '$HOME/.sip/auth' folder, but you can specify a different + # one by uncommenting and setting the property below. + #sips_certs_dir = "/etc/sip/certs" + + # Set the T1x64 timeout value (in milliseconds) used by the SIP transaction + # engine (default 32000 milliseconds) + sip_timer_t1x64 = 32000 + +} diff --git a/config/janus/janus.plugin.streaming.jcfg b/config/janus/janus.plugin.streaming.jcfg new file mode 100644 index 0000000..e611b9c --- /dev/null +++ b/config/janus/janus.plugin.streaming.jcfg @@ -0,0 +1,323 @@ +# stream-name: { +# type = rtp|live|ondemand|rtsp +# rtp = stream originated by an external tool (e.g., gstreamer or +# ffmpeg) and sent to the plugin via RTP +# live = local file streamed live to multiple listeners +# (multiple listeners = same streaming context) +# ondemand = local file streamed on-demand to a single listener +# (multiple listeners = different streaming contexts) +# rtsp = stream originated by an external RTSP feed (only +# available if libcurl support was compiled) +# id = (if missing, a random one will be generated) +# description = This is my awesome stream +# metadata = An optional string that can contain any metadata (e.g., JSON) +# associated with the stream you want users to receive +# is_private = true|false (private streams don't appear when you do a 'list' +# request) +# secret = +# pin = +# filename = path to the local file to stream (only for live/ondemand) +# audio = true|false (do/don't stream audio) +# video = true|false (do/don't stream video) +# The following options are only valid for the 'rtp' type: +# data = true|false (do/don't stream text via datachannels) +# audioport = local port for receiving audio frames +# audiortcpport = local port, if any, for receiving and sending audio RTCP feedback +# audiomcast = multicast group port for receiving audio frames, if any +# audioiface = network interface or IP address to bind to, if any (binds to all otherwise) +# audiopt =