root/F7_HPB
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Выгрузка F7cloud_HPB

Browse Source
This commit is contained in:
root 2026-02-17 23:43:54 +00:00
parent 673cb90bd0
commit d5fcc37b8e
29 changed files with 2461 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
README.md
View File

@ -1,6 +1,16 @@
# HPB — Nextcloud Spreed Signaling (f7cloud) # HPB — Nextcloud Spreed Signaling (f7cloud)
Сервисы для стека Nextcloud Talk: signaling, Janus, NATS, coTURN. Сервисы и конфиги для стека Nextcloud Talk: signaling, Janus, NATS, coTURN.
## Структура репозитория
| Папка/файл | Назначение |
|------------|------------|
| **systemd/** | unit-файлы: signaling, janus, nats-server, coturn |
| **config/nats/** | Конфиг NATS (`nats-server.conf`) |
| **config/janus/** | Конфиги Janus (основной + плагины, транспорты) |
| **config/coturn/** | Пример конфига coTURN (`turnserver.conf.example`) |
| **server.conf.example** | Пример конфига signaling (в корне) |
## Сервисы ## Сервисы
@ -11,7 +21,9 @@
| **nats-server.service** | NATS — обмен сообщениями | | **nats-server.service** | NATS — обмен сообщениями |
| **coturn.service** | coTURN — STUN/TURN для WebRTC | | **coturn.service** | coTURN — STUN/TURN для WebRTC |
## Установка unit-файлов ## Установка
### 1. Unit-файлы systemd
```bash ```bash
sudo cp systemd/*.service /etc/systemd/system/ sudo cp systemd/*.service /etc/systemd/system/
@ -20,14 +32,16 @@ sudo systemctl enable signaling janus nats-server coturn
sudo systemctl start signaling janus nats-server coturn sudo systemctl start signaling janus nats-server coturn
``` ```
## Конфигурация ### 2. Конфиги приложений
- `server.conf` — конфиг signaling (создаётся вручную, в репозиторий не входит из соображений безопасности). - **NATS**: `sudo cp config/nats/nats-server.conf /etc/nats-server.conf`
- Пример структуры конфига: см. `server.conf.example` (заполните секреты на сервере). - **Janus**: `sudo cp -r config/janus/* /etc/janus/` (перед этим замените `admin_secret` в `janus.jcfg` при необходимости)
- **coTURN**: скопируйте `config/coturn/turnserver.conf.example` в `/etc/turnserver.conf`, подставьте свои IP, realm и секреты
- **Signaling**: скопируйте `server.conf.example` в `server.conf` в каталоге развёртывания, заполните секреты
## Зависимости конфигов ## Пути конфигов на сервере
- **signaling**: `/etc/f7cloud-spreed-signaling/server.conf` - **signaling**: `/etc/f7cloud-spreed-signaling/server.conf`
- **nats-server**: `/etc/nats-server.conf` - **nats-server**: `/etc/nats-server.conf`
- **coturn**: `/etc/turnserver.conf` - **coturn**: `/etc/turnserver.conf`
- **janus**: конфиг по умолчанию (часто `/etc/janus/janus.jcfg`) - **janus**: `/etc/janus/` (главный файл `janus.jcfg`)

774
config/coturn/turnserver.conf.example Normal file
View File

@ -0,0 +1,774 @@
# Coturn TURN SERVER configuration file
#
# Boolean values note: where a boolean value is supposed to be used,
# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
# If the value is missing, then it means 'true' by default.
#
# Listener interface device (optional, Linux only).
# NOT RECOMMENDED.
#
#listening-device=eth0
# TURN listener port for UDP and TCP (Default: 3478).
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
#listening-port=3478
# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
# port(s), too - if allowed by configuration. The TURN server
# "automatically" recognizes the type of traffic. Actually, two listening
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
# For secure TCP connections, Coturn currently supports
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, Coturn supports DTLS version 1.
#
tls-listening-port=5349
# PORT-EDIT (5349)
# Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one".
# This is needed for RFC 5780 support
# (STUN extension specs, NAT behavior discovery). The TURN Server
# supports RFC 5780 only if it is started with more than one
# listening IP address of the same family (IPv4 or IPv6).
# RFC 5780 is supported only by UDP protocol, other protocols
# are listening to that endpoint only for "symmetry".
#
#alt-listening-port=0
# Alternative listening port for TLS and DTLS protocols.
# Default (or zero) value means "TLS listening port plus one".
#
#alt-tls-listening-port=0
# Some network setups will require using a TCP reverse proxy in front
# of the STUN server. If the proxy port option is set a single listener
# is started on the given port that accepts connections using the
# haproxy proxy protocol v2.
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
#
#tcp-proxy-port=5555
# Listener IP address of relay server. Multiple listeners can be specified.
# If no IP(s) specified in the config file or in the command line options,
# then all IPv4 and IPv6 system IPs will be used for listening.
#
#listening-ip=172.17.19.101
#listening-ip=10.207.21.238
#listening-ip=2607:f0d0:1002:51::4
# Укажите IP интерфейсов для приёма (localhost и публичный IP сервера)
listening-ip=127.0.0.1
listening-ip=::1
#listening-ip=YOUR_PUBLIC_IP
# Auxiliary STUN/TURN server listening endpoint.
# Aux servers have almost full TURN and STUN functionality.
# The (minor) limitations are:
#
# 1) Auxiliary servers do not have alternative ports and
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
#
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
#
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
#
# There may be multiple aux-server options, each will be used for listening
# to client requests.
#
#aux-server=172.17.19.110:33478
#aux-server=[2607:f0d0:1002:51::4]:33478
# (recommended for older Linuxes only)
# Automatically balance UDP traffic over auxiliary servers (if configured).
# The load balancing is using the ALTERNATE-SERVER mechanism.
# The TURN client must support 300 ALTERNATE-SERVER response for this
# functionality.
#
#udp-self-balance
# Relay interface device for relay sockets (optional, Linux only).
# NOT RECOMMENDED.
#
#relay-device=eth1
# Relay address (the local IP address that will be used to relay the
# packets to the peer).
# Multiple relay addresses may be used.
# The same IP(s) can be used as both listening IP(s) and relay IP(s).
#
# If no relay IP(s) specified, then the turnserver will apply the default
# policy: it will decide itself which relay addresses to be used, and it
# will always be using the client socket IP address as the relay IP address
# of the TURN session (if the requested relay address family is the same
# as the family of the client socket).
#
#relay-ip=172.17.19.105
#relay-ip=2607:f0d0:1002:51::5
# Укажите публичный IP для relay
relay-ip=YOUR_PUBLIC_IP
# For Amazon EC2 users:
#
# TURN Server public/private address mapping, if the server is behind NAT.
# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
# as relay IP address of all allocations. This scenario works only in a simple case
# when one single relay address is be used, and no RFC5780 functionality is required.
# That single relay address must be mapped by NAT to the 'external' IP.
# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
# For that 'external' IP, NAT must forward ports directly (relayed port 12345
# must be always mapped to the same 'external' port 12345).
#
# In more complex case when more than one IP address is involved,
# that option must be used several times, each entry must
# have form "-X <public-ip/private-ip>", to map all involved addresses.
# RFC5780 NAT discovery STUN functionality will work correctly,
# if the addresses are mapped properly, even when the TURN server itself
# is behind A NAT.
#
# By default, this value is empty, and no address mapping is used.
#
#external-ip=60.70.80.91
#
#OR:
#
#external-ip=60.70.80.91/172.17.19.101
#external-ip=60.70.80.92/172.17.19.102
# Number of the relay threads to handle the established connections
# (in addition to authentication thread and the listener thread).
# If explicitly set to 0 then application runs relay process in a
# single thread, in the same thread with the listener process
# (the authentication thread will still be a separate thread).
#
# If this parameter is not set, then the default OS-dependent
# thread pattern algorithm will be employed. Usually the default
# algorithm is optimal, so you have to change this option
# if you want to make some fine tweaks.
#
# In the older systems (Linux kernel before 3.9),
# the number of UDP threads is always one thread per network listening
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
# 1 (one) value is set.
#
#relay-threads=0
# Lower and upper bounds of the UDP relay endpoints:
# (default values are 49152 and 65535)
#
min-port=49152
max-port=65535
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
# By default the verbose mode is off.
verbose
# Uncomment to run TURN server in 'extra' verbose mode.
# This mode is very annoying and produces lots of output.
# Not recommended under normal circumstances.
#
#Verbose
# Uncomment to use fingerprints in the TURN messages.
# By default the fingerprints are off.
#
fingerprint
# Uncomment to use long-term credential mechanism.
# By default no credentials mechanism is used (any user allowed).
#
#lt-cred-mech
# This option is the opposite of lt-cred-mech.
# (TURN Server with no-auth option allows anonymous access).
# If neither option is defined, and no users are defined,
# then no-auth is default. If at least one user is defined,
# in this file, in command line or in usersdb file, then
# lt-cred-mech is default.
#
#no-auth
# Enable prometheus exporter
# If enabled the turnserver will expose an endpoint with stats on a prometheus format
# this endpoint is listening on a different port to not conflict with other configurations.
#
# You can simply run the turnserver and access the port 9641 and path /metrics
#
# For mor info on the prometheus exporter and metrics
# https://prometheus.io/docs/introduction/overview/
# https://prometheus.io/docs/concepts/data_model/
#
#prometheus
# TURN REST API flag.
# (Time Limited Long Term Credential)
# Flag that sets a special authorization option that is based upon authentication secret.
#
# This feature's purpose is to support "TURN Server REST API", see
# "TURN REST API" link in the project's page
# https://github.com/coturn/coturn/
#
# This option is used with timestamp:
#
# usercombo -> "timestamp:userid"
# turn user -> usercombo
# turn password -> base64(hmac(secret key, usercombo))
#
# This allows TURN credentials to be accounted for a specific user id.
# If you don't have a suitable id, then the timestamp alone can be used.
# This option is enabled by turning on secret-based authentication.
# The actual value of the secret is defined either by the option static-auth-secret,
# or can be found in the turn_secret table in the database (see below).
#
# Read more about it:
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
#
# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
# this option then it automatically enables lt-cred-mech internally
# as if you had enabled both.
#
# Note that you can use only one auth mechanism at the same time! This is because,
# both mechanisms conduct username and password validation in different ways.
#
# Use either lt-cred-mech or use-auth-secret in the conf
# to avoid any confusion.
#
use-auth-secret
# 'Static' authentication secret value (a string) for TURN REST API only.
# If not set, then the turn server
# will try to use the 'dynamic' value in the turn_secret table
# in the user database (if present). The database-stored value can be changed on-the-fly
# by a separate program, so this is why that mode is considered 'dynamic'.
#
# Секрет для TURN REST API (должен совпадать с signaling server.conf [turn] secret)
static-auth-secret=YOUR_TURN_STATIC_AUTH_SECRET
# Server name used for
# the oAuth authentication purposes.
# The default value is the realm name.
#
#server-name=blackdow.carleon.gov
# Flag that allows oAuth authentication.
#
#oauth
# 'Static' user accounts for the long term credentials mechanism, only.
# This option cannot be used with TURN REST API.
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
# so they can NOT be changed while the turnserver is running.
#
#user=username1:key1
#user=username2:key2
# OR:
#user=username1:password1
#user=username2:password2
#
# Keys must be generated by turnadmin utility. The key value depends
# on user name, realm, and password:
#
# Example:
# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
# ('0x' in the beginning of the key is what differentiates the key from
# password. If it has 0x then it is a key, otherwise it is a password).
#
# The corresponding user account entry in the config file will be:
#
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
# Or, equivalently, with open clear password (less secure):
#user=ninefingers:youhavetoberealistic
#
# SQLite database file name.
#
# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
# /var/lib/turn/turndb.
#
#userdb=/var/db/turndb
# PostgreSQL database connection string in the case that you are using PostgreSQL
# as the user database.
# This database can be used for the long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
# versions connection string format, see
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
# for 9.x and newer connection string formats.
#
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
# MySQL database connection string in the case that you are using MySQL
# as the user database.
# This database can be used for the long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
#
# Optional connection string parameters for the secure communications (SSL):
# ca, capath, cert, key, cipher
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
# command options description).
#
# Use the string format below (space separated parameters, all optional):
#
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
# If you want to use an encrypted password in the MySQL connection string,
# then set the MySQL password encryption secret key file with this option.
#
# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
# If you want to use a cleartext password then do not set this option!
#
# This is the file path for the aes encrypted secret key used for password encryption.
#
#secret-key-file=/path/
# MongoDB database connection string in the case that you are using MongoDB
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
#
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
# Redis database connection string in the case that you are using Redis
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# Use the string format below (space separated parameters, all optional):
#
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
# This database keeps allocations status information, and it can be also used for publishing
# and delivering traffic and allocation event notifications.
# The connection string has the same parameters as redis-userdb connection string.
# Use the string format below (space separated parameters, all optional):
#
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# The default realm to be used for the users when no explicit
# origin/realm relationship is found in the database, or if the TURN
# server is not using any database (just the commands-line settings
# and the userdb file). Must be used with long-term credentials
# mechanism or with TURN REST API.
#
# Note: If the default realm is not specified, then realm falls back to the host domain name.
# If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
#
realm=YOUR_DOMAIN
# This flag sets the origin consistency
# check. Across the session, all requests must have the same
# main ORIGIN attribute value (if the ORIGIN was
# initially used by the session).
#
#check-origin-consistency
# Per-user allocation quota.
# default value is 0 (no quota, unlimited number of sessions per user).
# This option can also be set through the database, for a particular realm.
#
#user-quota=0
# Total allocation quota.
# default value is 0 (no quota).
# This option can also be set through the database, for a particular realm.
#
#total-quota=0
# Max bytes-per-second bandwidth a TURN session is allowed to handle
# (input and output network streams are treated separately). Anything above
# that limit will be dropped or temporarily suppressed (within
# the available buffer limits).
# This option can also be set through the database, for a particular realm.
#
#max-bps=0
#
# Maximum server capacity.
# Total bytes-per-second bandwidth the TURN server is allowed to allocate
# for the sessions, combined (input and output network streams are treated separately).
#
# bps-capacity=0
# Uncomment if no UDP client listener is desired.
# By default UDP client listener is always started.
#
#no-udp
# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
#no-tcp
# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
#no-tls
# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
#no-dtls
# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766).
#
#no-udp-relay
# Uncomment if no TCP relay endpoints are allowed.
# By default TCP relay endpoints are enabled (like in RFC 6062).
#
#no-tcp-relay
# Uncomment if extra security is desired,
# with nonce value having a limited lifetime.
# The nonce value is unique for a session.
# Set this option to limit the nonce lifetime.
# Set it to 0 for unlimited lifetime.
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
# the client will get 438 error and will have to re-authenticate itself.
#
#stale-nonce=600
# Uncomment if you want to set the maximum allocation
# time before it has to be refreshed.
# Default is 3600s.
#
#max-allocate-lifetime=3600
# Uncomment to set the lifetime for the channel.
# Default value is 600 secs (10 minutes).
# This value MUST not be changed for production purposes.
#
#channel-lifetime=600
# Uncomment to set the permission lifetime.
# Default to 300 secs (5 minutes).
# In production this value MUST not be changed,
# however it can be useful for test purposes.
#
#permission-lifetime=300
# Certificate file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
cert=/etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
# Private key file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
pkey=/etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
# Private key file password, if it is in encoded format.
# This option has no default value.
#
#pkey-pwd=...
# Allowed OpenSSL cipher list for TLS/DTLS connections.
# Default value is "DEFAULT".
#
#cipher-list="DEFAULT"
# CA file in OpenSSL format.
# Forces TURN server to verify the client SSL certificates.
# By default this is not set: there is no default value and the client
# certificate is not checked.
#
# Example:
#CA-file=/etc/ssh/id_rsa.cert
# Curve name for EC ciphers, if supported by OpenSSL
# library (TLS and DTLS). The default value is prime256v1,
# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
# an optimal curve will be automatically calculated, if not defined
# by this option.
#
#ec-curve-name=prime256v1
# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
#
#dh566
# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
#
#dh1066
# Use custom DH TLS key, stored in PEM format in the file.
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
#
dh-file=/etc/certs/dhp/dhp.pem
# Flag to prevent stdout log messages.
# By default, all log messages go to both stdout and to
# the configured log file. With this option everything will
# go to the configured log only (unless the log file itself is stdout).
#
#no-stdout-log
# Option to set the log file name.
# By default, the turnserver tries to open a log file in
# /var/log, /var/tmp, /tmp and the current directory
# (Whichever file open operation succeeds first will be used).
# With this option you can set the definite log file name.
# The special names are "stdout" and "-" - they will force everything
# to the stdout. Also, the "syslog" name will force everything to
# the system log (syslog).
# In the runtime, the logfile can be reset with the SIGHUP signal
# to the turnserver process.
#
log-file=/var/tmp/turnserver.log
# Option to redirect all log output into system log (syslog).
#
#syslog
# This flag means that no log file rollover will be used, and the log file
# name will be constructed as-is, without PID and date appendage.
# This option can be used, for example, together with the logrotate tool.
#
#simple-log
# Enable full ISO-8601 timestamp in all logs.
#new-log-timestamp
# Set timestamp format (in strftime(1) format)
#new-log-timestamp-format "%FT%T%z"
# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
# Enable binding logging and UDP endpoint logs in verbose log mode.
#log-binding
# Option to set the "redirection" mode. The value of this option
# will be the address of the alternate server for UDP & TCP service in the form of
# <ip>[:<port>]. The server will send this value in the attribute
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
# Client will receive only values with the same address family
# as the client network endpoint address family.
# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
# The client must use the obtained value for subsequent TURN communications.
# If more than one --alternate-server option is provided, then the functionality
# can be more accurately described as "load-balancing" than a mere "redirection".
# If the port number is omitted, then the default port
# number 3478 for the UDP/TCP protocols will be used.
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
# in square brackets in such resource identifiers, for example:
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
# Multiple alternate servers can be set. They will be used in the
# round-robin manner. All servers in the pool are considered of equal weight and
# the load will be distributed equally. For example, if you have 4 alternate servers,
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
# address can be used more than one time with the alternate-server option, so this
# can emulate "weighting" of the servers.
#
# Examples:
#alternate-server=1.2.3.4:5678
#alternate-server=11.22.33.44:56789
#alternate-server=5.6.7.8
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
# Option to set alternative server for TLS & DTLS services in form of
# <ip>:<port>. If the port number is omitted, then the default port
# number 5349 for the TLS/DTLS protocols will be used. See the previous
# option for the functionality description.
#
# Examples:
#tls-alternate-server=1.2.3.4:5678
#tls-alternate-server=11.22.33.44:56789
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
# Option to suppress TURN functionality, only STUN requests will be processed.
# Run as STUN server only, all TURN requests will be ignored.
# By default, this option is NOT set.
#
#stun-only
# Option to hide software version. Enhance security when used in production.
# Revealing the specific software version of the agent through the
# SOFTWARE attribute might allow them to become more vulnerable to
# attacks against software that is known to contain security holes.
# Implementers SHOULD make usage of the SOFTWARE attribute a
# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
#
#no-software-attribute
# Option to suppress STUN functionality, only TURN requests will be processed.
# Run as TURN server only, all STUN requests will be ignored.
# By default, this option is NOT set.
#
#no-stun
# This is the timestamp/username separator symbol (character) in TURN REST API.
# The default value is ':'.
# rest-api-separator=:
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure.
#
# (To avoid any security issue that allowing loopback access may raise,
# the no-loopback-peers option is replaced by allow-loopback-peers.)
#
# Allow it only for testing in a development environment!
# In production it adds a possible security vulnerability, so for security reasons
# it is not allowed using it together with empty cli-password.
#
#allow-loopback-peers
# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
# This is an extra security measure.
#
no-multicast-peers
# Option to set the max time, in seconds, allowed for full allocation establishment.
# Default is 60 seconds.
#
#max-allocate-timeout=60
# Option to allow or ban specific ip addresses or ranges of ip addresses.
# If an ip address is specified as both allowed and denied, then the ip address is
# considered to be allowed. This is useful when you wish to ban a range of ip
# addresses, except for a few specific ips within that range.
#
# This can be used when you do not want users of the turn server to be able to access
# machines reachable by the turn server, but would otherwise be unreachable from the
# internet (e.g. when the turn server is sitting behind a NAT)
#
# Examples:
# denied-peer-ip=83.166.64.0-83.166.95.255
# allowed-peer-ip=83.166.68.45
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=::ffff:0:0-::ffff:ffff:ffff
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=64:ff9b:1::-64:ff9b:1:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2001:db8::-2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# File name to store the pid of the process.
# Default is /var/run/turnserver.pid (if superuser account is used) or
# /var/tmp/turnserver.pid .
#
#pidfile="/var/run/turnserver.pid"
# Require authentication of the STUN Binding request.
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
#
#secure-stun
# Mobility with ICE (MICE) specs support.
#
#mobility
# Allocate Address Family according
# If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family.
# (By default Coturn works according RFC 6156.)
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
#
keep-address-family
# User name to run the process. After the initialization, the turnserver process
# will attempt to change the current user ID to that user.
#
#proc-user=<user-name>
# Group name to run the process. After the initialization, the turnserver process
# will attempt to change the current group ID to that group.
#
#proc-group=<group-name>
# Turn OFF the CLI support.
# By default it is always ON.
# See also options cli-ip and cli-port.
#
no-cli
#Local system IP address to be used for CLI server endpoint. Default value
# is 127.0.0.1.
#
#cli-ip=127.0.0.1
# CLI server port. Default is 5766.
#
#cli-port=5766
# CLI access password. Default is empty (no password).
# For the security reasons, it is recommended that you use the encrypted
# form of the password (see the -P command in the turnadmin utility).
#
# Secure form for password 'qwerty':
#
#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
#
# Or unsecure form for the same password:
#
#cli-password=qwerty
# Enable Web-admin support on https. By default it is Disabled.
# If it is enabled it also enables a http a simple static banner page
# with a small reminder that the admin page is available only on https.
#
#web-admin
# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
#
#web-admin-ip=127.0.0.1
# Web-admin server port. Default is 8080.
#
#web-admin-port=8080
# Web-admin server listen on STUN/TURN worker threads
# By default it is disabled for security resons! (Not recommended in any production environment!)
#
#web-admin-listen-on-workers
#acme-redirect=http://redirectserver/.well-known/acme-challenge/
# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
# Default is '', i.e. no special handling for such requests.
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when you want to run
# server applications on the relay endpoints.
# This option eliminates the IP permissions check on
# the packets incoming to the relay endpoints.
#
#server-relay
# Maximum number of output sessions in ps CLI command.
# This value can be changed on-the-fly in CLI. The default value is 256.
#
#cli-max-output-sessions
# Set network engine type for the process (for internal purposes).
#
#ne=[1|2|3]
# Do not allow an TLS/DTLS version of protocol
#
no-tlsv1
no-tlsv1_1
#no-tlsv1_2

21
config/janus/janus.eventhandler.gelfevh.jcfg Normal file
View File

@ -0,0 +1,21 @@
# This configures the GELF event handler. Appending necessary headers
# and sending messages via TCP or UDP
general: {
enabled = false # By default the module is not enabled
events = "all"
# Comma separated list of the events mask you're interested
# in. Valid values are none, sessions, handles, jsep, webrtc,
# media, plugins, transports, core, external and all. By
# default we subscribe to everything (all)
backend = "your.graylog.server" # DNS or IP of your Graylog server
port = "12201" # Port Graylog server is listening on
protocol = "tcp" # tcp or udp transport type
max_message_len = 1024 # Note that we add 12 bytes of headers + standard UDP headers (8 bytes)
# when calculating packet size based on MTU
#compress = true # Optionally, only for UDP transport, JSON messages can be compressed using zlib
#compression = 9 # In case, you can specify the compression factor, where 1 is
# the fastest (low compression), and 9 gives the best compression
}

57
config/janus/janus.eventhandler.mqttevh.jcfg Normal file
View File

@ -0,0 +1,57 @@
# This configures the MQTT event handler. Events are sent either on
# one topic or on a topic per event type.
#
# By default, configuration topics for handle and webrtc event types
# with the base topic are configured to /janus/events, e.g.:
# /janus/events/handle
# /janus/events/webrtc
general: {
enabled = false # By default the module is not enabled
events = "all" # Comma separated list of the events mask you're interested
# in. Valid values are none, sessions, handles, jsep, webrtc,
# media, plugins, transports, core, external and all. By
# default we subscribe to everything (all)
json = "indented" # Whether the JSON messages should be indented (default),
# plain (no indentation) or compact (no indentation and no spaces)
url = "tcp://localhost:1883" # The URL of the MQTT server. "tcp://" and "ssl://" protocols are supported.
#mqtt_version = "3.1.1" # Protocol version. Available values: 3.1, 3.1.1 (default), 5.
client_id = "janus.example.com" # Janus client id. You have to configure a unique ID (default: guest).
#keep_alive_interval = 20 # Keep connection for N seconds (default: 30)
#cleansession = 0 # Clean session flag (default: off)
#retain = 0 # Default MQTT retain flag for published events
#qos = 1 # Default MQTT QoS for published events
#max_inflight = 10 # Maximum number of inflight messages
#max_buffered = 100 # Maximum number of buffered messages
#disconnect_timeout = 100 # Seconds to wait before destroying client
#username = "guest" # Username for authentication (default: no authentication)
#password = "guest" # Password for authentication (default: no authentication)
#topic = "/janus/events" # Base topic (default: /janus/events)
#addevent = true # Whether we should add the event type to the base topic
#tls_enable = false # Whether TLS support must be enabled
# Initial message sent to status topic
#connect_status = "{\"event\": \"connected\", \"eventhandler\": \"janus.eventhandler.mqttevh\"}"
# Message sent after disconnect or as LWT
#disconnect_status = "{\"event\": \"disconnected\"}"
#will_enabled = false # Whether to enable LWT (default: false)
#will_retain = 1 # Whether LWT should be retained (default: 1)
#will_qos = 0 # QoS for LWT (default: 0)
# Additional parameters if "mqtts://" schema is used
#tls_verify_peer = true # Whether peer verification must be enabled
#tls_verify_hostname = true # Whether hostname verification must be enabled
# Certificates to use when TLS support is enabled, if needed
#tls_cacert = "/path/to/cacert.pem"
tls_client_cert = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
tls_client_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
#tls_ciphers
#tls_version
# These options work with MQTT 5 only.
#add_user_properties = () # List of user property ["key", "value"] pairs to add.
}

30
config/janus/janus.eventhandler.nanomsgevh.jcfg Normal file
View File

@ -0,0 +1,30 @@
# This configures the Nanomsg event handler. Since this plugin only
# forwards each event it receives via Nanomsg, you simply need to
# configure (i) which events to subscribe to, (ii) the address to use for
# the communication, and (iii) whether the address should be used to bind
# locally or to connect to a remote endpoint. Notice that the only supported
# pattern is NN_PUBSUB, where the Nanomsg event handler is the publisher.
general: {
enabled = false # By default the module is not enabled
events = "all" # Comma separated list of the events mask you're interested
# in. Valid values are none, sessions, handles, jsep, webrtc,
# media, plugins, transports, core, external and all. By
# default we subscribe to everything (all)
grouping = true # Whether events should be sent individually (one per
# HTTP POST, JSON object), or if it's ok to group them
# (one or more per HTTP POST, JSON array with objects)
# The default is 'yes' to limit the number of connections.
# Address the plugin will send all events to as HTTP POST
# requests with an application/json payload. In case
# authentication is required to contact the backend, set
# the credentials as well (basic authentication only).
json = "indented" # Whether the JSON messages should be indented (default),
# plain (no indentation) or compact (no indentation and no spaces)
#mode = "bind" # Whether we should 'bind' to the specified
# address, or connect to it if remote (default)
address = "ipc:///tmp/janusevh.ipc" # Address to use, refer to the Nanomsg documentation
# for more info on different transports you can use here
}

34
config/janus/janus.eventhandler.rabbitmqevh.jcfg Normal file
View File

@ -0,0 +1,34 @@
# This configures the RabbitMQ event handler.
general: {
enabled = false # By default the module is not enabled
events = "all" # Comma separated list of the events mask you're interested
# in. Valid values are none, sessions, handles, jsep, webrtc,
# media, plugins, transports, core, external and all. By
# default we subscribe to everything (all)
grouping = true # Whether events should be sent individually , or if it's ok
# to group them. The default is 'yes' to limit the number of
# messages
json = "indented" # Whether the JSON messages should be indented (default),
# plain (no indentation) or compact (no indentation and no spaces)
host = "localhost" # The address of the RabbitMQ server
#port = 5672 # The port of the RabbitMQ server (5672 by default)
#username = "guest" # Username to use to authenticate, if needed
#password = "guest" # Password to use to authenticate, if needed
#vhost = "/" # Virtual host to specify when logging in, if needed
#exchange = "janus-exchange"
route_key = "janus-events" # Routing key to use when publishing messages
#exchange_type = "fanout" # Rabbitmq exchange_type can be one of the available types: direct, topic, headers and fanout (fanout by defualt).
#heartbeat = 60 # Defines the seconds without communication that should pass before considering the TCP connection unreachable.
#declare_outgoing_queue = true # By default (for backwards compatibility), we declare an outgoing queue. Set this to false to disable that behavior
#ssl_enable = false # Whether ssl support must be enabled
#ssl_verify_peer = true # Whether peer verification must be enabled
#ssl_verify_hostname = true # Whether hostname verification must be enabled
# Certificates to use when SSL support is enabled, if needed
#ssl_cacert = "/path/to/cacert.pem"
ssl_cert = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ssl_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
}

44
config/janus/janus.eventhandler.sampleevh.jcfg Normal file
View File

@ -0,0 +1,44 @@
# This configures the sample event handler. Since this plugin simply
# forwards each event it receives via HTTP POST, you simply need to
# configure (i) which events to subscribe to, and (ii) the address of
# the web server which will receive the requests.
general: {
enabled = false # By default the module is not enabled
events = "all" # Comma separated list of the events mask you're interested
# in. Valid values are none, sessions, handles, jsep, webrtc,
# media, plugins, transports, core, external and all. By
# default we subscribe to everything (all)
grouping = true # Whether events should be sent individually (one per
# HTTP POST, JSON object), or if it's ok to group them
# (one or more per HTTP POST, JSON array with objects)
# The default is 'yes' to limit the number of connections.
json = "indented" # Whether the JSON messages should be indented (default),
# plain (no indentation) or compact (no indentation and no spaces)
#compress = true # Optionally, the JSON messages can be compressed using zlib
#compression = 9 # In case, you can specify the compression factor, where 1 is
# the fastest (low compression), and 9 gives the best compression
# Address the plugin will send all events to as HTTP POST
# requests with an application/json payload. In case
# authentication is required to contact the backend, set
# the credentials as well (basic authentication only).
backend = "http://your.webserver.here/and/a/path"
#backend_user = "myuser"
#backend_pwd = "mypwd"
# You can also configure how retransmissions should
# happen, after a failed attempt to deliver an event.
# Specifically, you can specify how many times a
# retransmission should be attempted (default=5) and
# which step is used, in milliseconds, for the exponential
# backoff before retrying (e.g, if step=100ms, then the
# the first retry will happen after 100ms, the second
# after 200ms, then 400ms, and so on). If the event cannot
# be retransmitted after the maximum number of attemps
# is reached, then it's lost. Beware that retransmissions
# will also delay pending events and increase the queue.
#max_retransmissions = 5
#retransmissions_backoff = 100
}

31
config/janus/janus.eventhandler.wsevh.jcfg Normal file
View File

@ -0,0 +1,31 @@
# This configures the WebSockets event handler. Since this plugin only
# forwards each event it receives via WebSockets, you simply need to
# configure (i) which events to subscribe to, and (ii) the address of
# the WebSockets server which will receive the requests.
general: {
enabled = false # By default the module is not enabled
events = "all" # Comma separated list of the events mask you're interested
# in. Valid values are none, sessions, handles, jsep, webrtc,
# media, plugins, transports, core, external and all. By
# default we subscribe to everything (all)
grouping = true # Whether events should be sent individually (one per
# HTTP POST, JSON object), or if it's ok to group them
# (one or more per HTTP POST, JSON array with objects)
# The default is 'yes' to limit the number of connections.
json = "indented" # Whether the JSON messages should be indented (default),
# plain (no indentation) or compact (no indentation and no spaces)
# Address the plugin will send all events to as WebSocket
# messages. In case authentication is required to contact
# the backend, set the credentials as well.
backend = "ws://your.websocket.here"
# subprotocol = "your-subprotocol"
# In case you need to debug connection issues, you can configure
# the libwebsockets debugging level as a comma separated list of things
# to debug, supported values: err, warn, notice, info, debug, parser,
# header, ext, client, latency, user, count (plus 'none' and 'all')
#ws_logging = "err,warn"
}

437
config/janus/janus.jcfg Normal file
View File

@ -0,0 +1,437 @@
# General configuration: folders where the configuration and the plugins
# can be found, how output should be logged, whether Janus should run as
# a daemon or in foreground, default interface to use, debug/logging level
# and, if needed, shared apisecret and/or token authentication mechanism
# between application(s) and Janus.
general: {
configs_folder = "/etc/janus" # Configuration files folder
plugins_folder = "/usr/lib/x86_64-linux-gnu/janus/plugins" # Plugins folder
transports_folder = "/usr/lib/x86_64-linux-gnu/janus/transports" # Transports folder
events_folder = "/usr/lib/x86_64-linux-gnu/janus/events" # Event handlers folder
loggers_folder = "/usr/lib/x86_64-linux-gnu/janus/loggers" # External loggers folder
# The next settings configure logging
#log_to_stdout = false # Whether the Janus output should be written
# to stdout or not (default=true)
log_to_file = "/var/log/janus.log" # Whether to use a log file or not
debug_level = 4 # Debug/logging level, valid values are 0-7
debug_timestamps = true # Whether to show a timestamp for each log line
#debug_colors = false # Whether colors should be disabled in the log
#debug_locks = true # Whether to enable debugging of locks (very verbose!)
#log_prefix = "[janus] " # In case you want log lines to be prefixed by some
# custom text, you can use the 'log_prefix' property.
# It supports terminal colors, meaning something like
# "[\x1b[32mjanus\x1b[0m] " would show a green "janus"
# string in square brackets (assuming debug_colors=true).
# This is what you configure if you want to launch Janus as a daemon
#daemonize = true # Whether Janus should run as a daemon
# or not (default=run in foreground)
#pid_file = "/path/to/janus.pid" # PID file to create when Janus has been
# started, and to destroy at shutdown
# There are different ways you can authenticate the Janus and Admin APIs
#api_secret = "janusrocks" # String that all Janus requests must contain
# to be accepted/authorized by the Janus core.
# Useful if you're wrapping all Janus API requests
# in your servers (that is, not in the browser,
# where you do the things your way) and you
# don't want other application to mess with
# this Janus instance.
#token_auth = true # Enable a token based authentication
# mechanism to force users to always provide
# a valid token in all requests. Useful if
# you want to authenticate requests from web
# users.
#token_auth_secret = "janus" # Use HMAC-SHA1 signed tokens (with token_auth). Note that
# without this, the Admin API MUST
# be enabled, as tokens are added and removed
# through messages sent there.
admin_secret = "CHANGE_ME" # String that all Janus requests must contain
# to be accepted/authorized by the admin/monitor.
# only needed if you enabled the admin API
# in any of the available transports.
# Generic settings
#interface = "1.2.3.4" # Interface to use (will be used in SDP)
#server_name = "MyJanusInstance"# Public name of this Janus instance
# as it will appear in an info request
#session_timeout = 60 # How long (in seconds) we should wait before
# deciding a Janus session has timed out. A
# session times out when no request is received
# for session_timeout seconds (default=60s).
# Setting this to 0 will disable the timeout
# mechanism, which is NOT suggested as it may
# risk having orphaned sessions (sessions not
# controlled by any transport and never freed).
# To avoid timeouts, keep-alives can be used.
#candidates_timeout = 45 # How long (in seconds) we should keep hold of
# pending (trickle) candidates before discarding
# them (default=45s). Notice that setting this
# to 0 will NOT disable the timeout, but will
# be considered an invalid value and ignored.
#reclaim_session_timeout = 0 # How long (in seconds) we should wait for a
# janus session to be reclaimed after the transport
# is gone. After the transport is gone, a session
# times out when no request is received for
# reclaim_session_timeout seconds (default=0s).
# Setting this to 0 will disable the timeout
# mechanism, and sessions will be destroyed immediately
# if the transport is gone.
#recordings_tmp_ext = "tmp" # The extension for recordings, in Janus, is
# .mjr, a custom format we devised ourselves.
# By default, we save to .mjr directly. If you'd
# rather the recording filename have a temporary
# extension while it's being saved, and only
# have the .mjr extension when the recording
# is over (e.g., to automatically trigger some
# external scripts), then uncomment and set the
# recordings_tmp_ext property to the extension
# to add to the base (e.g., tmp --> .mjr.tmp).
#event_loops = 8 # By default, Janus handles each have their own
# event loop and related thread for all the media
# routing and management. If for some reason you'd
# rather limit the number of loop/threads, and
# you want handles to share those, you can do that
# configuring the event_loops property: this will
# spawn the specified amount of threads at startup,
# run a separate event loop on each of them, and
# add new handles to one of them when attaching.
# Notice that, while cutting the number of threads
# and possibly reducing context switching, this
# might have an impact on the media delivery,
# especially if the available loops can't take
# care of all the handles and their media in time.
# As such, if you want to use this you should
# provision the correct value according to the
# available resources (e.g., CPUs available).
#allow_loop_indication = true # In case a static number of event loops is
# configured as explained above, by default
# new handles will be allocated on one loop or
# another by the Janus core itself. In some cases
# it may be helpful to manually tell the Janus
# core which loop a handle should be added to,
# e.g., to group viewers of the same stream on
# the same loop. This is possible via the Janus
# API when performing the 'attach' request, but
# only if allow_loop_indication is set to true;
# it's set to false by default to avoid abuses.
# Don't change if you don't know what you're doing!
#opaqueid_in_api = true # Opaque IDs set by applications are typically
# only passed to event handlers for correlation
# purposes, but not sent back to the user or
# application in the related Janus API responses
# or events; in case you need them to be in the
# Janus API too, set this property to 'true'.
#hide_dependencies = true # By default, a call to the "info" endpoint of
# either the Janus or Admin API now also returns
# the versions of the main dependencies (e.g.,
# libnice, libsrtp, which crypto library is in
# use and so on). Should you want that info not
# to be disclose, set 'hide_dependencies' to true.
#exit_on_dl_error = false # If a Janus shared libary cannot be loaded or an expected
# symbol is not found, exit immediately.
# The following is ONLY useful when debugging RTP/RTCP packets,
# e.g., to look at unencrypted live traffic with a browser. By
# default it is obviously disabled, as WebRTC mandates encryption.
#no_webrtc_encryption = true
# Janus provides ways via its API to specify custom paths to save
# files to (e.g., recordings, pcap captures and the like). In order
# to avoid people can mess with folders they're not supposed to,
# you can configure an array of folders that Janus should prevent
# creating files in. If the 'protected_folder' property below is
# commented, no folder is protected.
# Notice that at the moment this only covers attempts to start
# an .mjr recording and pcap/text2pcap packet captures.
protected_folders = [
"/bin",
"/boot",
"/dev",
"/etc",
"/initrd",
"/lib",
"/lib32",
"/lib64",
"/proc",
"/sbin",
"/sys",
"/usr",
"/var",
# We add what are usually the folders Janus is installed to
# as well: we don't just put "/opt/janus" because that would
# include folders like "/opt/janus/share" that is where
# recordings might be saved to by some plugins
"/opt/janus/bin",
"/opt/janus/etc",
"/opt/janus/include",
"/opt/janus/lib",
"/opt/janus/lib32",
"/opt/janus/lib64",
"/opt/janus/sbin"
]
}
# Certificate and key to use for DTLS (and passphrase if needed). If missing,
# Janus will autogenerate a self-signed certificate to use. Notice that
# self-signed certificates are fine for the purpose of WebRTC DTLS
# connectivity, for the time being, at least until Identity Providers
# are standardized and implemented in browsers. If for some reason you
# want to enforce the DTLS stack in Janus to enforce valid certificates
# from peers, though, you can do that setting 'dtls_accept_selfsigned' to
# 'false' below: DO NOT TOUCH THAT IF YOU DO NOT KNOW WHAT YOU'RE DOING!
# You can also configure the DTLS ciphers to offer: the default if not
# set is "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK"
# Finally, by default NIST P-256 certificates are generated (see #1997),
# but RSA generation is still supported if you set 'rsa_private_key' to 'true'.
certificates: {
#cert_pem = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
#cert_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
#cert_pwd = "secretpassphrase"
#dtls_accept_selfsigned = false
#dtls_ciphers = "your-desired-openssl-ciphers"
#rsa_private_key = false
}
# Media-related stuff: you can configure whether if you want to enable IPv6
# support (and link-local IPs), the minimum size of the NACK queue (in ms,
# defaults to 200ms) for retransmissions no matter the RTT, the range of
# ports to use for RTP and RTCP (by default, no range is envisaged), the
# starting MTU for DTLS (1200 by default, it adapts automatically),
# how much time, in seconds, should pass with no media (audio or
# video) being received before Janus notifies you about this (default=1s,
# 0 disables these events entirely), how many lost packets should trigger a
# 'slowlink' event to users (default=0, disabled), and how often, in milliseconds,
# to send the Transport Wide Congestion Control feedback information back
# to senders, if negotiated (default=200ms). Finally, if you're using BoringSSL
# you can customize the frequency of retransmissions: OpenSSL has a fixed
# value of 1 second (the default), while BoringSSL can override that. Notice
# that lower values (e.g., 100ms) will typically get you faster connection
# times, but may not work in case the RTT of the user is high: as such,
# you should pick a reasonable trade-off (usually 2*max expected RTT).
media: {
#ipv6 = true
#ipv6_linklocal = true
#min_nack_queue = 500
#rtp_port_range = "20000-40000"
#dtls_mtu = 1200
#no_media_timer = 1
#slowlink_threshold = 4
#twcc_period = 100
#dtls_timeout = 500
# Janus can do some optimizations on the NACK queue, specifically when
# keyframes are involved. Namely, you can configure Janus so that any
# time a keyframe is sent to a user, the NACK buffer for that connection
# is emptied. This allows Janus to ignore NACK requests for packets
# sent shortly before the keyframe was sent, since it can be assumed
# that the keyframe will restore a complete working image for the user
# anyway (which is the main reason why video retransmissions are typically
# required). While this optimization is known to work fine in most cases,
# it can backfire in some edge cases, and so is disabled by default.
#nack_optimizations = true
# If you need DSCP packet marking and prioritization, you can configure
# the 'dscp' property to a specific values, and Janus will try to
# set it on all outgoing packets using libnice. Normally, the specs
# suggest to use different values depending on whether audio, video
# or data are used, but since all PeerConnections in Janus are bundled,
# we can only use one. You can refer to this document for more info:
# https://tools.ietf.org/html/draft-ietf-tsvwg-rtcweb-qos-18#page-6
# That said, DON'T TOUCH THIS IF YOU DON'T KNOW WHAT IT MEANS!
#dscp = 46
}
# NAT-related stuff: specifically, you can configure the STUN/TURN
# servers to use to gather candidates if the gateway is behind a NAT,
# and srflx/relay candidates are needed. In case STUN is not enough and
# this is needed (it shouldn't), you can also configure Janus to use a
# TURN server# please notice that this does NOT refer to TURN usage in
# browsers, but in the gathering of relay candidates by Janus itself,
# e.g., if you want to limit the ports used by a Janus instance on a
# private machine. Furthermore, you can choose whether Janus should be
# configured to do full-trickle (Janus also trickles its candidates to
# users) rather than the default half-trickle (Janus supports trickle
# candidates from users, but sends its own within the SDP), and whether
# it should work in ICE-Lite mode (by default it doesn't). If libnice is
# at least 0.1.15, you can choose which ICE nomination mode to use: valid
# values are "regular" and "aggressive" (the default depends on the libnice
# version itself; if we can set it, we set aggressive nomination). You can
# also configure whether to use connectivity checks as keep-alives, which
# might help detecting when a peer is no longer available (notice that
# current libnice master is breaking connections after 50 seconds when
# keepalive-conncheck is being used, so if you want to use it, better
# sticking to 0.1.18 until the issue is addressed upstream). Finally,
# you can also enable ICE-TCP support (beware that this may lead to problems
# if you do not enable ICE Lite as well), choose which interfaces should
# be used for gathering candidates, and enable or disable the
# internal libnice debugging, if needed.
nat: {
stun_server = "hpb-prod.f7cloud.ru" # HAND-EDIT
stun_port = 5349 # HAND-EDIT PORT-EDIT (443)
nice_debug = false
full_trickle = true # HAND-EDIT
#ice_nomination = "regular"
#ice_keepalive_conncheck = true
#ice_lite = true
#ice_tcp = true
# By default Janus tries to resolve mDNS (.local) candidates: even
# though this is now done asynchronously and shouldn't keep the API
# busy, even in case mDNS resolution takes a long time to timeout,
# you can choose to drop all .local candidates instead, which is
# helpful in case you know clients will never be in the same private
# network as the one the Janus instance is running from. Notice that
# this will cause ICE to fail if mDNS is the only way to connect!
#ignore_mdns = true
# In case you're deploying Janus on a server which is configured with
# a 1:1 NAT (e.g., Amazon EC2), you might want to also specify the public
# address of the machine using the setting below. This will result in
# all host candidates (which normally have a private IP address) to
# be rewritten with the public address provided in the settings. As
# such, use the option with caution and only if you know what you're doing.
# Make sure you keep ICE Lite disabled, though, as it's not strictly
# speaking a publicly reachable server, and a NAT is still involved.
# If you'd rather keep the private IP address in place, rather than
# replacing it (and so have both of them as advertised candidates),
# then set the 'keep_private_host' property to true.
# Multiple public IP addresses can be specified as a comma separated list
# if the Janus is deployed in a DMZ between two 1-1 NAT for internal and
# external users.
#nat_1_1_mapping = "1.2.3.4"
#keep_private_host = true
# You can configure a TURN server in two different ways: specifying a
# statically configured TURN server, and thus provide the address of the
# TURN server, the transport (udp/tcp/tls) to use, and a set of valid
# credentials to authenticate. Notice that you should NEVER configure
# a TURN server for Janus unless it's really what you want! If you want
# *users* to use TURN, then you need to configure that on the client
# side, and NOT in Janus. The following TURN configuration should ONLY
# be enabled when Janus itself is sitting behind a restrictive firewall
# (e.g., it's part of a service installed on a box in a private home).
#turn_server = "myturnserver.com"
#turn_port = 3478
#turn_type = "udp"
#turn_user = "myuser"
#turn_pwd = "mypassword"
# You can also make use of the TURN REST API to get info on one or more
# TURN services dynamically. This makes use of the proposed standard of
# such an API (https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00)
# which is currently available in both rfc5766-turn-server and coturn.
# You enable this by specifying the address of your TURN REST API backend,
# the HTTP method to use (GET or POST) and, if required, the API key Janus
# must provide. The timeout can be configured in seconds, with a default of
# 10 seconds and a minimum of 1 second. Notice that the 'opaque_id' provided
# via Janus API will be used as the username for a specific PeerConnection
# by default; if that one is missing, the 'session_id' will be used as the
# username instead.
#turn_rest_api = "http://yourbackend.com/path/to/api"
turn_rest_api_key = "wU6fR0Eb0J4Aky5NuNeo3w==" # HAND-EDIT
#turn_rest_api_method = "GET"
#turn_rest_api_timeout = 10
# In case a TURN server is provided, you can allow applications to force
# Janus to use TURN (https://github.com/meetecho/janus-gateway/pull/2774).
# This is NOT allowed by default: only enable it if you know what you're doing.
#allow_force_relay = true
# You can also choose which interfaces should be explicitly used by the
# gateway for the purpose of ICE candidates gathering, thus excluding
# others that may be available. To do so, use the 'ice_enforce_list'
# setting and pass it a comma-separated list of interfaces or IP addresses
# to enforce. This is especially useful if the server hosting the gateway
# has several interfaces, and you only want a subset to be used. Any of
# the following examples are valid:
# ice_enforce_list = "eth0"
# ice_enforce_list = "eth0,eth1"
# ice_enforce_list = "eth0,192.168."
# ice_enforce_list = "eth0,192.168.0.1"
# By default, no interface is enforced, meaning Janus will try to use them all.
#ice_enforce_list = "eth0"
# In case you don't want to specify specific interfaces to use, but would
# rather tell Janus to use all the available interfaces except some that
# you don't want to involve, you can also choose which interfaces or IP
# addresses should be excluded and ignored by the gateway for the purpose
# of ICE candidates gathering. To do so, use the 'ice_ignore_list' setting
# and pass it a comma-separated list of interfaces or IP addresses to
# ignore. This is especially useful if the server hosting the gateway
# has several interfaces you already know will not be used or will simply
# always slow down ICE (e.g., virtual interfaces created by VMware).
# Partial strings are supported, which means that any of the following
# examples are valid:
# ice_ignore_list = "vmnet8,192.168.0.1,10.0.0.1"
# ice_ignore_list = "vmnet,192.168."
# Just beware that the ICE ignore list is not used if an enforce list
# has been configured. By default, Janus ignores all interfaces whose
# name starts with 'vmnet', to skip VMware interfaces:
ice_ignore_list = "vmnet"
# In case you want to allow Janus to start even if the configured STUN or TURN
# server is unreachable, you can set 'ignore_unreachable_ice_server' to true.
# WARNING: We do not recommend to ignore reachability problems, particularly
# if you run Janus in the cloud. Before enabling this flag, make sure your
# system is correctly configured and Janus starts after the network layer of
# your machine is ready. Note that Linux distributions offer such directives.
# You could use the following directive in systemd: 'After=network-online.target'
# https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Before=
#ignore_unreachable_ice_server = true
}
# You can choose which of the available plugins should be
# enabled or not. Use the 'disable' directive to prevent Janus from
# loading one or more plugins: use a comma separated list of plugin file
# names to identify the plugins to disable. By default all available
# plugins are enabled and loaded at startup.
plugins: {
#disable = "libjanus_voicemail.so,libjanus_recordplay.so"
}
# You can choose which of the available transports should be enabled or
# not. Use the 'disable' directive to prevent Janus from loading one
# or more transport: use a comma separated list of transport file names
# to identify the transports to disable. By default all available
# transports are enabled and loaded at startup.
transports: {
#disable = "libjanus_rabbitmq.so"
}
# As a core feature, Janus can log either on the standard output, or to
# a local file. Should you need more advanced logging functionality, you
# can make use of one of the custom loggers, or write one yourself. Use the
# 'disable' directive to prevent Janus from loading one or more loggers:
# use a comma separated list of logger file names to identify the loggers
# to disable. By default all available loggers are enabled and loaded at startup.
loggers: {
#disable = "libjanus_jsonlog.so"
}
# Event handlers allow you to receive live events from Janus happening
# in core and/or plugins. Since this can require some more resources,
# the feature is disabled by default. Setting broadcast to yes will
# enable them. You can then choose which of the available event handlers
# should be loaded or not. Use the 'disable' directive to prevent Janus
# from loading one or more event handlers: use a comma separated list of
# file names to identify the event handlers to disable. By default, if
# broadcast is set to yes all available event handlers are enabled and
# loaded at startup. Finally, you can choose how often media statistics
# (packets sent/received, losses, etc.) should be sent: by default it's
# once per second (audio and video statistics sent separately), but may
# considered too verbose, or you may want to limit the number of events,
# especially if you have many PeerConnections active. To change this,
# just set 'stats_period' to the number of seconds that should pass in
# between statistics for each handle. Setting it to 0 disables them (but
# not other media-related events). By default Janus sends single media
# statistic events per media (audio, video and simulcast layers as separate
# events): if you'd rather receive a single containing all media stats in a
# single array, set 'combine_media_stats' to true.
events: {
#broadcast = true
#combine_media_stats = true
#disable = "libjanus_sampleevh.so"
#stats_period = 5
}

16
config/janus/janus.logger.jsonlog.jcfg Normal file
View File

@ -0,0 +1,16 @@
# This configures the JSON-based file logger. This is a very simple logger
# with no particular advantage over the existing, integrated, logging
# functionality Janus provides, and so it's configuration is quite basic
# as well: it's here mostly to provide a reference implementation for
# developers willing to provide additional, and more complex, external loggers.
general: {
enabled = false # By default the module is not enabled
json = "indented" # Since this logger simply writes each log line as
# a JSON object to a file, you can configure whether
# the JSON log lines should be indented (default),
# plain (no indentation) or compact (no indentation and no spaces)
filename = "/tmp/janus-log.json" # Filename to save to
}

83
config/janus/janus.plugin.audiobridge.jcfg Normal file
View File

@ -0,0 +1,83 @@
# room-<unique room ID>: {
# description = "This is my awesome room"
# is_private = true|false (whether this room should be in the public list, default=true)
# secret = "<optional password needed for manipulating (e.g. destroying) the room>"
# pin = "<optional password needed for joining the room>"
# sampling_rate = <sampling rate> (e.g., 16000 for wideband mixing)
# spatial_audio = true|false (if true, the mix will be stereo to spatially place users, default=false)
# audiolevel_ext = true|false (whether the ssrc-audio-level RTP extension must
# be negotiated/used or not for new joins, default=true)
# audiolevel_event = true|false (whether to emit event to other users or not, default=false)
# audio_active_packets = 100 (number of packets with audio level, default=100, 2 seconds)
# audio_level_average = 25 (average value of audio level, 127=muted, 0='too loud', default=25)
# default_prebuffering = number of packets to buffer before decoding each particiant (default=6)
# default_expectedloss = percent of packets we expect participants may miss, to help with FEC (default=0, max=20; automatically used for forwarders too)
# default_bitrate = default bitrate in bps to use for the all participants (default=0, which means libopus decides; automatically used for forwarders too)
# record = true|false (whether this room should be recorded, default=false)
# record_file = "/path/to/recording.wav" (where to save the recording)
# record_dir = "/path/to/" (path to save the recording to, makes record_file a relative path if provided)
# mjrs = true|false (whether all participants in the room should be individually recorded to mjr files, default=false)
# mjrs_dir = "/path/to/" (path to save the mjr files to)
# allow_rtp_participants = true|false (whether participants should be allowed to join
# via plain RTP as well, rather than just WebRTC, default=false)
# groups = optional, non-hierarchical, array of groups to tag participants, for external forwarding purposes only
#
# The following lines are only needed if you want the mixed audio
# to be automatically forwarded via plain RTP to an external component
# (e.g., an ffmpeg script, or a gstreamer pipeline) for processing
# By default plain RTP is used, SRTP must be configured if needed
# rtp_forward_id = numeric RTP forwarder ID for referencing it via API (optional: random ID used if missing)
# rtp_forward_host = "<host address to forward RTP packets of mixed audio to>"
# rtp_forward_host_family = "<ipv4|ipv6; by default, first family returned by DNS request>"
# rtp_forward_port = port to forward RTP packets of mixed audio to
# rtp_forward_ssrc = SSRC to use to use when streaming (optional: stream_id used if missing)
# rtp_forward_codec = opus (default), pcma (A-Law) or pcmu (mu-Law)
# rtp_forward_ptype = payload type to use when streaming (optional: only read for Opus, 100 used if missing)
# rtp_forward_group = group of participants to forward, if enabled in the room (optional: forwards full mix if missing)
# rtp_forward_srtp_suite = length of authentication tag (32 or 80)
# rtp_forward_srtp_crypto = "<key to use as crypto (base64 encoded key as in SDES)>"
# rtp_forward_always_on = true|false, whether silence should be forwarded when the room is empty (optional: false used if missing)
#}
general: {
#admin_key = "supersecret" # If set, rooms can be created via API only
# if this key is provided in the request
#lock_rtp_forward = true # Whether the admin_key above should be
# enforced for RTP forwarding requests too
#lock_play_file = true # Whether the admin_key above should be
# enforced for playing .opus files too
#record_tmp_ext = "tmp" # Optional temporary extension to add to filenames
# while recording: e.g., setting "tmp" would mean
# .wav --> .wav.tmp until the file is closed
#events = false # Whether events should be sent to event
# handlers (default=true)
# By default, integers are used as a unique ID for both rooms and participants.
# In case you want to use strings instead (e.g., a UUID), set string_ids to true.
#string_ids = true
# Normally, all AudioBridge participants will join by negotiating a WebRTC
# PeerConnection: the plugin also supports adding participants that will
# use plain RTP, though, be it for supporting legacy users (e.g., SIP
# participants who an orchestrator can add to the bridge) or more simply
# to temporarily inject external audio in a room from a live source. To
# support plain RTP, the plugin needs to have a range of ports it can bind
# to: notice this should be configured so that it doesn't conflict with other
# plugins (e.g., Streaming, SIP, NoSIP) and applications (e.g., Janus itself).
# The default if you don't specify anything is 10000-60000.
#rtp_port_range = "50000-60000"
# In case we need to support plain RTP participants, we'll also need to know
# what local IP address to bind to for media. If no address is set in the
# property below, then one will be automatically guessed from the system.
#local_ip = "1.2.3.4"
}
room-1234: {
description = "Demo Room"
secret = "adminpwd"
sampling_rate = 16000
record = false
#record_dir = "/path/to/"
#record_file = "recording.wav"
}

20
config/janus/janus.plugin.duktape.jcfg Normal file
View File

@ -0,0 +1,20 @@
# The only things you configure in here are which JavaScipt file to load and,
# optionally, the paths to add for searching libraries and a configuration
# file, if the script will need it. For what concerns the libraries path,
# by default this configuration file adds a path to where the JS samples
# have been installed, as it contains a couple of helper libraries the
# samples use; should you be interested in adding more, just add other
# paths separated by a semicolon. Due to the syntax of the configuration
# file, make sure you escape all semicolons with a trailing slash, in case.
# The 'config' property is entirely script specific, instead: if your
# script will need to rely on an XML configuration file in its initialization,
# for instance, then set the 'config' property as the path to the file;
# it will be passed, as is, to your script in the init() call. None of
# the samples use this property, which is why it's commented out.
general: {
path = "/usr/share/janus/duktape"
script = "/usr/share/janus/duktape/echotest.js"
#script = "/usr/share/janus/duktape/videoroom.js"
#config = "/path/to/configfile"
}

5
config/janus/janus.plugin.echotest.jcfg Normal file
View File

@ -0,0 +1,5 @@
# events = true|false, whether events should be sent to event handlers
general: {
#events = false
}

20
config/janus/janus.plugin.lua.jcfg Normal file
View File

@ -0,0 +1,20 @@
# The only things you configure in here are which lua script to load and,
# optionally, the paths to add for searching libraries and a configuration
# file, if the script will need it. For what concerns the libraries path,
# by default this configuration file adds a path to where the Lua samples
# have been installed, as it contains a couple of helper libraries the
# samples use; should you be interested in adding more, just add other
# paths separated by a semicolon. Due to the syntax of the configuration
# file, make sure you escape all semicolons with a trailing slash, in case.
# The 'config' property is entirely script specific, instead: if your
# script will need to rely on an XML configuration file in its initialization,
# for instance, then set the 'config' property as the path to the file;
# it will be passed, as is, to your script in the init() call. None of
# the samples use this property, which is why it's commented out.
general: {
path = "/usr/share/janus/lua"
script = "/usr/share/janus/lua/echotest.lua"
#script = "/usr/share/janus/lua/videoroom.lua"
#config = "/path/to/configfile"
}

23
config/janus/janus.plugin.nosip.jcfg Normal file
View File

@ -0,0 +1,23 @@
general: {
# Specify which local IP address to bind to for media.
# If not set it will be automatically guessed from the system
#local_ip = "1.2.3.4"
# Specify which (public) IP address to advertise in the SDP.
# If not set, the value above or anything autodetected will be used
#sdp_ip = "1.2.3.4"
# Range of ports to use for RTP/RTCP (default=10000-60000)
rtp_port_range = "20000-40000"
# Whether events should be sent to event handlers (default=true)
#events = false
# If you need DSCP packet marking and prioritization, you can configure
# the 'dscp_audio_rtp' and/or 'dscp_video_rtp' property to specific values,
# and the plugin will set it on all outgoing audio/video RTP packets.
# No packet marking is done if this parameter is undefined or equal to 0
#dscp_audio_rtp = 46
#dscp_video_rtp = 26
}

7
config/janus/janus.plugin.recordplay.jcfg Normal file
View File

@ -0,0 +1,7 @@
# path = where to place recordings in the file system
# events = true|false, whether events should be sent to event handlers
general: {
path = "/usr/share/janus/recordings"
#events = false
}

55
config/janus/janus.plugin.sip.jcfg Normal file
View File

@ -0,0 +1,55 @@
general: {
# Specify which local IP address to bind to for SIP stack.
# If not set it will be automatically guessed from the system
#local_ip = "1.2.3.4"
# Specify which local IP address to bind for the media stack.
# If not set it will be automatically set to the value of local_ip
#local_media_ip = "1.2.3.4"
# Specify which (public) IP address to advertise in the SDP.
# If not set, the value above or anything autodetected will be used
#sdp_ip = "1.2.3.4"
# Enable local keep-alives to keep the registration open. Keep-alives are
# sent in the form of OPTIONS requests, at the given interval inseconds.
# (0 to disable)
keepalive_interval = 120
# Indicate if the server is behind NAT. If so, the server will use STUN
# to guess its own public IP address and use it in the Contact header of
# outgoing requests
behind_nat = false
# User-Agent string to be used
# user_agent = "Cool WebRTC Gateway"
# Expiration time for registrations
register_ttl = 3600
# Range of ports to use for RTP/RTCP (default=10000-60000)
rtp_port_range = "20000-40000"
# Whether events should be sent to event handlers (default=true)
#events = false
# If you need DSCP packet marking and prioritization, you can configure
# the 'dscp_audio_rtp' and/or 'dscp_video_rtp' property to specific values,
# and the plugin will set it on all outgoing audio/video RTP packets.
# No packet marking is done if this parameter is undefined or equal to 0
#dscp_audio_rtp = 46
#dscp_video_rtp = 26
# In case you want to use SIPS for some sessions, Sofia may need to
# have access to a certificate to use: this is especially true for
# Sofia >= 1.13, which will fail to create the agent if no certificate
# is available. By default, Sofia looks for 'agent.pem' and 'cafile.pem'
# in the '$HOME/.sip/auth' folder, but you can specify a different
# one by uncommenting and setting the property below.
#sips_certs_dir = "/etc/sip/certs"
# Set the T1x64 timeout value (in milliseconds) used by the SIP transaction
# engine (default 32000 milliseconds)
sip_timer_t1x64 = 32000
}

323
config/janus/janus.plugin.streaming.jcfg Normal file
View File

@ -0,0 +1,323 @@
# stream-name: {
# type = rtp|live|ondemand|rtsp
# rtp = stream originated by an external tool (e.g., gstreamer or
# ffmpeg) and sent to the plugin via RTP
# live = local file streamed live to multiple listeners
# (multiple listeners = same streaming context)
# ondemand = local file streamed on-demand to a single listener
# (multiple listeners = different streaming contexts)
# rtsp = stream originated by an external RTSP feed (only
# available if libcurl support was compiled)
# id = <unique numeric ID> (if missing, a random one will be generated)
# description = This is my awesome stream
# metadata = An optional string that can contain any metadata (e.g., JSON)
# associated with the stream you want users to receive
# is_private = true|false (private streams don't appear when you do a 'list'
# request)
# secret = <optional password needed for manipulating (e.g., destroying
# or enabling/disabling) the stream>
# pin = <optional password needed for watching the stream>
# filename = path to the local file to stream (only for live/ondemand)
# audio = true|false (do/don't stream audio)
# video = true|false (do/don't stream video)
# The following options are only valid for the 'rtp' type:
# data = true|false (do/don't stream text via datachannels)
# audioport = local port for receiving audio frames
# audiortcpport = local port, if any, for receiving and sending audio RTCP feedback
# audiomcast = multicast group port for receiving audio frames, if any
# audioiface = network interface or IP address to bind to, if any (binds to all otherwise)
# audiopt = <audio RTP payload type> (e.g., 111)
# audiocodec = name of the audio codec (e.g., opus)
# audioskew = true|false (whether the plugin should perform skew
# analisys and compensation on incoming audio RTP stream, EXPERIMENTAL)
# videoport = local port for receiving video frames
# videortcpport = local port, if any, for receiving and sending video RTCP feedback
# videomcast = multicast group port for receiving video frames, if any
# videoiface = network interface or IP address to bind to, if any (binds to all otherwise)
# videopt = <video RTP payload type> (e.g., 100)
# videocodec = name of the video codec (e.g., vp8)
# videobufferkf = true|false (whether the plugin should store the latest
# keyframe and send it immediately for new viewers, EXPERIMENTAL)
# videosimulcast = true|false (do|don't enable video simulcasting)
# videoport2 = second local port for receiving video frames (only for rtp, and simulcasting)
# videoport3 = third local port for receiving video frames (only for rtp, and simulcasting)
# videoskew = true|false (whether the plugin should perform skew
# analisys and compensation on incoming video RTP stream, EXPERIMENTAL)
# videosvc = true|false (whether the video will have SVC support; works only for VP9-SVC, default=false)
# collision = in case of collision (more than one SSRC hitting the same port), the plugin
# will discard incoming RTP packets with a new SSRC unless this many milliseconds
# passed, which would then change the current SSRC (0=disabled)
# dataport = local port for receiving data messages to relay
# dataiface = network interface or IP address to bind to, if any (binds to all otherwise)
# datatype = text|binary (type of data this mountpoint will relay, default=text)
# databuffermsg = true|false (whether the plugin should store the latest
# message and send it immediately for new viewers)
# threads = number of threads to assist with the relaying part, which can help
# if you expect a lot of viewers that may cause the RTP receiving part
# in the Streaming plugin to slow down and fail to catch up (default=0)
#
# In case you want to use SRTP for your RTP-based mountpoint, you'll need
# to configure the SRTP-related properties as well, namely the suite to
# use for hashing (32 or 80) and the crypto information for decrypting
# the stream (as a base64 encoded string the way SDES does it). Notice
# that with SRTP involved you'll have to pay extra attention to what you
# feed the mountpoint, as you may risk getting SRTP decrypt errors:
# srtpsuite = 32
# srtpcrypto = WbTBosdVUZqEb6Htqhn+m3z7wUh4RJVR8nE15GbN
#
# The Streaming plugin can also be used to (re)stream media that has been
# encrypted using something that can be consumed via Insertable Streams.
# In that case, we only need to be aware of it, so that we can send the
# info along with the SDP. How to decrypt the media is out of scope, and
# up to the application since, again, this is end-to-end encryption and
# so neither Janus nor the Streaming plugin have access to anything.
# DO NOT SET THIS PROPERTY IF YOU DON'T KNOW WHAT YOU'RE DOING!
# e2ee = true
#
# To allow mountpoints to negotiate the playout-delay RTP extension,
# you can set the 'playoutdelay_ext' property to true: this way, any
# subscriber can customize the playout delay of incoming video streams,
# assuming the browser supports the RTP extension in the first place.
# playoutdelay_ext = true
#
# The following options are only valid for the 'rtsp' type:
# url = RTSP stream URL (only for restreaming RTSP)
# rtsp_user = RTSP authorization username (only if type=rtsp)
# rtsp_pwd = RTSP authorization password (only if type=rtsp)
# rtsp_quirk = Some RTSP servers offer the stream using only the path, instead of the fully qualified URL.
# If set true, this boolean informs Janus that we should try a path-only DESCRIBE request if the initial request returns 404.
# rtsp_failcheck = whether an error should be returned if connecting to the RTSP server fails (default=true)
# rtspiface = network interface or IP address to bind to, if any (binds to all otherwise), when receiving RTSP streams
# rtsp_reconnect_delay = after n seconds passed and no media assumed, the RTSP server has gone and schedule a reconnect (default=5s)
# rtsp_session_timeout = by default the streaming plugin will check the RTSP connection with an OPTIONS query,
# the value of the timeout comes from the RTSP session initializer and by default
# this session timeout is the half of this value In some cases this value can be too high (for example more than one minute)
# because of the media server. In that case this plugin will calculate the timeout with this
# formula: timeout = min(session_timeout, rtsp_session_timeout / 2). (default=0s)
# rtsp_timeout = communication timeout (CURLOPT_TIMEOUT) for cURL call gathering the RTSP information (default=10s)
# rtsp_conn_timeout = connection timeout for cURL (CURLOPT_CONNECTTIMEOUT) call gathering the RTSP information (default=5s)
#
# Notice that, for 'rtsp' mountpoints, normally the plugin uses the exact
# SDP codec and fmtp attributes the remote camera or RTSP server sent.
# In case the values set remotely are known to conflict with WebRTC viewers,
# you can override both using the settings introduced above.
#
# To test the 'gstreamer-sample' example, check the test_gstreamer.sh
# script in the plugins/streams folder. The live and on-demand audio
# file streams, use a couple of files (radio.alaw, music.mulaw) that are
# provided in the plugins/streams folder.
#}
general: {
#admin_key = "supersecret" # If set, mountpoints can be created via API
# only if this key is provided in the request
#rtp_port_range = "20000-40000" # Range of ports to use for RTP/RTCP when '0' is
# passed as port for a mountpoint (default=10000-60000)
#events = false # Whether events should be sent to event
# handlers (default=true)
# By default, integers are used as a unique ID for both mountpoints. In case
# you want to use strings instead (e.g., a UUID), set string_ids to true.
#string_ids = true
}
#
# This is an example of an RTP source stream, which is what you'll need
# in the vast majority of cases: here, the Streaming plugin will bind to
# some ports, and expect media to be sent by an external source (e.g.,
# FFmpeg or Gstreamer). This sample listens on 5002 for audio (Opus) and
# 5004 for video (VP8), which is what the sample gstreamer script in the
# plugins/streams folder sends to. Whatever is sent to those ports will
# be the source of a WebRTC broadcast users can subscribe to.
#
rtp-sample: {
type = "rtp"
id = 1
description = "Opus/VP8 live stream coming from external source"
metadata = "You can use this metadata section to put any info you want!"
audio = true
video = true
audioport = 5002
audiopt = 111
audiocodec = "opus"
videoport = 5004
videopt = 100
videocodec = "vp8"
secret = "adminpwd"
}
#
# This is a better example that uses the new settings to configure a live
# mountpoint to send multiple streams of the same type at the same time:
# that is, not simulcasting, but different streams (e.g., two audio
# streams and two video streams). To do so, you don't set the audio,
# video and data properties inline, but use an array of properties instead,
# each identifying a single stream to add, that will then translate to
# a dedicated m-line in the SDP. For each stream, you specify the type,
# a unique ID (mid), and can provide a short description (label) so that
# the client side can know what's what when rendering the streams;
# optionally, a msid to add to the SDP m-line can be provided as well. Notice
# how the port/pt/codec/fmtp/etc. stuff is called just like that, without
# any audio/video/data prefix: in fact, each media stream can be configured
# the same way, and it's the type that allows us to differentiate them.
# As such, you can use the same approach for creating regular mountpoints
# as well (e.g., 1 audio and 1 video) in a much clearer, and cleaner, way.
#
multistream-test: {
type = "rtp"
id = 123
description = "Multistream test (1 audio, 2 video)"
metadata = "This is an example of a multistream mountpoint: you'll get an audio stream and two video feeds"
media = (
{
type = "audio"
mid = "a"
label = "Audio stream"
port = 5102
pt = 111
codec = "opus"
},
{
type = "video"
mid = "v1"
label = "Video stream #1"
port = 5104
pt = 100
codec = "vp8"
},
{
type = "video"
mid = "v2"
label = "Video stream #2"
port = 5106
pt = 100
codec = "vp8"
}
)
secret = "adminpwd"
}
#
# This is a sample of the file-based streaming support. Specifically,
# this simulates a radio broadcast by streaming (in a loop) raw a-Law
# (that is, G.711) frames. Since type is "live", anyone subscribing to
# this mountpoint will listen to the same broadcast as if it were live.
# Notice that file-based streaming supports Opus files too, but no video.
#
file-live-sample: {
type = "live"
id = 2
description = "a-law file source (radio broadcast)"
filename = "/usr/share/janus/streams/radio.alaw"
audio = true
video = false
secret = "adminpwd"
}
#
# This is another sample of the file-based streaming support, but using
# the "ondemand" type instead. In this case, the file we're streaming
# contains raw mu-Law (still G.711) frames. Since this is "ondemand",
# anyone subscribing to this mountpoint will listen to their own version
# of the stream, meaning that it will start from the beginning and then
# loop when it's over. On-demand streaming supports Opus files as well.
#
file-ondemand-sample: {
type = "ondemand"
id = 3
description = "mu-law file source (music)"
filename = "/usr/share/janus/streams/music.mulaw"
audio = true
video = false
secret = "adminpwd"
}
#
# All browsers also support H.264, often through Cisco's OpenH264 plugin.
# The only profile that is definitely supported is the baseline one, which
# means that if you try a higher one it might or might not work. No matter
# which profile you encode, though, you can put a custom one in the SDP if
# you override the fmtp SDP attribute via 'videofmtp'. The following is an
# example of how to create a simple H.264 mountpoint: you can feed it via
# an x264enc+rtph264pay pipeline in gstreamer, an ffmpeg script or other.
#
#h264-sample: {
#type = "rtp"
#id = 10
#description = "H.264 live stream coming from gstreamer"
#audio = false
#video = true
#videoport = 8004
#videopt = 126
#videocodec = "h264"
#videofmtp = "profile-level-id=42e01f;packetization-mode=1"
#secret = "adminpwd"
#}
#
# The Streaming plugin also supports the broadcasting of datachannel
# messages, either by themselves or along other audio/video streams (e.g.,
# to add a subtitle to a stream you're sending). The following is an
# example of how you can create a datachannel-only mountpoint: you can
# feed it with any tool that can send UDP datagrams, e.g., netcat.
# Notice that the 'rtp' type just indicates this is a live mountpoint:
# datachannel messages will be sent as usual, and not use RTP at all.
#
#data-example: {
#type = "rtp"
#id = 15
#description = "Datachannel stream from an UDP source"
#audio = false
#video = false
#data = true
#dataport = 5008
#datatype = "text"
#secret = "adminpwd"
#}
#
# This is a variation of the rtp-sample configuration for Opus/VP8 shown
# before, where multicast support is used to receive the streams. You
# need an external script to feed data on those ports, of course.
#
#rtp-multicast: {
#type = "rtp"
#id = 20
#description = "Opus/VP8 live multicast stream sample"
#audio = true
#video = true
#audioport = 5002
#audiomcast = "232.3.4.5"
#audiopt = 111
#audiocodec = "opus"
#videoport = 5004
#videomcast = "232.3.4.5"
#videopt = 100
#videocodec = "vp8"
#secret = "adminpwd"
#}
#
# This is a sample configuration for an RTSP stream: you can specify
# the url to connect to and whether or not authentication is needed
# using the url/rtsp_user/rtsp_pwd settings (but notice that digest
# authentication will only work if you installed libcurl >= 7.45.0)
# NOTE WELL: the plugin does NOT transcode, so the RTSP stream MUST be
# in a format the browser can digest (e.g., VP8 or H.264 baseline for video)
# Again, you can override payload type, codec and/or fmtp, if needed.
#
#rtsp-test: {
#type = "rtsp"
#id = 99
#description = "RTSP Test"
#audio = false
#video = true
#url = "rtsp://127.0.0.1:8554/unicast"
#rtsp_user = "username"
#rtsp_pwd = "password"
#secret = "adminpwd"
#rtsp_reconnect_delay = 5
#rtsp_session_timeout = 0
#rtsp_timeout = 10
#rtsp_conn_timeout = 5
#}

30
config/janus/janus.plugin.textroom.jcfg Normal file
View File

@ -0,0 +1,30 @@
# room-<unique room ID>: {
# description = This is my awesome room
# is_private = true|false (whether this room should be in the public list, default=true)
# secret = <optional password needed for manipulating (e.g. destroying) the room>
# pin = <optional password needed for joining the room>
# history = <number of messages to store as a history, and send back to new participants (default=0, no history)>
# post = <optional backend to contact via HTTP post for all incoming messages>
#}
general: {
#admin_key = "supersecret" # If set, rooms can be created via API only
# if this key is provided in the request
json = "indented" # Whether the data channel JSON messages should be indented (default),
# plain (no indentation) or compact (no indentation and no spaces)
#events = false # Whether events should be sent to event
# handlers (default=true)
# By default, integers are used as a unique ID for rooms. In case you
# want to use strings instead (e.g., a UUID), set string_ids to true.
#string_ids = true
}
room-1234: {
description = "Demo Room"
# is_private = true
secret = "adminpwd"
# pin = "roompwd"
# history = 10
# post = "http://example.com/forward/here"
}

5
config/janus/janus.plugin.videocall.jcfg Normal file
View File

@ -0,0 +1,5 @@
# events = true|false, whether events should be sent to event handlers
general: {
#events = false
}

95
config/janus/janus.plugin.videoroom.jcfg Normal file
View File

@ -0,0 +1,95 @@
# room-<unique room ID>: {
# description = This is my awesome room
# is_private = true|false (whether this room should be in the public list, default=true)
# secret = <optional password needed for manipulating (e.g. destroying) the room>
# pin = <optional password needed for joining the room>
# require_pvtid = true|false (whether subscriptions are required to provide a valid private_id
# to associate with a publisher, default=false)
# signed_tokens = true|false (whether access to the room requires signed tokens; default=false,
# only works if signed tokens are used in the core as well)
# publishers = <max number of concurrent senders> (e.g., 6 for a video
# conference or 1 for a webinar)
bitrate = 5000000
# bitrate_cap = true|false (whether the above cap should act as a hard limit to
# dynamic bitrate changes by publishers; default=false, publishers can go beyond that)
fir_freq = 5
# audiocodec = opus|g722|pcmu|pcma|isac32|isac16 (audio codec(s) to force on publishers, default=opus
# can be a comma separated list in order of preference, e.g., opus,pcmu)
videocodec = vp9
# can be a comma separated list in order of preference, e.g., vp9,vp8,h264)
# vp9_profile = VP9-specific profile to prefer (e.g., "2" for "profile-id=2")
# h264_profile = H.264-specific profile to prefer (e.g., "42e01f" for "profile-level-id=42e01f")
# opus_fec = true|false (whether inband FEC must be negotiated; only works for Opus, default=true)
# opus_dtx = true|false (whether DTX must be negotiated; only works for Opus, default=false)
# video_svc = true|false (whether SVC support must be enabled; only works for VP9, default=false)
# audiolevel_ext = true|false (whether the ssrc-audio-level RTP extension must
# be negotiated/used or not for new publishers, default=true)
# audiolevel_event = true|false (whether to emit event to other users or not, default=false)
# audio_active_packets = 100 (number of packets with audio level, default=100, 2 seconds)
# audio_level_average = 25 (average value of audio level, 127=muted, 0='too loud', default=25)
# videoorient_ext = true|false (whether the video-orientation RTP extension must
# be negotiated/used or not for new publishers, default=true)
# playoutdelay_ext = true|false (whether the playout-delay RTP extension must
# be negotiated/used or not for new publishers, default=true)
# transport_wide_cc_ext = true|false (whether the transport wide CC RTP extension must be
# negotiated/used or not for new publishers, default=true)
# record = true|false (whether this room should be recorded, default=false)
# rec_dir = <folder where recordings should be stored, when enabled>
# lock_record = true|false (whether recording can only be started/stopped if the secret
# is provided, or using the global enable_recording request, default=false)
# notify_joining = true|false (optional, whether to notify all participants when a new
# participant joins the room. The Videoroom plugin by design only notifies
# new feeds (publishers), and enabling this may result extra notification
# traffic. This flag is particularly useful when enabled with require_pvtid
# for admin to manage listening only participants. default=false)
# require_e2ee = true|false (whether all participants are required to publish and subscribe
# using end-to-end media encryption, e.g., via Insertable Streams; default=false)
# dummy_publisher = true|false (whether a dummy publisher should be created in this room,
# with one separate m-line for each codec supported in the room; this is
# useful when there's a need to create subscriptions with placeholders
# for some or all m-lines, even when they aren't used yet; default=false)
# dummy_streams = in case dummy_publisher is set to true, array of codecs to offer,
# optionally with a fmtp attribute to match (codec/fmtp properties).
# If not provided, all codecs enabled in the room are offered, with no fmtp.
# Notice that the fmtp is parsed, and only a few codecs are supported.
#}
general: {
#admin_key = "supersecret" # If set, rooms can be created via API only
# if this key is provided in the request
#lock_rtp_forward = true # Whether the admin_key above should be
# enforced for RTP forwarding requests too
#events = false # Whether events should be sent to event
# handlers (default=true)
# By default, integers are used as a unique ID for both rooms and participants.
# In case you want to use strings instead (e.g., a UUID), set string_ids to true.
#string_ids = true
}
room-1234: {
description = "Demo Room"
secret = "adminpwd"
publishers = 6
bitrate = 128000
fir_freq = 10
#audiocodec = "opus"
#videocodec = "vp8"
record = false
#rec_dir = "/path/to/recordings-folder"
}
# This other demo room here is only there in case you want to play with
# the VP9 SVC support. Notice that you'll need a Chrome launched with
# the flag that enables that support, or otherwise you'll be using just
# plain VP9 (which is good if you want to test how this indeed affect
# what receivers will get, whether they're encoding SVC or not).
room-5678: {
description = "VP9-SVC Demo Room"
secret = "adminpwd"
publishers = 6
bitrate = 512000
fir_freq = 10
videocodec = "vp9"
video_svc = true
}

11
config/janus/janus.plugin.voicemail.jcfg Normal file
View File

@ -0,0 +1,11 @@
# path = where to place recordings in the file system (should be in a
# properly configured web server, if you want the demo to work)
# base = base path to use when returning the recording URI (use this
# to make sure the file in the path you chose is reachable via HTTP)
# events = true|false, whether events should be sent to event handlers
general: {
path = "/usr/share/janus/demos/voicemail/"
base = "/voicemail/"
events = true
}

74
config/janus/janus.transport.http.jcfg Normal file
View File

@ -0,0 +1,74 @@
# Web server stuff: whether any should be enabled, which ports they
# should use, whether security should be handled directly or demanded to
# an external application (e.g., web frontend) and what should be the
# base path for the Janus API protocol. Notice that by default
# all the web servers will try and bind on both IPv4 and IPv6: if you
# want to only bind to IPv4 addresses (e.g., because your system does not
# support IPv6), you should set the web server 'ip' property to '0.0.0.0'.
# To see debug logs from the HTTP server library, set 'mhd_debug'.
general: {
#events = true # Whether to notify event handlers about transport events (default=true)
json = "indented" # Whether the JSON messages should be indented (default),
# plain (no indentation) or compact (no indentation and no spaces)
base_path = "/janus" # Base path to bind to in the web server (plain HTTP only)
http = true # Whether to enable the plain HTTP interface
port = 8088 # Web server HTTP port
interface = "lo" # HAND-EDIT # Whether we should bind this server to a specific interface only
#ip = "192.168.0.1" # Whether we should bind this server to a specific IP address (v4 or v6) only
https = false # Whether to enable HTTPS (default=false)
#secure_port = 8089 # Web server HTTPS port, if enabled
#secure_interface = "eth0" # Whether we should bind this server to a specific interface only
#secure_ip = "192.168.0.1" # Whether we should bind this server to a specific IP address (v4 or v6) only
#acl = "127.,192.168.0." # Only allow requests coming from this comma separated list of addresses
#mhd_connection_limit = 1020 # Open connections limit in libmicrohttpd (default=1020)
#mhd_debug = false # Ask libmicrohttpd to write warning and error messages to stderr (default=false)
}
# Janus can also expose an admin/monitor endpoint, to allow you to check
# which sessions are up, which handles they're managing, their current
# status and so on. This provides a useful aid when debugging potential
# issues in Janus. The configuration is pretty much the same as the one
# already presented above for the webserver stuff, as the API is very
# similar: choose the base bath for the admin/monitor endpoint (/admin
# by default), ports, etc. Besides, you can specify
# a secret that must be provided in all requests as a crude form of
# authorization mechanism, and partial or full source IPs if you want to
# limit access basing on IP addresses. For security reasons, this
# endpoint is disabled by default, enable it by setting admin_http=true.
admin: {
admin_base_path = "/admin" # Base path to bind to in the admin/monitor web server (plain HTTP only)
admin_http = false # Whether to enable the plain HTTP interface
admin_port = 7088 # Admin/monitor web server HTTP port
#admin_interface = "eth0" # Whether we should bind this server to a specific interface only
#admin_ip = "192.168.0.1" # Whether we should bind this server to a specific IP address (v4 or v6) only
admin_https = false # Whether to enable HTTPS (default=false)
#admin_secure_port = 7889 # Admin/monitor web server HTTPS port, if enabled
#admin_secure_interface = "eth0" # Whether we should bind this server to a specific interface only
#admin_secure_ip = "192.168.0.1" # Whether we should bind this server to a specific IP address (v4 or v6) only
#admin_acl = "127.,192.168.0." # Only allow requests coming from this comma separated list of addresses
}
# The HTTP servers created in Janus support CORS out of the box, but by
# default they return a wildcard (*) in the 'Access-Control-Allow-Origin'
# header. This works fine in most situations, except when we have to
# respond to a credential request (withCredentials=true in the XHR). If
# you need that, uncomment and set the 'allow_origin' below to specify
# what must be returned in 'Access-Control-Allow-Origin'. More details:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
# In case you want to enforce the Origin validation, rather than leave
# it to browsers, you can set 'enforce_cors' to 'true' to have Janus
# return a '403 Forbidden' for all requests that don't comply.
cors: {
#allow_origin = "http://foo.example"
#enforce_cors = true
}
# Certificate and key to use for HTTPS, if enabled (and passphrase if needed).
# You can also disable insecure protocols and ciphers by configuring the
# 'ciphers' property accordingly (no limitation by default).
certificates: {
cert_pem = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
cert_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
#cert_pwd = "secretpassphrase"
#ciphers = "PFS:-VERS-TLS1.0:-VERS-TLS1.1:-3DES-CBC:-ARCFOUR-128"
}

59
config/janus/janus.transport.mqtt.jcfg Normal file
View File

@ -0,0 +1,59 @@
# Configuration of the MQTT additional transport for the Janus API.
general: {
enabled = false # Whether the support must be enabled
#events = true # Whether to notify event handlers about transport events (default=true)
json = "indented" # Whether the JSON messages should be indented (default),
# plain (no indentation) or compact (no indentation and no spaces)
url = "tcp://localhost:1883" # The connection URL of the MQTT broker: if you want
# to use SSL, make sure you type ssl:// instead of tcp://,
# and that you configure the SSL settings below
#mqtt_version = "3.1.1" # Protocol version. Available values: 3.1, 3.1.1 (default), 5.
#client_id = "guest" # Client identifier
#username = "guest" # Username to use to authenticate, if needed
#password = "guest" # Password to use to authenticate, if needed
#keep_alive_interval = 20 # Keep connection for N seconds
#cleansession = 0 # Clean session flag
#max_inflight = 10 # Maximum number of inflight messages
#max_buffered = 100 # Maximum number of buffered messages
#disconnect_timeout = 100 # Milliseconds to wait before destroying client
subscribe_topic = "to-janus" # Topic for incoming messages
#subscribe_qos = 1 # QoS for incoming messages
publish_topic = "from-janus" # Topic for outgoing messages
#publish_qos = 1 # QoS for outgoing messages
#ssl_enabled = true # Whether ssl support must be enabled
#verify_peer = true # Whether peer verification must be enabled
# Certificates to use when SSL support is enabled, if needed
#cacertfile = /path/to/cacert.pem
certfile = /etc/ssl/certs/ssl-cert-snakeoil.pem
keyfile = /etc/ssl/private/ssl-cert-snakeoil.key
# These options work with MQTT 5 only.
#vacuum_interval = 60 # Interval for removing old transaction states in seconds.
#proxy_transaction_user_properties = [] # Array of user property names to copy from the incoming message.
#add_transaction_user_properties = () # List of user property ["key", "value"] pairs to add.
}
admin: {
#admin_enabled = false # Whether the support must be enabled
subscribe_topic = "to-janus-admin" # Topic for incoming admin messages
#subscribe_qos = 1 # QoS for incoming admin messages
publish_topic = "from-janus-admin" # Topic for outgoing admin messages
#publish_qos = 1 # QoS for outgoing admin messages
}
status: {
enabled = false # Whether status messages must be enabled (default: false)
# Initial message sent to status topic. Nothing is being sent if not set.
#connect_message = "{\"online\": true}"
# Message sent after disconnect or as LWT. Nothing is being sent if not set.
#disconnect_message = "{\"online\": false}"
#topic = "status" # Status topic (default: "status")
#qos = 1 # QoS for status messages (default: 1)
#retain = false # Whether status messages should be retained (default: false)
}

29
config/janus/janus.transport.nanomsg.jcfg Normal file
View File

@ -0,0 +1,29 @@
# You can also control a Janus instance using Nanomsg sockets. The only
# aspect you need to configure here is the address to use for the
# communication, and whether the address should be used to bind locally
# or to connect to a remote endpoint. Notice that the only supported
# pattern is NN_PAIR, so you'll only be able to have a single client
# controlling the API with this plugin. As usual, both Janus API and Admin
# API endpoints can be configured.
general: {
enabled = true # Whether to enable the Nanomsg interface
# for Janus API clients
#events = true # Whether to notify event handlers about transport events (default=true)
json = "indented" # Whether the JSON messages should be indented (default),
# plain (no indentation) or compact (no indentation and no spaces)
#mode = "bind" # Whether we should 'bind' to the specified
# address (default), or connect to it if remote
address = "ipc:///tmp/janus.ipc" # Address to use (Janus API), refer
# to the Nanomsg documentation for more info
# on different transports you can use here
}
# As with other transport plugins, you can use Nanomsg to interact with
# the Admin API as well: in case you're interested in it, a different
# address needs to be provided.
admin: {
admin_enabled = false # Whether to enable the Nanomsg interface
# for Admin API clients
#admin_mode = "bind"
#admin_address = "ipc:///tmp/janus-admin.ipc"
}

23
config/janus/janus.transport.pfunix.jcfg Normal file
View File

@ -0,0 +1,23 @@
# You can also control a Janus instance using Unix Sockets. The only
# aspect you need to configure here is the path of the Unix Sockets
# server. Notice that by default the interface is disabled, as you need
# to specify the path(s) to bind to for the API(s).
general: {
enabled = false # Whether to enable the Unix Sockets interface
# for Janus API clients
#events = true # Whether to notify event handlers about transport events (default=true)
json = "indented" # Whether the JSON messages should be indented (default),
# plain (no indentation) or compact (no indentation and no spaces)
#path = "/path/to/ux-janusapi" # Path to bind to (Janus API)
#type = "SOCK_SEQPACKET" # SOCK_SEQPACKET (default) or SOCK_DGRAM?
}
# As with other transport plugins, you can use Unix Sockets to interact
# with the Admin API as well: in case you're interested in it, a different
# path needs to be provided.
admin: {
admin_enabled = false # Whether to enable the Unix Sockets interface
# for Admin API clients
#admin_path = "/path/to/ux-janusadmin" # Path to bind to (Admin API)
#admin_type = "SOCK_SEQPACKET" # SOCK_SEQPACKET (default) or SOCK_DGRAM?
}

64
config/janus/janus.transport.rabbitmq.jcfg Normal file
View File

@ -0,0 +1,64 @@
# Configuration of the RabbitMQ additional transport for the Janus API.
# This is only useful when you're wrapping Janus requests in your server
# application, and handling the communication with clients your own way.
# At the moment, only a single "application" can be handled at the same
# time, meaning that Janus won't implement multiple queues to handle
# multiple concurrent "application servers" taking advantage of its
# features. Support for this is planned, though (e.g., through some kind
# of negotiation to create queues on the fly). Right now, you can only
# configure the address of the RabbitMQ server to use, and the queues to
# make use of to receive (to-janus) and send (from-janus) messages
# from/to an external application. If you're using the same RabbitMQ
# server instance for multiple Janus instances, make sure you configure
# different queues for each of them (e.g., from-janus-1/to-janus-1 and
# from-janus-2/to-janus-2), or otherwise both the instances will make
# use of the same queues and messages will get lost. The integration
# is disabled by default, so set enabled=true if you want to use it.
general: {
enabled = false # Whether the support must be enabled
#events = true # Whether to notify event handlers about transport events (default=true)
json = "indented" # Whether the JSON messages should be indented (default),
# plain (no indentation) or compact (no indentation and no spaces)
host = "localhost" # The address of the RabbitMQ server
#port = 5672 # The port of the RabbitMQ server (5672 by default)
#username = "guest" # Username to use to authenticate, if needed
#password = "guest" # Password to use to authenticate, if needed
#vhost = "/" # Virtual host to specify when logging in, if needed
#janus_exchange = "janus-exchange" # Exchange for outgoing messages, using default if not provided
#janus_exchange_type = "fanout" # Rabbitmq exchange_type can be one of the available types: direct, topic, headers and fanout (fanout by defualt).
#queue_name = "janus-gateway" # Queue name for incoming messages (if set and janus_exchange_type is topic/direct, to_janus will be the routing key the queue is bound to the exchange on)
to_janus = "to-janus" # Name of the queue for incoming messages if queue_name isn't set, otherwise, the routing key that queue_name is bound to
from_janus = "from-janus" # Routing key of the message sent from janus (as well as the name of the outgoing queue if declare_outgoing_queue = true)
#declare_outgoing_queue = true # By default (for backwards compatibility), we declare an outgoing queue. Set this to false to disable that behavior
#queue_durable = false # Whether or not incoming queue should remain after a RabbitMQ reboot
#queue_autodelete = false # Whether or not incoming queue should autodelete after janus disconnects from RabbitMQ
#queue_exclusive = false # Whether or not incoming queue should only allow one subscriber
#heartbeat = 60 # Defines the seconds without communication that should pass before considering the TCP connection unreachable.
#ssl_enabled = false # Whether ssl support must be enabled
#ssl_verify_peer = true # Whether peer verification must be enabled
#ssl_verify_hostname = true # Whether hostname verification must be enabled
# Certificates to use when SSL support is enabled, if needed
#ssl_cacert = "/path/to/cacert.pem"
ssl_cert = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ssl_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
}
# If you want to expose the Admin API via RabbitMQ as well, you need to
# specify a different set of queues, as you cannot mix Janus API and
# Admin API messaging. The same RabbitMQ server is supposed to be used.
# Notice that by default the Admin API support via RabbitMQ is disabled.
admin: {
#admin_enabled = false # Whether the support must be enabled
#queue_name_admin = "janus-gateway-admin" # Queue name for incoming admin messages (if set and janus_exchange_type is topic/direct, to_janus_admin will be the the routing key the queue is bound to the exchange on)
#to_janus_admin = "to-janus-admin" # Name of the queue for incoming messages if queue_name_admin isn't set, otherwise, the routing key that queue_name_admin is bound to
#from_janus_admin = "from-janus-admin" # Routing key of the message sent from janus (as well as the name of the outgoing queue if declare_outgoing_queue_admin = true)
#declare_outgoing_queue_admin = true # By default (for backwards compatibility), we declare an outgoing queue. Set this to false to disable that behavior
#queue_durable_admin = false # Whether or not incoming queue should remain after a RabbitMQ reboot
#queue_autodelete_admin = false # Whether or not incoming queue should autodelete after janus disconnects from RabbitMQ
#queue_exclusive_admin = false # Whether or not incoming queue should only allow one subscriber
}

68
config/janus/janus.transport.websockets.jcfg Normal file
View File

@ -0,0 +1,68 @@
# WebSockets stuff: whether they should be enabled, which ports they
# should use, and so on.
general: {
#events = true # Whether to notify event handlers about transport events (default=true)
json = "indented" # Whether the JSON messages should be indented (default),
# plain (no indentation) or compact (no indentation and no spaces)
#pingpong_trigger = 30 # After how many seconds of idle, a PING should be sent
#pingpong_timeout = 10 # After how many seconds of not getting a PONG, a timeout should be detected
ws = true # Whether to enable the WebSockets API
ws_port = 8188 # WebSockets server port
ws_interface = "lo" # HAND-EDIT # Whether we should bind this server to a specific interface only
#ws_ip = "192.168.0.1" # Whether we should bind this server to a specific IP address only
#ws_unix = "/run/ws.sock" # Use WebSocket server over UNIX socket instead of TCP
wss = false # Whether to enable secure WebSockets
#wss_port = 8989 # WebSockets server secure port, if enabled
#wss_interface = "eth0" # Whether we should bind this server to a specific interface only
#wss_ip = "192.168.0.1" # Whether we should bind this server to a specific IP address only
#wss_unix = "/run/wss.sock" # Use WebSocket server over UNIX socket instead of TCP
#ws_logging = "err,warn" # libwebsockets debugging level as a comma separated list of things
# to debug, supported values: err, warn, notice, info, debug, parser,
# header, ext, client, latency, user, count (plus 'none' and 'all')
#ws_acl = "127.,192.168.0." # Only allow requests coming from this comma separated list of addresses
}
# If you want to expose the Admin API via WebSockets as well, you need to
# specify a different server instance, as you cannot mix Janus API and
# Admin API messaging. Notice that by default the Admin API support via
# WebSockets is disabled.
admin: {
admin_ws = false # Whether to enable the Admin API WebSockets API
admin_ws_port = 7188 # Admin API WebSockets server port, if enabled
#admin_ws_interface = "eth0" # Whether we should bind this server to a specific interface only
#admin_ws_ip = "192.168.0.1" # Whether we should bind this server to a specific IP address only
#admin_ws_unix = "/run/aws.sock" # Use WebSocket server over UNIX socket instead of TCP
admin_wss = false # Whether to enable the Admin API secure WebSockets
#admin_wss_port = 7989 # Admin API WebSockets server secure port, if enabled
#admin_wss_interface = "eth0" # Whether we should bind this server to a specific interface only
#admin_wss_ip = "192.168.0.1" # Whether we should bind this server to a specific IP address only
#admin_wss_unix = "/run/awss.sock" # Use WebSocket server over UNIX socket instead of TCP
#admin_ws_acl = "127.,192.168.0." # Only allow requests coming from this comma separated list of addresses
}
# The HTTP servers created in Janus support CORS out of the box, but by
# default they return a wildcard (*) in the 'Access-Control-Allow-Origin'
# header. This works fine in most situations, except when we have to
# respond to a credential request (withCredentials=true in the XHR). If
# you need that, uncomment and set the 'allow_origin' below to specify
# what must be returned in 'Access-Control-Allow-Origin'. More details:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
# In case you want to enforce the Origin validation, rather than leave
# it to browsers, you can set 'enforce_cors' to 'true' to have Janus
# return a '403 Forbidden' for all requests that don't comply.
cors: {
#allow_origin = "http://foo.example"
#enforce_cors = true
}
# Certificate and key to use for any secure WebSocket server, if enabled (and passphrase if needed).
# You can also disable insecure protocols and ciphers by configuring the
# 'ciphers' property accordingly (no limitation by default).
# Examples of recommended cipher strings at https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html
certificates: {
cert_pem = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
cert_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
#cert_pwd = "secretpassphrase"
#ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
}

2
config/nats/nats-server.conf Normal file
View File

@ -0,0 +1,2 @@
host: 127.0.0.1
port: 4222