; Spreed WebRTC server example configuration
[http]
; HTTP listener in format ip:port. This listener serves unencrypted HTTP; the
; loopback address used below accepts connections from the local host only.
listen = 127.0.0.1:8080
; Full path to directory where to find the server web assets.
;root = /usr/share/spreed-webrtc-server/www
; HTTP socket read timeout in seconds.
;readtimeout = 10
; HTTP socket write timeout in seconds.
;writetimeout = 10
; Use basePath if the server does not run on the root path (/) of your server.
;basePath = /some/sub/path/
; Set maximum number of open files (only works when run as root).
;maxfd = 32768
; Enable stats API /api/v1/stats for debugging (not for production use!).
; NOTE(review): no access control for this endpoint is described in this file;
; confirm how it is protected before enabling it on a reachable listener.
;stats = false
; Enable HTTP listener for golang pprof module. See
; http://golang.org/pkg/net/http/pprof/ for details.
; The pprof handlers expose runtime internals (profiles, goroutine dumps, the
; process command line), so keep this on a loopback address and leave it
; commented outside of debugging sessions.
;pprofListen = 127.0.0.1:6060
[https]
; Native HTTPS listener in format ip:port.
;listen = 127.0.0.1:8443
; Full path to PEM encoded certificate chain.
;certificate = server.crt
; Full path to PEM encoded private key. Keep this file readable only by the
; account that runs the server.
;key = server.key
; Minimal supported encryption standard (SSLv3, TLSv1, TLSv1.1 or TLSv1.2).
; SSLv3, TLSv1 and TLSv1.1 are deprecated (RFC 7568, RFC 8996); set TLSv1.2
; unless a client that cannot be upgraded requires an older version.
; NOTE(review): the commented value below is SSLv3 - confirm which minimum
; applies when this key is left unset.
;minVersion = SSLv3
; HTTPS socket read timeout in seconds.
;readtimeout = 10
; HTTPS socket write timeout in seconds.
;writetimeout = 10
[app]
; HTML page title
;title = Spreed WebRTC
; Version string to use for static resources. This defaults to the server
; version and should only be changed when you use your own way to invalidate
; long cached static resources.
;ver = 1234
; STUN server URIs in format host:port. You can provide multiple separated by
; space. If you do not have one use a public one like stun.spreed.me:443. If
; you have a TURN server you do not need to set an STUN server as the TURN
; server will provide STUN services.
;stunURIs = stun:stun.spreed.me:443
; TURN server URIs in format host:port?transport=udp|tcp. You can provide
; multiple separated by space. If you do not have at least one TURN server then
; some users will not be able to use the server as the peer to peer connection
; cannot be established without a TURN server due to firewall reasons. An open
; source TURN server which is fully supported can be found at
; https://code.google.com/p/rfc5766-turn-server/.
;turnURIs = turn:turnserver:port?transport=udp
; Shared secret authentication for TURN user generation if the TURN server is
; protected (which it should be).
; See http://tools.ietf.org/html/draft-uberti-behave-turn-rest-00 for details.
; A supported TURN server is https://code.google.com/p/rfc5766-turn-server/.
; The value below is a placeholder; use the secret configured on your TURN
; server and do not reuse it for any other setting in this file.
;turnSecret = the-default-turn-shared-secret-do-not-keep
; Enable renegotiation support. Set to true to tell clients that they can
; renegotiate peer connections when required. Firefox support is not complete,
; so do not enable if you want compatibility with Firefox clients.
;renegotiation = false
; Session secret to use for session id generator. 32 or 64 bytes of random data
; are recommended (hex encoded). A warning will be logged if hex decode fails.
; You can generate a secret easily with "xxd -ps -l 32 -c 32 /dev/random".
; The value below is the placeholder shipped with this example and is not hex
; encoded; replace it with freshly generated random data before deployment.
sessionSecret = the-default-secret-do-not-keep-me
; Encryption secret protecting the data in generated server side tokens. Use
; 16, 24, or 32 bytes (hex encoded) to select AES-128, AES-192, or AES-256.
; When you change the encryption secret, stored authentications, sessions and
; contacts become invalid. A warning will be logged if hex decode fails. You
; can generate a secret easily with "xxd -ps -l 32 -c 32 /dev/random".
; The value below is the placeholder shipped with this example and is not hex
; encoded; replace it with freshly generated random data before deployment and
; keep it different from sessionSecret.
encryptionSecret = tne-default-encryption-block-key
; Full path to a text file containing client tokens which a user needs to enter
; when accessing the web client. Each line in this file represents a valid
; token. The tokens are stored as plain text, so restrict read access on the
; file to the account that runs the server.
;tokenFile = tokens.txt
; The name of a global room. If enabled it should be kept secret. Users in that
; room are visible in all other rooms.
;globalRoom = global
; The default room is the room at the root URL of the server's base address and
; all users will join this room if enabled. If it is disabled then a room join
; form will be shown instead.
;defaultRoomEnabled = true
; Whether a user account is required to join a room. This only has an effect
; if user accounts are enabled. Optional, defaults to false.
;authorizeRoomJoin = false
; Whether a user account is required to create a room. This only has an effect
; if user accounts are enabled. Optional, defaults to false.
;authorizeRoomCreation = false
; Server token is a public random string which is used to enhance security of
; server generated security tokens. When the serverToken is changed all existing
; nonces become invalid. Use 32 or 64 characters (eg. 16 or 32 byte hex).
; The value below is the placeholder shipped with this example; replace it with
; your own random string before deployment.
serverToken = i-did-not-change-the-public-token-boo
; The server realm is part of the validation chain of tokens and nonces and is
; added as suffix to server created user ids if user creation is enabled. When
; the realm is changed, all existing tokens and nonces become invalid.
serverRealm = local
; Full path to an extra templates directory. Templates in this directory ending
; with .html will be parsed on startup and can be used to fill the supported
; extra-* template slots. If the extra folder has a sub folder "static", the
; resources in this static folder will be available as /extra/static/filename
; relative to your server's base URL.
;extra = /usr/share/spreed-webrtc-server/extra
; URL relative to the server's base path for a plugin javascript file which is
; automatically loaded on web client start for all users. You can put your
; plugin in the extra/static folder (see above) or provide another folder using
; a front end webserver. Check the doc folder for more info about plugins and
; examples. Because the script is loaded for every user, reference only a file
; whose content you control.
;plugin = extra/static/myplugin.js
; Content-Security-Policy HTTP response header value.
; Spreed WebRTC requires inline styles, WebSocket connection to itself and
; data: URL for images.
; The currently recommended CSP is shown below; server:port in connect-src
; stands for the public host and port of this server.
; default-src 'self';
; frame-src 'self' blob:;
; style-src 'self' 'unsafe-inline';
; img-src 'self' data: blob:;
; connect-src 'self' wss://server:port/ws blob:;
; font-src 'self' data: blob:;
; media-src 'self' blob:;
;contentSecurityPolicy =
; Content-Security-Policy-Report-Only HTTP response header value. Use this
; to test your CSP before putting it into production.
;contentSecurityPolicyReportOnly =
[modules]
; Modules provide optional functionality. Modules are enabled by default and
; can be disabled by setting the corresponding key below to false. Disabling
; modules you do not use keeps the exposed feature set smaller.
;screensharing = true
;youtube = true
;presentation = true
;contacts = true
[log]
; Full path to the server log file.
; NOTE(review): where log output goes while this key stays commented is not
; stated in this file - confirm against the server documentation.
;logfile = /var/log/spreed-webrtc-server.log
[users]
; Set to true to enable user functionality.
enabled = false
; Set users authorization mode.
; sharedsecret:
; Validates the userid with a HMAC authentication secret.
; The format goes like this:
; BASE64(HMAC-SHA-256(secret, expirationTimestampInSeconds:userid))
; httpheader:
; The userid is provided as an HTTP header. The server does not do any
; validation. This usually only makes sense with a front end HTTPS proxy which
; does the authentication and injects the user id as HTTP header for sessions
; REST requests. In mode httpheader, allowRegistration should be false.
; certificate:
; The userid is provided as CommonName with a certificate provided with TLS
; client authentication. When you use this with a front end proxy for TLS
; termination, that proxy has to validate the certificate and inject certain
; headers into the proxy connection. In certificate mode the server can act as
; a signing CA to sign incoming user certificate requests with a private key
; when allowRegistration is true. While certificate mode offers the highest
; security it is currently considered experimental and the user experience
; varies between browsers and platforms.
;mode = sharedsecret
; The shared secret for HMAC validation in "sharedsecret" mode. Best use 32 or
; 64 bytes of random data. The value below is a placeholder; replace it with
; your own random data before enabling this mode.
;sharedsecret_secret = some-secret-do-not-keep
; The HTTP header name where to find the userid in "httpheader" mode. Since the
; server does no validation in this mode, the front end proxy must always set
; this header itself and must never pass through a value sent by the client.
;httpheader_header = x-userid
; Full path to PEM encoded private key to use for user creation in "certificate"
; mode. Keep this commented if you do not want the server to sign certificate
; requests. This is the signing key of the users CA, so keep the file readable
; only by the account that runs the server.
;certificate_key = userskey.key
; Full path to PEM encoded certificate to use for user validation in
; "certificate" mode. When allowRegistration is true and certificate_key is also
; set then the server will act as a CA and sign incoming user registrations and
; return certificates to users as registration.
;certificate_certificate = usersca.crt
; The HTTP header name where to find if the TLS client authentication was
; successful. The value of this header is matched to
; certificate_verifiedHeaderValue and only if there is a match, the proxy
; handled TLS client authentication is accepted as success. Make sure to secure
; these headers with your front end proxy (always set them). Do not use these
; settings when not using a front end proxy.
;certificate_verifiedHeader = x-verified
;certificate_verifiedHeaderValue = SUCCESS
; The HTTP header name where to find the PEM encoded certificate authenticated
; by a front end proxy. With Nginx the required value is in $ssl_client_cert.
; Like the verified header above, the proxy must always set this header itself.
;certificate_certificateHeader = x-certificate
; The valid duration of generated certificates created in certificate mode when
; allowRegistration is enabled.
;certificate_validForDays = 365
; Organization to set into the created user certificates. Use a readable public
; name to make the certificate easily recognizable as certificate for your
; server so users can choose the correct certificate when prompted.
;certificate_organization = My Spreed Server
; If enabled the server can create new userids. Set allowRegistration to true to
; enable userid creation/registration. Users are created according to the
; settings of the currently configured mode (see above).
;allowRegistration = false