matrix
About
An open network for secure, decentralized communication
Preparation
- Assign ip, make it reachable (routing, firewalling).
- Create DNS-Records
sydent
The reference implementation of the Matrix identity service is sydent; you can run your own ID server cluster that tracks third-party-identifier-to-Matrix-ID mappings.
Not useful, yet.
matrix-synapse
Installation
Download the keyring
/etc/apt/sources.list.d/matrix-org.list
# keep only the line matching your Debian release
deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ buster main
deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ bullseye main
deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ bookworm main
Configure
### Move distribution config to the side
mv /etc/matrix-synapse/homeserver.yaml{,_dist}
### Generate a new configuration
/bin/generate_config \
    --config-dir "/etc/matrix-synapse" \
    --data-dir "/var/lib/matrix-synapse" \
    --server-name "matrix.rockstable.it" \
    --report-stats yes --generate-secrets \
    | tee /etc/matrix-synapse/homeserver.yaml
Create and set registration_shared_secret and disable registration:
/etc/matrix-synapse/homeserver.yaml
# vim:ft=yaml,et

## Server ##

# The domain name of the server, with optional explicit port.
# This is used by remote servers to connect to this server,
# e.g. matrix.org, localhost:8080, etc.
# This is also the last part of your UserID.
#
server_name: "matrix.rockstable.it"

# When running as a daemon, the file to store the pid in
pid_file: "/run/matrix-synapse/matrix-synapse.pid"

# The path to the web client which will be served at /_matrix/client/
# if 'webclient' is configured under the 'listeners' configuration.
#
#web_client_location: "/path/to/web/root"

# The public-facing base URL that clients use to access this HS
# (not including _matrix/...). This is the same URL a user would
# enter into the 'custom HS URL' field on their client. If you
# use synapse with a reverse proxy, this should be the URL to reach
# synapse via the proxy.
#public_baseurl: https://example.com/

# Set the soft limit on the number of file descriptors synapse can use
# Zero is used to indicate synapse should set the soft limit to the
# hard limit.
soft_file_limit: 0

# CPU affinity mask. Setting this restricts the CPUs on which the
# process will be scheduled. It is represented as a bitmask, with the
# lowest order bit corresponding to the first logical CPU and the
# highest order bit corresponding to the last logical CPU. Not all CPUs
# may exist on a given system but a mask may specify more CPUs than are
# present.
#
# For example:
#    0x00000001  is processor #0,
#    0x00000003  is processors #0 and #1,
#    0xFFFFFFFF  is all processors (#0 through #31).
#
# Pinning a Python process to a single CPU is desirable, because Python
# is inherently single-threaded due to the GIL, and can suffer a
# 30-40% slowdown due to cache blow-out and thread context switching
# if the scheduler happens to schedule the underlying threads across
# different cores. See
# https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/.
#
# cpu_affinity: 0xFFFFFFFF

# Set to false to disable presence tracking on this homeserver.
#
#use_presence: False

# Whether to require authentication to retrieve profile data (avatars,
# display names) of other users through the client API. Defaults to
# 'false'. Note that profile data is also available via the federation
# API, so this setting is of limited value if federation is enabled on
# the server.
#
#require_auth_for_profile_requests: True

# If set to 'False', requires authentication to access the server's public rooms
# directory through the client API. Defaults to 'True'.
#
#allow_public_rooms_without_auth: False

# If set to 'False', forbids any other homeserver to fetch the server's public
# rooms directory via federation. Defaults to 'True'.
#
#allow_public_rooms_over_federation: False

# The default room version for newly created rooms.
#
# Known room versions are listed here:
# https://matrix.org/docs/spec/#complete-list-of-room-versions
#
# For example, for room version 1, default_room_version should be set
# to "1".
#
#default_room_version: "4"

# The GC threshold parameters to pass to `gc.set_threshold`, if defined
#gc_thresholds: [700, 10, 10]

# Set the limit on the returned events in the timeline in the get
# and sync operations. The default value is -1, means no upper limit.
#filter_timeline_limit: 5000

# Whether room invites to users on this server should be blocked
# (except those sent by local server admins). The default is False.
#block_non_admin_invites: True

# Room searching
#
# If disabled, new messages will not be indexed for searching and users
# will receive errors when searching for messages. Defaults to enabled.
#
#enable_search: False

# Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit
# inbound federation traffic as early as possible, rather than relying
# purely on this application-layer restriction. If not specified, the
# default is to whitelist everything.
#
#federation_domain_whitelist:
#  - lon.example.com
#  - nyc.example.com
#  - syd.example.com

# Prevent federation requests from being sent to the following
# blacklist IP address CIDR ranges. If this option is not specified, or
# specified with an empty list, no ip range blacklist will be enforced.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
federation_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'

# List of ports that Synapse should listen on, their purpose and their
# configuration.
#
# Options for each listener include:
#
#   port: the TCP port to bind to
#
#   bind_addresses: a list of local addresses to listen on. The default is
#       'all local interfaces'.
#
#   type: the type of listener. Normally 'http', but other valid options are:
#       'manhole' (see docs/manhole.md),
#       'metrics' (see docs/metrics-howto.rst),
#       'replication' (see docs/workers.rst).
#
#   tls: set to True to enable TLS for this listener. Will use the TLS
#       key/cert specified in tls_private_key_path / tls_certificate_path.
#
#   x_forwarded: Only valid for an 'http' listener. Set to True to use the
#       X-Forwarded-For header as the client IP. Useful when Synapse is
#       behind a reverse-proxy.
#
#   resources: Only valid for an 'http' listener. A list of resources to host
#       on this port. Options for each resource are:
#
#       names: a list of names of HTTP resources. See below for a list of
#           valid resource names.
#
#       compress: set to True to enable HTTP compression for this resource.
#
#   additional_resources: Only valid for an 'http' listener. A map of
#        additional endpoints which should be loaded via dynamic modules.
#
# Valid resource names are:
#
#   client: the client-server API (/_matrix/client), and the synapse admin
#       API (/_synapse/admin). Also implies 'media' and 'static'.
#
#   consent: user consent forms (/_matrix/consent). See
#       docs/consent_tracking.md.
#
#   federation: the server-server API (/_matrix/federation). Also implies
#       'media', 'keys', 'openid'
#
#   keys: the key discovery API (/_matrix/keys).
#
#   media: the media API (/_matrix/media).
#
#   metrics: the metrics interface. See docs/metrics-howto.rst.
#
#   openid: OpenID authentication.
#
#   replication: the HTTP replication API (/_synapse/replication). See
#       docs/workers.rst.
#
#   static: static resources under synapse/static (/_matrix/static). (Mostly
#       useful for 'fallback authentication'.)
#
#   webclient: A web client. Requires web_client_location to be set.
#
listeners:
  # TLS-enabled listener: for when matrix traffic is sent directly to synapse.
  #
  # Disabled by default. To enable it, uncomment the following. (Note that you
  # will also need to give Synapse a TLS key and certificate: see the TLS section
  # below.)
  #
  #- port: 8448
  #  # This is a 'http' listener, allows us to specify 'resources'.
  #  type: http
  #  tls: True

  #  # Local addresses to listen on.
  #  # On Linux and Mac OS, `::` will listen on all IPv4 and IPv6
  #  # addresses by default. For most other OSes, this will only listen
  #  # on IPv6.
  #  bind_addresses:
  #    - '::1'
  #    - '127.0.0.1'
  #    # - '::'
  #    # - '0.0.0.0'

  #  # Use the X-Forwarded-For (XFF) header as the client IP and not the
  #  # actual client IP.
  #  x_forwarded: False

  #  # List of HTTP resources to serve on this listener.
  #  resources:
  #    - names: federation
  #      compress: False

  # Unsecure HTTP listener:
  # For when matrix traffic passes through a reverse proxy that unwraps TLS.
  #
  # If you plan to use a reverse proxy, please see
  # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.rst.
  #
  - port: 8008
    tls: False
    bind_addresses:
      - '::1'
      - '127.0.0.1'
      # - '::'
      # - '0.0.0.0'
    type: http
    # Use the X-Forwarded-For (XFF) header as the client IP and not the
    # actual client IP.
    x_forwarded: True

    # List of HTTP resources to serve on this listener.
    resources:
      - names: [client, federation]
        compress: True

  # example additional_resources:
  #
  #additional_resources:
  #  "/_matrix/my/custom/endpoint":
  #    module: my_module.CustomRequestHandler
  #    config: {}

  # Turn on the twisted ssh manhole service on localhost on the given
  # port.
  #- port: 9000
  #  bind_addresses:
  #    - '::1'
  #    - '127.0.0.1'
  #  type: manhole


## Homeserver blocking ##

# How to reach the server admin, used in ResourceLimitError
#
#admin_contact: 'mailto:root@rockstable.it'

# Global blocking
#
#hs_disabled: False
#hs_disabled_message: 'Human readable reason for why the HS is blocked'
#hs_disabled_limit_type: 'error code(str), to help clients decode reason'

# Monthly Active User Blocking
#
# Used in cases where the admin or server owner wants to limit to the
# number of monthly active users.
#
# 'limit_usage_by_mau' disables/enables monthly active user blocking. When
# enabled and a limit is reached the server returns a 'ResourceLimitError'
# with error type Codes.RESOURCE_LIMIT_EXCEEDED
#
# 'max_mau_value' is the hard limit of monthly active users above which
# the server will start blocking user actions.
#
# 'mau_trial_days' is a means to add a grace period for active users. It
# means that users must be active for this number of days before they
# can be considered active and guards against the case where lots of users
# sign up in a short space of time never to return after their initial
# session.
#
#limit_usage_by_mau: False
#max_mau_value: 50
#mau_trial_days: 2

# If enabled, the metrics for the number of monthly active users will
# be populated, however no one will be limited. If limit_usage_by_mau
# is True, this is implied to be true.
#
#mau_stats_only: False

# Sometimes the server admin will want to ensure certain accounts are
# never blocked by mau checking. These accounts are specified here.
#
#mau_limit_reserved_threepids:
#  - medium: 'email'
#    address: 'reserved_user@example.com'

# Used by phonehome stats to group together related servers.
#server_context: context

# Whether to require a user to be in the room to add an alias to it.
# Defaults to 'True'.
#
#require_membership_for_aliases: False

# Whether to allow per-room membership profiles through the send of membership
# events with profile information that differ from the target's global profile.
# Defaults to 'True'.
#
#allow_per_room_profiles: False


## TLS ##

# PEM-encoded X509 certificate for TLS.
# This certificate, as of Synapse 1.0, will need to be a valid and verifiable
# certificate, signed by a recognised Certificate Authority.
#
# See 'ACME support' below to enable auto-provisioning this certificate via
# Let's Encrypt.
#
# If supplying your own, be sure to use a `.pem` file that includes the
# full certificate chain including any intermediate certificates (for
# instance, if using certbot, use `fullchain.pem` as your certificate,
# not `cert.pem`).
#
tls_certificate_path: "/etc/letsencrypt/live/matrix.rockstable.it/fullchain.pem"

# PEM-encoded private key for TLS
tls_private_key_path: "/etc/letsencrypt/live/matrix.rockstable.it/privkey.pem"

# PEM dh parameters for ephemeral keys
tls_dh_params_path: "/etc/ssl/dhparam/dhparam_4096.pem"

# Don't bind to the https port
no_tls: False

# Whether to verify TLS server certificates for outbound federation requests.
#
# Defaults to `True`. To disable certificate verification, uncomment the
# following line.
#
#federation_verify_certificates: False

# The minimum TLS version that will be used for outbound federation requests.
#
# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note
# that setting this value higher than `1.2` will prevent federation to most
# of the public Matrix network: only configure it to `1.3` if you have an
# entirely private federation setup and you can ensure TLS 1.3 support.
#
#federation_client_minimum_tls_version: 1.2

# Skip federation certificate verification on the following whitelist
# of domains.
#
# This setting should only be used in very specific cases, such as
# federation over Tor hidden services and similar. For private networks
# of homeservers, you likely want to use a private CA instead.
#
# Only effective if federation_verify_certificates is `True`.
#
#federation_certificate_verification_whitelist:
#  - lon.example.com
#  - *.domain.com
#  - *.onion

# List of custom certificate authorities for federation traffic.
#
# This setting should only normally be used within a private network of
# homeservers.
#
# Note that this list will replace those that are provided by your
# operating environment. Certificates must be in PEM format.
#
#federation_custom_ca_list:
#  - myCA1.pem
#  - myCA2.pem
#  - myCA3.pem

# ACME support: This will configure Synapse to request a valid TLS certificate
# for your configured `server_name` via Let's Encrypt.
#
# Note that provisioning a certificate in this way requires port 80 to be
# routed to Synapse so that it can complete the http-01 ACME challenge.
# By default, if you enable ACME support, Synapse will attempt to listen on
# port 80 for incoming http-01 challenges - however, this will likely fail
# with 'Permission denied' or a similar error.
#
# There are a couple of potential solutions to this:
#
#  * If you already have an Apache, Nginx, or similar listening on port 80,
#    you can configure Synapse to use an alternate port, and have your web
#    server forward the requests. For example, assuming you set 'port: 8009'
#    below, on Apache, you would write:
#
#    ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
#
#  * Alternatively, you can use something like `authbind` to give Synapse
#    permission to listen on port 80.
#
acme:
  # ACME support is disabled by default. Uncomment the following line
  # (and tls_certificate_path and tls_private_key_path above) to enable it.
  #
  #enabled: True

  # Endpoint to use to request certificates. If you only want to test,
  # use Let's Encrypt's staging url:
  #     https://acme-staging.api.letsencrypt.org/directory
  #
  #url: https://acme-v01.api.letsencrypt.org/directory

  # Port number to listen on for the HTTP-01 challenge. Change this if
  # you are forwarding connections through Apache/Nginx/etc.
  #
  #port: 80

  # Local addresses to listen on for incoming connections.
  # Again, you may want to change this if you are forwarding connections
  # through Apache/Nginx/etc.
  #
  #bind_addresses: ['::', '0.0.0.0']

  # How many days remaining on a certificate before it is renewed.
  #
  #reprovision_threshold: 30

  # The domain that the certificate should be for. Normally this
  # should be the same as your Matrix domain (i.e., 'server_name'), but,
  # by putting a file at 'https://<server_name>/.well-known/matrix/server',
  # you can delegate incoming traffic to another server. If you do that,
  # you should give the target of the delegation here.
  #
  # For example: if your 'server_name' is 'example.com', but
  # 'https://example.com/.well-known/matrix/server' delegates to
  # 'matrix.example.com', you should put 'matrix.example.com' here.
  #
  # If not set, defaults to your 'server_name'.
  #
  #domain: matrix.example.com

  # file to use for the account key. This will be generated if it doesn't
  # exist.
  #
  # If unspecified, we will use CONFDIR/client.key.
  #
  account_key_file: /var/lib/matrix-synapse/acme_account.key

# List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that
# make HTTPS requests to this server will check that the TLS
# certificates returned by this server match one of the fingerprints.
#
# Synapse automatically adds the fingerprint of its own certificate
# to the list. So if federation traffic is handled directly by synapse
# then no modification to the list is required.
#
# If synapse is run behind a load balancer that handles the TLS then it
# will be necessary to add the fingerprints of the certificates used by
# the loadbalancers to this list if they are different to the one
# synapse is using.
#
# Homeservers are permitted to cache the list of TLS fingerprints
# returned in the key responses up to the "valid_until_ts" returned in
# key. It may be necessary to publish the fingerprints of a new
# certificate and wait until the "valid_until_ts" of the previous key
# responses have passed before deploying it.
#
# You can calculate a fingerprint from a given TLS listener via:
# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
#   openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
# or by checking matrix.org/federationtester/api/report?server_name=$host
#
#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]


## Database ##

database:
  # The database engine name
  name: "sqlite3"
  # Arguments to pass to the engine
  args:
    # Path to the database
    database: "/var/lib/matrix-synapse/homeserver.db"

# Number of events to cache in memory.
event_cache_size: "10K"


## Logging ##

# A yaml python logging config file
log_config: "/etc/matrix-synapse/log.yaml"


## Ratelimiting ##

# Ratelimiting settings for client actions (registration, login, messaging).
#
# Each ratelimiting configuration is made of two parameters:
#   - per_second: number of requests a client can send per second.
#   - burst_count: number of requests a client can send before being throttled.
#
# Synapse currently uses the following configurations:
#   - one for messages that ratelimits sending based on the account the client
#     is using
#   - one for registration that ratelimits registration requests based on the
#     client's IP address.
#   - one for login that ratelimits login requests based on the client's IP
#     address.
#   - one for login that ratelimits login requests based on the account the
#     client is attempting to log into.
#   - one for login that ratelimits login requests based on the account the
#     client is attempting to log into, based on the amount of failed login
#     attempts for this account.
#
# The defaults are as shown below.
#
#rc_message:
#  per_second: 0.2
#  burst_count: 10
#
#rc_registration:
#  per_second: 0.17
#  burst_count: 3
#
#rc_login:
#  address:
#    per_second: 0.17
#    burst_count: 3
#  account:
#    per_second: 0.17
#    burst_count: 3
#  failed_attempts:
#    per_second: 0.17
#    burst_count: 3


# Ratelimiting settings for incoming federation
#
# The rc_federation configuration is made up of the following settings:
#   - window_size: window size in milliseconds
#   - sleep_limit: number of federation requests from a single server in
#     a window before the server will delay processing the request.
#   - sleep_delay: duration in milliseconds to delay processing events
#     from remote servers by if they go over the sleep limit.
#   - reject_limit: maximum number of concurrent federation requests
#     allowed from a single server
#   - concurrent: number of federation requests to concurrently process
#     from a single server
#
# The defaults are as shown below.
#
#rc_federation:
#  window_size: 1000
#  sleep_limit: 10
#  sleep_delay: 500
#  reject_limit: 50
#  concurrent: 3

# Target outgoing federation transaction frequency for sending read-receipts,
# per-room.
#
# If we end up trying to send out more read-receipts, they will get buffered up
# into fewer transactions.
#
#federation_rr_transactions_per_room_per_second: 50


# Directory where uploaded images and attachments are stored.
media_store_path: "/var/lib/matrix-synapse/media"
#media_store_path: "/var/lib/matrix-synapse/media_store"

# Media storage providers allow media to be stored in different
# locations.
#media_storage_providers:
#  - module: file_system
#    # Whether to write new local files.
#    store_local: False
#    # Whether to write new remote media
#    store_remote: False
#    # Whether to block upload requests waiting for write to this
#    # provider to complete
#    store_synchronous: False
#    config:
#      directory: /mnt/some/other/directory

# Directory where in-progress uploads are stored.
uploads_path: "/var/lib/matrix-synapse/uploads"

# The largest allowed upload size in bytes
max_upload_size: "20M"

# Maximum number of pixels that will be thumbnailed
max_image_pixels: "32M"

# Whether to generate new thumbnails on the fly to precisely match
# the resolution requested by the client. If True then whenever
# a new resolution is requested by the client the server will
# generate a new thumbnail. If False the server will pick a thumbnail
# from a precalculated list.
dynamic_thumbnails: False

# List of thumbnails to precalculate when an image is uploaded.
thumbnail_sizes:
  - width: 32
    height: 32
    method: crop
  - width: 96
    height: 96
    method: crop
  - width: 320
    height: 240
    method: scale
  - width: 640
    height: 480
    method: scale
  - width: 800
    height: 600
    method: scale

# Is the preview URL API enabled?
# 'False' by default: uncomment the following to enable it (and specify a
# url_preview_ip_range_blacklist blacklist).
url_preview_enabled: False

# List of IP address CIDR ranges that the URL preview spider is denied
# from accessing. There are no defaults: you must explicitly
# specify a list for URL previewing to work. You should specify any
# internal services in your network that you do not want synapse to try
# to connect to, otherwise anyone in any Matrix room could cause your
# synapse to issue arbitrary GET requests to your internal services,
# causing serious security issues.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
# This must be specified if url_preview_enabled is set. It is recommended that
# you uncomment the following list as a starting point.
#
url_preview_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'

# List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist.
# This is useful for specifying exceptions to wide-ranging blacklisted
# target IP ranges - e.g. for enabling URL previews for a specific private
# website only visible in your network.
#
#url_preview_ip_range_whitelist:
#  - '192.168.1.1'

# Optional list of URL matches that the URL preview spider is
# denied from accessing. You should use url_preview_ip_range_blacklist
# in preference to this, otherwise someone could define a public DNS
# entry that points to a private IP address and circumvent the blacklist.
# This is more useful if you know there is an entire shape of URL that
# you know you will never want synapse to try to spider.
#
# Each list entry is a dictionary of url component attributes as returned
# by urlparse.urlsplit as applied to the absolute form of the URL. See
# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
# The values of the dictionary are treated as a filename match pattern
# applied to that component of URLs, unless they start with a ^ in which
# case they are treated as a regular expression match. If all the
# specified component matches for a given list item succeed, the URL is
# blacklisted.
#
#url_preview_url_blacklist:
#  # blacklist any URL with a username in its URI
#  - username: '*'
#
#  # blacklist all *.google.com URLs
#  - netloc: 'google.com'
#  - netloc: '*.google.com'
#
#  # blacklist all plain HTTP URLs
#  - scheme: 'http'
#
#  # blacklist http(s)://www.acme.com/foo
#  - netloc: 'www.acme.com'
#    path: '/foo'
#
#  # blacklist any URL with a literal IPv4 address
#  - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'

# The largest allowed URL preview spidering size in bytes
max_spider_size: "10M"


## Captcha ##
# See docs/CAPTCHA_SETUP for full details of configuring this.

# This Home Server's ReCAPTCHA public key.
#recaptcha_public_key: "YOUR_PUBLIC_KEY"

# This Home Server's ReCAPTCHA private key.
#recaptcha_private_key: "YOUR_PRIVATE_KEY"

# Enables ReCaptcha checks when registering, preventing signup
# unless a captcha is answered. Requires a valid ReCaptcha
# public/private key.
enable_registration_captcha: False

# A secret key used to bypass the captcha test entirely.
#captcha_bypass_secret: "YOUR_SECRET_HERE"

# The API endpoint to use for verifying m.login.recaptcha responses.
recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
#recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify"


## TURN ##

# The public URIs of the TURN server to give to clients
turn_uris: [
  "turn:coturn.rockstable.it:3478?transport=udp",
  "turn:coturn.rockstable.it:3478?transport=tcp",
  "turns:coturn.rockstable.it:5349?transport=udp",
  "turns:coturn.rockstable.it:5349?transport=tcp"
]

# The shared secret used to compute passwords for the TURN server
turn_shared_secret: "YOUR_SHARED_SECRET"

# The Username and password if the TURN server needs them and
# does not use a token
#turn_username: "TURNSERVER_USERNAME"
#turn_password: "TURNSERVER_PASSWORD"

# How long generated TURN credentials last
turn_user_lifetime: "1h"

# Whether guests should be allowed to use the TURN server.
# This defaults to True, otherwise VoIP will be unreliable for guests.
# However, it does introduce a slight security risk as it allows users to
# connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA).
turn_allow_guests: False


## Registration ##
#
# Registration can be rate-limited using the parameters in the "Ratelimiting"
# section of this file.

# Enable registration for new users.
enable_registration: False

# Optional account validity configuration. This allows for accounts to be denied
# any request after a given period.
#
# ``enabled`` defines whether the account validity feature is enabled. Defaults
# to False.
#
# ``period`` allows setting the period after which an account is valid
# after its registration. When renewing the account, its validity period
# will be extended by this amount of time. This parameter is required when using
# the account validity feature.
#
# ``renew_at`` is the amount of time before an account's expiry date at which
# Synapse will send an email to the account's email address with a renewal link.
# This needs the ``email`` and ``public_baseurl`` configuration sections to be
# filled.
#
# ``renew_email_subject`` is the subject of the email sent out with the renewal
# link. ``%(app)s`` can be used as a placeholder for the ``app_name`` parameter
# from the ``email`` section.
#
# Once this feature is enabled, Synapse will look for registered users without an
# expiration date at startup and will add one to every account it found using the
# current settings at that time.
# This means that, if a validity period is set, and Synapse is restarted (it will
# then derive an expiration date from the current validity period), and some time
# after that the validity period changes and Synapse is restarted, the users'
# expiration dates won't be updated unless their account is manually renewed. This
# date will be randomly selected within a range [now + period - d ; now + period],
# where d is equal to 10% of the validity period.
#
#account_validity:
#  enabled: True
#  period: 6w
#  renew_at: 1w
#  renew_email_subject: "Renew your %(app)s account"

# Time that a user's session remains valid for, after they log in.
#
# Note that this is not currently compatible with guest logins.
#
# Note also that this is calculated at login time: changes are not applied
# retrospectively to users who have already logged in.
#
# By default, this is infinite.
#
#session_lifetime: 24h

# The user must provide all of the below types of 3PID when registering.
#
#registrations_require_3pid:
#  - email
#  - msisdn

# Explicitly disable asking for MSISDNs from the registration
# flow (overrides registrations_require_3pid if MSISDNs are set as required)
#
#disable_msisdn_registration: True

# Mandate that users are only allowed to associate certain formats of
# 3PIDs with accounts on this server.
#
#allowed_local_3pids:
#  - medium: email
#    pattern: '.*@matrix\.org'
#  - medium: email
#    pattern: '.*@vector\.im'
#  - medium: msisdn
#    pattern: '\+44'

# Enable 3PIDs lookup requests to identity servers from this server.
#
#enable_3pid_lookup: True

# If set, allows registration of standard or admin accounts by anyone who
# has the shared secret, even if registration is otherwise disabled.
registration_shared_secret: "<REGISTRATION_SECRET>"

# Set the number of bcrypt rounds used to generate password hash.
# Larger numbers increase the work factor needed to generate the hash.
# The default number is 12 (which equates to 2^12 rounds).
# N.B. that increasing this will exponentially increase the time required
# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
bcrypt_rounds: 12

# Allows users to register as guests without a password/email/etc, and
# participate in rooms hosted on this server which have been made
# accessible to anonymous users.
allow_guest_access: False

# The identity server which we suggest that clients should use when users log
# in on this server.
#
# (By default, no suggestion is made, so it is left up to the client.
# This setting is ignored unless public_baseurl is also set.)
#
#default_identity_server: https://matrix.org

# The list of identity servers trusted to verify third party
# identifiers by this server.
#
# Also defines the ID server which will be called when an account is
# deactivated (one will be picked arbitrarily).
#
trusted_third_party_id_servers:
  - matrix.org
  - vector.im
  - riot.im

# Users who register on this homeserver will automatically be joined
# to these rooms
852 # to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
853 bcrypt_rounds: 12
854
855 # Allows users to register as guests without a password/email/etc, and
856 # participate in rooms hosted on this server which have been made
857 # accessible to anonymous users.
858 allow_guest_access: False
859
860 # The identity server which we suggest that clients should use when users log
861 # in on this server.
862 #
863 # (By default, no suggestion is made, so it is left up to the client.
864 # This setting is ignored unless public_baseurl is also set.)
865 #
866 #default_identity_server: https://matrix.org
867
868 # The list of identity servers trusted to verify third party
869 # identifiers by this server.
870 #
871 # Also defines the ID server which will be called when an account is
872 # deactivated (one will be picked arbitrarily).
873 #
874 trusted_third_party_id_servers:
875 - matrix.org
876 - vector.im
877 - riot.im
878
879 # Users who register on this homeserver will automatically be joined
880 # to these rooms
881 #auto_join_rooms:
882 # - "#example:example.com"
883
884 # Where auto_join_rooms are specified, setting this flag ensures that the
885 # rooms exist by creating them when the first user on the
886 # homeserver registers.
887 # Setting to False means that if the rooms are not manually created,
888 # users cannot be auto-joined since they do not exist.
889 #
890 #autocreate_auto_join_rooms: True
891
892
893 ## Metrics ###
894
895 # Enable collection and rendering of performance metrics
896 enable_metrics: False
897
898 # Enable sentry integration
899 # NOTE: While attempts are made to ensure that the logs don't contain
900 # any sensitive information, this cannot be guaranteed. By enabling
901 # this option the sentry server may therefore receive sensitive
902 # information, and it in turn may then disseminate sensitive information
903 # through insecure notification channels if so configured.
904 #
905 #sentry:
906 # dsn: "..."
907
908 # Whether or not to report anonymized homeserver usage statistics.
909 report_stats: True
910
911
912 ## API Configuration ##
913
914 # A list of event types that will be included in the room_invite_state
915 room_invite_state_types:
916 - "m.room.join_rules"
917 - "m.room.canonical_alias"
918 - "m.room.avatar"
919 - "m.room.name"
920 - "m.room.encryption"
921
922
923 # A list of application service config files to use
924 app_service_config_files:
925 - /etc/mautrix-telegram/registration.yaml
926
927 # Uncomment to enable tracking of application service IP addresses. Implicitly
928 # enables MAU tracking for application service users.
929 #
930 #track_appservice_user_ips: True
931
932
933 # a secret which is used to sign access tokens. If none is specified,
934 # the registration_shared_secret is used, if one is given; otherwise,
935 # a secret key is derived from the signing key.
936 #
937 #macaroon_secret_key: <PRIVATE STRING>
938 macaroon_secret_key: "<MACAROON_SECRET>"
939
940 # Used to enable access token expiration.
941 expire_access_token: False
942
943 # a secret which is used to calculate HMACs for form values, to stop
944 # falsification of values. Must be specified for the User Consent
945 # forms to work.
946 #
947 form_secret: "<FORM_SECRET>"
948
949 ## Signing Keys ##
950
951 # Path to the signing key to sign messages with
952 signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
953 #signing_key_path: "/etc/matrix-synapse/matrix.rockstable.it.signing.key"
954
955 # The keys that the server used to sign messages with but won't use
956 # to sign new messages. E.g. it has lost its private key
957 old_signing_keys: {}
958 #old_signing_keys:
959 # "ed25519:auto":
960 # # Base64 encoded public key
961 # key: "The public part of your old signing key."
962 # # Millisecond POSIX timestamp when the key expired.
963 # expired_ts: 123456789123
964
965 # How long key response published by this server is valid for.
966 # Used to set the valid_until_ts in /key/v2 APIs.
967 # Determines how quickly servers will query to check which keys
968 # are still valid.
969 key_refresh_interval: "1d"
970
971 # The trusted servers to download signing keys from.
972 #
973 # When we need to fetch a signing key, each server is tried in parallel.
974 #
975 # Normally, the connection to the key server is validated via TLS certificates.
976 # Additional security can be provided by configuring a `verify key`, which
977 # will make synapse check that the response is signed by that key.
978 #
979 # This setting supersedes an older setting named `perspectives`. The old format
980 # is still supported for backwards-compatibility, but it is deprecated.
981 #
982 # Options for each entry in the list include:
983 #
984 # server_name: the name of the server. required.
985 #
986 # verify_keys: an optional map from key id to base64-encoded public key.
987 # If specified, we will check that the response is signed by at least
988 # one of the given keys.
989 #
990 # accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
991 # and federation_verify_certificates is not `True`, synapse will refuse
992 # to start, because this would allow anyone who can spoof DNS responses
993 # to masquerade as the trusted key server. If you know what you are doing
994 # and are sure that your network environment provides a secure connection
995 # to the key server, you can set this to `True` to override this
996 # behaviour.
997 #
998 # An example configuration might look like:
999 #
1000 #trusted_key_servers:
1001 # - server_name: "my_trusted_server.example.com"
1002 # verify_keys:
1003 # "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
1004 # - server_name: "my_other_trusted_server.example.com"
1005 #
1006 # The default configuration is:
1007 #
1008 #trusted_key_servers:
1009 # - server_name: "matrix.org"
1010
1011
1012 # Enable SAML2 for registration and login. Uses pysaml2.
1013 #
1014 # `sp_config` is the configuration for the pysaml2 Service Provider.
1015 # See pysaml2 docs for format of config.
1016 #
1017 # Default values will be used for the 'entityid' and 'service' settings,
1018 # so it is not normally necessary to specify them unless you need to
1019 # override them.
1020 #
1021 # Once SAML support is enabled, a metadata file will be exposed at
1022 # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
1023 # use to configure your SAML IdP with. Alternatively, you can manually configure
1024 # the IdP to use an ACS location of
1025 # https://<server>:<port>/_matrix/saml2/authn_response.
1026 #
1027 #saml2_config:
1028 # sp_config:
1029 # # point this to the IdP's metadata. You can use either a local file or
1030 # # (preferably) a URL.
1031 # metadata:
1032 # #local: ["saml2/idp.xml"]
1033 # remote:
1034 # - url: https://our_idp/metadata.xml
1035 #
1036 # # By default, the user has to go to our login page first. If you'd like to
1037 # # allow IdP-initiated login, set 'allow_unsolicited: True' in a
1038 # # 'service.sp' section:
1039 # #
1040 # #service:
1041 # # sp:
1042 # # allow_unsolicited: True
1043 #
1044 # # The examples below are just used to generate our metadata xml, and you
1045 # # may well not need it, depending on your setup. Alternatively you
1046 # # may need a whole lot more detail - see the pysaml2 docs!
1047 #
1048 # description: ["My awesome SP", "en"]
1049 # name: ["Test SP", "en"]
1050 #
1051 # organization:
1052 # name: Example com
1053 # display_name:
1054 # - ["Example co", "en"]
1055 # url: "http://example.com"
1056 #
1057 # contact_person:
1058 # - given_name: Bob
1059 # sur_name: "the Sysadmin"
1060 # email_address: ["admin@example.com"]
1061 # contact_type: technical
1062 #
1063 # # Instead of putting the config inline as above, you can specify a
1064 # # separate pysaml2 configuration file:
1065 # #
1066 # config_path: "/etc/matrix-synapse/sp_conf.py"
1067 #
1068 # # the lifetime of a SAML session. This defines how long a user has to
1069 # # complete the authentication process, if allow_unsolicited is unset.
1070 # # The default is 5 minutes.
1071 # #
1072 # # saml_session_lifetime: 5m
1073
1074
1075 # Enable CAS for registration and login.
1076 #cas_config:
1077 # enabled: True
1078 # server_url: "https://cas-server.com"
1079 # service_url: "https://homeserver.domain.com:8448"
1080 # #required_attributes:
1081 # # name: value
1082
1083
1084 # The JWT needs to contain a globally unique "sub" (subject) claim.
1085 #
1086 #jwt_config:
1087 # enabled: True
1088 # secret: "a secret"
1089 # algorithm: "HS256"
1090
1091
1092 password_config:
1093 # Uncomment to disable password login
1094 #
1095 #enabled: False
1096
1097 # Uncomment to disable authentication against the local password
1098 # database. This is ignored if `enabled` is False, and is only useful
1099 # if you have other password_providers.
1100 #
1101 #localdb_enabled: False
1102
1103 # Uncomment and change to a secret random string for extra security.
1104 # DO NOT CHANGE THIS AFTER INITIAL SETUP!
1105 #pepper: "EVEN_MORE_SECRET"
1106
1107
1108 # Enable sending emails for password resets, notification events or
1109 # account expiry notices
1110 #
1111 # If your SMTP server requires authentication, the optional smtp_user &
1112 # smtp_pass variables should be used
1113 #
1114 #email:
1115 # enable_notifs: False
1116 # smtp_host: "localhost"
1117 # smtp_port: 25 # SSL: 465, STARTTLS: 587
1118 # smtp_user: "exampleusername"
1119 # smtp_pass: "examplepassword"
1120 # require_transport_security: False
1121 # notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>"
1122 # app_name: Matrix
1123 #
1124 # # Enable email notifications by default
1125 # #
1126 # notif_for_new_users: True
1127 #
1128 # # Defining a custom URL for Riot is only needed if email notifications
1129 # # should contain links to a self-hosted installation of Riot; when set
1130 # # the "app_name" setting is ignored
1131 # #
1132 # riot_base_url: "http://localhost/riot"
1133 #
1134 # # Enable sending password reset emails via the configured, trusted
1135 # # identity servers
1136 # #
1137 # # IMPORTANT! This will give a malicious or overtaken identity server
1138 # # the ability to reset passwords for your users! Make absolutely sure
1139 # # that you want to do this! It is strongly recommended that password
1140 # # reset emails be sent by the homeserver instead
1141 # #
1142 # # If this option is set to False and SMTP options have not been
1143 # # configured, resetting user passwords via email will be disabled
1144 # #
1145 # #trust_identity_server_for_password_resets: False
1146 #
1147 # # Configure the time that a validation email or text message code
1148 # # will expire after sending
1149 # #
1150 # # This is currently used for password resets
1151 # #
1152 # #validation_token_lifetime: 1h
1153 #
1154 # # Template directory. All template files should be stored within this
1155 # # directory. If not set, default templates from within the Synapse
1156 # # package will be used
1157 # #
1158 # # For the list of default templates, please see
1159 # # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
1160 # #
1161 # #template_dir: res/templates
1162 #
1163 # # Templates for email notifications
1164 # #
1165 # notif_template_html: notif_mail.html
1166 # notif_template_text: notif_mail.txt
1167 #
1168 # # Templates for account expiry notices
1169 # #
1170 # expiry_template_html: notice_expiry.html
1171 # expiry_template_text: notice_expiry.txt
1172 #
1173 # # Templates for password reset emails sent by the homeserver
1174 # #
1175 # #password_reset_template_html: password_reset.html
1176 # #password_reset_template_text: password_reset.txt
1177 #
1178 # # Templates for password reset success and failure pages that a user
1179 # # will see after attempting to reset their password
1180 # #
1181 # #password_reset_template_success_html: password_reset_success.html
1182 # #password_reset_template_failure_html: password_reset_failure.html
1183
1184
1185 #password_providers:
1186 # - module: "ldap_auth_provider.LdapAuthProvider"
1187 # config:
1188 # enabled: True
1189 # uri: "ldap://ldap.example.com:389"
1190 # start_tls: True
1191 # base: "ou=users,dc=example,dc=com"
1192 # attributes:
1193 # uid: "cn"
1194 # mail: "email"
1195 # name: "givenName"
1196 # #bind_dn:
1197 # #bind_password:
1198 # #filter: "(objectClass=posixAccount)"
1199
1200
1201
1202 # Clients requesting push notifications can either have the body of
1203 # the message sent in the notification poke along with other details
1204 # like the sender, or just the event ID and room ID (`event_id_only`).
1205 # If clients choose the former, this option controls whether the
1206 # notification request includes the content of the event (other details
1207 # like the sender are still included). For `event_id_only` push, it
1208 # has no effect.
1209 #
1210 # For modern android devices the notification content will still appear
1211 # because it is loaded by the app. iPhone, however will send a
1212 # notification saying only that a message arrived and who it came from.
1213 #
1214 #push:
1215 # include_content: True
1216
1217
1218 #spam_checker:
1219 # module: "my_custom_project.SuperSpamChecker"
1220 # config:
1221 # example_option: 'things'
1222
1223
1224 # Uncomment to allow non-server-admin users to create groups on this server
1225 enable_group_creation: True
1226
1227 # If enabled, non server admins can only create groups with local parts
1228 # starting with this prefix
1229 #group_creation_prefix: "unofficial/"
1230
1231
1232
1233 # User Directory configuration
1234 #
1235 # 'enabled' defines whether users can search the user directory. If
1236 # False then empty responses are returned to all queries. Defaults to
1237 # True.
1238 #
1239 # 'search_all_users' defines whether to search all users visible to your HS
1240 # when searching the user directory, rather than limiting to users visible
1241 # in public rooms. Defaults to False. If you set it True, you'll have to
1242 # rebuild the user_directory search indexes, see
1243 # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md
1244 #
1245 #user_directory:
1246 # enabled: True
1247 # search_all_users: False
1248
1249
1250 # User Consent configuration
1251 #
1252 # for detailed instructions, see
1253 # https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md
1254 #
1255 # Parts of this section are required if enabling the 'consent' resource under
1256 # 'listeners', in particular 'template_dir' and 'version'.
1257 #
1258 # 'template_dir' gives the location of the templates for the HTML forms.
1259 # This directory should contain one subdirectory per language (eg, 'en', 'fr'),
1260 # and each language directory should contain the policy document (named as
1261 # '<version>.html') and a success page (success.html).
1262 #
1263 # 'version' specifies the 'current' version of the policy document. It defines
1264 # the version to be served by the consent resource if there is no 'v'
1265 # parameter.
1266 #
1267 # 'server_notice_content', if enabled, will send a user a "Server Notice"
1268 # asking them to consent to the privacy policy. The 'server_notices' section
1269 # must also be configured for this to work. Notices will *not* be sent to
1270 # guest users unless 'send_server_notice_to_guests' is set to True.
1271 #
1272 # 'block_events_error', if set, will block any attempts to send events
1273 # until the user consents to the privacy policy. The value of the setting is
1274 # used as the text of the error.
1275 #
1276 # 'require_at_registration', if enabled, will add a step to the registration
1277 # process, similar to how captcha works. Users will be required to accept the
1278 # policy before their account is created.
1279 #
1280 # 'policy_name' is the display name of the policy users will see when registering
1281 # for an account. Has no effect unless `require_at_registration` is enabled.
1282 # Defaults to "Privacy Policy".
1283 #
1284 #user_consent:
1285 # template_dir: res/templates/privacy
1286 # version: 1.0
1287 # server_notice_content:
1288 # msgtype: m.text
1289 # body: >-
1290 # To continue using this homeserver you must review and agree to the
1291 # terms and conditions at %(consent_uri)s
1292 # send_server_notice_to_guests: True
1293 # block_events_error: >-
1294 # To continue using this homeserver you must review and agree to the
1295 # terms and conditions at %(consent_uri)s
1296 # require_at_registration: False
1297 # policy_name: Privacy Policy
1298 #
1299
1300
1301
1302 # Local statistics collection. Used in populating the room directory.
1303 #
1304 # 'bucket_size' controls how large each statistics timeslice is. It can
1305 # be defined in a human readable short form -- e.g. "1d", "1y".
1306 #
1307 # 'retention' controls how long historical statistics will be kept for.
1308 # It can be defined in a human readable short form -- e.g. "1d", "1y".
1309 #
1310 #
1311 #stats:
1312 # enabled: True
1313 # bucket_size: 1d
1314 # retention: 1y
1315
1316
1317 # Server Notices room configuration
1318 #
1319 # Uncomment this section to enable a room which can be used to send notices
1320 # from the server to users. It is a special room which cannot be left; notices
1321 # come from a special "notices" user id.
1322 #
1323 # If you uncomment this section, you *must* define the system_mxid_localpart
1324 # setting, which defines the id of the user which will be used to send the
1325 # notices.
1326 #
1327 # It's also possible to override the room name, the display name of the
1328 # "notices" user, and the avatar for the user.
1329 #
1330 #server_notices:
1331 # system_mxid_localpart: notices
1332 # system_mxid_display_name: "Server Notices"
1333 # system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ"
1334 # room_name: "Server Notices"
1335
1336
1337
1338 # Uncomment to disable searching the public room list. When disabled
1339 # blocks searching local and remote room lists for local and remote
1340 # users by always returning an empty list for all queries.
1341 #
1342 #enable_room_list_search: False
1343
1344 # The `alias_creation` option controls who's allowed to create aliases
1345 # on this server.
1346 #
1347 # The format of this option is a list of rules that contain globs that
1348 # match against user_id, room_id and the new alias (fully qualified with
1349 # server name). The action in the first rule that matches is taken,
1350 # which can currently either be "allow" or "deny".
1351 #
1352 # Missing user_id/room_id/alias fields default to "*".
1353 #
1354 # If no rules match the request is denied. An empty list means no one
1355 # can create aliases.
1356 #
1357 # Options for the rules include:
1358 #
1359 # user_id: Matches against the creator of the alias
1360 # alias: Matches against the alias being created
1361 # room_id: Matches against the room ID the alias is being pointed at
1362 # action: Whether to "allow" or "deny" the request if the rule matches
1363 #
1364 # The default is:
1365 #
1366 #alias_creation_rules:
1367 # - user_id: "*"
1368 # alias: "*"
1369 # room_id: "*"
1370 # action: allow
1371
1372 # The `room_list_publication_rules` option controls who can publish and
1373 # which rooms can be published in the public room list.
1374 #
1375 # The format of this option is the same as that for
1376 # `alias_creation_rules`.
1377 #
1378 # If the room has one or more aliases associated with it, only one of
1379 # the aliases needs to match the alias rule. If there are no aliases
1380 # then only rules with `alias: *` match.
1381 #
1382 # If no rules match the request is denied. An empty list means no one
1383 # can publish rooms.
1384 #
1385 # Options for the rules include:
1386 #
1387 # user_id: Matches against the creator of the alias
1388 # room_id: Matches against the room ID being published
1389 # alias: Matches against any current local or canonical aliases
1390 # associated with the room
1391 # action: Whether to "allow" or "deny" the request if the rule matches
1392 #
1393 # The default is:
1394 #
1395 #room_list_publication_rules:
1396 # - user_id: "*"
1397 # alias: "*"
1398 # room_id: "*"
1399 # action: allow
1400
1401
1402 # Server admins can define a Python module that implements extra rules for
1403 # allowing or denying incoming events. In order to work, this module needs to
1404 # override the methods defined in synapse/events/third_party_rules.py.
1405 #
1406 # This feature is designed to be used in closed federations only, where each
1407 # participating server enforces the same rules.
1408 #
1409 #third_party_event_rules:
1410 # module: "my_custom_project.SuperRulesSet"
1411 # config:
1412 # example_option: 'things'
1413
1414
1415 ## Opentracing ##
1416
1417 # These settings enable opentracing, which implements distributed tracing.
1418 # This allows you to observe the causal chains of events across servers
1419 # including requests, key lookups etc., across any server running
1420 # synapse or any other services which support opentracing
1421 # (specifically those implemented with Jaeger).
1422 #
1423 opentracing:
1424 # tracing is disabled by default. Uncomment the following line to enable it.
1425 #
1426 #enabled: True
1427
1428 # The list of homeservers we wish to send and receive span contexts and span baggage.
1429 # See docs/opentracing.rst
1430 # This is a list of regexes which are matched against the server_name of the
1431 # homeserver.
1432 #
1433 # By default, it is empty, so no servers are matched.
1434 #
1435 #homeserver_whitelist:
1436 # - ".*"
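The registration_shared_secret setting above says only that anyone holding the secret may register accounts even when registration is closed. What actually travels over the wire is worth seeing: this added Python example (mine, not Synapse's own code) reproduces the scheme used by Synapse's register_new_matrix_user tool and its /_synapse/admin/v1/register endpoint. The client fetches a fresh nonce, then sends nonce, username, password, admin flag and an HMAC-SHA1 over those fields keyed with the shared secret; the secret itself never leaves either side, the server recomputes the MAC and compares it in constant time, and a nonce is consumed on first use whether or not the MAC checks out. The secret and user values below are constructed placeholders.

```python
"""Shared-secret registration MAC (added example, not Synapse's own code).

Client and server halves of the nonce + HMAC-SHA1 exchange that gates
registration with registration_shared_secret. Values are placeholders.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Set


def registration_mac(shared_secret: str, nonce: str, username: str, password: str,
                     admin: bool = False, user_type: Optional[str] = None) -> str:
    """Client side: hex HMAC-SHA1 over nonce\\0user\\0password\\0admin-flag[\\0user_type]."""
    mac = hmac.new(shared_secret.encode("utf8"), digestmod=hashlib.sha1)
    mac.update(nonce.encode("utf8"))
    mac.update(b"\x00")
    mac.update(username.encode("utf8"))
    mac.update(b"\x00")
    mac.update(password.encode("utf8"))
    mac.update(b"\x00")
    mac.update(b"admin" if admin else b"notadmin")
    if user_type:
        mac.update(b"\x00")
        mac.update(user_type.encode("utf8"))
    return mac.hexdigest()


class RegistrationVerifier:
    """Server side: hands out single-use nonces and checks the client's MAC."""

    def __init__(self, shared_secret: str) -> None:
        self._secret = shared_secret
        self._nonces: Set[str] = set()

    def new_nonce(self) -> str:
        """Issue a random nonce; the client must echo it in the signed request."""
        nonce = secrets.token_hex(32)
        self._nonces.add(nonce)
        return nonce

    def verify(self, nonce: str, username: str, password: str, admin: bool,
               mac: str, user_type: Optional[str] = None) -> bool:
        """True only for a known, unused nonce and a MAC made with our secret."""
        if nonce not in self._nonces:
            return False              # unknown or already used nonce
        self._nonces.discard(nonce)   # burn it even if the MAC turns out wrong
        expected = registration_mac(self._secret, nonce, username, password, admin, user_type)
        return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    # "<REGISTRATION_SECRET>" is a placeholder, not a real secret.
    server = RegistrationVerifier("<REGISTRATION_SECRET>")
    nonce = server.new_nonce()
    mac = registration_mac("<REGISTRATION_SECRET>", nonce, "alice", "correct horse", admin=False)
    print("valid request:", server.verify(nonce, "alice", "correct horse", False, mac))
    print("nonce replay:", server.verify(nonce, "alice", "correct horse", False, mac))
    tampered = server.new_nonce()
    print("admin flag flipped:", server.verify(tampered, "alice", "correct horse", True,
                                               registration_mac("<REGISTRATION_SECRET>", tampered,
                                                                "alice", "correct horse", False)))
```

Synapse additionally expires unused nonces after a short time; that timer is left out here so the example stays self-contained. The point for a defender is that the MAC binds the admin flag to the nonce, so a captured registration request cannot be replayed or upgraded to an admin account.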
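The alias_creation_rules and room_list_publication_rules comments above describe a small policy language: glob rules over user_id, room_id and alias, missing fields defaulting to "*", first match wins, and default deny when nothing matches. The following added Python example (my own, not Synapse's implementation) evaluates such rule lists so the semantics can be checked against a concrete policy before it goes into homeserver.yaml. The example.org policy is constructed sample data; the one generalization over the text is that a request may carry several aliases, which is how the publication rules are described.

```python
"""Evaluator for alias_creation_rules / room_list_publication_rules.

Added example, not Synapse's own code. Semantics follow the config comments:
all of a rule's user_id / room_id / alias globs must match, a missing field
means "*", the first matching rule's action decides, and no match (including
an empty rule list) is a deny. For publication rules a room may carry several
aliases: one matching alias suffices, and a room with no aliases only
satisfies an alias glob that is exactly "*".
"""
import re
from typing import Dict, List, Sequence

Rule = Dict[str, str]


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate a glob ('*' = any run, '?' = one char) into a regex for fullmatch."""
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def rule_matches(rule: Rule, user_id: str, room_id: str, aliases: Sequence[str]) -> bool:
    """True when every field of the rule matches the request."""
    if not glob_to_regex(rule.get("user_id", "*")).fullmatch(user_id):
        return False
    if not glob_to_regex(rule.get("room_id", "*")).fullmatch(room_id):
        return False
    alias_glob = rule.get("alias", "*")
    if not aliases:
        # Nothing to test the alias glob against: only the wildcard rule matches.
        return alias_glob == "*"
    alias_re = glob_to_regex(alias_glob)
    return any(alias_re.fullmatch(alias) for alias in aliases)


def is_allowed(rules: List[Rule], user_id: str, room_id: str, aliases: Sequence[str]) -> bool:
    """First-match evaluation; anything that reaches the end is denied."""
    for rule in rules:
        if rule_matches(rule, user_id, room_id, aliases):
            return rule.get("action") == "allow"
    return False


# Synapse's documented default: everyone may create aliases / publish rooms.
DEFAULT_RULES: List[Rule] = [
    {"user_id": "*", "alias": "*", "room_id": "*", "action": "allow"}
]

# Constructed sample policy (domain example.org is an assumption): nothing may
# point at the quarantined room, the admin may do anything else, other local
# users only get aliases under the #community- prefix, and remote users match
# no allow rule at all, so they fall through to the default deny.
SAMPLE_RULES: List[Rule] = [
    {"room_id": "!quarantined:example.org", "action": "deny"},
    {"user_id": "@admin:example.org", "action": "allow"},
    {"user_id": "@*:example.org", "alias": "#community-*:example.org", "action": "allow"},
]

if __name__ == "__main__":
    checks = [
        ("@admin:example.org", "!ops:example.org", ["#ops:example.org"]),
        ("@admin:example.org", "!quarantined:example.org", ["#ops:example.org"]),
        ("@bob:example.org", "!chess:example.org", ["#community-chess:example.org"]),
        ("@bob:example.org", "!chess:example.org", ["#ops:example.org"]),
        ("@eve:other.example", "!chess:example.org", ["#community-x:example.org"]),
    ]
    for user, room, aliases in checks:
        verdict = "allow" if is_allowed(SAMPLE_RULES, user, room, aliases) else "deny"
        print(f"{user} {room} {aliases} -> {verdict}")
```

Because evaluation stops at the first match, deny rules for specific rooms or users belong before the broad allow rules, as in the sample policy; placed after them they never fire.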
Migration to postgres
Matrix-synapse and the mautrix bridges were relatively slow when using Riot; joining a room, for example, took too long for me. Let's try to speed it up using postgres.
https://github.com/matrix-org/synapse/blob/master/docs/postgres.rst
Preparation
[postgres#Create database]
Make sure the python3 postgres driver is installed
apt install python3-psycopg2
Create some copies of your homeserver.yaml.
Adjust the matrix config to use a postgres database: /etc/matrix-synapse/homeserver-postgres.yaml
## Database ##

#database:
#  # The database engine name
#  name: "sqlite3"
#  # Arguments to pass to the engine
#  args:
#    # Path to the database
#    database: "/var/lib/matrix-synapse/homeserver.db"

database:
  name: psycopg2
  args:
    user: matrix-synapse
    password: password_redacted
    database: matrix-synapse
    host: localhost
    cp_min: 5
    cp_max: 10
Migrate
Stop Matrix-Synapse to get a clean copy of the database, and start it again afterwards.
systemctl stop mautrix-telegram.service
systemctl stop mautrix-whatsapp.service
systemctl stop matrix-synapse.service
cp /var/lib/matrix-synapse/homeserver.db{,.snapshot}
systemctl start matrix-synapse.service
systemctl start mautrix-whatsapp.service
systemctl start mautrix-telegram.service
Continuously migrate the database from newer and newer snapshots. The flag --curses gives a progress UI.
When the database is up to date, exchange the configurations.
systemctl stop mautrix-telegram.service
systemctl stop mautrix-whatsapp.service
systemctl stop matrix-synapse.service
synapse_port_db \
  --sqlite-database "/var/lib/matrix-synapse/homeserver.db.snapshot" \
  --postgres-config "/etc/matrix-synapse/homeserver-postgres.yaml"
cp /etc/matrix-synapse/homeserver{,-sqlite3}.yaml
cp /etc/matrix-synapse/homeserver{-postgres,}.yaml
systemctl start matrix-synapse.service
systemctl start mautrix-whatsapp.service
systemctl start mautrix-telegram.service
Password reset
Github matrix-org/synapse password-reset
Read or generate a new password and store it in the variable PASSWORD
oneliners#Ask for password
Reset the password
### DEPENDS ON YOUR INSTALLATION
#su - postgres
su - matrix-synapse -s /bin/bash
MATRIX_NAME="@user:domain.tld"
PASSWORD="$(pwgen 16 1)"
echo "$PASSWORD"

### If a password pepper is set in homeserver.yaml, hash_password must read it,
### otherwise the stored hash will never verify:
###   hash_password -c /etc/matrix-synapse/homeserver.yaml -p "$PASSWORD"
MATRIX_HASH="$(hash_password -p "$PASSWORD")"

### Heredoc lines are not indented so that <<- has nothing to strip.
psql -U matrix-synapse -d matrix-synapse <<-EOS
UPDATE users
SET password_hash='$MATRIX_HASH'
WHERE name='$MATRIX_NAME';
EOS
I think this UX could be designed to be somewhat more usable.
Nginx
Serves as:
- Reverse proxy for matrix-synapse
- Webserver for Riot
- Service-Discovery for Matrix (Servers and Clients)
- (Optionally) as a proxy for ACME challenges to matrix-synapse
Install
aptitude install python-certbot-nginx nginx
Configure
/etc/nginx/sites-available/matrix.conf
# generated 2019-08-09, https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=modern
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    include include/matrix.include;
}

server {
    listen 8448 ssl default_server;
    listen [::]:8448 ssl default_server;

    include include/matrix.include;
}
/etc/nginx/include/matrix.include
server_name
    matrix.rockstable.it
    matrix1.rockstable.it
    matrix.rockstable.org
    matrix1.rockstable.org;

# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/matrix.rockstable.it/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrix.rockstable.it/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

ssl_dhparam /etc/ssl/dhparam/dhparam_4096.pem;
#ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

# modern configuration
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;

ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options SAMEORIGIN;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/matrix.rockstable.it/chain.pem;

# replace with the IP address of your resolver
resolver 127.0.0.1;

location ~ ^(/_matrix|/_synapse/client) {
    # note: do not add a path (even a single /) after the port in `proxy_pass`,
    # otherwise nginx will canonicalise the URI and cause signature verification
    # errors.
    proxy_pass http://localhost:8008;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;

    # Nginx by default only allows file uploads up to 1M in size
    # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
    client_max_body_size 50M;
}

location /public/telegram {
    proxy_pass http://localhost:8081;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
}

#location /.well-known/acme-challenge {
#    proxy_pass http://localhost:8009;
#}

### Serve files "client" and "server"
location /.well-known/matrix {
    alias /var/www/html/.well-known/matrix;
    default_type "application/json; charset=utf-8";
}

### RIOT-WEB
root /opt/Riot/resources/webapp;
index index.html index.htm;

location / {
    try_files $uri $uri/ =404;
}

access_log /var/log/nginx/riot_access.log;
### INCREASE TO "max_upload_size" OF MATRIX-SYNAPSE
client_max_body_size 20M;
Adjust boot order
Nginx won't start if the upstream server can't be reached, so matrix-synapse.service must be started before nginx.service. This can easily be achieved by adding the line
Before=nginx.service
to /etc/systemd/system/multi-user.target.wants/matrix-synapse.service
[Unit]
Description=Synapse Matrix homeserver
ConditionPathExists=/etc/matrix-synapse/conf.d/server_name.yaml
Before=nginx.service

[Service]
Type=simple
User=matrix-synapse
WorkingDirectory=/var/lib/matrix-synapse
EnvironmentFile=/etc/default/matrix-synapse
ExecStartPre=/usr/bin/python3 -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --generate-keys
ExecStart=/usr/bin/python3 -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/
Restart=on-failure
RestartSec=3

[Install]
WantedBy=multi-user.target
.well-known
https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client
mkdir -p /var/www/html/.well-known/matrix
/var/www/html/.well-known/matrix/client
/var/www/html/.well-known/matrix/server
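The two files above, together with the port 8448 server block in nginx, exist so that other homeservers and clients can discover where matrix.rockstable.it actually lives. This added Python example (mine, not code from the page or from Synapse) builds both discovery documents and walks the delegation steps of the Matrix server-server spec ("Resolving server names"): IP literal or explicit port first, then /.well-known/matrix/server, then the _matrix._tcp SRV record, then port 8448 on the bare hostname. Lookups are injected as callbacks, so it runs offline against the constructed sample environment at the bottom; example.org, srv.example and broken.example are placeholders, not real deployments.

```python
"""Matrix server-name resolution (added example, not from the page or Synapse).

Follows the server-server spec's delegation order with lookups injected as
callbacks, and builds the /.well-known/matrix/{client,server} documents.
All hostnames below are constructed placeholders.
"""
import ipaddress
import json
from typing import Callable, Optional, Tuple

DEFAULT_PORT = 8448

# (host to connect to, port to connect to, value of the Host header)
Target = Tuple[str, int, str]


def well_known_server(delegate_to: str) -> str:
    """Body of /.well-known/matrix/server: where federation traffic goes."""
    return json.dumps({"m.server": delegate_to})


def well_known_client(base_url: str, identity_base_url: Optional[str] = None) -> str:
    """Body of /.well-known/matrix/client: which homeserver clients should use."""
    doc = {"m.homeserver": {"base_url": base_url}}
    if identity_base_url:
        doc["m.identity_server"] = {"base_url": identity_base_url}
    return json.dumps(doc)


def split_host_port(name: str) -> Tuple[str, Optional[int]]:
    """'host', 'host:port' or '[v6]:port' -> (host, port or None)."""
    if name.startswith("["):
        host, _, rest = name[1:].partition("]")
        return host, (int(rest[1:]) if rest.startswith(":") else None)
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return name, None


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_well_known_server(body: Optional[str]) -> Optional[str]:
    """Return the m.server value, or None for a missing or invalid document."""
    if body is None:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    target = doc.get("m.server") if isinstance(doc, dict) else None
    return target if isinstance(target, str) and target else None


def resolve_server_name(
    server_name: str,
    fetch_well_known: Callable[[str], Optional[str]],
    lookup_srv: Callable[[str], Optional[Tuple[str, int]]],
) -> Target:
    host, port = split_host_port(server_name)
    # Steps 1-2: an IP literal or an explicit port is used as given; no
    # delegation is consulted and the Host header keeps the literal/port.
    if is_ip_literal(host) or port is not None:
        return host, port or DEFAULT_PORT, server_name
    # Step 3: .well-known delegation. An invalid document counts as absent.
    delegated = parse_well_known_server(fetch_well_known(host))
    if delegated is not None:
        d_host, d_port = split_host_port(delegated)
        if is_ip_literal(d_host) or d_port is not None:
            return d_host, d_port or DEFAULT_PORT, delegated
        srv = lookup_srv(f"_matrix._tcp.{d_host}")
        if srv is not None:
            return srv[0], srv[1], d_host
        return d_host, DEFAULT_PORT, d_host
    # Steps 4-5: SRV on the original name, else port 8448 on the hostname.
    srv = lookup_srv(f"_matrix._tcp.{host}")
    if srv is not None:
        return srv[0], srv[1], host
    return host, DEFAULT_PORT, host


# Constructed sample environment; nothing here is looked up over the network.
SAMPLE_WELL_KNOWN = {
    "example.org": well_known_server("matrix.example.org:8448"),
    "broken.example": "<html>not json</html>",
}
SAMPLE_SRV = {
    "_matrix._tcp.srv.example": ("synapse.srv.example", 8448),
}


def demo(server_name: str) -> Target:
    """Resolve a name against the sample environment above."""
    return resolve_server_name(server_name, SAMPLE_WELL_KNOWN.get, SAMPLE_SRV.get)


if __name__ == "__main__":
    for name in ("example.org", "srv.example", "broken.example", "10.0.0.1:443", "[::1]"):
        print(name, "->", demo(name))
```

Note that the Host header a peer sends is the delegated name, not the target of the SRV record, which is why the 8448 server block above carries the same server_name list as the 443 block. The order shown is the one the spec had when this page was written; newer revisions insert a `_matrix-fed._tcp` SRV lookup ahead of `_matrix._tcp`.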
Riot
Element (formerly known as Vector and Riot) is a Matrix web client built using the Matrix React SDK.
About
Riot has been rebranded to Element.
Install Riot
Add a more "current" repository to your package manager
wget -O /usr/share/keyrings/riot-im-archive-keyring.gpg \
  "https://packages.riot.im/debian/riot-im-archive-keyring.gpg"
echo "deb [signed-by=/usr/share/keyrings/riot-im-archive-keyring.gpg]" \
  "https://packages.riot.im/debian/ $(lsb_release -cs) main" \
  |tee /etc/apt/sources.list.d/riot-im.list
apt update
apt install riot-web
#apt install element-desktop
Configure
Configure riot-web to your needs in /opt/Riot/resources/webapp/config.json
{
  "default_server_config": {
    "m.homeserver": {
      "base_url": "https://matrix.rockstable.it",
      "server_name": "matrix.rockstable.it"
    },
    "m.identity_server": {
      "base_url": "https://vector.im"
    }
  },
  "disable_custom_urls": false,
  "disable_guests": true,
  "disable_login_language_selector": false,
  "disable_3pid_login": false,
  "update_base_url": "https://packages.riot.im/desktop/update/",
  "brand": "Rockstable Chat - Riot",
  "default_federate": true,
  "default_theme": "light",
  "integrations_ui_url": "https://scalar.vector.im/",
  "integrations_rest_url": "https://scalar.vector.im/api",
  "integrations_widgets_urls": [
    "https://scalar-staging.vector.im/api",
    "https://scalar-staging.riot.im/scalar/api",
    "https://scalar.vector.im/api"
  ],
  "hosting_signup_link": "https://modular.im/?utm_source=riot-web&utm_medium=web",
  "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
  "welcomeUserId": "@riot-bot:matrix.rockstable.it",
  "roomDirectory": {
    "servers": [
      "matrix.rockstable.it",
      "matrix.org"
    ]
  },
  "piwik": {
    "url": "https://piwik.riot.im/",
    "siteId": 1,
    "policyUrl": "https://matrix.org/docs/guides/riot_im_cookie_policy"
  },
  "phasedRollOut": {
    "feature_lazyloading": {
      "offset": 1539684000000,
      "period": 604800000
    }
  },
  "showLabsSettings": true,
  "features": {
    "feature_dnd": true,
    "feature_new_spinner": true,
    "feature_pinning": true,
    "feature_mjolnir": true,
    "feature_jitsi": true,
    "feature_latex_maths": true,
    "feature_tag_panel": true
  },
  "enable_presence_by_hs_url": {
    "https://matrix.org": false
  },
  "terms_and_conditions_links": [
    {
      "url": "https://riot.im/privacy",
      "text": "Privacy Policy"
    },
    {
      "url": "https://matrix.org/docs/guides/riot_im_cookie_policy",
      "text": "Cookie Policy"
    }
  ]
}
Point the old nginx riot-web config to the element directories (/etc/nginx/include/matrix.include). Note that this serves the client from the same origin as the homeserver API under /_matrix. element-web's own documentation recommends hosting the client on a different domain from the homeserver, because the media repository serves arbitrary user-uploaded content, which on a shared origin can be turned into cross-site scripting against the client. If you keep both on one host, at least set the response headers included below.
server_name
    matrix.rockstable.it
    matrix1.rockstable.it
    matrix.rockstable.org
    matrix1.rockstable.org;

# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/matrix.rockstable.it/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrix.rockstable.it/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

ssl_dhparam /etc/ssl/dhparam/dhparam_4096.pem;
#ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

# TLS 1.2 and 1.3 only; with this suite list the client's preference is honoured
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;

ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# Headers element-web asks its hosts to set (clickjacking and MIME sniffing)
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "frame-ancestors 'self'";

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/matrix.rockstable.it/chain.pem;

# replace with the IP address of your resolver
resolver 127.0.0.1;

### SYNAPSE (client and federation API; newer Synapse versions also need
### /_synapse/client proxied for SSO and password-reset pages)
location ~ ^(/_matrix|/_synapse/client) {
    proxy_pass http://localhost:8008;
    # Synapse only honours X-Forwarded-For when its listener has x_forwarded: true
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
    proxy_http_version 1.1;
}

location /public/telegram {
    proxy_pass http://localhost:8081;
    proxy_set_header X-Forwarded-For $remote_addr;
}

#location /.well-known/acme-challenge {
#    proxy_pass http://localhost:8009;
#}

### Serve files "client" and "server"
location /.well-known/matrix {
    alias /var/www/html/.well-known/matrix;
    default_type "application/json; charset=utf-8";
}

### ELEMENT-WEB
root /opt/element-web/webapp;
index index.html index.htm;

location / {
    try_files $uri $uri/ =404;
}

access_log /var/log/nginx/element_access.log;
# Effective upload limit when lower than max_upload_size in homeserver.yaml
client_max_body_size 20M;
Element
Element (formerly known as Vector and Riot) is a Matrix web client built using the Matrix React SDK.
About
- For a developer it might be a good idea to install node.js in the respective home directory with nvm: https://github.com/nvm-sh/nvm
Install node.js
You need a current node.js to build element.
When I tried building the current Element with classic yarn (version < 2.0), I received errors during the build such as yarn "SyntaxError: Unexpected token '?'".
Install node.js by script
Install node.js from nodesource.com via script
The script is pretty straightforward and a good option. Mind that this script also configures apt preferences that give nsolid and nodejs from this repository a priority of 600.
Install node.js manually
Add the NodeSource signing key to your keyring
/etc/apt/sources.list.d/nodesource.list
Install nodejs
Install node.js with tar archive
Download and unpack node.js
Well … not really a good idea.
Prepare yarn
Current yarn (v≥2.0)
There are several ways to install node.js
https://nodejs.dev/download/package-manager/
I decided to go with a binary distribution from nodesource.
- It's packaged and signed
Install npm and yarn
Classic yarn (v<2.0)
Deprecated
Install yarn and node.js
curl -sS 'https://dl.yarnpkg.com/debian/pubkey.gpg' \
  |gpg --dearmor > /usr/share/keyrings/yarn-keyring.gpg
### Bind the key to this repository only with signed-by; do not link it into
### /etc/apt/trusted.gpg.d, which would let it sign any repository
echo "deb [signed-by=/usr/share/keyrings/yarn-keyring.gpg] https://dl.yarnpkg.com/debian/ stable main" \
  |tee /etc/apt/sources.list.d/yarn.list
apt update && \
  aptitude install yarn
Install Element
There is no package for element-web in the repository. So we start from source.
Initially clone the repository
Build the client with yarn
### UPDATE THE REPOSITORY (fetch, not pull: after the first run HEAD is detached on a tag)
git fetch --tags --prune origin
### DETERMINE AND CHECKOUT LATEST VERSION (skip release candidates)
LATEST="$(git tag |grep -v rc |sort -V |tail -n1)"
git checkout "$LATEST"
#CREATE A "config.json" E.G. FROM "config.sample.json" OR OLD CONFIG
### INSTALL DEPENDENCIES
yarn install
### CREATE DIRECTORY "webapp" FOR USAGE WITH WEBSERVER
yarn build
#yarn dist
Configuration Element
Video Conferencing
Stream of Desktop
This kind of desktop streaming is highly unreliable and inflexible with Riot. Try Nextcloud Talk instead.
Install v4l2loopback
### the dkms package provides the kernel module, -utils the control tool
aptitude install v4l2loopback-dkms v4l2loopback-utils
Load kernel module
modprobe v4l2loopback
Grab video from X11 and stream it to /dev/video0
TURN Server
TURN: Traversal Using Relays around NAT (RFC 5766), the relay that WebRTC clients fall back to when a direct or STUN-assisted connection fails.
To debug use in
Firefox: about:webrtc
Chrome: chrome://webrtc-internals/
Turnserver Firewalling
Src | Dst        | Dst-Port                         | Rationale
ANY | TURNSERVER | tcp/80, tcp/443                  | TURN over the HTTP/HTTPS ports (only if coturn is configured to listen there; the config below does not)
ANY | TURNSERVER | udp/3478, tcp/3478               | STUN/TURN tcp/udp
ANY | TURNSERVER | udp/5349, tcp/5349               | STUNs/TURNs tcp/udp (TLS and DTLS)
ANY | TURNSERVER | udp/10000                        | Jitsi-Videobridge P2P port (no STUN/TURN)
ANY | TURNSERVER | udp/49152-65535, tcp/49152-65535 | TURN(s) relay port window (coturn min-port/max-port)
STUN and TURN share the same port because TURN is an extension of STUN: RFC 5766 reuses the RFC 5389 message format and only adds methods such as Allocate, so coturn tells a STUN Binding request from a TURN Allocate by the method field in the message header, not by the port. The plain and the TLS listeners likewise accept either kind of traffic. ALPN (RFC 7443) only plays a role on the TLS listener, where it distinguishes the stun.turn and stun.nat-discovery protocols; it is not what multiplexes STUN and TURN on port 3478.
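The port sharing described above follows from the message format, which the following added Python example (not part of the original page and not code from coturn) makes concrete: it builds a STUN Binding request and a TURN Allocate request, decodes method and class from the 14-bit type field, and computes and verifies the FINGERPRINT attribute that the `fingerprint` option in turnserver.conf enables. All messages are constructed in memory; nothing is sent on the network.

```python
"""STUN/TURN message codec (RFC 5389 header, RFC 5766 methods).

Added example for this page, not code from coturn or from the original
article. A TURN Allocate is an ordinary STUN message with a different
method number in the same 20-byte header, which is why one listener
serves both. Messages are built in memory only.
"""
import os
import struct
import zlib

MAGIC_COOKIE = 0x2112A442
FINGERPRINT_XOR = 0x5354554E            # RFC 5389 section 15.5
ATTR_FINGERPRINT = 0x8028
ATTR_REQUESTED_TRANSPORT = 0x0019       # RFC 5766 section 14.7

# Method numbers: 0x001 is STUN itself, the others are TURN extensions.
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh",
           0x006: "Send", 0x007: "Data", 0x008: "CreatePermission",
           0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}


def encode_type(method, cls):
    """Interleave the 12-bit method and the 2-bit class into the type field."""
    return (((method & 0xF80) << 2) | ((method & 0x070) << 1) | (method & 0x00F)
            | ((cls & 0x2) << 7) | ((cls & 0x1) << 4))


def decode_type(msg_type):
    """Inverse of encode_type; returns (method, class)."""
    method = (((msg_type & 0x3E00) >> 2) | ((msg_type & 0x00E0) >> 1)
              | (msg_type & 0x000F))
    cls = ((msg_type & 0x0100) >> 7) | ((msg_type & 0x0010) >> 4)
    return method, cls


def attribute(attr_type, value):
    """One TLV attribute; the value is padded to a 4-byte boundary."""
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def build_message(method, cls, attrs=b"", transaction_id=b""):
    """Return a complete STUN message ending in a FINGERPRINT attribute."""
    tid = transaction_id or os.urandom(12)
    if len(tid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    # The length field already counts the 8-byte FINGERPRINT attribute,
    # although the CRC is taken over everything that precedes it.
    header = struct.pack("!HHI", encode_type(method, cls), len(attrs) + 8, MAGIC_COOKIE) + tid
    crc = zlib.crc32(header + attrs) ^ FINGERPRINT_XOR
    return header + attrs + attribute(ATTR_FINGERPRINT, struct.pack("!I", crc))


def parse_message(data):
    """Decode header and attributes; raise ValueError on anything malformed."""
    if len(data) < 20:
        raise ValueError("shorter than a STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type & 0xC000:
        raise ValueError("top two bits set: not STUN (could be a ChannelData frame)")
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    if length % 4 or 20 + length != len(data):
        raise ValueError("length field does not match the datagram")
    method, cls = decode_type(msg_type)
    attrs, fingerprint_ok, pos = {}, None, 20
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + a_len]
        if len(value) != a_len:
            raise ValueError("truncated attribute value")
        if a_type == ATTR_FINGERPRINT:
            # CRC-32 over everything before this attribute, XORed per RFC 5389
            fingerprint_ok = (struct.unpack("!I", value)[0]
                              == zlib.crc32(data[:pos]) ^ FINGERPRINT_XOR)
        attrs[a_type] = value
        pos += 4 + a_len + ((-a_len) % 4)
    return {"method": METHODS.get(method, "0x%03x" % method),
            "class": CLASSES[cls], "attributes": attrs,
            "fingerprint_ok": fingerprint_ok}


if __name__ == "__main__":
    binding = build_message(0x001, 0)
    # TURN Allocate request asking for a UDP relay (protocol number 17).
    allocate = build_message(0x003, 0, attribute(ATTR_REQUESTED_TRANSPORT, bytes([17, 0, 0, 0])))
    for msg in (binding, allocate):
        p = parse_message(msg)
        print(p["method"], p["class"], "fingerprint ok:", p["fingerprint_ok"])
```

Run it to see both requests decode identically up to the method; the type-field interleaving is why a packet filter cannot split STUN from TURN by port, and why the firewall table above lists them on one line.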
Prepare certificates
Install certbot and create a Let's Encrypt certificate; coturn uses it for both the TLS and the DTLS listener (cert and pkey below).
Install Turnserver
Install coturn
aptitude install coturn ssl-cert
Protect the secrets (static-auth-secret in /etc/turnserver.conf and the TLS private key) from other local users and make sure the turnserver process can read them, e.g. through group ownership rather than world-readable files.
coturn ships turnadmin as its administration tool; it generates the long-term-credential keys shown in the comments below.
Configure coturn in /etc/turnserver.conf. The file below is the packaged default; the only uncommented settings are use-auth-secret with static-auth-secret (replace the value with your own random secret; the same string goes into turn_shared_secret in homeserver.yaml, next to turn_uris and turn_user_lifetime), realm, cert and pkey pointing at the Let's Encrypt files, and syslog. Two options the default leaves commented out are worth enabling on an internet-facing relay: denied-peer-ip for the RFC 1918 ranges and the server's own addresses, so that an authenticated client cannot use the relay to reach hosts behind the server that are not reachable from the internet, and user-quota/total-quota to bound the number of allocations one credential can create.
/etc/turnserver.conf
1 # Coturn TURN SERVER configuration file
2 #
3 # Boolean values note: where boolean value is supposed to be used,
4 # you can use '0', 'off', 'no', 'false', 'f' as 'false,
5 # and you can use '1', 'on', 'yes', 'true', 't' as 'true'
6 # If the value is missed, then it means 'true'.
7 #
8
9 # Listener interface device (optional, Linux only).
10 # NOT RECOMMENDED.
11 #
12 #listening-device=eth0
13
14 # TURN listener port for UDP and TCP (Default: 3478).
15 # Note: actually, TLS & DTLS sessions can connect to the
16 # "plain" TCP & UDP port(s), too - if allowed by configuration.
17 #
18 #listening-port=3478
19
20 # TURN listener port for TLS (Default: 5349).
21 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
22 # port(s), too - if allowed by configuration. The TURN server
23 # "automatically" recognizes the type of traffic. Actually, two listening
24 # endpoints (the "plain" one and the "tls" one) are equivalent in terms of
25 # functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
26 # For secure TCP connections, we currently support SSL version 3 and
27 # TLS version 1.0, 1.1 and 1.2.
28 # For secure UDP connections, we support DTLS version 1.
29 #
30 #tls-listening-port=5349
31
32 # Alternative listening port for UDP and TCP listeners;
33 # default (or zero) value means "listening port plus one".
34 # This is needed for RFC 5780 support
35 # (STUN extension specs, NAT behavior discovery). The TURN Server
36 # supports RFC 5780 only if it is started with more than one
37 # listening IP address of the same family (IPv4 or IPv6).
38 # RFC 5780 is supported only by UDP protocol, other protocols
39 # are listening to that endpoint only for "symmetry".
40 #
41 #alt-listening-port=0
42
43 # Alternative listening port for TLS and DTLS protocols.
44 # Default (or zero) value means "TLS listening port plus one".
45 #
46 #alt-tls-listening-port=0
47
48 # Listener IP address of relay server. Multiple listeners can be specified.
49 # If no IP(s) specified in the config file or in the command line options,
50 # then all IPv4 and IPv6 system IPs will be used for listening.
51 #
52 #listening-ip=172.17.19.101
53 #listening-ip=10.207.21.238
54 #listening-ip=2607:f0d0:1002:51::4
55
56 # Auxiliary STUN/TURN server listening endpoint.
57 # Aux servers have almost full TURN and STUN functionality.
58 # The (minor) limitations are:
59 #
60 # 1) Auxiliary servers do not have alternative ports and
61 # they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
62 #
63 # 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
64 #
65 # Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
66 #
67 # There may be multiple aux-server options, each will be used for listening
68 # to client requests.
69 #
70 #aux-server=172.17.19.110:33478
71 #aux-server=[2607:f0d0:1002:51::4]:33478
72
73 # (recommended for older Linuxes only)
74 # Automatically balance UDP traffic over auxiliary servers (if configured).
75 # The load balancing is using the ALTERNATE-SERVER mechanism.
76 # The TURN client must support 300 ALTERNATE-SERVER response for this
77 # functionality.
78 #
79 #udp-self-balance
80
81 # Relay interface device for relay sockets (optional, Linux only).
82 # NOT RECOMMENDED.
83 #
84 #relay-device=eth1
85
86 # Relay address (the local IP address that will be used to relay the
87 # packets to the peer).
88 # Multiple relay addresses may be used.
89 # The same IP(s) can be used as both listening IP(s) and relay IP(s).
90 #
91 # If no relay IP(s) specified, then the turnserver will apply the default
92 # policy: it will decide itself which relay addresses to be used, and it
93 # will always be using the client socket IP address as the relay IP address
94 # of the TURN session (if the requested relay address family is the same
95 # as the family of the client socket).
96 #
97 #relay-ip=172.17.19.105
98 #relay-ip=2607:f0d0:1002:51::5
99
100 # For Amazon EC2 users:
101 #
102 # TURN Server public/private address mapping, if the server is behind NAT.
103 # In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
104 # as relay IP address of all allocations. This scenario works only in a simple case
105 # when one single relay address is be used, and no RFC5780 functionality is required.
106 # That single relay address must be mapped by NAT to the 'external' IP.
107 # The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
108 # For that 'external' IP, NAT must forward ports directly (relayed port 12345
109 # must be always mapped to the same 'external' port 12345).
110 #
111 # In more complex case when more than one IP address is involved,
112 # that option must be used several times, each entry must
113 # have form "-X <public-ip/private-ip>", to map all involved addresses.
114 # RFC5780 NAT discovery STUN functionality will work correctly,
115 # if the addresses are mapped properly, even when the TURN server itself
116 # is behind A NAT.
117 #
118 # By default, this value is empty, and no address mapping is used.
119 #
120 #external-ip=60.70.80.91
121 #
122 #OR:
123 #
124 #external-ip=60.70.80.91/172.17.19.101
125 #external-ip=60.70.80.92/172.17.19.102
126
127
128 # Number of the relay threads to handle the established connections
129 # (in addition to authentication thread and the listener thread).
130 # If explicitly set to 0 then application runs relay process in a
131 # single thread, in the same thread with the listener process
132 # (the authentication thread will still be a separate thread).
133 #
134 # If this parameter is not set, then the default OS-dependent
135 # thread pattern algorithm will be employed. Usually the default
136 # algorithm is the most optimal, so you have to change this option
137 # only if you want to make some fine tweaks.
138 #
139 # In the older systems (Linux kernel before 3.9),
140 # the number of UDP threads is always one thread per network listening
141 # endpoint - including the auxiliary endpoints - unless 0 (zero) or
142 # 1 (one) value is set.
143 #
144 #relay-threads=0
145
146 # Lower and upper bounds of the UDP relay endpoints:
147 # (default values are 49152 and 65535)
148 #
149 #min-port=49152
150 #max-port=65535
151
152 # Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
153 # By default the verbose mode is off.
154 #verbose
155
156 # Uncomment to run TURN server in 'extra' verbose mode.
157 # This mode is very annoying and produces lots of output.
158 # Not recommended under any normal circumstances.
159 #
160 #Verbose
161
162 # Uncomment to use fingerprints in the TURN messages.
163 # By default the fingerprints are off.
164 #
165 #fingerprint
166
167 # Uncomment to use long-term credential mechanism.
168 # By default no credentials mechanism is used (any user allowed).
169 #
170 #lt-cred-mech
171
172 # This option is opposite to lt-cred-mech.
173 # (TURN Server with no-auth option allows anonymous access).
174 # If neither option is defined, and no users are defined,
175 # then no-auth is default. If at least one user is defined,
176 # in this file or in command line or in usersdb file, then
177 # lt-cred-mech is default.
178 #
179 #no-auth
180
181 # TURN REST API flag.
182 # (Time Limited Long Term Credential)
183 # Flag that sets a special authorization option that is based upon authentication secret.
184 #
185 # This feature's purpose is to support "TURN Server REST API", see
186 # "TURN REST API" link in the project's page
187 # https://github.com/coturn/coturn/
188 #
189 # This option is used with timestamp:
190 #
191 # usercombo -> "timestamp:userid"
192 # turn user -> usercombo
193 # turn password -> base64(hmac(secret key, usercombo))
194 #
195 # This allows TURN credentials to be accounted for a specific user id.
196 # If you don't have a suitable id, the timestamp alone can be used.
197 # This option is just turning on secret-based authentication.
198 # The actual value of the secret is defined either by option static-auth-secret,
199 # or can be found in the turn_secret table in the database (see below).
200 #
201 # Read more about it:
202 # - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
203 # - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
204 #
205 # Be aware that use-auth-secret overrides some part of lt-cred-mech.
206 # Notice that this feature depends internally on lt-cred-mech, so if you set
207 # use-auth-secret then it enables internally automatically lt-cred-mech option
208 # like if you enable both.
209 #
210 # You can use only one of the two auth mechanisms at the same time, because
211 # both mechanisms use the username and password validation in different ways.
212 #
213 # So be aware that you can't use both auth mechanisms at the same time!
214 # Use in config either the lt-cred-mech or the use-auth-secret
215 # to avoid any confusion.
216 #
217 use-auth-secret
218
219 # 'Static' authentication secret value (a string) for TURN REST API only.
220 # If not set, then the turn server
221 # will try to use the 'dynamic' value in turn_secret table
222 # in user database (if present). The database-stored value can be changed on-the-fly
223 # by a separate program, so this is why that other mode is 'dynamic'.
224 #
225 static-auth-secret=EiCh8Ohhah3sheang1miel2ooliaNohM
226
227 # Server name used for
228 # the oAuth authentication purposes.
229 # The default value is the realm name.
230 #
231 #server-name=blackdow.carleon.gov
232
233 # Flag that allows oAuth authentication.
234 #
235 #oauth
236
237 # 'Static' user accounts for long term credentials mechanism, only.
238 # This option cannot be used with TURN REST API.
239 # 'Static' user accounts are NOT dynamically checked by the turnserver process,
240 # so that they can NOT be changed while the turnserver is running.
241 #
242 #user=username1:key1
243 #user=username2:key2
244 # OR:
245 #user=username1:password1
246 #user=username2:password2
247 #
248 # Keys must be generated by turnadmin utility. The key value depends
249 # on user name, realm, and password:
250 #
251 # Example:
252 # $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
253 # Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
254 # ('0x' in the beginning of the key is what differentiates the key from
255 # password. If it has 0x then it is a key, otherwise it is a password).
256 #
257 # The corresponding user account entry in the config file will be:
258 #
259 #user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
260 # Or, equivalently, with open clear password (less secure):
261 #user=ninefingers:youhavetoberealistic
262 #
263
264 # SQLite database file name.
265 #
266 # Default file name is /var/db/turndb or /usr/local/var/db/turndb or
267 # /var/lib/turn/turndb.
268 #
269 #userdb=/var/db/turndb
270
271 # PostgreSQL database connection string in the case that we are using PostgreSQL
272 # as the user database.
273 # This database can be used for long-term credential mechanism
274 # and it can store the secret value for secret-based timed authentication in TURN RESP API.
275 # See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
276 # versions connection string format, see
277 # http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
278 # for 9.x and newer connection string formats.
279 #
280 #psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
281
282 # MySQL database connection string in the case that we are using MySQL
283 # as the user database.
284 # This database can be used for long-term credential mechanism
285 # and it can store the secret value for secret-based timed authentication in TURN RESP API.
286 #
287 # Optional connection string parameters for the secure communications (SSL):
288 # ca, capath, cert, key, cipher
289 # (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
290 # command options description).
291 #
292 # Use string format as below (space separated parameters, all optional):
293 #
294 #mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
295
296 # If you want to use in the MySQL connection string the password in encrypted format,
297 # then set in this option the MySQL password encryption secret key file.
298 #
299 # Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
300 # If you want to use cleartext password then do not set this option!
301 #
302 # This is the file path which contain secret key of aes encryption while using password encryption.
303 #
304 #secret-key-file=/path/
305
306 # MongoDB database connection string in the case that we are using MongoDB
307 # as the user database.
308 # This database can be used for long-term credential mechanism
309 # and it can store the secret value for secret-based timed authentication in TURN RESP API.
310 # Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
311 #
312 #mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
313
314 # Redis database connection string in the case that we are using Redis
315 # as the user database.
316 # This database can be used for long-term credential mechanism
317 # and it can store the secret value for secret-based timed authentication in TURN RESP API.
318 # Use string format as below (space separated parameters, all optional):
319 #
320 #redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
321
322 # Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
323 # This database keeps allocations status information, and it can be also used for publishing
324 # and delivering traffic and allocation event notifications.
325 # The connection string has the same parameters as redis-userdb connection string.
326 # Use string format as below (space separated parameters, all optional):
327 #
328 #redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
329
330 # The default realm to be used for the users when no explicit
331 # origin/realm relationship was found in the database, or if the TURN
332 # server is not using any database (just the commands-line settings
333 # and the userdb file). Must be used with long-term credentials
334 # mechanism or with TURN REST API.
335 #
336 # Note: If default realm is not specified at all, then realm falls back to the host domain name.
337 # If domain name is empty string, or '(None)', then it is initialized to am empty string.
338 #
339 realm=rockstable.it
340
341 # The flag that sets the origin consistency
342 # check: across the session, all requests must have the same
343 # main ORIGIN attribute value (if the ORIGIN was
344 # initially used by the session).
345 #
346 #check-origin-consistency
347
348 # Per-user allocation quota.
349 # default value is 0 (no quota, unlimited number of sessions per user).
350 # This option can also be set through the database, for a particular realm.
351 #
352 #user-quota=0
353
354 # Total allocation quota.
355 # default value is 0 (no quota).
356 # This option can also be set through the database, for a particular realm.
357 #
358 #total-quota=0
359
360 # Max bytes-per-second bandwidth a TURN session is allowed to handle
361 # (input and output network streams are treated separately). Anything above
362 # that limit will be dropped or temporary suppressed (within
363 # the available buffer limits).
364 # This option can also be set through the database, for a particular realm.
365 #
366 #max-bps=0
367
368 #
369 # Maximum server capacity.
370 # Total bytes-per-second bandwidth the TURN server is allowed to allocate
371 # for the sessions, combined (input and output network streams are treated separately).
372 #
373 # bps-capacity=0
374
375 # Uncomment if no UDP client listener is desired.
376 # By default UDP client listener is always started.
377 #
378 #no-udp
379
380 # Uncomment if no TCP client listener is desired.
381 # By default TCP client listener is always started.
382 #
383 #no-tcp
384
385 # Uncomment if no TLS client listener is desired.
386 # By default TLS client listener is always started.
387 #
388 #no-tls
389
390 # Uncomment if no DTLS client listener is desired.
391 # By default DTLS client listener is always started.
392 #
393 #no-dtls
394
395 # Uncomment if no UDP relay endpoints are allowed.
396 # By default UDP relay endpoints are enabled (like in RFC 5766).
397 #
398 #no-udp-relay
399
400 # Uncomment if no TCP relay endpoints are allowed.
401 # By default TCP relay endpoints are enabled (like in RFC 6062).
402 #
403 #no-tcp-relay
404
405 # Uncomment if extra security is desired,
406 # with nonce value having limited lifetime.
407 # By default, the nonce value is unique for a session,
408 # and has unlimited lifetime.
409 # Set this option to limit the nonce lifetime.
410 # It defaults to 600 secs (10 min) if no value is provided. After that delay,
411 # the client will get 438 error and will have to re-authenticate itself.
412 #
413 #stale-nonce=600
414
415 # Uncomment if you want to set the maximum allocation
416 # time before it has to be refreshed.
417 # Default is 3600s.
418 #
419 #max-allocate-lifetime=3600
420
421
422 # Uncomment to set the lifetime for the channel.
423 # Default value is 600 secs (10 minutes).
424 # This value MUST not be changed for production purposes.
425 #
426 #channel-lifetime=600
427
428 # Uncomment to set the permission lifetime.
429 # Default to 300 secs (5 minutes).
430 # In production this value MUST not be changed,
431 # however it can be useful for test purposes.
432 #
433 #permission-lifetime=300
434
435 # Certificate file.
436 # Use an absolute path or path relative to the
437 # configuration file.
438 #
439 cert=/etc/letsencrypt/live/coturn.rockstable.it/fullchain.pem
440
441 # Private key file.
442 # Use an absolute path or path relative to the
443 # configuration file.
444 # Use PEM file format.
445 #
446 pkey=/etc/letsencrypt/live/coturn.rockstable.it/privkey.pem
447
448 # Private key file password, if it is in encoded format.
449 # This option has no default value.
450 #
451 #pkey-pwd=...
452
453 # Allowed OpenSSL cipher list for TLS/DTLS connections.
454 # Default value is "DEFAULT".
455 #
456 #cipher-list="DEFAULT"
457
458 # CA file in OpenSSL format.
459 # Forces TURN server to verify the client SSL certificates.
460 # By default it is not set: there is no default value and the client
461 # certificate is not checked.
462 #
463 # Example:
464 #CA-file=/etc/ssh/id_rsa.cert
465
466 # Curve name for EC ciphers, if supported by OpenSSL
467 # library (TLS and DTLS). The default value is prime256v1,
468 # if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
469 # an optimal curve will be automatically calculated, if not defined
470 # by this option.
471 #
472 #ec-curve-name=prime256v1
473
474 # Use 566 bits predefined DH TLS key. Default size of the key is 1066.
475 #
476 #dh566
477
478 # Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
479 #
480 #dh2066
481
482 # Use custom DH TLS key, stored in PEM format in the file.
483 # Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
484 #
485 #dh-file=<DH-PEM-file-name>
486
487 # Flag to prevent stdout log messages.
488 # By default, all log messages are going to both stdout and to
489 # the configured log file. With this option everything will be
490 # going to the configured log only (unless the log file itself is stdout).
491 #
492 #no-stdout-log
493
494 # Option to set the log file name.
495 # By default, the turnserver tries to open a log file in
496 # /var/log, /var/tmp, /tmp and current directories directories
497 # (which open operation succeeds first that file will be used).
498 # With this option you can set the definite log file name.
499 # The special names are "stdout" and "-" - they will force everything
500 # to the stdout. Also, the "syslog" name will force everything to
501 # the system log (syslog).
502 # In the runtime, the logfile can be reset with the SIGHUP signal
503 # to the turnserver process.
504 #
505 #log-file=/var/tmp/turn.log
506
507 # Option to redirect all log output into system log (syslog).
508 #
509 syslog
510
511 # This flag means that no log file rollover will be used, and the log file
512 # name will be constructed as-is, without PID and date appendage.
513 # This option can be used, for example, together with the logrotate tool.
514 #
515 #simple-log
516
517 # Option to set the "redirection" mode. The value of this option
518 # will be the address of the alternate server for UDP & TCP service in form of
519 # <ip>[:<port>]. The server will send this value in the attribute
520 # ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
521 # Client will receive only values with the same address family
522 # as the client network endpoint address family.
523 # See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
524 # The client must use the obtained value for subsequent TURN communications.
525 # If more than one --alternate-server options are provided, then the functionality
526 # can be more accurately described as "load-balancing" than a mere "redirection".
527 # If the port number is omitted, then the default port
528 # number 3478 for the UDP/TCP protocols will be used.
529 # Colon (:) characters in IPv6 addresses may conflict with the syntax of
530 # the option. To alleviate this conflict, literal IPv6 addresses are enclosed
531 # in square brackets in such resource identifiers, for example:
532 # [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
533 # Multiple alternate servers can be set. They will be used in the
534 # round-robin manner. All servers in the pool are considered of equal weight and
535 # the load will be distributed equally. For example, if we have 4 alternate servers,
536 # then each server will receive 25% of ALLOCATE requests. A alternate TURN server
537 # address can be used more than one time with the alternate-server option, so this
538 # can emulate "weighting" of the servers.
539 #
540 # Examples:
541 #alternate-server=1.2.3.4:5678
542 #alternate-server=11.22.33.44:56789
543 #alternate-server=5.6.7.8
544 #alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
545
546 # Option to set alternative server for TLS & DTLS services in form of
547 # <ip>:<port>. If the port number is omitted, then the default port
548 # number 5349 for the TLS/DTLS protocols will be used. See the previous
549 # option for the functionality description.
550 #
551 # Examples:
552 #tls-alternate-server=1.2.3.4:5678
553 #tls-alternate-server=11.22.33.44:56789
554 #tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
555
556 # Option to suppress TURN functionality, only STUN requests will be processed.
557 # Run as STUN server only, all TURN requests will be ignored.
558 # By default, this option is NOT set.
559 #
560 #stun-only
561
562 # Option to suppress STUN functionality, only TURN requests will be processed.
563 # Run as TURN server only, all STUN requests will be ignored.
564 # By default, this option is NOT set.
565 #
566 #no-stun
567
568 # This is the timestamp/username separator symbol (character) in TURN REST API.
569 # The default value is ':'.
# rest-api-separator=:

# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure.
#
# (To avoid any security issue that allowing loopback access may raise,
# the no-loopback-peers option is replaced by allow-loopback-peers.)
#
# Allow it only for testing in a development environment!
# In production it adds a possible security vulnerability, so for security reasons
# it is not allowed to use it together with an empty cli-password.
#
#allow-loopback-peers

# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
# This is an extra security measure.
#
#no-multicast-peers

# Option to set the max time, in seconds, allowed for full allocation establishment.
# Default is 60 seconds.
#
#max-allocate-timeout=60

# Option to allow or ban specific ip addresses or ranges of ip addresses.
# If an ip address is specified as both allowed and denied, then the ip address is
# considered to be allowed. This is useful when you wish to ban a range of ip
# addresses, except for a few specific ips within that range.
#
# This can be used when you do not want users of the turn server to be able to access
# machines reachable by the turn server, but would otherwise be unreachable from the
# internet (e.g. when the turn server is sitting behind a NAT)
#
# Examples:
# denied-peer-ip=83.166.64.0-83.166.95.255
# allowed-peer-ip=83.166.68.45

# File name to store the pid of the process.
# Default is /var/run/turnserver.pid (if superuser account is used) or
# /var/tmp/turnserver.pid .
#
#pidfile="/var/run/turnserver.pid"

# Require authentication of the STUN Binding request.
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
#
#secure-stun

# Mobility with ICE (MICE) specs support.
#
#mobility

# Allocate address family according to the client.
# If enabled then the TURN server allocates the address family according to the TURN
# Client <=> Server communication address family.
# (By default coTURN works according to RFC 6156.)
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
#
#keep-address-family


# User name to run the process. After the initialization, the turnserver process
# will make an attempt to change the current user ID to that user.
#
#proc-user=<user-name>

# Group name to run the process. After the initialization, the turnserver process
# will make an attempt to change the current group ID to that group.
#
#proc-group=<group-name>

# Turn OFF the CLI support.
# By default it is always ON.
# See also options cli-ip and cli-port.
#
#no-cli

# Local system IP address to be used for CLI server endpoint. Default value
# is 127.0.0.1.
#
#cli-ip=127.0.0.1

# CLI server port. Default is 5766.
#
#cli-port=5766

# CLI access password. Default is empty (no password).
# For security reasons, it is recommended to use the encrypted
# form of the password (see the -P command in the turnadmin utility).
#
# Secure form for password 'qwerty':
#
#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
#
# Or unsecure form for the same password:
#
#cli-password=qwerty

# Enable Web-admin support on https. By default it is Disabled.
# If it is enabled it also enables, on plain http, a simple static banner page
# with a small reminder that the admin page is available only on https.
#
#web-admin

# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
#
#web-admin-ip=127.0.0.1

# Web-admin server port. Default is 8080.
#
#web-admin-port=8080

# Web-admin server listens on STUN/TURN worker threads.
# By default it is disabled for security reasons! (Not recommended in any production environment!)
#
#web-admin-listen-on-workers

# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when we want to run
# server applications on the relay endpoints.
# This option eliminates the IP permissions check on
# the packets incoming to the relay endpoints.
#
#server-relay

# Maximum number of output sessions in ps CLI command.
# This value can be changed on-the-fly in CLI. The default value is 256.
#
#cli-max-output-sessions

# Set network engine type for the process (for internal purposes).
#
#ne=[1|2|3]

# Do not allow a TLS/DTLS version of the protocol
#
no-tlsv1
no-tlsv1_1
#no-tlsv1_2

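The denied-peer-ip / allowed-peer-ip precedence described in the config above (a match on an allowed entry wins even when the address also falls in a denied range), evaluated in Python. This is an added example and not coturn's own code: the DENIED and ALLOWED lists are constructed from the two example lines in turnserver.conf plus two RFC 1918 ranges, and the audit helper treats an internal network as blocked only when one single denied range spans all of it (coturn itself only matches individual peer addresses).

```python
import ipaddress

# Constructed policy: the two example lines from turnserver.conf plus two
# private ranges one would typically deny so relayed traffic cannot reach
# hosts behind the TURN server's NAT.
DENIED = [
    "83.166.64.0-83.166.95.255",
    "10.0.0.0-10.255.255.255",
    "192.168.0.0-192.168.255.255",
]
ALLOWED = ["83.166.68.45"]

# Networks a relay should normally never be able to send to.
INTERNAL_NETS = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
]


def parse_entry(entry):
    """Parse 'a.b.c.d' or 'a.b.c.d-e.f.g.h' (coturn's peer-ip syntax) into (lo, hi)."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
    else:
        lo = hi = ipaddress.ip_address(entry.strip())
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad peer-ip range: {entry}")
    return lo, hi


def in_ranges(ip, entries):
    """True if ip falls inside any entry of the list (same address family only)."""
    ip = ipaddress.ip_address(ip)
    for entry in entries:
        lo, hi = parse_entry(entry)
        if lo.version == ip.version and lo <= ip <= hi:
            return True
    return False


def peer_allowed(ip, denied=DENIED, allowed=ALLOWED):
    """coturn rule: an allowed match overrides a denied match; otherwise deny wins."""
    if in_ranges(ip, allowed):
        return True
    return not in_ranges(ip, denied)


def uncovered_internal_nets(denied=DENIED):
    """Internal networks that no single denied-peer-ip range covers completely.

    Assumption of this audit: coverage counts only when one range spans the
    whole network, so a network split over several ranges is reported too.
    """
    ranges = [parse_entry(e) for e in denied]
    missing = []
    for n in INTERNAL_NETS:
        net = ipaddress.ip_network(n)
        first, last = net[0], net[-1]
        if not any(lo.version == net.version and lo <= first and last <= hi
                   for lo, hi in ranges):
            missing.append(n)
    return missing


if __name__ == "__main__":
    for peer in ("83.166.68.45", "83.166.70.1", "83.166.96.1", "10.1.2.3"):
        print(peer, "allowed" if peer_allowed(peer) else "denied")
    print("not fully denied:", uncovered_internal_nets())
```

Running the audit against the constructed policy reports 172.16.0.0/12, loopback, link-local and all IPv6 internal ranges as still reachable through the relay, which is exactly the kind of gap the comment in turnserver.conf warns about.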
Firewalling
Open
- udp-tcp/3478 STUN/TURN
- udp-tcp/5349 STUNS/TURNS
- udp/10000 STUNS/TURNS Jitsi
IETF RFC 5766, Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN) (https://datatracker.ietf.org/doc/html/rfc5766), suggests for the relay ports
- udp-tcp/49192-65535 (coturn default)
DNS Records
Coturn (unlike ejabberd) is also capable of DTLS, so udp/5349 can be advertised.
;_service._proto.name TTL class SRV priority weight port target

$ORIGIN _tcp.rockstable.it.
;SIMPLE TRAVERSAL UDP NAT OVER TCP
_stun SRV 5 0 3478 coturn.rockstable.it.
_stuns SRV 5 0 5349 coturn.rockstable.it.
; TRAVERSAL UDP RELAY NAT OVER TCP
_turn SRV 5 0 3478 coturn.rockstable.it.
_turns SRV 5 0 5349 coturn.rockstable.it.

$ORIGIN _udp.rockstable.it.
;SIMPLE TRAVERSAL UDP NAT OVER UDP
_stun SRV 5 0 3478 coturn.rockstable.it.
_stuns SRV 5 0 5349 coturn.rockstable.it.
; TRAVERSAL UDP RELAY NAT OVER UDP
_turn SRV 5 0 3478 coturn.rockstable.it.
_turns SRV 5 0 5349 coturn.rockstable.it.

$ORIGIN rockstable.it.
; CANONICAL HOSTNAME
coturn CNAME coturn1
; REAL HOSTNAME
coturn1 A 178.63.149.236
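A small consistency check for the two sections above, added here as an example (not the page author's code): it parses the SRV/CNAME/A fragment, expands the port list from the Firewalling section, and reports every SRV record whose protocol/port the firewall does not open or whose target does not resolve to an A record inside the fragment. ZONE and FIREWALL_OPEN are constructed copies of the values shown on this page; the parser assumes every record line carries its owner name.

```python
# Constructed copy of the zone fragment above (TTL and class omitted, as on the page).
ZONE = """\
;_service._proto.name TTL class SRV priority weight port target

$ORIGIN _tcp.rockstable.it.
;SIMPLE TRAVERSAL UDP NAT OVER TCP
_stun SRV 5 0 3478 coturn.rockstable.it.
_stuns SRV 5 0 5349 coturn.rockstable.it.
; TRAVERSAL UDP RELAY NAT OVER TCP
_turn SRV 5 0 3478 coturn.rockstable.it.
_turns SRV 5 0 5349 coturn.rockstable.it.

$ORIGIN _udp.rockstable.it.
;SIMPLE TRAVERSAL UDP NAT OVER UDP
_stun SRV 5 0 3478 coturn.rockstable.it.
_stuns SRV 5 0 5349 coturn.rockstable.it.
; TRAVERSAL UDP RELAY NAT OVER UDP
_turn SRV 5 0 3478 coturn.rockstable.it.
_turns SRV 5 0 5349 coturn.rockstable.it.

$ORIGIN rockstable.it.
; CANONICAL HOSTNAME
coturn CNAME coturn1
; REAL HOSTNAME
coturn1 A 178.63.149.236
"""

# Constructed copy of the "Open" list from the Firewalling section.
FIREWALL_OPEN = ["udp-tcp/3478", "udp-tcp/5349", "udp/10000"]


def parse_zone(text):
    """Minimal zone-file reader: honours $ORIGIN and ';' comments, skips TTL/class tokens."""
    origin = ""
    srv, cname, a = [], {}, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "$ORIGIN":
            origin = tok[1]
            continue
        # Owner name is relative unless it ends with a dot.
        name = tok[0] if tok[0].endswith(".") else f"{tok[0]}.{origin}"
        rest = tok[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)  # optional TTL / class
        rtype, rdata = rest[0], rest[1:]
        if rtype == "SRV":
            prio, weight, port = (int(x) for x in rdata[:3])
            srv.append({"name": name, "priority": prio, "weight": weight,
                        "port": port, "target": rdata[3]})
        elif rtype == "CNAME":
            cname[name] = rdata[0] if rdata[0].endswith(".") else f"{rdata[0]}.{origin}"
        elif rtype == "A":
            a[name] = rdata[0]
    return srv, cname, a


def open_ports(firewall):
    """Expand 'udp-tcp/3478' style entries into a set of (proto, port)."""
    opened = set()
    for entry in firewall:
        protos, port = entry.split("/")
        for proto in protos.split("-"):
            opened.add((proto, int(port)))
    return opened


def resolve(name, cname, a, hops=8):
    """Follow CNAMEs (bounded) to an A record within the fragment; None if absent."""
    while name in cname and hops:
        name, hops = cname[name], hops - 1
    return a.get(name)


def audit(zone_text=ZONE, firewall=FIREWALL_OPEN):
    """Return a list of human-readable problems; empty means DNS and firewall agree."""
    srv, cname, a = parse_zone(zone_text)
    opened = open_ports(firewall)
    problems = []
    for r in srv:
        proto = r["name"].split(".")[1].lstrip("_")  # _stun._tcp.example. -> tcp
        if (proto, r["port"]) not in opened:
            problems.append(f"{r['name']} advertises {proto}/{r['port']}, "
                            "which the firewall does not open")
        if resolve(r["target"], cname, a) is None:
            problems.append(f"{r['name']} target {r['target']} has no A record in the zone")
    return problems


if __name__ == "__main__":
    print(audit() or "DNS SRV records and firewall rules are consistent")
```

Dropping udp-tcp/5349 from the firewall list makes the check flag all four _stuns/_turns records, which is the situation where clients are told about TURNS but can never reach it.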
Matrix turn_uris
TURN URIs are defined in RFC 7065, Traversal Using Relays around NAT (TURN) Uniform Resource Identifiers.
My turn section in
/etc/matrix-synapse/homeserver.yaml
…

## TURN ##

# The public URIs of the TURN server to give to clients
turn_uris: [
    "turn:coturn.rockstable.it:3478?transport=udp",
    "turn:coturn.rockstable.it:3478?transport=tcp",
    "turns:coturn.rockstable.it:5349?transport=udp",
    "turns:coturn.rockstable.it:5349?transport=tcp"
]

# The shared secret used to compute passwords for the TURN server
turn_shared_secret: "YOUR_SHARED_SECRET"

# The Username and password if the TURN server needs them and
# does not use a token
#turn_username: "TURNSERVER_USERNAME"
#turn_password: "TURNSERVER_PASSWORD"

# How long generated TURN credentials last
turn_user_lifetime: "1h"

# Whether guests should be allowed to use the TURN server.
# This defaults to True, otherwise VoIP will be unreliable for guests.
# However, it does introduce a slight security risk as it allows users to
# connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA).
turn_allow_guests: False

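How turn_shared_secret and turn_user_lifetime become per-user TURN credentials, as an added Python example (neither Synapse's nor coturn's code): the TURN REST API scheme that coturn checks in use-auth-secret mode, where the username is "<expiry unix time>:<user>" and the password is base64(HMAC-SHA1(secret, username)). The secret is the placeholder from the config above, the Matrix user id is constructed, and the ":" separator assumes the rest-api-separator=: default shown in turnserver.conf. The verifier function models the two checks the TURN server performs: the HMAC must match, and the embedded expiry must still lie in the future.

```python
import base64
import hashlib
import hmac
import time

# Placeholder from homeserver.yaml; must equal coturn's static-auth-secret.
SHARED_SECRET = b"YOUR_SHARED_SECRET"
LIFETIME = 3600  # turn_user_lifetime: "1h"
SEPARATOR = ":"  # coturn default (rest-api-separator=:)


def turn_credentials(user_id, shared_secret=SHARED_SECRET, lifetime=LIFETIME, now=None):
    """Derive time-limited TURN credentials (TURN REST API scheme).

    username = "<expiry><sep><user_id>", password = base64(HMAC-SHA1(secret, username)).
    Anyone holding the username/password can only use the relay until <expiry>,
    and without the shared secret nobody can mint a password for a later expiry.
    """
    now = int(time.time()) if now is None else int(now)
    username = f"{now + lifetime}{SEPARATOR}{user_id}"
    digest = hmac.new(shared_secret, username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credentials(username, password, shared_secret=SHARED_SECRET, now=None):
    """Model of the server side: constant-time HMAC check, then expiry check."""
    now = int(time.time()) if now is None else int(now)
    expected = base64.b64encode(
        hmac.new(shared_secret, username.encode(), hashlib.sha1).digest()).decode()
    if not hmac.compare_digest(expected, password):
        return False, "bad password (HMAC mismatch)"
    # The expiry is everything before the first separator; Matrix user ids
    # themselves contain ':' so only the first split matters.
    expiry = username.split(SEPARATOR, 1)[0]
    if not expiry.isdigit():
        return False, "username does not start with an expiry timestamp"
    if int(expiry) <= now:
        return False, "credential expired"
    return True, "ok"


if __name__ == "__main__":
    user, pw = turn_credentials("@alice:matrix.rockstable.it")
    print(user, pw)
    print(verify_turn_credentials(user, pw))
    print(verify_turn_credentials(user, pw, now=time.time() + LIFETIME))
```

Because the password is a MAC over the username, changing the expiry in the username to extend a credential invalidates the password, which is why the secret must only live on the homeserver and the TURN server, not in clients or logs.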