comiclion1

CoTURN POD Logs

Mar 14th, 2024
lorishane@Lionels-MacBook-Pro AntMedia % kubectl logs coturn-cf878
turnserver: unrecognized option '--user {username}:{password}'
turnserver: unrecognized option '--user {username}:{password}'

Usage: turnserver [options]
Options:
 -d, --listening-device <device-name>       Listener interface device (NOT RECOMMENDED. Optional, Linux only).
 -p, --listening-port       <port>      TURN listener port (Default: 3478).
                        Note: actually, TLS & DTLS sessions can connect to the "plain" TCP & UDP port(s), too,
                        if allowed by configuration.
 --tls-listening-port       <port>      TURN listener port for TLS & DTLS listeners
                        (Default: 5349).
                        Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS port(s), too,
                        if allowed by configuration. The TURN server
                        "automatically" recognizes the type of traffic. Actually, two listening
                        endpoints (the "plain" one and the "tls" one) are equivalent in terms of
                        functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
                        For secure TCP connections, we currently support SSL version 3 and
                        TLS versions 1.0, 1.1 and 1.2. For secure UDP connections, we support
                        DTLS version 1.
 --alt-listening-port<port> <port>      Alternative listening port for STUN CHANGE_REQUEST (in RFC 5780 sense,
                                                or in old RFC 3489 sense, default is "listening port plus one").
 --alt-tls-listening-port   <port>      Alternative listening port for TLS and DTLS,
                        the default is "TLS/DTLS port plus one".
 --tcp-proxy-port       <port>      Support connections from TCP loadbalancer on this port. The loadbalancer should
                        use the binary proxy protocol (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
 -L, --listening-ip     <ip>        Listener IP address of relay server. Multiple listeners can be specified.
 --aux-server           <ip:port>   Auxiliary STUN/TURN server listening endpoint.
                        Auxiliary servers do not have alternative ports and
                        they do not support RFC 5780 functionality (CHANGE REQUEST).
                        Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
 --udp-self-balance             (recommended for older Linuxes only) Automatically balance UDP traffic
                        over auxiliary servers (if configured).
                        The load balancing is using the ALTERNATE-SERVER mechanism.
                        The TURN client must support 300 ALTERNATE-SERVER response for this functionality.
 -i, --relay-device     <device-name>   Relay interface device for relay sockets (NOT RECOMMENDED. Optional, Linux only).
 -E, --relay-ip     <ip>            Relay address (the local IP address that will be used to relay the
                        packets to the peer).
                        Multiple relay addresses may be used.
                        The same IP(s) can be used as both listening IP(s) and relay IP(s).
                        If no relay IP(s) specified, then the turnserver will apply the default
                        policy: it will decide itself which relay addresses to be used, and it
                        will always be using the client socket IP address as the relay IP address
                        of the TURN session (if the requested relay address family is the same
                        as the family of the client socket).
 -X, --external-ip  <public-ip[/private-ip]>    TURN Server public/private address mapping, if the server is behind NAT.
                        In that situation, if a -X is used in form "-X ip" then that ip will be reported
                        as relay IP address of all allocations. This scenario works only in a simple case
                        when one single relay address is be used, and no STUN CHANGE_REQUEST
                        functionality is required.
                        That single relay address must be mapped by NAT to the 'external' IP.
                        For that 'external' IP, NAT must forward ports directly (relayed port 12345
                        must be always mapped to the same 'external' port 12345).
                        In more complex case when more than one IP address is involved,
                        that option must be used several times in the command line, each entry must
                        have form "-X public-ip/private-ip", to map all involved addresses.
 --allow-loopback-peers             Allow peers on the loopback addresses (127.x.x.x and ::1).
 --no-multicast-peers               Disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
 -m, --relay-threads        <number>    Number of relay threads to handle the established connections
                        (in addition to authentication thread and the listener thread).
                        If explicitly set to 0 then application runs in single-threaded mode.
                        If not set then a default OS-dependent optimal algorithm will be employed.
                        The default thread number is the number of CPUs.
                        In older systems (pre-Linux 3.9) the number of UDP relay threads always equals
                        the number of listening endpoints (unless -m 0 is set).
 --min-port         <port>      Lower bound of the UDP port range for relay endpoints allocation.
                        Default value is 49152, according to RFC 5766.
 --max-port         <port>      Upper bound of the UDP port range for relay endpoints allocation.
                        Default value is 65535, according to RFC 5766.
 -v, --verbose                  'Moderate' verbose mode.
 -V, --Verbose                  Extra verbose mode, very annoying (for debug purposes only).
 -o, --daemon                   Start process as daemon (detach from current shell).
 --no-software-attribute            Production mode: hide the software version (formerly --prod).
 -f, --fingerprint              Use fingerprints in the TURN messages.
 -a, --lt-cred-mech             Use the long-term credential mechanism.
 -z, --no-auth                  Do not use any credential mechanism, allow anonymous access.
 -u, --user         <user:pwd>  User account, in form 'username:password', for long-term credentials.
                        Cannot be used with TURN REST API.
 -r, --realm            <realm>     The default realm to be used for the users when no explicit
                        origin/realm relationship was found in the database.
                        Must be used with long-term credentials
                        mechanism or with TURN REST API.
 --check-origin-consistency         The flag that sets the origin consistency check:
                        across the session, all requests must have the same
                        main ORIGIN attribute value (if the ORIGIN was
                        initially used by the session).
 -q, --user-quota       <number>    Per-user allocation quota: how many concurrent allocations a user can create.
                        This option can also be set through the database, for a particular realm.
 -Q, --total-quota      <number>    Total allocations quota: global limit on concurrent allocations.
                        This option can also be set through the database, for a particular realm.
 -s, --max-bps          <number>    Default max bytes-per-second bandwidth a TURN session is allowed to handle
                        (input and output network streams are treated separately). Anything above
                        that limit will be dropped or temporary suppressed
                        (within the available buffer limits).
                        This option can also be set through the database, for a particular realm.
 -B, --bps-capacity     <number>    Maximum server capacity.
                        Total bytes-per-second bandwidth the TURN server is allowed to allocate
                        for the sessions, combined (input and output network streams are treated separately).
 -c             <filename>  Configuration file name (default - turnserver.conf).
 -b, , --db, --userdb   <filename>      SQLite database file name; default - /var/db/turndb or
                            /usr/local/var/db/turndb or /var/lib/turn/turndb.
 -e, --psql-userdb, --sql-userdb <conn-string>  PostgreSQL database connection string, if used (default - empty, no PostgreSQL DB used).
                                        This database can be used for long-term credentials mechanism users,
                                        and it can store the secret value(s) for secret-based timed authentication in TURN REST API.
                        See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
                        versions format, see
                        http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
                        for 9.x and newer connection string formats.
 -M, --mysql-userdb <connection-string> MySQL database connection string, if used (default - empty, no MySQL DB used).
                                        This database can be used for long-term credentials mechanism users,
                                        and it can store the secret value(s) for secret-based timed authentication in TURN REST API.
                        The connection string my be space-separated list of parameters:
                                "host=<ip-addr> dbname=<database-name> user=<database-user> \
                            password=<database-user-password> port=<db-port> connect_timeout=<seconds> read_timeout=<seconds>".

                        The connection string parameters for the secure communications (SSL):
                        ca, capath, cert, key, cipher
                        (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
                        command options description).

                                All connection-string parameters are optional.

 --secret-key-file  <filename>      This is the file path which contain secret key of aes encryption while using MySQL password encryption.
                        If you want to use in the MySQL connection string the password in encrypted format,
                        then set in this option the file path of the secret key. The key which is used to encrypt MySQL password.
                        Warning: If this option is set, then MySQL password must be set in "mysql-userdb" option in encrypted format!
                        If you want to use cleartext password then do not set this option!
 -J, --mongo-userdb <connection-string> MongoDB connection string, if used (default - empty, no MongoDB used).
                                        This database can be used for long-term credentials mechanism users,
                                        and it can store the secret value(s) for secret-based timed authentication in TURN REST API.
 -N, --redis-userdb <connection-string> Redis user database connection string, if used (default - empty, no Redis DB used).
                                        This database can be used for long-term credentials mechanism users,
                                        and it can store the secret value(s) for secret-based timed authentication in TURN REST API.
                        The connection string my be space-separated list of parameters:
                                "host=<ip-addr> dbname=<db-number> \
                                password=<database-user-password> port=<db-port> connect_timeout=<seconds>".

                                All connection-string parameters are optional.

 -O, --redis-statsdb    <connection-string> Redis status and statistics database connection string, if used
                        (default - empty, no Redis stats DB used).
                                        This database keeps allocations status information, and it can be also used for publishing
                                        and delivering traffic and allocation event notifications.
                        The connection string has the same parameters as redis-userdb connection string.
 --prometheus                   Enable prometheus metrics. It is disabled by default. If it is enabled it will listen on port 9641 under the path /metrics
                        also the path / on this port can be used as a health check
 --prometheus-port      <port>      Prometheus metrics port (Default: 9641).
 --prometheus-username-labels           When metrics are enabled, add labels with client usernames.
 --use-auth-secret              TURN REST API flag.
                        Flag that sets a special authorization option that is based upon authentication secret
                        (TURN Server REST API, see https://github.com/coturn/coturn/blob/master/README.turnserver).
                        This option is used with timestamp.
 --static-auth-secret       <secret>    'Static' authentication secret value (a string) for TURN REST API only.
                        If not set, then the turn server will try to use the 'dynamic' value
                        in turn_secret table in user database (if present).
                        That database value can be changed on-the-fly
                        by a separate program, so this is why it is 'dynamic'.
                        Multiple shared secrets can be used (both in the database and in the "static" fashion).
 --no-auth-pings                Disable periodic health checks to 'dynamic' auth secret tables.
 --no-dynamic-ip-list               Do not use dynamic allowed/denied peer ip list.
 --no-dynamic-realms                Do not use dynamic realm assignment and options.
 --server-name                  Server name used for
                        the oAuth authentication purposes.
                        The default value is the realm name.
 --oauth                    Support oAuth authentication.
 -n                     Do not use configuration file, take all parameters from the command line only.
 --cert         <filename>      Certificate file, PEM format. Same file search rules
                        applied as for the configuration file.
                        If both --no-tls and --no_dtls options
                        are specified, then this parameter is not needed.
 --pkey         <filename>      Private key file, PEM format. Same file search rules
                        applied as for the configuration file.
                        If both --no-tls and --no-dtls options
 --pkey-pwd     <password>      If the private key file is encrypted, then this password to be used.
 --cipher-list      <cipher-string>     Allowed OpenSSL cipher list for TLS/DTLS connections.
                        Default value is "DEFAULT" for TLS/DTLS versions up to TLSv1.2/DTLSv1.2,
                        and the library default ciphersuites for TLSv1.3.
 --CA-file      <filename>      CA file in OpenSSL format.
                        Forces TURN server to verify the client SSL certificates.
                        By default, no CA is set and no client certificate check is performed.
 --ec-curve-name    <curve-name>        Curve name for EC ciphers, if supported by OpenSSL
                        library (TLS and DTLS). The default value is prime256v1,
                        if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
                        an optimal curve will be automatically calculated, if not defined
                        by this option.
 --dh566                    Use 566 bits predefined DH TLS key. Default size of the predefined key is 2066.
 --dh1066                   Use 1066 bits predefined DH TLS key. Default size of the predefined key is 2066.
 --dh-file  <dh-file-name>          Use custom DH TLS key, stored in PEM format in the file.
                        Flags --dh566 and --dh1066 are ignored when the DH key is taken from a file.
 --no-tlsv1                 Set TLSv1.1/DTLSv1.2 as a minimum supported protocol version.
                        With openssl-1.0.2 and below, do not allow TLSv1/DTLSv1 protocols.
 --no-tlsv1_1                   Set TLSv1.2/DTLSv1.2 as a minimum supported protocol version.
                        With openssl-1.0.2 and below, do not allow TLSv1.1 protocol.
 --no-tlsv1_2                   Set TLSv1.3/DTLSv1.2 as a minimum supported protocol version.
                        With openssl-1.0.2 and below, do not allow TLSv1.2/DTLSv1.2 protocols.
 --no-udp                   Do not start UDP client listeners.
 --no-tcp                   Do not start TCP client listeners.
 --no-tls                   Do not start TLS client listeners.
 --no-dtls                  Do not start DTLS client listeners.
 --no-udp-relay                 Do not allow UDP relay endpoints, use only TCP relay option.
 --no-tcp-relay                 Do not allow TCP relay endpoints, use only UDP relay options.
 -l, --log-file     <filename>      Option to set the full path name of the log file.
                        By default, the turnserver tries to open a log file in
                        /var/log/turnserver/, /var/log, /var/tmp, /tmp and . (current) directories
                        (which open operation succeeds first that file will be used).
                        With this option you can set the definite log file name.
                        The special names are "stdout" and "-" - they will force everything
                        to the stdout; and "syslog" name will force all output to the syslog.
 --no-stdout-log                Flag to prevent stdout log messages.
                        By default, all log messages are going to both stdout and to
                        a log file. With this option everything will be going to the log file only
                        (unless the log file itself is stdout).
 --syslog                   Output all log information into the system log (syslog), do not use the file output.
 --syslog-facility             <value>          Set syslog facility for syslog messages. Default is ''.
 --simple-log                   This flag means that no log file rollover will be used, and the log file
                        name will be constructed as-is, without PID and date appendage.
                        This option can be used, for example, together with the logrotate tool.
 --new-log-timestamp                Enable full ISO-8601 timestamp in all logs.
 --new-log-timestamp-format     <format>    Set timestamp format (in strftime(1) format). Depends on --new-log-timestamp to be enabled.
 --log-binding                  Log STUN binding request. It is now disabled by default to avoid DoS attacks.
 --stale-nonce[=<value>]            Use extra security with nonce value having limited lifetime (default 600 secs).
 --max-allocate-lifetime    <value>     Set the maximum value for the allocation lifetime. Default to 3600 secs.
 --channel-lifetime     <value>     Set the lifetime for channel binding, default to 600 secs.
                        This value MUST not be changed for production purposes.
 --permission-lifetime      <value>     Set the value for the lifetime of the permission. Default to 300 secs.
                        This MUST not be changed for production purposes.
 -S, --stun-only                Option to set standalone STUN operation only, all TURN requests will be ignored.
     --no-stun                  Option to suppress STUN functionality, only TURN requests will be processed.
 --alternate-server     <ip:port>   Set the TURN server to redirect the allocate requests (UDP and TCP services).
                        Multiple alternate-server options can be set for load balancing purposes.
                        See the docs for more information.
 --tls-alternate-server <ip:port>       Set the TURN server to redirect the allocate requests (DTLS and TLS services).
                        Multiple alternate-server options can be set for load balancing purposes.
                        See the docs for more information.
 -C, --rest-api-separator   <SYMBOL>    This is the timestamp/username separator symbol (character) in TURN REST API.
                        The default value is ':'.
 --max-allocate-timeout=<seconds>       Max time, in seconds, allowed for full allocation establishment. Default is 60.
 --allowed-peer-ip=<ip[-ip]>            Specifies an ip or range of ips that are explicitly allowed to connect to the
                        turn server. Multiple allowed-peer-ip can be set.
 --denied-peer-ip=<ip[-ip]>             Specifies an ip or range of ips that are not allowed to connect to the turn server.
                        Multiple denied-peer-ip can be set.
 --pidfile <"pid-file-name">            File name to store the pid of the process.
                        Default is /var/run/turnserver.pid (if superuser account is used) or
                        /var/tmp/turnserver.pid .
 --acme-redirect <URL>              Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
                        Default is '', i.e. no special handling for such requests.
 --secure-stun                  Require authentication of the STUN Binding request.
                        By default, the clients are allowed anonymous access to the STUN Binding functionality.
0: (1): INFO: System cpu num is 8
0: (1): INFO: log file opened: /var/tmp/turn_1_2024-03-14.log
0: (1): INFO: System enable num is 8
0: (1): WARNING: Cannot find config file: turnserver.conf. Default and command-line settings will be used.
 --proc-user <user-name>            User name to run the turnserver process.
                        After the initialization, the turnserver process
                        will make an attempt to change the current user ID to that user.
 --proc-group <group-name>          Group name to run the turnserver process.
                        After the initialization, the turnserver process
                        will make an attempt to change the current group ID to that group.
 --mobility                 Mobility with ICE (MICE) specs support.
 -K, --keep-address-family          Deprecated in favor of --allocation-default-address-family!!
                        TURN server allocates address family according TURN
                        Client <=> Server communication address family.
                        !! It breaks RFC6156 section-4.2 (violates default IPv4) !!
 -A --allocation-default-address-family=<ipv4|ipv6|keep>        Default is IPv4
                        TURN server allocates address family according TURN client requested address family.
                        If address family is not requested explicitly by client, then it falls back to this default.
                        The standard RFC explicitly define actually that this default must be IPv4,
                        so use other option values with care!
 --no-cli                   Turn OFF the CLI support. By default it is always ON.
 --cli-ip=<IP>                  Local system IP address to be used for CLI server endpoint. Default value
                        is 127.0.0.1.
 --cli-port=<port>              CLI server port. Default is 5766.
 --cli-password=<password>          CLI access password. Default is empty (no password).
                        For the security reasons, it is recommended to use the encrypted
                        for of the password (see the -P command in the turnadmin utility).
                        The dollar signs in the encrypted form must be escaped.
 --web-admin                    Enable Turn Web-admin support. By default it is disabled.
 --web-admin-ip=<IP>                Local system IP address to be used for Web-admin server endpoint. Default value
                        is 127.0.0.1.
 --web-admin-port=<port>            Web-admin server port. Default is 8080.
 --web-admin-listen-on-workers          Enable for web-admin server to listens on STUN/TURN workers STUN/TURN ports.
                        By default it is disabled for security reasons!
                        (This behavior used to be the default behavior, and was enabled by default.)
 --server-relay                 Server relay. NON-STANDARD AND DANGEROUS OPTION. Only for those applications
                        when we want to run server applications on the relay endpoints.
                        This option eliminates the IP permissions check on the packets
                        incoming to the relay endpoints.
 --cli-max-output-sessions          Maximum number of output sessions in ps CLI command.
                        This value can be changed on-the-fly in CLI. The default value is 256.
 --ne=[1|2|3]                   Set network engine type for the process (for internal purposes).
 --no-rfc5780                   Disable RFC5780 (NAT behavior discovery).
                        Originally, if there are more than one listener address from the same
                        address family, then by default the NAT behavior discovery feature enabled.
                        This option disables this original behavior, because the NAT behavior discovery
                        adds attributes to response, and this increase the possibility of an amplification attack.
                        Strongly encouraged to use this option to decrease gain factor in STUN binding responses.
 --no-stun-backward-compatibility       Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute
                        in binding response (use only the XOR-MAPPED-ADDRESS).
 --response-origin-only-with-rfc5780        Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
 --version                  Print version (and exit).
 -h                     Help


lorishane@Lionels-MacBook-Pro AntMedia % kubectl logs coturn-lsfv4
turnserver: unrecognized option '--user {username}:{password}'
turnserver: unrecognized option '--user {username}:{password}'
  366.                         The default thread number is the number of CPUs.
  367.                         In older systems (pre-Linux 3.9) the number of UDP relay threads always equals
  368.                         the number of listening endpoints (unless -m 0 is set).
  369.  --min-port         <port>      Lower bound of the UDP port range for relay endpoints allocation.
  370.                         Default value is 49152, according to RFC 5766.
  371.  --max-port         <port>      Upper bound of the UDP port range for relay endpoints allocation.
  372.                         Default value is 65535, according to RFC 5766.
  373.  -v, --verbose                  'Moderate' verbose mode.
  374.  -V, --Verbose                  Extra verbose mode, very annoying (for debug purposes only).
  375.  -o, --daemon                   Start process as daemon (detach from current shell).
  376.  --no-software-attribute            Production mode: hide the software version (formerly --prod).
  377.  -f, --fingerprint              Use fingerprints in the TURN messages.
  378.  -a, --lt-cred-mech             Use the long-term credential mechanism.
  379.  -z, --no-auth                  Do not use any credential mechanism, allow anonymous access.
  380.  -u, --user         <user:pwd>  User account, in form 'username:password', for long-term credentials.
  381.                         Cannot be used with TURN REST API.
  382.  -r, --realm            <realm>     The default realm to be used for the users when no explicit
  383.                         origin/realm relationship was found in the database.
  384.                         Must be used with long-term credentials
  385.                         mechanism or with TURN REST API.
  386.  --check-origin-consistency         The flag that sets the origin consistency check:
  387.                         across the session, all requests must have the same
  388.                         main ORIGIN attribute value (if the ORIGIN was
  389.                         initially used by the session).
  390.  -q, --user-quota       <number>    Per-user allocation quota: how many concurrent allocations a user can create.
  391.                         This option can also be set through the database, for a particular realm.
  392.  -Q, --total-quota      <number>    Total allocations quota: global limit on concurrent allocations.
  393.                         This option can also be set through the database, for a particular realm.
  394.  -s, --max-bps          <number>    Default max bytes-per-second bandwidth a TURN session is allowed to handle
  395.                         (input and output network streams are treated separately). Anything above
  396.                         that limit will be dropped or temporary suppressed
  397.                         (within the available buffer limits).
  398.                         This option can also be set through the database, for a particular realm.
  399.  -B, --bps-capacity     <number>    Maximum server capacity.
  400.                         Total bytes-per-second bandwidth the TURN server is allowed to allocate
  401.                         for the sessions, combined (input and output network streams are treated separately).
  402.  -c             <filename>  Configuration file name (default - turnserver.conf).
  403.  -b, , --db, --userdb   <filename>      SQLite database file name; default - /var/db/turndb or
  404.                             /usr/local/var/db/turndb or /var/lib/turn/turndb.
  405.  -e, --psql-userdb, --sql-userdb <conn-string>  PostgreSQL database connection string, if used (default - empty, no PostgreSQL DB used).
  406.                                         This database can be used for long-term credentials mechanism users,
  407.                                         and it can store the secret value(s) for secret-based timed authentication in TURN REST API.
  408.                         See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
  409.                         versions format, see
  410.                         http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
  411.                         for 9.x and newer connection string formats.
  412.  -M, --mysql-userdb <connection-string> MySQL database connection string, if used (default - empty, no MySQL DB used).
  413.                                         This database can be used for long-term credentials mechanism users,
  414.                                         and it can store the secret value(s) for secret-based timed authentication in TURN REST API.
  415.                         The connection string my be space-separated list of parameters:
  416.                                 "host=<ip-addr> dbname=<database-name> user=<database-user> \
  417.                             password=<database-user-password> port=<db-port> connect_timeout=<seconds> read_timeout=<seconds>".
  418.  
  419.                         The connection string parameters for the secure communications (SSL):
  420.                         ca, capath, cert, key, cipher
  421.                         (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
  422.                         command options description).
  423.  
  424.                                 All connection-string parameters are optional.
  425.  
  426.  --secret-key-file  <filename>      This is the file path which contain secret key of aes encryption while using MySQL password encryption.
  427.                         If you want to use in the MySQL connection string the password in encrypted format,
  428.                         then set in this option the file path of the secret key. The key which is used to encrypt MySQL password.
  429.                         Warning: If this option is set, then MySQL password must be set in "mysql-userdb" option in encrypted format!
  430.                         If you want to use cleartext password then do not set this option!
  431.  -J, --mongo-userdb <connection-string> MongoDB connection string, if used (default - empty, no MongoDB used).
  432.                                         This database can be used for long-term credentials mechanism users,
  433.                                         and it can store the secret value(s) for secret-based timed authentication in TURN REST API.
  434.  -N, --redis-userdb <connection-string> Redis user database connection string, if used (default - empty, no Redis DB used).
  435.                                         This database can be used for long-term credentials mechanism users,
  436.                                         and it can store the secret value(s) for secret-based timed authentication in TURN REST API.
  437.                         The connection string my be space-separated list of parameters:
  438.                                 "host=<ip-addr> dbname=<db-number> \
  439.                                 password=<database-user-password> port=<db-port> connect_timeout=<seconds>".
  440.  
  441.                                 All connection-string parameters are optional.
  442.  
  443.  -O, --redis-statsdb    <connection-string> Redis status and statistics database connection string, if used
  444.                         (default - empty, no Redis stats DB used).
  445.                                         This database keeps allocations status information, and it can be also used for publishing
  446.                                         and delivering traffic and allocation event notifications.
  447.                         The connection string has the same parameters as redis-userdb connection string.
  448.  --prometheus                   Enable prometheus metrics. It is disabled by default. If it is enabled it will listen on port 9641 under the path /metrics
  449.                         also the path / on this port can be used as a health check
  450.  --prometheus-port      <port>      Prometheus metrics port (Default: 9641).
  451.  --prometheus-username-labels           When metrics are enabled, add labels with client usernames.
  452.  --use-auth-secret              TURN REST API flag.
  453.                         Flag that sets a special authorization option that is based upon authentication secret
  454.                         (TURN Server REST API, see https://github.com/coturn/coturn/blob/master/README.turnserver).
  455.                         This option is used with timestamp.
  456.  --static-auth-secret       <secret>    'Static' authentication secret value (a string) for TURN REST API only.
  457.                         If not set, then the turn server will try to use the 'dynamic' value
  458.                         in turn_secret table in user database (if present).
  459.                         That database value can be changed on-the-fly
  460.                         by a separate program, so this is why it is 'dynamic'.
  461.                         Multiple shared secrets can be used (both in the database and in the "static" fashion).
  462.  --no-auth-pings                Disable periodic health checks to 'dynamic' auth secret tables.
  463.  --no-dynamic-ip-list               Do not use dynamic allowed/denied peer ip list.
  464.  --no-dynamic-realms                Do not use dynamic realm assignment and options.
  465.  --server-name                  Server name used for
  466.                         the oAuth authentication purposes.
  467.                         The default value is the realm name.
  468.  --oauth                    Support oAuth authentication.
  469.  -n                     Do not use configuration file, take all parameters from the command line only.
  470.  --cert         <filename>      Certificate file, PEM format. Same file search rules
  471.                         applied as for the configuration file.
  472.                         If both --no-tls and --no_dtls options
  473.                         are specified, then this parameter is not needed.
  474.  --pkey         <filename>      Private key file, PEM format. Same file search rules
  475.                         applied as for the configuration file.
  476.                         If both --no-tls and --no-dtls options
  477.  --pkey-pwd     <password>      If the private key file is encrypted, then this password to be used.
  478.  --cipher-list      <cipher-string>     Allowed OpenSSL cipher list for TLS/DTLS connections.
  479.                         Default value is "DEFAULT" for TLS/DTLS versions up to TLSv1.2/DTLSv1.2,
  480.                         and the library default ciphersuites for TLSv1.3.
  481.  --CA-file      <filename>      CA file in OpenSSL format.
  482.                         Forces TURN server to verify the client SSL certificates.
  483.                         By default, no CA is set and no client certificate check is performed.
  484.  --ec-curve-name    <curve-name>        Curve name for EC ciphers, if supported by OpenSSL
  485.                         library (TLS and DTLS). The default value is prime256v1,
  486.                         if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
  487.                         an optimal curve will be automatically calculated, if not defined
  488.                         by this option.
  489.  --dh566                    Use 566 bits predefined DH TLS key. Default size of the predefined key is 2066.
  490.  --dh1066                   Use 1066 bits predefined DH TLS key. Default size of the predefined key is 2066.
  491.  --dh-file  <dh-file-name>          Use custom DH TLS key, stored in PEM format in the file.
  492.                         Flags --dh566 and --dh1066 are ignored when the DH key is taken from a file.
  493.  --no-tlsv1                 Set TLSv1.1/DTLSv1.2 as a minimum supported protocol version.
  494.                         With openssl-1.0.2 and below, do not allow TLSv1/DTLSv1 protocols.
  495.  --no-tlsv1_1                   Set TLSv1.2/DTLSv1.2 as a minimum supported protocol version.
  496.                         With openssl-1.0.2 and below, do not allow TLSv1.1 protocol.
  497.  --no-tlsv1_2                   Set TLSv1.3/DTLSv1.2 as a minimum supported protocol version.
  498.                         With openssl-1.0.2 and below, do not allow TLSv1.2/DTLSv1.2 protocols.
  499.  --no-udp                   Do not start UDP client listeners.
  500.  --no-tcp                   Do not start TCP client listeners.
  501.  --no-tls                   Do not start TLS client listeners.
  502.  --no-dtls                  Do not start DTLS client listeners.
  503.  --no-udp-relay                 Do not allow UDP relay endpoints, use only TCP relay option.
  504.  --no-tcp-relay                 Do not allow TCP relay endpoints, use only UDP relay options.
  505.  -l, --log-file     <filename>      Option to set the full path name of the log file.
  506.                         By default, the turnserver tries to open a log file in
  507.                         /var/log/turnserver/, /var/log, /var/tmp, /tmp and . (current) directories
  508.                         (which open operation succeeds first that file will be used).
  509.                         With this option you can set the definite log file name.
  510.                         The special names are "stdout" and "-" - they will force everything
  511.                         to the stdout; and "syslog" name will force all output to the syslog.
  512.  --no-stdout-log                Flag to prevent stdout log messages.
  513.                         By default, all log messages are going to both stdout and to
  514.                         a log file. With this option everything will be going to the log file only
  515.                         (unless the log file itself is stdout).
  516.  --syslog                   Output all log information into the system log (syslog), do not use the file output.
  517.  --syslog-facility             <value>          Set syslog facility for syslog messages. Default is ''.
  518.  --simple-log                   This flag means that no log file rollover will be used, and the log file
  519.                         name will be constructed as-is, without PID and date appendage.
  520.                         This option can be used, for example, together with the logrotate tool.
  521.  --new-log-timestamp                Enable full ISO-8601 timestamp in all logs.
  522.  --new-log-timestamp-format     <format>    Set timestamp format (in strftime(1) format). Depends on --new-log-timestamp to be enabled.
  523.  --log-binding                  Log STUN binding request. It is now disabled by default to avoid DoS attacks.
  524.  --stale-nonce[=<value>]            Use extra security with nonce value having limited lifetime (default 600 secs).
  525.  --max-allocate-lifetime    <value>     Set the maximum value for the allocation lifetime. Default to 3600 secs.
  526.  --channel-lifetime     <value>     Set the lifetime for channel binding, default to 600 secs.
  527.                         This value MUST not be changed for production purposes.
  528.  --permission-lifetime      <value>     Set the value for the lifetime of the permission. Default to 300 secs.
  529.                         This MUST not be changed for production purposes.
  530.  -S, --stun-only                Option to set standalone STUN operation only, all TURN requests will be ignored.
  531.      --no-stun                  Option to suppress STUN functionality, only TURN requests will be processed.
  532.  --alternate-server     <ip:port>   Set the TURN server to redirect the allocate requests (UDP and TCP services).
  533.                         Multiple alternate-server options can be set for load balancing purposes.
  534.                         See the docs for more information.
  535.  --tls-alternate-server <ip:port>       Set the TURN server to redirect the allocate requests (DTLS and TLS services).
  536.                         Multiple alternate-server options can be set for load balancing purposes.
  537.                         See the docs for more information.
  538.  -C, --rest-api-separator   <SYMBOL>    This is the timestamp/username separator symbol (character) in TURN REST API.
  539.                         The default value is ':'.
  540.  --max-allocate-timeout=<seconds>       Max time, in seconds, allowed for full allocation establishment. Default is 60.
  541.  --allowed-peer-ip=<ip[-ip]>            Specifies an ip or range of ips that are explicitly allowed to connect to the
  542.                         turn server. Multiple allowed-peer-ip can be set.
  543.  --denied-peer-ip=<ip[-ip]>             Specifies an ip or range of ips that are not allowed to connect to the turn server.
  544.                         Multiple denied-peer-ip can be set.
  545.  --pidfile <"pid-file-name">            File name to store the pid of the process.
  546.                         Default is /var/run/turnserver.pid (if superuser account is used) or
  547.                         /var/tmp/turnserver.pid .
  548.  --acme-redirect <URL>              Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
  549.                         Default is '', i.e. no special handling for such requests.
  550.  --secure-stun                  Require authentication of the STUN Binding request.
  551.                         By default, the clients are allowed anonymous access to the STUN Binding functionality.
  552.  --proc-user <user-name>            User name to run the turnserver process.
  553.                         After the initialization, the turnserver process
  554.                         will make an attempt to change the current user ID to that user.
  555.  --proc-group <group-name>          Group name to run the turnserver process.
  556.                         After the initialization, the turnserver process
  557.                         will make an attempt to change the current group ID to that group.
  558.  --mobility                 Mobility with ICE (MICE) specs support.
  559.  -K, --keep-address-family          Deprecated in favor of --allocation-default-address-family!!
  560.                         TURN server allocates address family according TURN
  561.                         Client <=> Server communication address family.
  562. 0: (1): INFO: System cpu num is 8
  563. 0: (1): INFO: log file opened: /var/tmp/turn_1_2024-03-14.log
  564. 0: (1): INFO: System enable num is 8
  565. 0: (1): WARNING: Cannot find config file: turnserver.conf. Default and command-line settings will be used.
  566.                         !! It breaks RFC6156 section-4.2 (violates default IPv4) !!
  567.  -A --allocation-default-address-family=<ipv4|ipv6|keep>        Default is IPv4
  568.                         TURN server allocates address family according TURN client requested address family.
  569.                         If address family is not requested explicitly by client, then it falls back to this default.
  570.                         The standard RFC explicitly define actually that this default must be IPv4,
  571.                         so use other option values with care!
  572.  --no-cli                   Turn OFF the CLI support. By default it is always ON.
  573.  --cli-ip=<IP>                  Local system IP address to be used for CLI server endpoint. Default value
  574.                         is 127.0.0.1.
  575.  --cli-port=<port>              CLI server port. Default is 5766.
  576.  --cli-password=<password>          CLI access password. Default is empty (no password).
  577.                         For the security reasons, it is recommended to use the encrypted
  578.                         for of the password (see the -P command in the turnadmin utility).
  579.                         The dollar signs in the encrypted form must be escaped.
  580.  --web-admin                    Enable Turn Web-admin support. By default it is disabled.
  581.  --web-admin-ip=<IP>                Local system IP address to be used for Web-admin server endpoint. Default value
  582.                         is 127.0.0.1.
  583.  --web-admin-port=<port>            Web-admin server port. Default is 8080.
  584.  --web-admin-listen-on-workers          Enable for web-admin server to listens on STUN/TURN workers STUN/TURN ports.
  585.                         By default it is disabled for security reasons!
  586.                         (This behavior used to be the default behavior, and was enabled by default.)
  587.  --server-relay                 Server relay. NON-STANDARD AND DANGEROUS OPTION. Only for those applications
  588.                         when we want to run server applications on the relay endpoints.
  589.                         This option eliminates the IP permissions check on the packets
  590.                         incoming to the relay endpoints.
  591.  --cli-max-output-sessions          Maximum number of output sessions in ps CLI command.
  592.                         This value can be changed on-the-fly in CLI. The default value is 256.
  593.  --ne=[1|2|3]                   Set network engine type for the process (for internal purposes).
  594.  --no-rfc5780                   Disable RFC5780 (NAT behavior discovery).
  595.                         Originally, if there are more than one listener address from the same
  596.                         address family, then by default the NAT behavior discovery feature enabled.
  597.                         This option disables this original behavior, because the NAT behavior discovery
  598.                         adds attributes to response, and this increase the possibility of an amplification attack.
  599.                         Strongly encouraged to use this option to decrease gain factor in STUN binding responses.
  600.  --no-stun-backward-compatibility       Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute
  601.                         in binding response (use only the XOR-MAPPED-ADDRESS).
  602.  --response-origin-only-with-rfc5780        Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
  603.  --version                  Print version (and exit).
  604.  -h                     Help
  605.  