You are on page 1of 8

# SAI V-Connect WebRTC server configuration with information

# HTTP listener in format ip:port.
listen =

# Full path to directory where to find the server web assets.

root = /usr/share/spreed-webrtc-server/www

# HTTP socket read timeout in seconds.

readtimeout = 10

# HTTP socket write timeout in seconds.

writetimeout = 10

# Use basePath if the server does not run on the root path (/) of our server.
basePath = /some/sub/path/

# Set maximum number of open files (only works when run as root).
maxfd = 32768

# Enable stats API /api/v1/stats for debugging (not for production use!).
stats = false

# Enable HTTP listener for golang pprof module. See # for details.
pprofListen =

# Native HTTPS listener in format ip:port.
listen =

# Full path to PEM encoded certificate chain.

certificate = /home/vcon/spreed-webrtc/cert.pem

# Full path to PEM encoded private key.

key = /home/vcon/spreed-webrtc/privkey.pem

# Mimimal supported encryption standard (SSLv3, TLSv1, TLSv1.1 or TLSv1.2).

minVersion = SSLv3

# HTTPS socket read timeout in seconds.

readtimeout = 10

# HTTPS socket write timeout in seconds.

writetimeout = 10

[app] # Application Settings

title = SAI V-Connect # HTML page title

# Version string to use for static resources. This defaults to the server version and should only be changed
when we use our own way to invalidate
# long cached static resources.
ver = 1234

# STUN server URIs in format host:port. we can provide multiple seperated by space. If we do not have
one use a public one like If
# we have a TURN server we do not need to set an STUN server as the TURN server will provide STUN
stunURIs =
# TURN server URIs in format host:port?transport=udp|tcp. we can provide multiple seperated by space.
If we do not have at least one TURN server then some users will not be able to use the server as the peer
to peer connection cannot be established without a TURN server due to firewall reasons. An open source
TURN server which is fully supported can be found at
turnURIs = turn:turnserver:port?transport=udp

# Shared secret authentication for TURN user generation if the TURN server is protected (which it should
be). See for details. A supported TURN server
is turnSecret = the-default-turn-shared-secret-do-not-keep
Enable renegotiation support. Set to true to tell clients that they can renegotiate peer connections when
required. Firefox support is not complete, so do not enable if we want compatibility with Firefox clients.
renegotiation = false

# Session secret to use for session id generator. 32 or 64 bytes of random data are recommented (hex
encoded). A warning will be logged if hex decode fails. we can generate a secret easily with "xxd -ps -l
32 -c 32 /dev/random".
sessionSecret = a420dc09438b41049c2eecd7a83116b8e1c167e24b88f3e049812df4d247f903

# Encryption secret protecting the data in generated server side tokens. Use 16, 24, or 32 bytes (hex
encoded) to select AES-128, AES-192, or AES-256. When we change the encryption secret, stored
authentications, sessions and contacts become invalid. A warning will be logged if hex decode fails. We
can generate a secret easily with "xxd -ps -l 32 -c 32 /dev/random".
encryptionSecret = 0fcac292ae0858e7238ec38383d0ea17fc4f925c01985f113e095df0843628cf

# Full path to a text file containig client tokens which a user needs to enter when accessing the web client.
Each line in this file represents a valid token.
tokenFile = tokens.txt

# The name of a global room. If enabled it should be kept secret. Users in that room are visible in all other
SAIVConnect-support = global

# The default room is the room at the root URL of the servers base address and all users will join this
room if enabled. If it is disabled then a room join
# form will be shown instead.
defaultRoomEnabled = true

# Whether a user account is required to join a room. This only has an effect if user accounts are enabled.
Optional, defaults to false.
authorizeRoomJoin = false

# Whether a user account is required to create a room. This only has an effect if user accounts are
enabled. Optional, defaults to false.
authorizeRoomCreation = false

# Wether the pipelines API should be enabled. Optional, defaults to false.

pipelinesEnabled = false

# Server token is a public random string which is used to enhance security of server generated security
tokens. When the serverToken is changed all existing nonces become invalid. Use 32 or 64 characters (eg.
16 or 32 byte hex).
serverToken = 5b60615a5831b126131f714dce984cca51f189e027bc204fd9e51dceab4a3c04

# The server realm is part of the validation chain of tokens and nonces and is added as suffix to server
created user ids if user creation is enabled. When the realm is changed, all existing tokens and nonces
become invalid.
serverRealm = local

# Full path to an extra templates directory. Templates in this directory ending with .html will be parsed on
startup and can be used to fill the supported extra-* template slots. If the extra folder has a sub folder
"static", the resources in this static folder will be available as /extra/static/... relative to our servers base
extra = /usr/share/spreed-webrtc-server/extra
# Full path to an extra.d directory. Subfolders in this directory will be searched for head.html and
body.html on startup. If found, those templates will be automatically included for the web client. In
addition, sub-folder/static will be made available by URL at /extra.d/static/<n>/... relative to our servers
base URL. URL relative to the servers base path for a plugin javascript file which is automatically loaded
on web client start for all users. we can put our plugin in the extra/static folder (see above) or provide
another folder using a front end webserver. Check the doc folder for more info about plugins and
extra.d = /usr/share/spreed-webrtc-server/extra.d
plugin = extra/static/myplugin.js

# Content-Security-Policy HTTP response header value. Spreed WebRTC requires inline styles,
WebSocket connection to itself and
# data: URL for images.
# The currently recommended CSP is:
# default-src 'self';
# frame-src 'self' blob:;
# style-src 'self' 'unsafe-inline';
# img-src 'self' data: blob:;
# connect-src 'self' wss://server:port/ws blob:;
# font-src 'self' data: blob:;
# media-src 'self' blob:;
contentSecurityPolicy =

# Content-Security-Policy-Report-Only HTTP response header value. Use this to test our CSP before
putting it into production.
contentSecurityPolicyReportOnly =


# Modules provide optional functionality. Modules are enabled by default and can be disabled by setting
false to their corresponding configuration.
screensharing = true
wetube = true
presentation = true
contacts = true

logfile = /var/log/SAIVConnect-webrtc-server.log


# Set to true to enable user functionality.

enabled = false

# Set users authorization mode.


# Validates the userid with a HMAC authentication secret. The format goes like this: BASE64(HMAC-
SHA-256(secret, expirationTimestampInSeconds:userid))

# The userid is provided as an HTTP header. The server does not do any validation. This usually only
makes sense with a front end HTTPS proxy which does the authentication and injects the user id as
HTTP header for sessions REST requests. In mode httpheader, allowRegistration should be false.

# The userid is provided as CommonName with a certificate provided with TLS client authentication.
When we use this with a front end proxy for TLS termination, that proxy has to validate the certificate
and inject certain eaders into the proxy connection. While certificate mode offers the highest security it is
currently considered experimental and the user experience varies between browsers and platforms.
mode = sharedsecret

# The shared secred for HMAC validation in "sharedsecret" mode. Best use 32 or 64 bytes of random
sharedsecret_secret = 9dd07ecfe2666532c8cc40d1a9b1730f2a185552431baa774a30ea62e58546f9

# The HTTP header name where to find the userid in "httpheader" mode.
httpheader_header = x-userid

# Full path to PEM encoded private key to use for user creation in "certificate" mode. Keep this
commented if we do not want the server to sign certificate requests.
certificate_key = userskey.key

# Full path to PEM encoded certificate to use for user validation in "certificate" mode. When
allowRegistration is true and certificate_key is also set then the server will act as a CA and sign incoming
user registrations and return certificates to users as registration.
certificate_certificate = usersca.crt

# The HTTP header name where to find if the TLS client authentication was successfull. The value of this
header is matched to certificate_verifiedHeaderValue and only if there is a match, the proxy handled TLS
client authentication is accepted as success. Make sure to secure these headers with our front end proxy
(always set them). Do not use these settings when not using a front end proxy.
certificate_verifiedHeader = x-verified
certificate_verifiedHeaderValue = SUCCESS

# The HTTP header name where to find the PEM encoded certificate authenticated by a front end proxy.
With Nginx the required value is in $ssl_client_cert.
certificate_certificateHeader = x-certificate

# The valid duration of generated certificates created in certificate mode when allowRegistration is
certificate_validForDays = 365

# Organization to set into the created user certificates. Use a readable public name to make the certificate
easily recognizable as certificate for our server so users can choose the correct certificate when prompted.
certificate_organization= = SAI V-Connect
# If enabled the server can create new userids. Set allowRegistration to true to enable userid
creation/registration. Users are created according the settings of the currently configured mode (see
allowRegistration = false

[nats] # NATS server Settings

channelling_trigger = false # Set to true, to enable triggering channelling events via NATS
channelling_trigger_subject = channelling.trigger
url = nats:// # NATS server URL
establishTimeout = 60 # NATS connect establish timeout in seconds

# Use client_id to distinguish between multipe servers. The value is sent together with every NATS
request. Defaults to empty. client_id =

[roomtypes] # Types of room in SAI V-Connect

# we can define room types that should be used for given room names instead of the default type "Room".
Use format "RegularExpression = RoomType" and make sure the regular expression doesn't contain any
"=" or ":". Available room types: "Conference" All participants joining the room automatically call each
other and are in a conference.

^saiv-connect/.+ = Conference