Tag archive: WebRTC

Installing Janus on Redhat Enterprise Linux

This article discusses the installation of Janus on a Redhat Enterprise Linux 7 server. The installation process is long and complicated due to the dependencies required for Janus and their lack of inclusion in Yum repositories.

The steps below require some code compiling. The process is simple but may be intimidating for those who've never done it. Compiling code has a side effect that hinders the use of Yum: Yum only knows about packages installed with yum (or rpm) and therefore cannot see, or resolve dependencies against, anything you've compiled and installed manually.

The reason I've documented this process is that it was difficult. A client requested that we install Janus on their application server, which runs Red Hat Enterprise Linux 7. In hindsight I would recommend a dedicated Ubuntu server for this role (the media server, not the web server).

Janus is a WebRTC server described by its authors as follows: “Janus is an open source, general purpose, WebRTC server designed and developed by [Meetecho](http://www.meetecho.com). This version of the server is tailored for Linux systems, although it can be compiled for, and installed on, MacOS machines as well. Windows is not supported, but if that’s a requirement, Janus is known to work in the Windows Subsystem for Linux on Windows 10.”

I strongly recommend taking a backup of the system before following the steps in this article. Even better would be to do this on a test system and then on a production system (still with backups or a snapshot that can be reverted to). I’ve sourced CentOS packages to fill the gaps in what Redhat doesn’t supply.

TIP: The biggest sticking point for me was the libsrtp and libsrtp-devel packages; see the section on installing them below. It was a matter of doing things in the right order. If what I've done doesn't work for you, try a different order or a different command: yum versus rpm -ihv versus rpm -Uhv.

It helps to have EPEL configured.

yum install epel-release

Install as much as possible using the following yum command. Several of the packages listed below won't be found; those are dealt with individually further down.

yum install libmicrohttpd-devel jansson-devel \
openssl-devel libsrtp-devel sofia-sip-devel glib-devel \
opus-devel libogg-devel libcurl-devel lua-devel \
pkgconfig gengetopt libtool autoconf automake coreutils \
glib2-devel openssl098e

Throughout this process I have sourced dependencies from https://pkgs.org/. The versions noted below will obviously change over time, so consider the date of this article and the versions available now.

The documentation at https://janus.conf.meetecho.com/docs/README.html gives guidance on the installation process, but it is not specific to Red Hat (or CentOS, etc.) and includes content not covered here. Read it if you get stuck.

Each of the following sections starts with the name of the dependency being installed, followed by the commands used.

Packages: libmicrohttpd, libmicrohttpd-devel
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/libmicrohttpd-0.9.33-2.el7.x86_64.rpm
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/libmicrohttpd-devel-0.9.33-2.el7.x86_64.rpm
rpm -ihv libmicrohttpd-0.9.33-2.el7.x86_64.rpm
rpm -ihv libmicrohttpd-devel-0.9.33-2.el7.x86_64.rpm

Package: libnice-devel
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/libnice-devel-0.1.3-4.el7.x86_64.rpm
rpm -ihv libnice-devel-0.1.3-4.el7.x86_64.rpm

Packages: jansson, jansson-devel
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/jansson-2.10-1.el7.x86_64.rpm
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/jansson-devel-2.10-1.el7.x86_64.rpm
rpm -Uhv jansson-2.10-1.el7.x86_64.rpm
rpm -ihv jansson-devel-2.10-1.el7.x86_64.rpm

Packages: libsrtp, libsrtp-devel
# gstreamer1-plugins-bad-free depends on the stock libsrtp, so remove it before replacing libsrtp
yum remove gstreamer1-plugins-bad-free
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/Packages/l/libsrtp-devel-1.5.4-3.el6.x86_64.rpm
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/Packages/l/libsrtp-1.5.4-3.el6.x86_64.rpm
rpm -Uhv libsrtp-1.5.4-3.el6.x86_64.rpm libsrtp-devel-1.5.4-3.el6.x86_64.rpm
# put back the desktop packages that the "yum remove" above took with it
yum install cheese empathy farstream02 telepathy-farstream totem totem-nautilus

Package: sofia-sip-devel (built from source; installs under /usr/local)
wget -O sofia-sip-1.12.11.tar.gz "https://downloads.sourceforge.net/project/sofia-sip/sofia-sip/1.12.11/sofia-sip-1.12.11.tar.gz?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fsofia-sip%2Ffiles%2Flatest%2Fdownload&ts=1540078563"
tar -xzf sofia-sip-1.12.11.tar.gz
cd sofia-sip-1.12.11
./configure && make && make install

Package: opus-devel
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/opus-devel-1.0.2-6.el7.x86_64.rpm
rpm -ihv opus-devel-1.0.2-6.el7.x86_64.rpm

Package: libogg-devel
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/libogg-devel-1.3.0-7.el7.x86_64.rpm
rpm -ihv libogg-devel-1.3.0-7.el7.x86_64.rpm

Package: lua-devel
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/lua-devel-5.1.4-15.el7.x86_64.rpm
rpm -ihv lua-devel-5.1.4-15.el7.x86_64.rpm

Janus:
git clone https://github.com/meetecho/janus-gateway.git
cd janus-gateway
sh autogen.sh

The final step is to compile Janus. This step will end either in success or with an explanation of whatever is missing that you'll need to install manually. If configure cannot find something you built from source (sofia-sip above lands in /usr/local, which pkg-config on RHEL 7 does not search by default), point pkg-config at it first, e.g. export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig.

./configure --prefix=/opt/janus
make
make install

Now the installed binary under /opt/janus should run and report its version:

/opt/janus/bin/janus -V
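Every RPM above is fetched over plain HTTP and handed straight to rpm, which will install an unsigned or tampered package without complaint. The following is an added example, not part of the original post: a POSIX shell helper that imports the CentOS 7 signing key, downloads a package and installs it only if rpm -K reports a signature that actually verified (a digest-only OK means the package is unsigned). The key URL is an assumption, and you should compare the key's fingerprint against a source you trust before importing it.

```shell
#!/bin/sh
# Added example (not from the original post): fetch a CentOS/EPEL RPM and
# install it only if rpm can verify its GPG signature. Assumptions: the key
# URL below (check its fingerprint against a source you trust before use),
# and that wget and rpm are on PATH.
set -eu

CENTOS7_KEY_URL=${CENTOS7_KEY_URL:-https://www.centos.org/keys/RPM-GPG-KEY-CentOS-7}

# rpm_sig_ok LINE -> 0 only if LINE, one line of `rpm -K` output, reports a
# signature that verified. Handles the rpm 4.11 wording on RHEL 7
# ("rsa sha1 (md5) pgp md5 OK") and rpm >= 4.14 ("digests signatures OK").
# An unsigned package only reports digests ("sha1 md5 OK" / "digests OK")
# and is rejected, as is a signature rpm could not check ("NOT OK", missing key).
rpm_sig_ok() {
    line=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$line" in
        *"not ok"*)        return 1 ;;
        *"missing keys"*)  return 1 ;;
        *" pgp "*" ok"*)   return 0 ;;
        *"signatures ok"*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# fetch_verify_install URL -> download, check the signature, then rpm -Uvh
fetch_verify_install() {
    url=$1
    file=${url##*/}                         # basename of the URL
    rpm --import "$CENTOS7_KEY_URL"         # idempotent; needed once per host
    wget -q -O "$file" "$url"
    verdict=$(rpm -K "$file" || true)       # rpm -K exits non-zero on NOT OK
    if rpm_sig_ok "$verdict"; then
        rpm -Uvh "$file"
    else
        echo "refusing to install $file: $verdict" >&2
        rm -f "$file"
        return 1
    fi
}

# Usage: sh verify-rpm.sh install URL [URL...]
if [ "${1:-}" = "install" ]; then
    shift
    for u in "$@"; do fetch_verify_install "$u"; done
fi
```

The decision is deliberately made on rpm's own verdict rather than on a checksum you would have to source from the same mirror; if the mirror offers https, use it as well, but the signature is what ties the package to the CentOS build system.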

Janus WebRTC Server installation

Janus is an open source, general purpose, WebRTC server designed and developed by Meetecho. This version of the server is tailored for Linux systems, although it can be compiled for, and installed on, MacOS machines as well. Windows is not supported, but if that’s a requirement, Janus is known to work in the “Windows Subsystem for Linux” on Windows 10.

For some online demos and documentations, make sure you pay the project website a visit!

To discuss Janus with us and other users, there’s a Google Group called meetecho-janus that you can use. If you encounter bugs, though, please submit an issue on github instead.

Dependencies

To install it, you’ll need to satisfy the following dependencies:

  • Jansson
  • libconfig
  • libnice (at least v0.1.13 suggested, master recommended)
  • OpenSSL (at least v1.0.1e)
  • libsrtp (at least v1.5 suggested)
  • usrsctp (only needed if you are interested in Data Channels)
  • libmicrohttpd (only needed if you are interested in REST support for the Janus API)
  • libwebsockets (only needed if you are interested in WebSockets support for the Janus API)
  • cmake (only needed if you are interested in WebSockets and/or BoringSSL support, as they make use of it)
  • rabbitmq-c (only needed if you are interested in RabbitMQ support for the Janus API or events)
  • paho.mqtt.c (only needed if you are interested in MQTT support for the Janus API or events)
  • nanomsg (only needed if you are interested in Nanomsg support for the Janus API)
  • libcurl (only needed if you are interested in the TURN REST API support)

A couple of plugins depend on a few more libraries:

  • Sofia-SIP (only needed for the SIP plugin)
  • libopus (only needed for the bridge plugin)
  • libogg (needed for the voicemail plugin and/or post-processor)
  • libcurl (only needed if you are interested in RTSP support in the Streaming plugin or in the sample Event Handler plugin)
  • Lua (only needed for the Lua plugin)

Additionally, you’ll need the following libraries and tools: GLib, pkg-config and gengetopt.

All of those libraries are usually available on most of the most common distributions. Installing these libraries on a recent Fedora, for instance, is very simple:

yum install libmicrohttpd-devel jansson-devel \
   openssl-devel libsrtp-devel sofia-sip-devel glib2-devel \
   opus-devel libogg-devel libcurl-devel pkgconfig gengetopt \
   libconfig-devel libtool autoconf automake 

Notice that you may have to yum install epel-release as well if you’re attempting an installation on a CentOS machine instead.

On Ubuntu or Debian, it would require something like this:

aptitude install libmicrohttpd-dev libjansson-dev \
	libssl-dev libsrtp-dev libsofia-sip-ua-dev libglib2.0-dev \
	libopus-dev libogg-dev libcurl4-openssl-dev liblua5.3-dev \
	libconfig-dev pkg-config gengetopt libtool automake 
  • Note: please notice that libopus may not be available out of the box on Ubuntu or Debian, unless you’re using a recent version (e.g., Ubuntu 14.04 LTS). In that case, you’ll have to install it manually.

While libnice is typically available in most distros as a package, the version available out of the box in Ubuntu is known to cause problems. As such, we always recommend manually compiling and installing the master version of libnice. Installation of libnice master is quite straightforward:

git clone https://gitlab.freedesktop.org/libnice/libnice
cd libnice
./autogen.sh
./configure --prefix=/usr
make && sudo make install 
  • Note: Make sure you remove the distro version first, or you’ll cause conflicts between the installations. In case you want to keep both for some reason, for custom installations of libnice you can also run pkg-config --cflags --libs nice to make sure Janus can find the right installation. If that fails, you may need to set the PKG_CONFIG_PATH environment variable prior to compiling Janus, e.g., export PKG_CONFIG_PATH=/path/to/libnice/lib/pkgconfig

In case you’re interested in compiling the sample Event Handler plugin, you’ll need to install the development version of libcurl as well (usually libcurl-devel on Fedora/CentOS, libcurl4-openssl-dev on Ubuntu/Debian).

If your distro ships a pre-1.5 version of libsrtp, you’ll have to uninstall that version and install 1.5.x, 1.6.x or 2.x manually. In fact, 1.4.x is known to cause several issues with WebRTC. Installation of version 1.5.4 is quite straightforward:

wget https://github.com/cisco/libsrtp/archive/v1.5.4.tar.gz
tar xfv v1.5.4.tar.gz
cd libsrtp-1.5.4
./configure --prefix=/usr --enable-openssl
make shared_library && sudo make install 

The instructions for version 2.x are practically the same. Notice that the following steps are for version 2.2.0, but there may be more recent versions available:

wget https://github.com/cisco/libsrtp/archive/v2.2.0.tar.gz
tar xfv v2.2.0.tar.gz
cd libsrtp-2.2.0
./configure --prefix=/usr --enable-openssl
make shared_library && sudo make install 

The Janus configure script autodetects which one you have installed and links to the correct library automatically, choosing 2.x if both are installed. If you want 1.5 or 1.6 to be picked, pass --disable-libsrtp2 when configuring Janus to force it to use the older version instead.

  • Note: when installing libsrtp, no matter which version, you may need to pass --libdir=/usr/lib64 to the configure script if you’re installing on a x86_64 distribution.

If you want to make use of BoringSSL instead of OpenSSL (e.g., because you want to take advantage of --enable-dtls-settimeout), you’ll have to manually install it to a specific location. Use the following steps:

git clone https://boringssl.googlesource.com/boringssl
cd boringssl
# Don't barf on errors
sed -i s/" -Werror"//g CMakeLists.txt
# Build
mkdir -p build
cd build
cmake -DCMAKE_CXX_FLAGS="-lrt" ..
make
cd ..
# Install
sudo mkdir -p /opt/boringssl
sudo cp -R include /opt/boringssl/
sudo mkdir -p /opt/boringssl/lib
sudo cp build/ssl/libssl.a /opt/boringssl/lib/
sudo cp build/crypto/libcrypto.a /opt/boringssl/lib/ 

Once the library is installed, you’ll have to pass an additional --enable-boringssl flag to the configure script, as by default Janus will be built assuming OpenSSL will be used. By default, Janus expects BoringSSL to be installed in /opt/boringssl; if it’s installed in another location, pass the path to the configure script as such: --enable-boringssl=/path/to/boringssl. If you were using OpenSSL and want to switch to BoringSSL, make sure you also do a make clean in the Janus folder before compiling with the new BoringSSL support. If you enabled BoringSSL support and also want Janus to detect and react to DTLS timeouts with faster retransmissions, then pass --enable-dtls-settimeout to the configure script too.

For what concerns usrsctp, which is needed for Data Channels support, it is usually not available in repositories, so if you’re interested in them (support is optional) you’ll have to install it manually. It is a pretty easy and standard process:

git clone https://github.com/sctplab/usrsctp
cd usrsctp
./bootstrap
./configure --prefix=/usr && make && sudo make install 
  • Note: you may need to pass --libdir=/usr/lib64 to the configure script if you’re installing on a x86_64 distribution.

The same applies for libwebsockets, which is needed for the optional WebSockets support. If you’re interested in supporting WebSockets to control Janus, as an alternative (or replacement) to the default plain HTTP REST API, you’ll have to install it manually:

git clone https://libwebsockets.org/repo/libwebsockets
cd libwebsockets
# If you want the stable version of libwebsockets, uncomment the next line
# git checkout v2.4-stable
mkdir build
cd build
# See https://github.com/meetecho/janus-gateway/issues/732 re: LWS_MAX_SMP
cmake -DLWS_MAX_SMP=1 -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_C_FLAGS="-fpic" ..
make && sudo make install 

The same applies for Eclipse Paho MQTT C client library, which is needed for the optional MQTT support. If you’re interested in integrating MQTT channels as an alternative (or replacement) to HTTP and/or WebSockets to control Janus, or as a carrier of Janus Events, you can install the latest version with the following steps:

git clone https://github.com/eclipse/paho.mqtt.c.git
cd paho.mqtt.c
make && sudo make install 
  • Note: you may want to set up a different install path for the library, to achieve that, replace the last command by ‘sudo prefix=/usr make install’.

In case you’re interested in Nanomsg support, you’ll need to install the related C library. It is usually available as an easily installable package in pretty much all repositories. The following is an example on how to install it on Ubuntu:

aptitude install libnanomsg-dev 

Finally, the same can be said for rabbitmq-c as well, which is needed for the optional RabbitMQ support. In fact, several different versions of the library can be found, and the versions usually available in most distribution repositories are not up-to-date with respect to the current state of the development. As such, if you’re interested in integrating RabbitMQ queues as an alternative (or replacement) to HTTP and/or WebSockets to control Janus, you can install the latest version with the following steps:

git clone https://github.com/alanxz/rabbitmq-c
cd rabbitmq-c
git submodule init
git submodule update
mkdir build && cd build
cmake -DCMAKE_INSTALL_PREFIX=/usr ..
make && sudo make install 
  • Note: you may need to pass --libdir=/usr/lib64 to the configure script if you’re installing on a x86_64 distribution.

To conclude, should you be interested in building the Janus documentation as well, you’ll need some additional tools too:

On Fedora:

yum install doxygen graphviz 

On Ubuntu/Debian:

aptitude install doxygen graphviz 

Compile

Once you have installed all the dependencies, get the code:

git clone https://github.com/meetecho/janus-gateway.git
cd janus-gateway 

Then just use:

sh autogen.sh 

to generate the configure file. After that, configure and compile as usual to start the whole compilation process:

./configure --prefix=/opt/janus
make
make install 

Since Janus requires configuration files for both the core and its modules in order to work, you’ll probably also want to install the default configuration files to use, which you can do this way:

make configs 

Remember to only do this once, or otherwise a subsequent make configs will overwrite any configuration file you may have modified in the meanwhile.

If you’ve installed the above libraries but are not interested, for instance, in Data Channels, WebSockets, MQTT and/or RabbitMQ, you can disable them when configuring:

./configure --disable-websockets --disable-data-channels --disable-rabbitmq --disable-mqtt 

There are configuration flags for pretty much all external modules and many of the features, so you may want to issue a ./configure --help to dig through the available options. A summary of what’s going to be built will always appear after you do a configure, allowing you to double check if what you need and don’t need is there.

If Doxygen and graphviz are available, the process can also build the documentation for you. By default the compilation process will not try to build the documentation, so if you instead prefer to build it, use the --enable-docs configuration option:

./configure --enable-docs 

You can also selectively enable/disable other features (e.g., specific plugins you don’t care about, or whether or not you want to build the recordings post-processor). Use the --help option when configuring for more info.

Building on MacOS

While most of the above instructions will work when compiling Janus on MacOS as well, there are a few aspects to highlight when doing that.

First of all, you can use brew to install most of the dependencies:

brew install jansson libnice openssl srtp libusrsctp libmicrohttpd \
	libwebsockets cmake rabbitmq-c sofia-sip opus libogg curl glib \
	libconfig pkg-config gengetopt autoconf automake libtool 

For what concerns libwebsockets, though, make sure that the installed version is higher than 2.4.1, or you might encounter the problems described in this post. If brew doesn’t provide a more recent version, you’ll have to install the library manually.

Notice that you may need to provide a custom prefix and PKG_CONFIG_PATH when configuring Janus as well, e.g.:

./configure --prefix=/usr/local/janus PKG_CONFIG_PATH=/usr/local/opt/openssl/lib/pkgconfig 

Everything else works exactly the same way as on Linux.

Configure and start

To start the server, you can use the janus executable. There are several things you can configure, either in a configuration file:

<installdir>/etc/janus/janus.jcfg 

or on the command line:

<installdir>/bin/janus --help

janus 0.7.5

Usage: janus [OPTIONS]...

-h, --help                    Print help and exit
-V, --version                 Print version and exit
-b, --daemon                  Launch Janus in background as a daemon
                              (default=off)
-p, --pid-file=path           Open the specified PID file when starting Janus
                              (default=none)
-N, --disable-stdout          Disable stdout based logging  (default=off)
-L, --log-file=path           Log to the specified file (default=stdout only)
-H, --cwd-path=path           Working directory for Janus daemon process
                              (default=/)
-i, --interface=ipaddress     Interface to use (will be the public IP)
-P, --plugins-folder=path     Plugins folder (default=./plugins)
-C, --config=filename         Configuration file to use
-F, --configs-folder=path     Configuration files folder (default=./conf)
-c, --cert-pem=filename       DTLS certificate
-k, --cert-key=filename       DTLS certificate key
-K, --cert-pwd=text           DTLS certificate key passphrase (if needed)
-S, --stun-server=filename    STUN server(:port) to use, if needed (e.g.,
                              Janus behind NAT, default=none)
-1, --nat-1-1=ip              Public IP to put in all host candidates,
                              assuming a 1:1 NAT is in place (e.g., Amazon
                              EC2 instances, default=none)
-E, --ice-enforce-list=list   Comma-separated list of the only interfaces to
                              use for ICE gathering; partial strings are
                              supported (e.g., eth0 or eno1,wlan0,
                              default=none)
-X, --ice-ignore-list=list    Comma-separated list of interfaces or IP
                              addresses to ignore for ICE gathering;
                              partial strings are supported (e.g.,
                              vmnet8,192.168.0.1,10.0.0.1 or
                              vmnet,192.168., default=vmnet)
-6, --ipv6-candidates         Whether to enable IPv6 candidates or not
                              (experimental)  (default=off)
-l, --libnice-debug           Whether to enable libnice debugging or not
                              (default=off)
-f, --full-trickle            Do full-trickle instead of half-trickle
                              (default=off)
-I, --ice-lite                Whether to enable the ICE Lite mode or not
                              (default=off)
-T, --ice-tcp                 Whether to enable ICE-TCP or not (warning: only
                              works with ICE Lite)
                              (default=off)
-R, --rfc-4588                Whether to enable RFC4588 retransmissions
                              support or not  (default=off)
-q, --max-nack-queue=number   Maximum size of the NACK queue (in ms) per user
                              for retransmissions
-t, --no-media-timer=number   Time (in s) that should pass with no media
                              (audio or video) being received before Janus
                              notifies you about this
-W, --slowlink-threshold=number
                              Number of lost packets (per s) that should
                              trigger a 'slowlink' Janus API event to users
-r, --rtp-port-range=min-max  Port range to use for RTP/RTCP (only available
                              if the installed libnice supports it)
-B, --twcc-period=number      How often (in ms) to send TWCC feedback back to
                              senders, if negotiated (default=1s)
-n, --server-name=name        Public name of this Janus instance
                              (default=MyJanusInstance)
-s, --session-timeout=number  Session timeout value, in seconds (default=60)
-m, --reclaim-session-timeout=number
                              Reclaim session timeout value, in seconds
                              (default=0)
-d, --debug-level=1-7         Debug/logging level (0=disable debugging,
                              7=maximum debug level; default=4)
-D, --debug-timestamps        Enable debug/logging timestamps  (default=off)
-o, --disable-colors          Disable color in the logging  (default=off)
-M, --debug-locks             Enable debugging of locks/mutexes (very
                              verbose!)  (default=off)
-a, --apisecret=randomstring  API secret all requests need to pass in order
                              to be accepted by Janus (useful when wrapping
                              Janus API requests in a server, none by
                              default)
-A, --token-auth              Enable token-based authentication for all
                              requests  (default=off)
-e, --event-handlers          Enable event handlers  (default=off) 

Options passed through the command line have the precedence on those specified in the configuration file. To start the server, simply run:

<installdir>/bin/janus 

This will start the server, and have it look at the configuration file.

Make sure you have a look at all of the configuration files, to tailor Janus to your specific needs: each configuration file is documented, so it shouldn’t be hard to make changes according to your requirements. The repo comes with some defaults (assuming you issued make configs after installing the server) that tend to make sense for generic deployments, and also includes some sample configurations for all the plugins (e.g., web servers to listen on, conference rooms to create, streaming mountpoints to make available at startup, etc.).

To test whether it’s working correctly, you can use the demos provided with this package in the html folder: these are exactly the same demos available online on the project website. Just copy the files it contains to a web server, or use a userspace web server to serve the files in the html folder (e.g., with php or python), and open the index.html page in either Chrome or Firefox. A list of demo pages exploiting the different plugins will be available. Remember to edit the transport/port details in the demo JavaScript files if you changed any transport-related configuration from its defaults. Besides, the demos refer to the pre-configured plugin resources, so if you add some new resources (e.g., a new videoconference) you may have to tweak the demo pages to actually use them.

A roundup of open-source WebRTC server projects

1. Key references
1.1 Zhihu
Original link: http://www.zhihu.com/question/25497090
Can WebRTC be used for live video streaming?
I often see peer-to-peer WebRTC video. Could one build a platform that lets people broadcast live video over WebRTC so that all their followers can watch? What approaches are there?

米小嘉:
Yes. WebRTC means the browser has real-time video capability directly, with no extra plugin needed, though it may be a default plugin of the browser.
Posted 2014-09-26, 9 comments
 
刘津玮:
The project I work on has used this technology for more than two years. Conclusion first: absolutely yes!

But, as always, there is a "but": it isn't that simple. You think calling a few Chrome APIs gets you a live stream? Too simple.

米小嘉's answer above is not right: WebRTC doesn't use a plugin, it's functionality built into Chrome exposed as native JavaScript APIs, and there is no browser-bundled plugin either.
煎饼果子社长's method above is also wrong: the WebRTC API isn't only there to capture a local source. RTC stands for real time communication, so naturally this API set carries transport too. After capturing the image source you shouldn't send the image data over WebSocket; you send the image and sound data directly with WebRTC's communication APIs (which support both image and sound).

So what is the right approach?
1. You need a client that implements the WebRTC protocols, e.g. the Chrome browser.
2. Set up a server similar to an MCU. (Don't know what an MCU is? See: MCU (the central control unit of a video conferencing system).)

Step 1: with your client, e.g. Chrome, obtain the image and sound source through the WebRTC media APIs, then use WebRTC's communication APIs to send the image and sound data to the MCU server.
Step 2: the MCU server processes the image and sound data as your needs require, e.g. compression and audio mixing.
Step 3: users who want to watch connect to your MCU server from their Chrome browser and receive the image and sound streams the server forwards.

On step 1: if you're just playing around, you can use Chrome directly as your broadcast client. Plug a camera and microphone into the computer and Chrome can get the camera and microphone data through the JavaScript APIs. The downside is that for long broadcasts Chrome's stability is worrying, and I'm not trying to scare you. Our project's experience is that Chrome running like this for 24 hours or more uses a lot of memory and crashes easily.

Step 2: you may ask, WebRTC can transfer streams P2P between browsers, so why is a relaying MCU server needed? Because Chrome's capabilities are weak: it can't control video resolution or mix multiple audio channels, so an MCU has to take part. Most importantly, Chrome sending video streams to 6 clients at once already consumes a lot of resources, so with more than 10 viewers Chrome crashes easily.

Step 3 is simple; nothing more to say.
Lastly, the old topic again: compatibility. You can check which browsers support it now. IE reportedly does, but from what we studied it seems to use a different protocol from Chrome and they don't interoperate. Firefox and Opera aren't ideal either.

将空:
Makes sense, learned a lot.
2015-03-31

Ryan:
Is the MCU something like a media server? A bit like red5?
2015-04-04

刘津玮 (author) replying to Ryan:
Yes, similar to red5, but our MCU was written by us, so it isn't that powerful; basically whenever we need a feature we write one and add it.
2015-04-05

Zhihu user:
Very detailed; I do feel a server is needed in the middle.
2015-04-10

王宇鹏:
Is there free or paid software for the server side?
2015-04-12

刘津玮 (author) replying to 王宇鹏:
http://lynckia.com, you can take a look at this
2015-04-12

孙知乎:
Learned something.
2015-04-13

刘津玮 (author) replying to 孙知乎:
Learned something and not upvoting and thanking?! ( ╯#-_-)╯┴—┴
2015-04-13

孙知乎 replying to 刘津玮 (author):
(⊙o⊙)… done, upvoted.
2015-04-13

周昌:
I built a mobile live-video app, just launched, based on WebRTC with a mesh-tree network architecture; browsers relay to each other P2P. The product is still being iterated. Product: http://yacamera.com
Posted 2014-10-01, 1 comment

Zhihu user:
One-to-N live streaming is generally relayed by a server.
Posted 2014-10-12

廖郡:
With two computers of which only one has a camera, can video be transmitted? WebRTC
Posted 2014-10-24, 1 comment

鲁强:
One addition: live streaming is a concept that has long existed in streaming-media processing and use. WebRTC merely provides a framework that can replace the streaming transport and processing in existing live-streaming systems.

Also, as other answers mention, live streaming and video services often involve mixing and forwarding of media streams. I need to warn everyone here: video mixing does not exist in the underlying WebRTC framework; this is a big pit that is not easily filled, so think it through when planning a product :). Audio mixing, on the other hand, is already in WebRTC's underlying audio framework and is easy to pick up and use (although Chrome and the like only use it for P2P).

Building a live-streaming service with WebRTC is entirely feasible, but the interactivity of live streaming and large-scale concurrency (e.g. one host, thousands of viewers) are the issues that matter most for live streaming. Here WebRTC only provides a streaming transport path, including access to audio and video codecs, and all of this can be borrowed or used as one part of a live-streaming implementation. But with WebRTC alone you'll only build a simple toy; for a product, think more about the application scenario, user volume, bandwidth requirements, server deployment and operations.
Posted 2015-04-16, 2 comments

煎饼果子社长:
Absolutely. As I understand it, live streaming is point-to-multipoint and needs a server to relay and distribute.

For the source, use WebRTC to capture your desktop or the image of a particular application; this is selectable and can be set in the WebRTC API. Then send it to your server over WebSocket (not the only way, but this way has been tried and works) and forward it. The client works on the same principle: receive over WebSocket and play the source directly with what HTML5 provides.

The only shortcoming is that the audio source has to be handled separately in a similar way, because the desktop only has images, but the principle is similar.
Posted 2015-03-30

2. The Jitsi video conferencing system
1. Multi-party video conferencing based on WebRTC
25 July 2014
Over the last two weeks I have been researching and setting up a WebRTC-based multi-party video conferencing system. It is now up and can be tried at http://jitsi.shengbin.me/.
The system needs no registration or login: several people simply visit the same URL (which contains the specific ID the system assigns to each room) to hold a video conference.
If that link is dead, try an identical system abroad: https://meet.jit.si/.
The client computers need a camera; as for bandwidth, the more the better.
Below is a summary of the components of this system.

2. Client
The client is a web app: web pages made of HTML, CSS and JavaScript. HTML and CSS build the chat-room interface, JavaScript implements the functionality. Because the functionality is fairly complex, there is quite a lot of JS code.
Through WebRTC the client captures images from the user's camera and sends them to the server to realise the video conference. Since WebRTC is only supported in Chrome, Opera and Firefox, and Firefox has an unresolved bug, the client only runs in Chrome or Opera.

3. Server
The server side consists of several parts, introduced below.
Nginx (http://nginx.org/)
Nginx is a web server, in the same class as the well-known Apache. Its job is to serve the web pages.

Prosody (http://prosody.im/)
Prosody is an XMPP server. XMPP stands for Extensible Messaging and Presence Protocol.
It is an instant-messaging protocol, mainly used for text chat.
XMPP's predecessor was Jabber, an open-source instant-messaging protocol; Jabber was standardised by the IETF as XMPP. Google Talk used it.

Jitsi-Videobridge (https://jitsi.org/Projects/JitsiVideobridge)
Jitsi-Videobridge handles video transport, i.e. forwarding the video streams between participants.
Without this component the participants can chat by text but cannot see each other.
Forwarding means the server receives video streams from N participants and sends each participant the video data of the other N-1, which demands a lot of server bandwidth. Because the video is not processed in any way, though, CPU load is not high.

Restund (http://www.creytiv.com/restund.html)
This is a STUN/TURN server. STUN is a NAT traversal technique that helps a host behind NAT discover its public IP and port so that it can establish a direct connection with another host (a PeerConnection in WebRTC).
TURN is an enhanced STUN that relays data when a direct connection through the NAT cannot be established.
The whole system above is open source; see the related GitHub repositories and the Jitsi home page for more information.

3. Janus live streaming system
As said earlier, WebRTC is meant to solve peer-to-peer real-time communication, which makes it well suited to scenarios such as internet telephony that need two-way video calls. Most WebRTC demos on the web are also just a page with two video elements, one playing localStream and the other remoteStream.

3.1 Live streaming without a media server
So can WebRTC be used for one-way, one-to-many live streaming? Of course, and it even looks simple:
Step 1: there must be a page dedicated to calling getUserMedia to capture audio and video; I call it the source service.
Step 2: when the viewing page opens, it establishes a PeerConnection to the source service and notifies it over a DataChannel.
Step 3: on receiving the notification, the source service provides the live stream through addStream on the corresponding PeerConnection.
Step 4: the viewing page listens for the PeerConnection's onaddstream event and hands the stream it receives to a video element to play.

For convenience I used the open-source project PeerJS to verify this process.
PeerJS wraps the WebRTC API and is simpler to use.
It also provides a signaling service that helps set up connections; register an API key on its website and you can use it.
You can also run your own with PeerJS Server: install peer with
npm install peer, then start it with the following command:
peerjs --port 9000 --key peerjs
With the Peer Server running, include peer.js in the page and you can start playing.
First, the source service:
// Everyone else connects to this peer, so give it a fixed ID
var peer = new Peer('Server', {
    host: 'qgy18.imququ.com',
    port: 9003,
    path: '/',
    config: {
        'iceServers': [
            { urls: 'stun:stun.l.google.com:19302' }
        ]
    }
});

// Capture video only and keep the stream for later calls.
// navigator.getUserMedia (used in the original) has been removed from browsers;
// the promise-based mediaDevices API replaces it.
navigator.mediaDevices.getUserMedia({ audio: false, video: true })
    .then(function(stream) {
        window.stream = stream;
    })
    .catch(function() { /*…*/ });

// A viewer sends its own ID over the data channel; call it back with the stream
peer.on('connection', function(conn) {
    conn.on('data', function(clientId) {
        if (!window.stream) { return; }   // capture not ready yet
        var call = peer.call(clientId, window.stream);

        call.on('close', function() { /*…*/ });
    });
});

Then the viewing page:
// Generate a random ID for this viewer
var clientId = (+new Date).toString(36) + '_' + (Math.random().toString()).split('.')[1];

var peer = new Peer(clientId, {
    host: 'qgy18.imququ.com',
    port: 9003,
    path: '/',
    config: {
        'iceServers': [
            { urls: 'stun:stun.l.google.com:19302' }
        ]
    }
});

// Open a data channel to the source service and tell it who we are
var conn = peer.connect('Server');

conn.on('open', function() {
    conn.send(clientId);
});

// The source service calls us back with the live stream
peer.on('call', function(call) {
    call.answer();   // answer without sending a stream of our own
    call.on('stream', function(remoteStream) {
        var video = document.getElementById('video');
        // URL.createObjectURL(MediaStream), used in the original, no longer works; use srcObject
        video.srcObject = remoteStream;
    });

    call.on('close', function() { /*…*/ });
});

The viewing page establishes a peer-to-peer connection with the source service via its fixed ID,
then tells the source service its own ID over the DataChannel; when the source service gets the message it
actively sends the live stream over, and the viewing page answers and plays it. The whole principle is that simple;
there is a "complete demo" here.
After seeing the demo above you may think WebRTC live streaming is this simple: grab any computer with a camera,
open a browser and you can offer a live service, so why bother with HLS, RTMP and the like.

3.2 A brief introduction to the Janus live streaming system
In reality it isn't that rosy; this demo is fine for playing around, but real use has big problems!
First, although in the WebRTC live-streaming scheme the server only acts as a bridge and the actual
data transfer happens directly between peers, as said earlier there are still 8% of cases in which a direct connection is impossible.
To guarantee high availability you still have to consider deploying TURN, a complex and expensive relay service.
Second, Chrome limits the number of peers each tab may connect to: at most 256.
In practice, on my latest Retina MacBook Pro, at about 10 connections
Chrome becomes unbearably slow, the fans roar, 6 GB of memory is eaten, the CPU is pinned,
network throughput can't keep up, and the live service becomes extremely unstable.

So real deployments generally need the support of a media server,
turning "peer to many peers" into "peer to media server to many peers".
A media server can have better performance and bandwidth and can implement the WebRTC protocols itself,
which opens the possibility of supporting more users.

I found a WebRTC gateway called Janus, an open-source project that implements WebRTC support in C.
Janus itself is kept very simple and provides a plugin mechanism for different business logic;
with the official plugins it can be used to build an efficient media server.
Janus's official demo is here, and I also tried deploying a set on my VPS.

Janus has a Streaming plugin that can accept audio/video streams pushed by GStreamer
and then push them to all users over PeerConnections. Since GStreamer can read the camera directly,
there is no need to obtain video through WebRTC's MediaStream any more, and the architecture becomes the traditional server-to-client one.
The whole process is fairly complex and winding, so I won't write it up here; anyone interested can contact me to discuss it.
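To make the Streaming-plugin path concrete, here is an added example that is not part of the original post or of the Janus project: a shell helper that writes an RTP mountpoint for janus.plugin.streaming and a gst-launch-1.0 pipeline that feeds it Opus and VP8 over RTP on the ports the mountpoint listens on. The configuration keys follow the janus.plugin.streaming.jcfg.sample shipped with Janus as I recall it and the two secrets are placeholders; check both against your installation. The plugin accepts RTP from anyone who can reach those UDP ports, so keep them reachable only from the encoder host.

```shell
#!/bin/sh
# Added example (not from the original post or from Janus): an RTP mountpoint
# for the Janus Streaming plugin plus the GStreamer pipeline that feeds it.
# Key names follow janus.plugin.streaming.jcfg.sample as I remember it; verify
# them against the sample shipped with your Janus version. Secrets are placeholders.
set -eu

# write_mountpoint_config PATH -> writes a libconfig-style (.jcfg) mountpoint file
write_mountpoint_config() {
    cat > "$1" <<'EOF'
general: {
    # Only API callers that present this key may create or destroy mountpoints.
    admin_key = "change-me-admin-key"
}

webcam-live: {
    type = "rtp"
    id = 10
    description = "Webcam via GStreamer (Opus/VP8)"
    # Only callers that present this secret may edit or destroy this mountpoint.
    secret = "change-me-mountpoint-secret"
    audio = true
    audioport = 5002
    audiopt = 111
    audiortpmap = "opus/48000/2"
    video = true
    videoport = 5004
    videopt = 100
    videortpmap = "VP8/90000"
}
EOF
}

# push_test_stream HOST -> encode /dev/video0 and the default microphone and
# send RTP to the ports and payload types declared in the mountpoint above
push_test_stream() {
    host=$1
    gst-launch-1.0 \
        v4l2src device=/dev/video0 ! videoconvert ! \
            vp8enc deadline=1 ! rtpvp8pay pt=100 ! udpsink host="$host" port=5004 \
        autoaudiosrc ! audioconvert ! audioresample ! \
            opusenc ! rtpopuspay pt=111 ! udpsink host="$host" port=5002
}

# Usage: sh streaming-mountpoint.sh push [JANUS_HOST]
if [ "${1:-}" = "push" ]; then
    push_test_stream "${2:-127.0.0.1}"
fi
```

Drop the generated block into the Streaming plugin's configuration (janus.plugin.streaming.jcfg under the configs folder, after make configs), restart Janus, and the streaming demo page will list the mountpoint by its id; the payload types and rtpmaps in the file must match what the encoder sends, which is why the pipeline hard-codes pt=100 and pt=111.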

3.3 Janus live streaming system official site
Links:
http://janus.conf.meetecho.com/
https://github.com/meetecho/janus-gateway

Janus: the general purpose WebRTC server

Janus is a WebRTC Server developed by Meetecho conceived to be a general purpose one. As such, it doesn't provide any functionality per se other than implementing the means to set up a WebRTC media communication with a browser, exchanging JSON messages with it, and relaying RTP/RTCP and messages between browsers and the server-side application logic they're attached to. Any specific feature/application is provided by server side plugins, that browsers can then contact via Janus to take advantage of the functionality they provide. Examples of such plugins can be implementations of applications like echo tests, conference bridges, media recorders, SIP gateways and the like.

The reason for this is simple: we wanted something that would have a small footprint (hence a C implementation) and that we could only equip with what was really needed (hence pluggable modules). That is, something that would allow us to deploy either a full-fledged WebRTC gateway on the cloud, or a small nettop/box to handle a specific use case.

Janus configuration file explained

General

Basic settings: paths for configuration and plugins, log output, run mode and so on.

| Variable | Description | Example |
| configs_folder | Path to the configuration directory | configs_folder=/opt/janus/etc/janus |
| plugins_folder | Path to the plugins directory | plugins_folder=/opt/janus/lib/janus/plugins |
| transports_folder | Path to the transports directory, normally the third-party transport shared libraries; the default is fine | transports_folder=/opt/janus/lib/janus/transports |
| events_folder | Path to the event handlers directory, normally the third-party event handler shared libraries; the default is fine | events_folder=/opt/janus/lib/janus/events |
| log_to_stdout | Whether to log to standard output, default true | log_to_stdout = false |
| log_to_file | Log file path | log_to_file = /path/to/janus.log |
| daemonize | Whether to run in the background; by default Janus runs in the foreground | daemonize = true |
| pid_file | PID file path; the file is created when janus starts and deleted when it shuts down | pid_file = /path/to/janus.pid |
| interface | Interface to use (would be used in the SDP); currently unused | interface = 1.2.3.4 |
| debug_level | Log level, valid values 0-7 | debug_level = 4 |
| debug_timestamps | Whether every log line is prefixed with a timestamp | debug_timestamps = yes |
| debug_colors | Whether colors are disabled in the log | debug_colors = no |
| debug_locks | Whether to enable lock debugging (very verbose) | debug_locks = yes |
| api_secret | String that every Janus request must carry, accepted and checked by the Janus core; useful if you want all requests to come from your own server and keep other applications from interfering | api_secret = janusrocks |
| token_auth | Token-based authentication; forces users to supply a valid token in every request, useful when requests coming from the web have to be authenticated | token_auth = yes |
| token_auth_secret | Used together with token_auth; tokens are signed with HMAC-SHA1. Note that without this option tokens are added and removed through the Admin API instead | token_auth_secret = janus |
| admin_secret | String that every Admin/Monitor API request must carry, accepted and checked by the admin/monitor interface; only needed if the Admin API is enabled on any of the available transports | admin_secret = janusoverlord |
| server_name | Public name of this Janus instance, shown in info requests | server_name = MyJanusInstance |
| session_timeout | Session timeout, default 60 s | session_timeout = 60 |
| reclaim_session_timeout | Session reclaim timeout, default 0 s | reclaim_session_timeout = 0 |
| candidates_timeout | Candidates timeout; note that 0 is ignored as an invalid value | candidates_timeout = 45 |
| recordings_tmp_ext | Temporary extension for recording files | recordings_tmp_ext = tmp |
| event_loops | Number of event loop threads to start | event_loops = 8 |

Certificates

Certificate and private key (and passphrase, if required) used for DTLS

| Variable | Description | Example |
| cert_pem | Certificate | cert_pem=/opt/janus/share/janus/certs/mycert.pem |
| cert_key | Private key | cert_key=/opt/janus/share/janus/certs/mycert.key |
| cert_pwd | Passphrase | cert_pwd = secretpassphrase |

Media

Media-related settings

| Variable | Description | Example |
| ipv6 | Whether IPv6 is supported | ipv6 = true |
| max_nack_queue | Maximum size of the NACK retransmission queue, in milliseconds, default 500 | max_nack_queue=500 |
| rfc_4588 | Whether RFC 4588 negotiation is supported | rfc_4588 = yes |
| rtp_port_range | Port range used for RTP and RTCP; by default no range is enforced | rtp_port_range=20000-40000 |
| dtls_mtu | Starting DTLS MTU (default 1200; it adapts automatically) | dtls_mtu = 1200 |
| no_media_timer | Seconds without media after which janus sends a notification, default 1 | no_media_timer=1 |
| dtls_timeout | Custom retransmission interval; note that a low value (e.g. 100 ms) usually makes connections faster, but may not work when the user's RTT is high; a reasonable trade-off is usually 2 * the maximum expected RTT | dtls_timeout = 500 |

NAT

NAT-related settings; if the gateway sits behind a NAT, the STUN/TURN servers used for candidate gathering can be configured here

| Variable | Description | Example |
| stun_server | STUN server address | stun_server = stun.voip.eutelia.it |
| stun_port | STUN server port | stun_port = 3478 |
| nice_debug | NAT (libnice) debug switch | nice_debug = false |
| full_trickle | Full trickle; the default is half-trickle | full_trickle = false |
| ice_lite | ICE-Lite mode, default false | ice_lite = true |
| ice_tcp | ICE-TCP support | ice_tcp = true |
| nat_1_1_mapping | 1:1 mapping between private and public address | nat_1_1_mapping = 1.2.3.4 |
| turn_server | TURN server address | turn_server = myturnserver.com |
| turn_port | TURN server port | turn_port = 3478 |
| turn_type | TURN server type (transport) | turn_type = udp |
| turn_user | Username | turn_user = myuser |
| turn_pwd | Password | turn_pwd = mypassword |
| turn_rest_api | TURN REST API address | turn_rest_api = http://yourbackend.com/path/to/api |
| turn_rest_api_key | API key | turn_rest_api_key=anyapikeyyoumayhaveset |
| turn_rest_api_method | HTTP method | turn_rest_api_method = GET |
| ice_enforce_list | Comma-separated list of interfaces or IP addresses the gateway is restricted to | ice_enforce_list = eth0 / ice_enforce_list = eth0,192.168.0.1 |
| ice_ignore_list | Interfaces or addresses the gateway ignores | ice_ignore_list = vmnet8,192.168.0.1,10.0.0.1 |

Plugins

Choose which plugins should be used

| Parameter | Description | Example |
| disable | Disabled plugins, comma-separated | disable = libjanus_rabbitmq.so |

Events

Event handlers let you receive real-time events about what happens in Janus

| Parameter | Description | Example |
| broadcast | All available event handlers are enabled | broadcast = yes |
| disable | Disabled event handlers | disable=libjanus_sampleevh.so |
| stats_period | Interval, in seconds, at which each event handler sends statistics | stats_period = 5 |
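The General table above lists the options that gate access to Janus (api_secret, admin_secret, token_auth and its HMAC secret). As an added example that is not Janus code and not part of the original article, the check below parses the INI-style [general] section that the table's examples use and flags what a reviewer looks at first: secrets left at the table's sample values or too short, a missing api_secret while token_auth is off, a missing admin_secret, and debug_locks left on. Both configurations are constructed samples, and the secret values in the hardened one are placeholders rather than real secrets.

```python
"""Audit the security-relevant options of a Janus [general] section.
Added example, not Janus code or the article's own: it parses the INI-style
janus.cfg layout the table's examples use and reports the settings a
reviewer would check first. Both configs are constructed samples; the
secret values in HARDENED_CFG are placeholders, not real secrets."""

# Sample values that appear verbatim in the table's example column; anyone
# who copies the table gets them, so they must never reach a deployment.
DOC_SAMPLE_SECRETS = {"janusrocks", "janusoverlord", "janus"}
SECRET_KEYS = ("api_secret", "admin_secret", "token_auth_secret")
TRUE_VALUES = {"yes", "true", "1", "on"}
MIN_SECRET_LEN = 16


def parse_general_section(text):
    """Return {key: value} for the [general] section; lines starting with
    '#' or ';' are comments, other sections are skipped."""
    values, in_general = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_general = line[1:-1].strip().lower() == "general"
            continue
        if in_general and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def audit_general(text):
    """Return a list of findings for the [general] section (empty if clean)."""
    cfg = parse_general_section(text)
    findings = []
    for key in SECRET_KEYS:
        value = cfg.get(key)
        if value is None:
            continue
        if value in DOC_SAMPLE_SECRETS:
            findings.append(f"{key}: still set to the documentation sample value")
        elif len(value) < MIN_SECRET_LEN:
            findings.append(f"{key}: shorter than {MIN_SECRET_LEN} characters")
    token_auth = cfg.get("token_auth", "no").lower() in TRUE_VALUES
    if "api_secret" not in cfg and not token_auth:
        findings.append("no api_secret and token_auth is off: any client can drive the Janus API")
    if token_auth and "token_auth_secret" not in cfg:
        findings.append("token_auth on without token_auth_secret: tokens have to be managed through the Admin API")
    if cfg.get("debug_locks", "no").lower() in TRUE_VALUES:
        findings.append("debug_locks on: very verbose lock tracing, not for production")
    if "admin_secret" not in cfg:
        findings.append("admin_secret missing: required if the Admin API is enabled on any transport")
    return findings


# Constructed sample: secrets copied straight from the table's example column.
WEAK_CFG = """\
[general]
configs_folder = /opt/janus/etc/janus
api_secret = janusrocks
admin_secret = janusoverlord
debug_locks = yes
"""

# Constructed sample: the secret values are placeholders, generate random ones.
HARDENED_CFG = """\
[general]
configs_folder = /opt/janus/etc/janus
api_secret = constructed-api-secret-0123456789
admin_secret = constructed-admin-secret-abcdef
token_auth = yes
token_auth_secret = constructed-token-hmac-key-xyz
debug_level = 4
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_general(cfg) or "no findings")
```

The parser only understands the flat `key = value` layout shown in the table; it is a review aid, not a replacement for Janus's own configuration loading. Run it against a copy of the live configuration before a deployment and treat any finding on api_secret or admin_secret as blocking, since those two strings are the only thing standing between the transports and the Janus and Admin APIs.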

Installing a STUN/TURN server on CentOS 6

1. About STUN and TURN

STUN (Simple Traversal of UDP over NATs) is a network protocol that lets a client behind a NAT (or several layers of NAT) find out its own public address, which kind of NAT it sits behind, and which Internet-side port the NAT has bound for a given local port. This information is used to set up UDP communication between two hosts that are both behind NAT routers. The protocol was defined in RFC 3489. RFC 3489 has since been superseded by RFC 5389, which redefines STUN as a tool that assists NAT traversal rather than a stand-alone traversal solution. A further revision, RFC 7350, is still being finalized.

http://baike.baidu.com/view/884586.htm

TURN stands for Traversal Using Relay NAT, i.e. traversing NAT by way of a relay. In the TURN model the TURN server allocates an address and port that become the client's externally reachable receiving address and port, so every packet sent by a user on the private network passes through the TURN server, which relays it onward.

http://baike.baidu.com/subview/351571/10359693.htm
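To make concrete what the STUN description above means on the wire, here is an added example (not from the original article) that builds an RFC 5389 Binding Request and recovers the public address a server reports in its XOR-MAPPED-ADDRESS attribute. The server reply is constructed locally with build_binding_response(), so nothing is sent over the network, and 203.0.113.7:54321 is a constructed sample address.

```python
"""STUN Binding exchange (RFC 5389). Added example, not from the original
article: build a Binding Request and recover the public address the server
reports in XOR-MAPPED-ADDRESS. The "server" reply is constructed locally by
build_binding_response(), so nothing is sent on the network; 203.0.113.7:54321
is a constructed sample address."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01
HEADER_LEN = 20


def build_binding_request(transaction_id=None):
    """20-byte Binding Request with no attributes; a client sends this to the
    STUN server (UDP/3478 by default) and remembers the transaction id."""
    if transaction_id is None:
        transaction_id = os.urandom(12)   # 96-bit random transaction id
    if len(transaction_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id


def build_binding_response(transaction_id, ip, port):
    """Constructed server reply: the mapped address is XORed with the magic
    cookie exactly as RFC 5389 section 15.2 prescribes for IPv4."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, x_port, x_addr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    header = struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE)
    return header + transaction_id + attr


def parse_mapped_address(response, expected_tid):
    """Return (ip, port) from a Binding Success Response, or None when the
    message is too short, has the wrong cookie or type, belongs to another
    transaction, or declares a length that does not match the bytes."""
    if len(response) < HEADER_LEN:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE:
        return None
    if response[8:HEADER_LEN] != expected_tid or len(response) != HEADER_LEN + length:
        return None
    body, offset = response[HEADER_LEN:], 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        if len(value) != attr_len:
            return None
        if attr_type == ATTR_XOR_MAPPED_ADDRESS and attr_len == 8:
            _, family, x_port, x_addr = struct.unpack("!BBHI", value)
            if family == FAMILY_IPV4:
                port = x_port ^ (MAGIC_COOKIE >> 16)
                ip = socket.inet_ntoa(struct.pack("!I", x_addr ^ MAGIC_COOKIE))
                return ip, port
        offset += 4 + ((attr_len + 3) & ~3)   # attribute values are padded to 4 bytes
    return None


if __name__ == "__main__":
    tid = os.urandom(12)
    request = build_binding_request(tid)
    # A real client would send `request` to the STUN server and read the reply here.
    reply = build_binding_response(tid, "203.0.113.7", 54321)
    print(parse_mapped_address(reply, tid))   # ('203.0.113.7', 54321)
```

The transaction id check is what stops a stray or spoofed reply from being accepted as the answer to our request, and the length check is what keeps a truncated datagram from being parsed past its end; both are the kind of validation a STUN client library does for you, shown here so the protocol's shape is visible.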

2. Installation

Reference:

http://www.hankcs.com/program/network/compile-rfc5766-turn-server-to-build-turn-server.html

Source download:

https://github.com/coturn/rfc5766-turn-server/releases

Download the latest tar.gz package: rfc5766-turn-server-3.2.5.9.tar.gz

Install the dependencies

# ssl has to be installed with yum
yum install openssl openssl-libs libevent libevent-devel

If it still fails with the error below, install libevent manually.

Libevent2 development libraries are not installed properly in required location

Download it from the official site http://libevent.org/:

https://sourceforge.net/projects/levent/files/libevent/libevent-2.0/libevent-2.0.22-stable.tar.gz

Then unpack, compile and install it.

Build turn-server

tar -zxvf rfc5766-turn-server-3.2.5.9.tar.gz
cd rfc5766-turn-server-3.2.5.9
./configure
make
make install

Successful configure output:

more is /usr/bin/more
install is /usr/bin/install
pkill is /usr/bin/pkill
Use TMP dir /var/tmp
Compiler: cc Do not use -lsocket Do not use -lwldap32 Do not use -lwldap64 Do not use -lintl
Sockets code is fine: no sin_len field present
Ignore IP_RECVERR
Crypto SSL lib found.
SSL lib found.
Libevent2 development found.
Libevent2 runtime found.
Libevent2 openssl found.
Libevent2 pthreads found.

POSTGRESQL DEVELOPMENT LIBRARY (libpq.a) AND/OR HEADER (libpq-fe.h)
        ARE NOT INSTALLED PROPERLY ON THIS SYSTEM.
        THAT'S OK BUT THE TURN SERVER IS BUILDING WITHOUT POSTGRESQL DATABASE SUPPORT. MYSQL DEVELOPMENT LIBRARY (libmysqlclient) AND/OR HEADER (mysql.h)
        ARE NOT INSTALLED PROPERLY ON THIS SYSTEM.
        THAT'S OK BUT THE TURN SERVER IS BUILDING WITHOUT MYSQL DATABASE SUPPORT. HIREDIS DEVELOPMENT LIBRARY (libhiredis.*) AND/OR HEADERS (hiredis/*.h)
        ARE NOT INSTALLED PROPERLY ON THIS SYSTEM.
        THAT'S OK BUT THE TURN SERVER IS BUILDING WITHOUT REDIS SUPPORT. PREFIX=/usr/local OSLIBS= -L/usr/local/lib/ -L/usr/local/lib/ -L/usr/local/lib64/ -L/usr/local/lib64/ -lrt -pthread -lcrypto -lssl -levent_core -levent_openssl -levent_pthreads  -Wl,-rpath,/usr/local/lib/ -Wl,-rpath,/usr/local/lib/ -Wl,-rpath,/usr/local/lib64/ -Wl,-rpath,/usr/local/lib64/ -Wl,-rpath,/usr/lib64/mysql -Wl,-rpath,/usr/local/lib DBLIBS= OSCFLAGS=-g  -Wall -Wno-deprecated-declarations -Wextra -Wformat-security -Wnested-externs -Wstrict-prototypes  -Wmissing-prototypes -Wpointer-arith -Wcast-qual -I/usr/local/include -I/usr/local/include/ -I/usr/local/include  -DTURN_HAS_DAEMON    -DINSTALL_PREFIX=/usr/local DBCFLAGS=

It only reports that the database support libraries are missing; we don't need them for now.

Post-install notes:

1) If you system supports automatic start-up system daemon services, 
the, to enable the turnserver as an automatically started system 
service, you have to:

        a) Create and edit /etc/turnserver.conf or /usr/local/etc/turnserver.conf . 
        Use /usr/local/etc/turnserver.conf.default as an example.

        b) For user accounts settings, if using the turnserver with authentication: create and edit /etc/turnuserdb.conf 
        file, or set up PostgreSQL or MySQL or Redis database for user accounts.
        Use /usr/local/etc/turnuserdb.conf.default as example for flat file DB, or use /usr/local/share/turnserver/schema.sql as SQL database schema, or use /usr/local/share/turnserver/schema.userdb.redis as Redis database schema description and/or /usr/local/share/turnserver/schema.stats.redis as Redis status & statistics database schema description.

        c) add whatever is necessary to enable start-up daemon for the /usr/local/bin/turnserver.

2) If you do not want the turnserver to be a system service, then you can start/stop it "manually", using the "turnserver" executable with appropriate options (see the documentation).

3) To create database schema, use schema in file /usr/local/share/turnserver/schema.sql.

4) For additional information, run:

   $ man turnserver
   $ man turnadmin
   $ man turnutils

Create a user.db file in the root directory.

Start it with turnserver:

turnserver --userdb /root/turnuser.db

The file holds the webrtc username and password: webrtc:secret

3. Calling it from a page

https://github.com/EricssonResearch/openwebrtc-examples/tree/master/web

For installing node see the earlier article:

http://blog.csdn.net/freewebsys/article/details/46649667#t1

Edit main.js

// must use 'url' here since Firefox doesn't understand 'urls'
var configuration = { "iceServers": [
  { "url": "stun:mmt-stun.verkstad.net" },
  { "url": "turn:mmt-turn.verkstad.net", "username": "webrtc", "credential": "secret" }
  ]
};

Replace the stun and turn servers with your own.

4. Summary

STUN and TURN are the key servers for getting WebRTC connections through, but with limited resources this was not tested on the public Internet.

turnserver.conf explained

The open-source traversal server recommended by Google, providing both TURN and STUN; homepage: https://code.google.com/p/rfc5766-turn-server/
(Personally I think it could be used to go a step further and build a VPN; try it if you are interested.)

Since all domestic communications are monitored, WebRTC cannot go peer-to-peer directly and always needs a relay service to forward the traffic, so using WebRTC domestically requires setting up a relay service.

Installation:
Version: turnserver-3.2.3.95.tar.gz  System environment: CentOS

Download the required libraries

yum install -y make automake gcc cc gcc-c++ wget
yum install -y openssl-devel libevent libevent-devel mysql-devel mysql-server
wget https://github.com/downloads/libevent/libevent/libevent-2.0.21-stable.tar.gz
tar xvfz libevent-2.0.21-stable.tar.gz
cd libevent-2.0.21-stable && ./configure
make && make install && cd ..


Download and install turnserver-3.2.3.95.tar.gz

wget http://turnserver.open-sys.org/downloads/v3.2.3.95/turnserver-3.2.3.95.tar.gz
tar -xvzf turnserver-3.2.3.95.tar.gz
cd turnserver-3.2.3.95
./configure
make && make install




After installation, configure turnserver.conf and turnuserdb.conf
Start it:

turnserver -L <public_ip_address> -c turnserver.conf -o -a -b turnuserdb.conf -f -r <system_domain_name>




Help is available with:

turnserver -h




turnserver.conf configuration:

# RFC5766-TURN-SERVER configuration file
#
# Boolean values note: where boolean value is supposed to be used,
# you can use '0', 'off', 'no', 'false', 'f' as 'false',
# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
# If the value is missed, then it means 'true'.
#

# Listener interface device (optional, Linux only).
# NOT RECOMMENDED.
#
#listening-device=eth0

# TURN listener port for UDP and TCP (Default: 3478).
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
#listening-port=3478
listening-port=3478

# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
# port(s), too - if allowed by configuration. The TURN server
# "automatically" recognizes the type of traffic. Actually, two listening
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
# For secure TCP connections, we currently support SSL version 3 and
# TLS version 1.0, 1.1 and 1.2. SSL2 "encapsulation mode" is also supported.
# For secure UDP connections, we support DTLS version 1.
#
#tls-listening-port=5349
tls-listening-port=5349

# Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one".
# This is needed for RFC 5780 support
# (STUN extension specs, NAT behavior discovery). The TURN Server
# supports RFC 5780 only if it is started with more than one
# listening IP address of the same family (IPv4 or IPv6).
# RFC 5780 is supported only by UDP protocol, other protocols
# are listening to that endpoint only for "symmetry".
#
#alt-listening-port=0

# Alternative listening port for TLS and DTLS protocols.
# Default (or zero) value means "TLS listening port plus one".
#
#alt-tls-listening-port=0
    
# Listener IP address of relay server. Multiple listeners can be specified.
# If no IP(s) specified in the config file or in the command line options,
# then all IPv4 and IPv6 system IPs will be used for listening.
#
#listening-ip=172.17.19.101
#listening-ip=10.207.21.238
#listening-ip=2607:f0d0:1002:51::4
listening-ip=<IP>

# Auxiliary STUN/TURN server listening endpoint.
# Aux servers have almost full TURN and STUN functionality.
# The (minor) limitations are:
# 1) Auxiliary servers do not have alternative ports and
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
# There may be multiple aux-server options, each will be used for listening
# to client requests.
#
#aux-server=172.17.19.110:33478
#aux-server=[2607:f0d0:1002:51::4]:33478

# (recommended for older Linuxes only)
# Automatically balance UDP traffic over auxiliary servers (if configured).
# The load balancing is using the ALTERNATE-SERVER mechanism.
# The TURN client must support 300 ALTERNATE-SERVER response for this
# functionality.
#
#udp-self-balance

# Relay interface device for relay sockets (optional, Linux only).
# NOT RECOMMENDED.
#
#relay-device=eth1

# Relay address (the local IP address that will be used to relay the
# packets to the peer).
# Multiple relay addresses may be used.
# The same IP(s) can be used as both listening IP(s) and relay IP(s).
# If no relay IP(s) specified, then the turnserver will apply the default
# policy: it will decide itself which relay addresses to be used, and it
# will always be using the client socket IP address as the relay IP address
# of the TURN session (if the requested relay address family is the same
# as the family of the client socket).
#
#relay-ip=172.17.19.105
#relay-ip=2607:f0d0:1002:51::5
relay-ip=<IP>

# For Amazon EC2 users:
#
# TURN Server public/private address mapping, if the server is behind NAT.
# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
# as relay IP address of all allocations. This scenario works only in a simple case
# when one single relay address is used, and no RFC5780 functionality is required.
# That single relay address must be mapped by NAT to the 'external' IP.
# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
# For that 'external' IP, NAT must forward ports directly (relayed port 12345
# must be always mapped to the same 'external' port 12345).
# In more complex case when more than one IP address is involved,
# that option must be used several times, each entry must
# have form "-X <public-ip/private-ip>", to map all involved addresses.
# RFC5780 NAT discovery STUN functionality will work correctly,
# if the addresses are mapped properly, even when the TURN server itself
# is behind A NAT.
# By default, this value is empty, and no address mapping is used.
#
#external-ip=60.70.80.91
#
#OR:
#
#external-ip=60.70.80.91/172.17.19.101
#external-ip=60.70.80.92/172.17.19.102
external-ip=<IP>

# Number of relay threads to handle the established connections
# (in addition to authentication thread and the listener thread).
# If set to 0 then application runs relay process in a single thread,
# in the same thread with the listener process (the authentication thread will
# still be a separate thread).
# In the older systems (Linux kernel before 3.9),
# the number of UDP threads is always one thread per network listening endpoint -
# including the auxiliary endpoints - unless 0 (zero) or 1 (one) value is set.
#
#relay-threads=0
relay-threads=10

# Lower and upper bounds of the UDP relay endpoints:
# (default values are 49152 and 65535)
#
#min-port=49152
#max-port=65535

# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
# By default the verbose mode is off.
#
#verbose

# Uncomment to run TURN server in 'extra' verbose mode.
# This mode is very annoying and produces lots of output.
# Not recommended under any normal circumstances.
#
#Verbose

# Uncomment to use fingerprints in the TURN messages.
# By default the fingerprints are off.
#
#fingerprint

# Uncomment to use long-term credential mechanism.
# By default no credentials mechanism is used (any user allowed).
# This option can be used with either flat file user database or
# PostgreSQL DB or MySQL DB or Redis DB for user keys storage.
#
#lt-cred-mech
lt-cred-mech

# Uncomment to use short-term credential mechanism.
# By default no credentials mechanism is used (any user allowed).
# For short-term credential mechanism you have to use PostgreSQL or
# MySQL or Redis database for user password storage.
#
#st-cred-mech

# This option is opposite to lt-cred-mech or st-cred-mech.
# (TURN Server with no-auth option allows anonymous access).
# If neither option is defined, and no users are defined,
# then no-auth is default. If at least one user is defined,
# in this file or in command line or in usersdb file, then
# lt-cred-mech is default.
#
#no-auth

# TURN REST API flag.
# Flag that sets a special authorization option that is based upon authentication secret.
# This feature can be used with the long-term authentication mechanism, only.
# This feature purpose is to support "TURN Server REST API", see
# "TURN REST API" link in the project's page
# http://code.google.com/p/rfc5766-turn-server/.
# This option is used with timestamp:
# usercombo -> "timestamp:userid"
# turn user -> usercombo
# turn password -> base64(hmac(secret key, usercombo))
# This allows TURN credentials to be accounted for a specific user id.
# If you don't have a suitable id, the timestamp alone can be used.
# This option is just turning on secret-based authentication.
# The actual value of the secret is defined either by option static-auth-secret,
# or can be found in the turn_secret table in the database (see below).
#
#use-auth-secret

# 'Static' authentication secret value (a string) for TURN REST API only.
# If not set, then the turn server
# will try to use the 'dynamic' value in turn_secret table
# in user database (if present). The database-stored value can be changed on-the-fly
# by a separate program, so this is why that other mode is 'dynamic'.
#
#static-auth-secret

# 'Static' user accounts for long term credentials mechanism, only.
# This option cannot be used with TURN REST API or with short-term credentials
# mechanism.
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
# so that they can NOT be changed while the turnserver is running.
#
#user=username1:key1
#user=username2:key2
# OR:
#user=username1:password1
#user=username2:password2
#
# Keys must be generated by turnadmin utility. The key value depends
# on user name, realm, and password:
#
# Example:
# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
# ('0x' in the beginning of the key is what differentiates the key from
# password. If it has 0x then it is a key, otherwise it is a password).
#
# The corresponding user account entry in the config file will be:
#
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
# Or, equivalently, with open clear password (less secure):
#user=ninefingers:youhavetoberealistic
#
user=<yourname:yourpsw>
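The use-auth-secret comments above (the timestamp:userid usercombo and the base64 HMAC password) and the turnadmin -k key in the user= block describe two different credential derivations. The added example below, which is not coturn's code and not part of the original page, implements both in Python so they can be compared side by side: the long-term key is taken to be the RFC 5389 long-term credential key MD5(username:realm:password) written in 0x form, which is what turnadmin -k prints (an assumption made here; the page only shows turnadmin's output, not its formula), and the REST API credential is an expiring username plus an HMAC-SHA1 password, paired with the server-side verifier that rejects expired or tampered pairs. Realms, accounts and the shared secret are constructed sample values.

```python
"""coturn credential derivation. Added example, not the project's own code.
Two mechanisms from turnserver.conf are covered:
  1. lt-cred-mech / user= entries: the 0x-prefixed key is the RFC 5389
     long-term credential key MD5("username:realm:password"), the value
     `turnadmin -k -u <user> -r <realm> -p <password>` prints (formula taken
     from RFC 5389; the page shows only turnadmin's output).
  2. use-auth-secret (TURN REST API): username = "<expiry-timestamp>:<userid>",
     password = base64(HMAC-SHA1(shared-secret, username)).
All realms, secrets and accounts below are constructed sample values."""
import base64
import hashlib
import hmac
import time


def long_term_key(username, realm, password):
    """Key for a user= line: '0x' + hex(MD5(username:realm:password))."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()
    return "0x" + ha1


def user_line(username, realm, password, store_key=True):
    """Build a user= entry; store_key=False gives the clear-password form
    that the config file itself describes as less secure."""
    secret = long_term_key(username, realm, password) if store_key else password
    return f"user={username}:{secret}"


def parse_user_line(line):
    """Return (username, secret, is_key) using the 0x rule from the config
    comments: a secret that starts with 0x is a key, otherwise a password."""
    if not line.startswith("user="):
        raise ValueError("not a user= line")
    username, secret = line[len("user="):].split(":", 1)
    return username, secret, secret.startswith("0x")


def make_turn_credential(secret, user_id, ttl_seconds=86400, now=None):
    """Ephemeral (username, password) pair for use-auth-secret; the username
    carries the expiry, so the TURN server needs no per-user state."""
    if now is None:
        now = int(time.time())
    username = f"{now + ttl_seconds}:{user_id}"
    digest = hmac.new(secret.encode("utf-8"), username.encode("utf-8"), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode("ascii")


def verify_turn_credential(secret, username, password, now=None):
    """Server-side check: recompute the HMAC (constant-time compare) and
    reject credentials whose embedded expiry has passed or whose format is off."""
    if now is None:
        now = int(time.time())
    try:
        expiry_str, _user_id = username.split(":", 1)
        expiry = int(expiry_str)
    except ValueError:
        return False
    if expiry <= now:
        return False
    digest = hmac.new(secret.encode("utf-8"), username.encode("utf-8"), hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    # Long-term account as it would appear in turnuserdb.conf (realm must match realm=).
    print(user_line("ninefingers", "north.gov", "youhavetoberealistic"))
    # Short-lived REST API credential handed to the browser as an ICE server entry.
    u, p = make_turn_credential("constructed-shared-secret", "alice", ttl_seconds=600)
    print({"urls": "turn:turn.example.net:3478", "username": u, "credential": p})
```

Because the long-term key bakes in the realm, the realm= option in turnserver.conf has to be the one that was used when the key was generated; changing it afterwards silently invalidates every stored key. On the REST API path the backend that hands out credentials and the TURN server share only static-auth-secret, so the browser only ever holds a pair that expires on its own and no long-lived password has to be embedded in the page.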

# 'Dynamic' user accounts database file name.
# Only users for long-term mechanism can be stored in a flat file,
# short-term mechanism will not work with this option, the short-term
# mechanism requires PostgreSQL or MySQL or Redis database.
# 'Dynamic' long-term user accounts are dynamically checked by the turnserver process,
# so that they can be changed while the turnserver is running.
# Default file name is turnuserdb.conf.
#
#userdb=/usr/local/etc/turnuserdb.conf
userdb=/etc/turnuserdb.conf

# PostgreSQL database connection string in the case that we are using PostgreSQL
# as the user database.
# This database can be used for long-term and short-term credential mechanisms
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
# versions connection string format, see
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
# for 9.x and newer connection string formats.
#
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"

# MySQL database connection string in the case that we are using MySQL
# as the user database.
# This database can be used for long-term and short-term credential mechanisms
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# Use string format as below (space separated parameters, all optional):
#
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds>"

# Redis database connection string in the case that we are using Redis
# as the user database.
# This database can be used for long-term and short-term credential mechanisms
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# Use string format as below (space separated parameters, all optional):
#
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"

# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
# This database keeps allocations status information, and it can be also used for publishing
# and delivering traffic and allocation event notifications.
# The connection string has the same parameters as redis-userdb connection string.
# Use string format as below (space separated parameters, all optional):
#
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"

# Realm for long-term credentials mechanism and for TURN REST API.
#
#realm=mycompany.org

# Per-user allocation quota.
# default value is 0 (no quota, unlimited number of sessions per user).
#
#user-quota=0

# Total allocation quota.
# default value is 0 (no quota).
#
#total-quota=0

# Max bytes-per-second bandwidth a TURN session is allowed to handle
# (input and output network streams are treated separately). Anything above
# that limit will be dropped or temporary suppressed (within
# the available buffer limits).
#
#max-bps=0
max-bps=1024

# Uncomment if no UDP client listener is desired.
# By default UDP client listener is always started.
#
#no-udp

# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
#no-tcp

# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
#no-tls

# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
#no-dtls

# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766).
#
#no-udp-relay

# Uncomment if no TCP relay endpoints are allowed.
# By default TCP relay endpoints are enabled (like in RFC 6062).
#
#no-tcp-relay

# Uncomment if extra security is desired,
# with nonce value having limited lifetime (600 secs).
# By default, the nonce value is unique for a session,
# but it has unlimited lifetime. With this option,
# the nonce lifetime is limited to 600 seconds, after that
# the client will get 438 error and will have to re-authenticate itself.
#
#stale-nonce

# Certificate file.
# Use an absolute path or path relative to the
# configuration file.
#
#cert=/usr/local/etc/turn_server_cert.pem

# Private key file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
#pkey=/usr/local/etc/turn_server_pkey.pem

# Private key file password, if it is in encoded format.
# This option has no default value.
#
#pkey-pwd=…

# Allowed OpenSSL cipher list for TLS/DTLS connections.
# Default value is "DEFAULT".
#
#cipher-list="DEFAULT"

# CA file in OpenSSL format.
# Forces TURN server to verify the client SSL certificates.
# By default it is not set: there is no default value and the client
# certificate is not checked.
#
# Example:
#CA-file=/etc/ssh/id_rsa.cert

# Curve name for EC ciphers, if supported by OpenSSL library (TLS and DTLS).
# The default value is prime256v1.
#
#ec-curve-name=prime256v1

# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
#
#dh566

# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
#
#dh2066

# Use custom DH TLS key, stored in PEM format in the file.
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
#
#dh-file=<DH-PEM-file-name>

# Flag to prevent stdout log messages.
# By default, all log messages are going to both stdout and to
# the configured log file. With this option everything will be
# going to the configured log only (unless the log file itself is stdout).
#
#no-stdout-log

# Option to set the log file name.
# By default, the turnserver tries to open a log file in
# /var/log, /var/tmp, /tmp and current directories
# (which open operation succeeds first that file will be used).
# With this option you can set the definite log file name.
# The special names are "stdout" and "-" - they will force everything
# to the stdout. Also, the "syslog" name will force everything to
# the system log (syslog).
# In the runtime, the logfile can be reset with the SIGHUP signal
# to the turnserver process.
#
#log-file=/var/tmp/turn.log

# Option to redirect all log output into system log (syslog).
#
#syslog

# This flag means that no log file rollover will be used, and the log file
# name will be constructed as-is, without PID and date appendage.
#
#simple-log

# Option to set the "redirection" mode. The value of this option
# will be the address of the alternate server for UDP & TCP service in form of
# <ip>[:<port>]. The server will send this value in the attribute
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
# Client will receive only values with the same address family
# as the client network endpoint address family.
# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
# The client must use the obtained value for subsequent TURN communications.
# If more than one --alternate-server options are provided, then the functionality
# can be more accurately described as "load-balancing" than a mere "redirection".
# If the port number is omitted, then the default port
# number 3478 for the UDP/TCP protocols will be used.
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
# in square brackets in such resource identifiers, for example:
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
# Multiple alternate servers can be set. They will be used in the
# round-robin manner. All servers in the pool are considered of equal weight and
# the load will be distributed equally. For example, if we have 4 alternate servers,
# then each server will receive 25% of ALLOCATE requests. An alternate TURN server
# address can be used more than one time with the alternate-server option, so this
# can emulate "weighting" of the servers.
#
# Examples:
#alternate-server=1.2.3.4:5678
#alternate-server=11.22.33.44:56789
#alternate-server=5.6.7.8
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
              
# Option to set the alternate server for TLS & DTLS services in the form
# <ip>:<port>. If the port number is omitted, then the default port
# number 5349 for the TLS/DTLS protocols will be used. See the previous
# option for the functionality description.
#
# Examples:
#tls-alternate-server=1.2.3.4:5678
#tls-alternate-server=11.22.33.44:56789
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
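As an added example (not part of this configuration file and not coturn's own code), the Python below shows how the <ip>[:<port>] values of alternate-server and tls-alternate-server are parsed, including bracketed IPv6 literals and the 3478/5349 defaults, and how round-robin selection restricted to the client's address family behaves, with repetition of a server giving it more of the requests. The names parse_alternate, format_alternate and AlternateServerPool are this example's own. The comments above do not say what happens when no alternate server of the client's address family is configured; the example returns None in that case, which is an assumption.

```python
import ipaddress

# Default ports named in the comments above: 3478 for alternate-server
# (UDP/TCP) and 5349 for tls-alternate-server (TLS/DTLS).
DEFAULT_PORTS = {"alternate-server": 3478, "tls-alternate-server": 5349}


def parse_alternate(value, default_port):
    """Parse one option value of the form <ip>[:<port>].

    A literal IPv6 address must be written in square brackets so that the
    colons of the address are not mistaken for the port separator.
    Returns (ipaddress object, port).
    """
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            raise ValueError(f"unterminated IPv6 literal: {value!r}")
        host, rest = value[1:end], value[end + 1:]
        if rest == "":
            port = default_port
        elif rest.startswith(":"):
            port = int(rest[1:])
        else:
            raise ValueError(f"unexpected text after IPv6 literal: {value!r}")
    elif value.count(":") == 1:
        host, port_text = value.split(":")
        port = int(port_text)
    else:
        # Bare IPv4 address, or an unbracketed IPv6 address (which can
        # therefore carry no explicit port): use the option's default port.
        host, port = value, default_port
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ipaddress.ip_address(host), port


def format_alternate(addr, port):
    """Render (addr, port) back into the bracketed-for-IPv6 text form."""
    return f"[{addr}]:{port}" if addr.version == 6 else f"{addr}:{port}"


class AlternateServerPool:
    """Round-robin choice of an alternate server for an ALLOCATE request.

    Listing the same server more than once gives it proportionally more of
    the requests, which is the "weighting" trick described above.
    """

    def __init__(self, option, values):
        default_port = DEFAULT_PORTS[option]
        self.servers = [parse_alternate(v, default_port) for v in values]
        self._next = {4: 0, 6: 0}  # one round-robin cursor per address family

    def pick(self, client_ip):
        """Return (addr, port) of the same address family as the client.

        Returns None when no server of that family is configured
        (assumption: the example then performs no redirection).
        """
        family = ipaddress.ip_address(client_ip).version
        candidates = [s for s in self.servers if s[0].version == family]
        if not candidates:
            return None
        chosen = candidates[self._next[family] % len(candidates)]
        self._next[family] += 1
        return chosen


if __name__ == "__main__":
    # The four example values from the alternate-server section above.
    pool = AlternateServerPool("alternate-server", [
        "1.2.3.4:5678",
        "11.22.33.44:56789",
        "5.6.7.8",
        "[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478",
    ])
    for _ in range(4):
        print(format_alternate(*pool.pick("198.51.100.7")))  # cycles through the 3 IPv4 entries
    print(format_alternate(*pool.pick("2001:db8::10")))      # the only IPv6 entry
```

A client behind an IPv4-only endpoint never sees the IPv6 entry, and the bare "5.6.7.8" entry is returned with port 3478 because it comes from alternate-server rather than tls-alternate-server.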

# Option to suppress TURN functionality; only STUN requests will be processed.
# Run as STUN server only; all TURN requests will be ignored.
# By default, this option is NOT set.
#
#stun-only

# Option to suppress STUN functionality; only TURN requests will be processed.
# Run as TURN server only; all STUN requests will be ignored.
# By default, this option is NOT set.
#
#no-stun

# This is the timestamp/username separator symbol (character) in the TURN REST API.
# The default value is ':'.
#
# rest-api-separator=:

# Flag that can be used to disallow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure.
#
#no-loopback-peers

# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
# This is an extra security measure.
#
#no-multicast-peers

# Option to set the max time, in seconds, allowed for full allocation establishment.
# Default is 60 seconds.
#
#max-allocate-timeout=60

# Option to allow or ban specific IP addresses or ranges of IP addresses.
# If an IP address is specified as both allowed and denied, then the IP address is
# considered to be allowed. This is useful when you wish to ban a range of IP
# addresses, except for a few specific IPs within that range.
# This can be used when you do not want users of the TURN server to be able to access
# machines that are reachable by the TURN server but would otherwise be unreachable from the
# internet (e.g. when the TURN server is sitting behind a NAT).
#
# Examples:
# denied-peer-ip=83.166.64.0-83.166.95.255
# allowed-peer-ip=83.166.68.45
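As an added example (not part of this configuration file and not coturn's own code), the Python below models the peer-address checks described in the no-loopback-peers, no-multicast-peers, denied-peer-ip and allowed-peer-ip comments above: a range written as first-last or a single address, and allowed-peer-ip taking precedence over denied-peer-ip. The names parse_peer_rule and PeerPolicy are this example's own; evaluating the two flags before the allow/deny lists is the example's ordering, not something the comments state, and the multicast test relies on Python's ipaddress classification of 224.0.0.0/4 and ff00::/8.

```python
import ipaddress


def parse_peer_rule(text):
    """Parse a denied-peer-ip / allowed-peer-ip value.

    Accepts a single address ("83.166.68.45") or an inclusive range written
    as "first-last" ("83.166.64.0-83.166.95.255"). Returns (first, last).
    """
    text = text.strip()
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    else:
        first = last = ipaddress.ip_address(text)
    if first.version != last.version or first > last:
        raise ValueError(f"bad peer rule: {text!r}")
    return first, last


def _in_rule(addr, rule):
    first, last = rule
    # Mixed-family comparisons are meaningless, so the family must match first.
    return addr.version == first.version and first <= addr <= last


class PeerPolicy:
    """Decide whether a relayed peer address may be used by a TURN client."""

    def __init__(self, no_loopback_peers=False, no_multicast_peers=False,
                 denied=(), allowed=()):
        self.no_loopback_peers = no_loopback_peers
        self.no_multicast_peers = no_multicast_peers
        self.denied = [parse_peer_rule(r) for r in denied]
        self.allowed = [parse_peer_rule(r) for r in allowed]

    def check(self, peer_ip):
        """Return (permitted, reason) for the peer a client wants to reach."""
        addr = ipaddress.ip_address(peer_ip)
        # The two flags are evaluated first (this example's ordering).
        if self.no_loopback_peers and addr.is_loopback:
            return False, "loopback peer refused (no-loopback-peers)"
        if self.no_multicast_peers and addr.is_multicast:
            return False, "multicast peer refused (no-multicast-peers)"
        # allowed-peer-ip wins over denied-peer-ip, as the comments above state.
        if any(_in_rule(addr, r) for r in self.allowed):
            return True, "explicitly allowed (allowed-peer-ip)"
        if any(_in_rule(addr, r) for r in self.denied):
            return False, "inside a denied range (denied-peer-ip)"
        return True, "no rule matched"


if __name__ == "__main__":
    # Constructed policy using the two example rules from the comments above.
    policy = PeerPolicy(no_loopback_peers=True, no_multicast_peers=True,
                        denied=["83.166.64.0-83.166.95.255"],
                        allowed=["83.166.68.45"])
    for peer in ("83.166.68.45", "83.166.70.1", "83.166.96.1",
                 "127.0.0.1", "224.0.0.251", "ff02::1", "2001:db8::1"):
        print(peer, *policy.check(peer))
```

The exception address 83.166.68.45 is permitted even though it sits inside the denied range, while its neighbour 83.166.70.1 is refused; addresses outside every rule remain reachable, so a deny list is only as good as the ranges it covers.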

# File name to store the pid of the process.
# Default is /var/run/turnserver.pid (if the superuser account is used) or
# /var/tmp/turnserver.pid .
#
#pidfile="/var/run/turnserver.pid"
pidfile="/var/tmp/turnserver.pid"

# Require authentication of the STUN Binding request.
# By default, clients are allowed anonymous access to the STUN Binding functionality.
#
#secure-stun

# Require the SHA256 digest function to be used for message integrity.
# By default, the server uses SHA1 (as per the TURN standard specs).
# With this option, the server
# always requires the stronger SHA256 function. The client application
# must support the SHA256 hash function if this option is used. If the server obtains
# a message from the client with the weaker (SHA1) hash function then the
# server returns error code 426.
#
#sha256

# Mobility with ICE (MICE) specs support.
#
#mobility

# User name to run the process as. After the initialization, the turnserver process
# will make an attempt to change the current user ID to that user.
#
#proc-user=<user-name>

# Group name to run the process as. After the initialization, the turnserver process
# will make an attempt to change the current group ID to that group.
#
#proc-group=<group-name>

# Turn OFF the CLI support.
# By default it is always ON.
# See also options cli-ip and cli-port.
#
#no-cli

# Local system IP address to be used for the CLI server endpoint. Default value
# is 127.0.0.1.
#
#cli-ip=127.0.0.1

# CLI server port. Default is 5766.
#
#cli-port=5766

# CLI access password. Default is empty (no password).
#
#cli-password=logen

# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications where we want to run
# server applications on the relay endpoints.
# This option eliminates the IP permissions check on
# the packets incoming to the relay endpoints.
#
#server-relay

# Maximum number of output sessions in the ps CLI command.
# This value can be changed on-the-fly in the CLI. The default value is 256.
#
#cli-max-output-sessions

# Set network engine type for the process (for internal purposes).
#
#ne=[1|2|3]

# Do not allow an SSL/TLS version of the protocol.
#
#no-sslv2
#no-sslv3
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2

turnuserdb.conf

# This file can be used as user accounts storage for the long-term credentials mechanism.
#
#username1:key1
#username2:key2
# OR:
#username1:password1
#username2:password2
#
# Keys must be generated by the turnadmin utility. The key value depends
# on user name, realm, and password:
#
# Example, using the following command:
# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
#
# ('0x' at the beginning of the key is what differentiates the key from
# a password. If it has 0x then it is a key, otherwise it is a password).
#
# The corresponding user account entry in the userdb file will be:
#
#ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
# Or, equivalently (less secure):
#ninefingers:youhavetoberealistic
#
yourname:yourpsw
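As an added example (not part of this file and not coturn's own code), the Python below parses turnuserdb.conf-style text, tells key entries from password entries by the 0x prefix as described above, converts password entries into keys, and lists the accounts whose file entry is a plaintext password so that an administrator can find the "less secure" form during a review. The file text is a constructed sample. The comments above say only that the key depends on user name, realm and password; computing it as MD5 over "username:realm:password" is the RFC 5389 long-term credential key and is this example's assumption about what turnadmin -k produces, so the value printed for ninefingers should be compared against a real turnadmin run rather than trusted from here. The names long_term_key, parse_userdb and plaintext_users are this example's own.

```python
import hashlib
import re

# A key is "0x" followed by 32 hex digits (a 16-byte digest), as in the example above.
KEY_RE = re.compile(r"^0x[0-9a-fA-F]{32}$")


def long_term_key(username, realm, password):
    """Derive the long-term credential key from user name, realm and password.

    Assumption (not stated in the file above): MD5 over "username:realm:password",
    the RFC 5389 long-term credential key, which is 16 bytes / 32 hex digits.
    """
    material = f"{username}:{realm}:{password}".encode("utf-8")
    return "0x" + hashlib.md5(material).hexdigest()


def parse_userdb(text, realm):
    """Parse userdb text into {username: (key, stored_as)}.

    stored_as is "key" when the file held a 0x... key and "password" when it
    held a plaintext password; password entries are turned into keys so the
    caller only ever handles keys.
    """
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected user:key or user:password")
        user, secret = line.split(":", 1)
        if secret.startswith("0x"):
            # The 0x prefix marks a key; anything else after it must be hex.
            if not KEY_RE.match(secret):
                raise ValueError(f"line {lineno}: malformed key for {user!r}")
            users[user] = (secret.lower(), "key")
        else:
            users[user] = (long_term_key(user, realm, secret), "password")
    return users


def plaintext_users(users):
    """Accounts whose file entry is a plaintext password (the less secure form above)."""
    return sorted(u for u, (_, form) in users.items() if form == "password")


# Constructed sample in the layout of turnuserdb.conf (not the file above itself).
SAMPLE_USERDB = """\
# constructed sample
ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
yourname:yourpsw
"""


if __name__ == "__main__":
    db = parse_userdb(SAMPLE_USERDB, "north.gov")
    for user, (key, form) in db.items():
        print(f"{user}: {key} (stored as {form})")
    print("accounts stored as plaintext passwords:", plaintext_users(db))
    # Derivation for the turnadmin example above; compare with a real turnadmin -k run.
    print(long_term_key("ninefingers", "north.gov", "youhavetoberealistic"))
```

Because a key entry already commits to a realm, moving a userdb file with keys to a server configured with a different realm silently breaks authentication, whereas the plaintext form keeps working; that convenience is exactly what the "less secure" remark above trades away.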


Source: www.webrtcbbs.com