Coturn with Nginx reverse proxy to Talk on Port 443

ℹ️ Support 💬 Talk (spreed)
1

Hey,
is it even possible to run Coturn behind a reverse proxy (Nginx) as a turn server?
I can’t connect to my turn server.
I want the turn-server to run on port 443.
But I can see the admin login at https://my.domain.de
The login just doesn’t work. (I created the admin with “turnadmin -A -u name -p PW”.)

My configuration:
The Nginx configuration and turnserver.conf use the same certificates, DH-key!

tunserver.conf:
#listening-port=3478
tls-listening-port=5349

listening-ip=127.0.0.1
relay-ip=127.0.0.1

fingerprint
lt-cred-mech
realm=my.domain.de

total-quota=100
bps-capacity=0
stale-nonce
use-auth-secret
static-auth-secret=cexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo5q

cert=/etc/nginx/ssl/my.domain.de_ecc/fullchain.cer
pkey=/etc/nginx/ssl/my.domain.de_ecc/my.domain.de.key
dh-file=/etc/nginx/ssl/dhparams.pem
cipher-list=“ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128”

ec-curve-name=prime256v1
no-stun
no-loopback-peers
no-multicast-peers
no-stdout-log
simple-log
log-file=/var/log/turn.log
syslog
no-tlsv1
no-tlsv1_1

Nginx config:

upstream coturn {
server 127.0.0.2:5349;

server 127.0.0.2:3478;

}

server {
listen 80;
#listen [::]:80;
server_name my.domain.de;

    root /nowhere;
    rewrite ^ https://$host$request_uri? permanent;

}

server {
listen 443 ssl;
#listen [::]:443 ssl;
server_name my.domain.de;

root /nowhere;

ssl on;
ssl_certificate      /etc/nginx/ssl/my.domain.de_ecc/fullchain.cer;
ssl_certificate_key  /etc/nginx/ssl/my.domain.de_ecc/my.domain.de.key;

ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128';

ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_ecdh_curve prime256v1;
access_log            /var/log/nginx/turn.log;

location / {
    proxy_pass           https://coturn;
  }

}

1 Like
2

Hi!

 proxy_pass           https://coturn;

Is there a reason why you use a second TLS layer?
client <--- tls --> nginx <--- tls --- > coturn

Since your coturn server runs on the same server, there’s no need to do that. :slight_smile: