HELP ME understand if both STUN and TURN servers are required

I’m not stupid, but there seems to be a break in the connection between the functions of STUN, TURN and WebRTC servers… and how they all interconnect. I have an unusual config, as my Cloud resides in a network that has ONLY port 443 access to the web. I can provide access to the other ports; however, my Cloud is on a test server and my port 80 content is on a Production server, which I do not like to disturb with config changes that require restarting the Apache server.

Does anyone have a diagram of the interconnection…

If the proxy has to be on port 80, is there a way it could be configured to access WebRTC on a different machine in the same subnet?

So… the questions are:
Does the proxy server need to be on port 80?
Does STUN need to be used if I have a static IP?
Does TURN need to be used if I have a static IP?
Is Docker the way to go for installation?

I only wish to connect with people who use my Cloud…

I tried changing the port on the proxy to 443, and it didn’t work. Why?

Thanks, Dave

The STUN server gives you, as a client, your external IP. If you are connecting to e.g. Abdul Ahmed in Qatar, Ahmed needs to know what your external IP is to connect directly to you, and vice versa you need his external IP. These IPs are exchanged between the clients via SpreedME.
If you are behind a firewall and don’t have UPnP activated, or you are using an HTTP proxy, you need a TURN server (I would try it first without). The TURN server is the “man in the middle”. Both clients connect to the TURN server if one of them is behind a NAT or proxy. The DTLS session keys, given by the SpreedME server, protect the integrity and authenticity of the communication. But the TURN server can log the metadata (who connected when to which destination).

So to answer Q2 and Q3:
It doesn’t matter if you have a static IP or not. The other WebRTC client needs to know your IP and must be able to establish a successful connection to the other client. If not, you need a STUN/TURN server. I need to use a STUN server; my config is:

stunURIs = stun:stun.spreed.me:443 stun:stun1.l.google.com:19302 stun:stun2.l.google.com:19302 stun:stun3.l.google.com:19302 stun:stun4.l.google.com:19302

Of course the STUN server can log metadata, but it is just “Client XY asked at 15:34 for his own IP”, so it is worthless for the provider (or secret services).

I found a nice picture about STUN servers (signalling server and web server = SpreedME):

To comment on Q3:
I would use apt for installation (better for updating). Docker also works, but you have to update manually (correct me if I’m wrong).

Hope I could help…

Because of some crazy permissions and restrictions, thanks to @bjoern and co. :wink:, I can only add 2 links and one picture per post, so:

A picture about TURN servers:

And something interesting I tried to link with the word “metadata”, to think about: https://www.youtube.com/watch?v=UdQiz0Vavmc
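A worked version of the STUN exchange this reply describes, added here as an example (it is not from the thread or from Spreed.ME): a minimal RFC 5389 Binding Request client that parses the XOR-MAPPED-ADDRESS the server returns, plus a server-side builder used only to construct IPv4 test data offline. The transaction-ID and magic-cookie checks are what keep a client from accepting a stray or spoofed datagram as its own external address.

```python
import os, socket, struct

# RFC 5389 constants: magic cookie, the two message types and the one attribute we need
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(txid: bytes) -> bytes:
    """Client side: a Binding Request is just the 20-byte header, no attributes."""
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)

def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Server side, used here only to construct offline test data (IPv4 only).
    The reflexive address is XORed with the cookie so NATs rewriting literal IPs can't corrupt it."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr

def parse_binding_response(data: bytes, txid: bytes):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or None for anything that is not a
    well-formed Binding Success for *our* transaction (unsolicited replies are dropped)."""
    if len(data) < 20:
        return None
    msg_type, length, cookie, rx_txid = struct.unpack("!HHI12s", data[:20])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or rx_txid != txid:
        return None
    if len(data) < 20 + length:
        return None  # truncated datagram
    body, pos = data[20:20 + length], 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        if len(value) < attr_len:
            return None  # attribute runs past the declared message length
        if attr_type == XOR_MAPPED_ADDRESS and attr_len >= 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
        pos += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
    return None

def query_reflexive_address(host: str, port: int = 19302, timeout: float = 3.0):
    """Ask a STUN server which address:port it sees us from (needs network access)."""
    txid = os.urandom(12)  # random ID so a reply can be matched to this request
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), (host, port))
        data, _ = sock.recvfrom(2048)
    return parse_binding_response(data, txid)
```

Calling query_reflexive_address("stun1.l.google.com") against one of the servers in the config above returns the (ip, port) the STUN server observed, which is exactly the information the reply says a STUN server can log.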

Do you mean the proxy you set up for WebRTC in your Nextcloud vhost? As you just want to use WebRTC within Nextcloud, and that is the intended default, you should use a totally different free port for this. The connection from the Nextcloud/Spreed.ME web app to the actual WebRTC server is just server-internal. E.g. my nextcloud.conf looks like this, so it uses port 8080, which doesn’t need to be opened to the web:

  # Spreed WebRTC config (must be in the same vhost as Nextcloud)
  # Forward the Spreed web app to the WebRTC server that listens only on localhost:8080
  <Location /webrtc>
      ProxyPass http://127.0.0.1:8080/webrtc
      ProxyPassReverse http://127.0.0.1:8080/webrtc
  </Location>
  # WebSocket endpoint; requires mod_proxy_wstunnel to be loaded
  <Location /webrtc/ws>
      ProxyPass ws://127.0.0.1:8080/webrtc/ws
  </Location>
  ProxyVia On
  ProxyPreserveHost On
  # Tell the backend the client arrived over TLS
  RequestHeader set X-Forwarded-Proto 'https' env=HTTPS

The access from the web just goes through your default HTTP(S) port.

My experience is that in most cases you need a TURN server, whether you have a static IP or not. So e.g. install coturn and follow the related steps here: Complete NC installation on Debian with Spreed.me and TURN step by step

Ah, now I understand what he meant by the proxy server… I thought he meant a client-side proxy.