Run coTurn behind Nginx

Intro

• [Xubuntu22.04] Try coTurn for WebRTC 1

I will try run coTurn behind Nginx like my WebRTC application with reverse proxy.

Wireshark

Install Wireshark to see if the specified port is accessed with the specified protocol (TCP or UDP).

sudo apt install wireshark

Because my account haven't had a permission to access "/usr/bin/dumpcap" by default, I couldn't start capturing.

sudo chmod +x /usr/bin/dumpcap

• Fix for "couldn't run /usr/bin/dumpcap in child process: permission denied" - GitHub

Load balancer

According this issue comments, I can run coTurn behind Nginx by a load balancing function of Nginx.

• Make coturn work reverse proxied through nginx #702 - coturn/coturn - GitHub

Before I edit nginx.conf, I added local domains into "/etc/hosts".

192.168.XX.YYY local-webrtc.jp
192.168.XX.YYY local-turn.jp

And Combine UDP and TCP listening ports into one in the turnserver.conf of coTurn.

turnserver.conf

...
# TURN listener port for UDP and TCP (Default: 3478).
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
listening-port=3478

# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
# port(s), too - if allowed by configuration. The TURN server
# "automatically" recognizes the type of traffic. Actually, two listening
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
# For secure TCP connections, Coturn currently supports
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, Coturn supports DTLS version 1.
#
#tls-listening-port=5349
...

nginx.conf

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}
stream {
    map $ssl_preread_server_name $name {
        local-webrtc.jp url_backend;
        local-turn.jp turn_server;
    }
    upstream url_backend {
        server 127.0.0.1:4444;
    }

    upstream turn_server {
        server 192.168.XX.YYY:3478;
    }
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $name;
        proxy_buffer_size 10m;
    }
}
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    keepalive_timeout  65;
    include /etc/nginx/conf.d/*.conf;
}

webrtcapp.conf

map $http_origin $cors {
    'http://localhost:8080' $http_origin;
    'https://127.0.0.1:4444' $http_origin;
    'https://local-webrtc.jp:443' $http_origin;
}
...
server {
    listen 4444 ssl;
    server_name localhost;
...
}

Because 443 port is shared by the Web application and coTurn, TCP protocol is used for communication with coTurn,

• Using nginx as HTTP load balancer
• Module ngx_stream_core_module
• Module ngx_http_upstream_module
• Configuring HTTPS servers
• TCP and UDP Load Balancing - Nginx Plus