CoTURN: How to use the TURN REST API?

I created coturn and ran it successfully. IP: 192.168.1.111. Now the question I came across is getting the TURN credentials through the REST API. http://tools.ietf.org/html/draft-uberti-behave-turn-rest-00 According to the draft, the request format should be

GET /?service=turn&username=mbzrxpgjys

and the answer should be JSON. Now my question is:

a) How to configure and run the TURN SERVER command to run it in REST API mode?

b) How do I write an HTTP request in the correct format so that TURN SERVER can respond correctly? Could you give me an example?

+14
rest api webrtc turn coturn
3 answers

The few things to clarify are:

  • GET /?service=turn&username=mbzrxpgjys , which returns JSON, is just a suggested URI for receiving time-limited TURN credentials from the server; you do not have to follow that, your URI might just be /?giveMeCredentials . Actually, I am using my socket connection to retrieve this data, and not a direct HTTP call with a JSON response. At the end of the day, it does not matter how you (the client who uses the specified TURN) receive these credentials if they are valid.

  • You do not make any requests to the TURN server directly; there is no REST API to call on the TURN server, that part is under your control.

  • You specify the secret key when starting the TURN server; it can be taken from a DB (thus dynamically changeable), but lazy as I was, I just hardcoded it in the config file. Also remember to enable the REST API as part of the turnserver command: turnserver ... --use-auth-secret --static-auth-secret=MySecretKey

  • Now, on your application server, you will use the same secret key to generate credentials: the username is a UNIX timestamp and some string (maybe random, or a user ID, or something else) separated by :, and the password is the HMAC of the username with your secret key.

  • About the UNIX timestamp: this is the time on the TURN server until which your credentials will be valid, so when calculating it, make sure that you take into account the clock difference between the application server and your TURN server.

Now some sample code taken from my answer to another question:

to specify a TURN server:

 turnserver -v --syslog -a -L xx.xxx.xx.xx -X yy.yyy.yyy.yy -E zz.zzz.zz.zzz \
   --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 \
   --use-auth-secret --static-auth-secret=my_secret --realm=north.gov \
   --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem \
   --log-file=stdout -q 100 -Q 300 --cipher-list=ALL

node.js code to create TURN credentials on the application server:

 var crypto = require('crypto');

 function getTURNCredentials(name, secret){
     // this credential would be valid for the next 24 hours
     var unixTimeStamp = parseInt(Date.now()/1000) + 24*3600,
         username = [unixTimeStamp, name].join(':'),
         password,
         hmac = crypto.createHmac('sha1', secret);
     // base64 of HMAC-SHA1(secret, username) is the TURN password
     hmac.setEncoding('base64');
     hmac.write(username);
     hmac.end();
     password = hmac.read();
     return {
         username: username,
         password: password
     };
 }

Browser code to use:

 ...
 iceServers: [
     { urls: "turn:turn_server_ip", username: username, credential: password }
 ...
+24

I recently ran into a similar problem (getting a REST API working with a TURN server) and found out that the TURN server does not support REST API calls at all; it just supports the authentication format with a shared secret when we enable REST API support in the TURN configuration. The draft only contains information about the things that we need to consider when implementing such a REST API, and we need to create the API ourselves or use something like turnhttp to create a combination of a temporary username and password.

As @mido detailed, you can implement the username / password generation part in the application itself. But if you have reasons to separate this from the application and want to implement it as a completely different API service, instead of implementing the full API in accordance with the draft, I came across another post in which the OP provided a PHP script to create the temp username and password, and this works very well once you change the hash_hmac() call as follows:

 $turn_password = hash_hmac('sha1', $turn_user, $secret_key, true); 

We need to base64-encode the RAW output of hash_hmac to make it work, and I believe that is why it did not work for the OP in that link.

You should verify the authentication with the turnutils_uclient command to ensure that the temp username / password is working properly.

 turnutils_uclient -y -u GENERATED_USERNAME -w GENERATED_PASSWORD yourturnserver.com 

After you have verified the authentication and confirmed that it works, you can configure the web server for the PHP script to make it available to your application and get a temporary username / password. In addition, to protect the API from unauthorized access, you will need to implement a different security setting (authentication).

I know this is an old post, just sharing my findings, hoping that someday it will be useful to someone.

0

After many hours of frustration, @Mido's excellent answer was the only thing that made the CoTurn REST API work for me.

My credential server is PHP, and I use the CoTurn configuration file 'turnserver.conf', so here's a tested and working translation of Mido's work for this situation:

Assuming the 'shared secret' is '3575819665154b268af59efedee8826e', here are the corresponding turnserver.conf entries:

 lt-cred-mech
 use-auth-secret
 static-auth-secret=3575819665154b268af59efedee8826e

... and PHP (which has been misleading me for ages):

 $ttl = 24 * 3600; // Time to live
 $time = time() + $ttl;
 $username = $time . ':' . $user; // $user is the caller's user identifier
 $password = base64_encode(hash_hmac('sha1', $username, '3575819665154b268af59efedee8826e', true));
0
