authorHolger Weiss <holger@zedat.fu-berlin.de>2020-05-11 17:32:28 +0200
committerHolger Weiss <holger@zedat.fu-berlin.de>2020-05-11 17:32:28 +0200
commite286bb23db19bb8627a74d75430b5f571f13e5ab (patch)
tree62926eb5211ee484f380c84ba727c254babe5d5d /src/mod_stun_disco.erl
parentFix link in mod_sip to SIP Docs section (diff)
mod_stun_disco: Bump credentials_lifetime default
Increase the default lifetime of temporary credentials to 12 hours. ejabberd's built-in TURN server re-queries the temporary password from mod_stun_disco whenever a TURN client attempts to refresh an allocation, and mod_stun_disco will only return the password as long as the credentials haven't expired. Therefore, the credentials lifetime effectively limits the maximum lifetime of a TURN allocation when ejabberd's TURN service is used, so the default value shouldn't be too short.
Diffstat (limited to 'src/mod_stun_disco.erl')
-rw-r--r--src/mod_stun_disco.erl31
1 files changed, 18 insertions, 13 deletions
diff --git a/src/mod_stun_disco.erl b/src/mod_stun_disco.erl
index 45beed7c1..377d25227 100644
--- a/src/mod_stun_disco.erl
+++ b/src/mod_stun_disco.erl
@@ -149,7 +149,7 @@ mod_opt_type(services) ->
-spec mod_options(binary()) -> [{services, [tuple()]} | {atom(), any()}].
mod_options(_Host) ->
[{access, local},
- {credentials_lifetime, timer:minutes(10)},
+ {credentials_lifetime, timer:hours(12)},
{offer_local_services, true},
{secret, undefined},
{services, []}].
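Review bot: The new default `timer:hours(12)` in `mod_options/1` keeps every temporary credential valid 72 times longer than before, and neither this line nor the `credentials_lifetime` description in the next hunk states the trade-off: a credential that is disclosed stays usable until it expires. Whether credentials can be invalidated earlier is not visible in this diff. I would record the reasoning at the default, e.g. `%% 12 h: caps TURN allocation lifetime on the built-in server; a shorter value narrows the window in which a disclosed credential stays valid.`, and add a matching sentence to the option description.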
@@ -171,10 +171,14 @@ mod_doc() ->
{credentials_lifetime,
#{value => "timeout()",
desc =>
- ?T("The lifetime of temporary credentails offered to "
- "clients. If a lifetime longer than the default value of "
- "'10' minutes is specified, it's strongly recommended to "
- "also specify a 'secret' (see below).")}},
+ ?T("The lifetime of temporary credentials offered to "
+ "clients. If ejabberd's built-in TURN service is used, "
+ "TURN relays allocated using temporary credentials will "
+ "be terminated shortly after the credentials expired. The "
+ "default value is '12' hours. Note that restarting the "
+ "ejabberd node invalidates any temporary credentials "
+ "offered before the restart unless a 'secret' is "
+ "specified (see below).")}},
{offer_local_services,
#{value => "true | false",
desc =>
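Review bot: In the `credentials_lifetime` description, "shortly after the credentials expired" should read "shortly after the credentials expire", since the sentence describes ongoing behaviour rather than a past event. The literal `'12' hours` also repeats the value set in `mod_options/1`, so the two must be edited together, as this commit itself shows; a short comment beside the default such as `%% keep in sync with the credentials_lifetime text in mod_doc/0` would make that explicit. `mod_doc/0` starts and ends outside this hunk.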
@@ -191,14 +195,15 @@ mod_doc() ->
desc =>
?T("The secret used for generating temporary credentials. If "
"this option isn't specified, a secret will be "
- "auto-generated. However, a secret must be specified if "
- "non-anonymous TURN services running on other ejabberd "
- "nodes and/or external TURN 'services' are configured. "
- "Also note that auto-generated secrets are lost when the "
- "node is restarted, which invalidates any credentials "
- "offered before the restart. Therefore, the "
- "'credentials_lifetime' should not exceed a few minutes "
- "if no 'secret' is specified.")}},
+ "auto-generated. However, a secret must be specified "
+ "explicitly if non-anonymous TURN services running on "
+ "other ejabberd nodes and/or external TURN 'services' are "
+ "configured. Also note that auto-generated secrets are "
+ "lost when the node is restarted, which invalidates any "
+ "credentials offered before the restart. Therefore, it's "
+ "recommended to explicitly specify a secret if clients "
+ "cache retrieved credentials (for later use) across "
+ "service restarts.")}},
{services,
#{value => "[Service, ...]",
example =>
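Review bot: The `secret` description now steers operators toward configuring a static secret, but it gives no guidance on the secret's strength or handling. Assuming the temporary credentials are derived from this value (the derivation is not visible in this diff), a short or guessable secret would weaken every credential issued, and with the 12-hour default each of them stays valid longer. I would append a sentence to the description such as `"The secret should be a long random string and be kept as confidential as any other password."`. `mod_doc/0` continues outside this hunk.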