Comprehensive Cloudflare platform skill covering Workers, D1, R2, KV, AI, Durable Objects, and security.
references/turn/configuration.md
# TURN Configuration

Setup and configuration for Cloudflare TURN service in Workers and applications.

## Environment Variables

```bash
# .env
CLOUDFLARE_ACCOUNT_ID=your_account_id
CLOUDFLARE_API_TOKEN=your_api_token
TURN_KEY_ID=your_turn_key_id
TURN_KEY_SECRET=your_turn_key_secret
```

Validate with zod:

```typescript
import { z } from 'zod';

// Fail fast at startup if any required variable is missing or empty
const envSchema = z.object({
  CLOUDFLARE_ACCOUNT_ID: z.string().min(1),
  CLOUDFLARE_API_TOKEN: z.string().min(1),
  TURN_KEY_ID: z.string().min(1),
  TURN_KEY_SECRET: z.string().min(1)
});

export const config = envSchema.parse(process.env);
```

## wrangler.jsonc

```jsonc
{
  "name": "turn-credentials-api",
  "main": "src/index.ts",
  "compatibility_date": "2025-01-01",
  "vars": {
    "TURN_KEY_ID": "your-turn-key-id" // Non-sensitive, can be in vars
  },
  "env": {
    "production": {
      "kv_namespaces": [
        {
          "binding": "CREDENTIALS_CACHE",
          "id": "your-kv-namespace-id"
        }
      ]
    }
  }
}
```

**Store secrets separately**:

```bash
wrangler secret put TURN_KEY_SECRET
```

## Cloudflare Worker Integration

### Worker Binding Types

```typescript
interface Env {
  TURN_KEY_ID: string;
  TURN_KEY_SECRET: string;
  CREDENTIALS_CACHE?: KVNamespace;
}

export default {
  async fetch(request: Request, env: Env): Promise<Response> {
    // See patterns.md for implementation
    return new Response('Not implemented', { status: 501 });
  }
};
```

### Basic Worker Example

```typescript
export default {
  async fetch(request: Request, env: Env): Promise<Response> {
    // Match on the parsed path so a query string does not break routing
    if (new URL(request.url).pathname === '/turn-credentials') {
      // Validate client auth.
      // This only checks that the header is present; verify the token itself
      // before issuing credentials.
      const authHeader = request.headers.get('Authorization');
      if (!authHeader) {
        return new Response('Unauthorized', { status: 401 });
      }

      // The key secret stays server-side; clients only receive short-lived credentials
      const response = await fetch(
        `https://rtc.live.cloudflare.com/v1/turn/keys/${env.TURN_KEY_ID}/credentials/generate`,
        {
          method: 'POST',
          headers: {
            'Authorization': `Bearer ${env.TURN_KEY_SECRET}`,
            'Content-Type': 'application/json'
          },
          body: JSON.stringify({ ttl: 3600 })
        }
      );

      if (!response.ok) {
        return new Response('Failed to generate credentials', { status: 500 });
      }

      const data = (await response.json()) as {
        iceServers: { urls: string[]; username: string; credential: string };
      };

      // Filter port 53 for browser clients.
      // Match the port exactly: a plain ':53' substring test would also drop ':5349' URLs.
      const filteredUrls = data.iceServers.urls.filter(
        (url: string) => !/:53(\?|$)/.test(url)
      );

      return Response.json({
        iceServers: [
          { urls: 'stun:stun.cloudflare.com:3478' },
          {
            urls: filteredUrls,
            username: data.iceServers.username,
            credential: data.iceServers.credential
          }
        ]
      });
    }

    return new Response('Not found', { status: 404 });
  }
};
```

## IP Allowlisting (Enterprise/Firewall)

For strict firewalls, allowlist these IPs for `turn.cloudflare.com`:

| Type | Address | Protocol |
|------|---------|----------|
| IPv4 | 141.101.90.1/32 | All |
| IPv4 | 162.159.207.1/32 | All |
| IPv6 | 2a06:98c1:3200::1/128 | All |
| IPv6 | 2606:4700:48::1/128 | All |

**IMPORTANT**: These IPs may change with 14-day notice. Monitor DNS:

```bash
# Check A and AAAA records
dig turn.cloudflare.com A
dig turn.cloudflare.com AAAA
```

Set up automated monitoring to detect IP changes and update allowlists within 14 days.

## IPv6 Support

- **Client-to-TURN**: Both IPv4 and IPv6 supported
- **Relay addresses**: IPv4 only (no RFC 6156 support)
- **TCP relaying**: Not supported (RFC 6062)

Clients can connect via IPv6, but relayed traffic uses IPv4 addresses.

## TLS Configuration

### Supported TLS Versions

- TLS 1.1
- TLS 1.2
- TLS 1.3

### Recommended Ciphers (TLS 1.3)

- AEAD-AES128-GCM-SHA256
- AEAD-AES256-GCM-SHA384
- AEAD-CHACHA20-POLY1305-SHA256

### Recommended Ciphers (TLS 1.2)

- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-SHA (also TLS 1.1)
- AES128-GCM-SHA256

## See Also

- [api.md](./api.md) - TURN key creation, credential generation API
- [patterns.md](./patterns.md) - Full Worker implementation patterns
- [gotchas.md](./gotchas.md) - Security best practices, troubleshooting
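
For the automated monitoring recommended under IP Allowlisting, the following is an added example (not part of the skill's own files) that compares resolved A/AAAA records against the four allowlisted addresses, normalizing IPv6 spellings so equivalent forms do not raise false alerts. The function names and the sample DNS answers are assumptions constructed for illustration.

```typescript
// Added example: allowlist drift check for turn.cloudflare.com.
// ALLOWLIST holds the four addresses from the IP Allowlisting table; all names are hypothetical.
const ALLOWLIST = [
  '141.101.90.1/32',
  '162.159.207.1/32',
  '2a06:98c1:3200::1/128',
  '2606:4700:48::1/128'
];

// Canonical form so equivalent spellings compare equal: prefix length dropped,
// IPv6 expanded to eight lowercase groups without leading zeros.
function canonicalIp(addr: string): string {
  const ip = addr.trim().toLowerCase().split('/')[0];
  if (ip.indexOf(':') === -1) return ip; // IPv4: nothing to expand
  const halves = ip.split('::');
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length > 1 && halves[1] ? halves[1].split(':') : [];
  const groups = head.slice();
  if (halves.length > 1) {
    for (let i = head.length + tail.length; i < 8; i++) groups.push('0');
  }
  return groups.concat(tail).map((g) => parseInt(g, 16).toString(16)).join(':');
}

interface Drift {
  unlisted: string[]; // resolved by DNS but not allowlisted: traffic would be blocked
  stale: string[];    // allowlisted but no longer resolved: candidate for removal
}

// Compare the records returned by the dig queries against the allowlist.
function allowlistDrift(allowlist: string[], resolved: string[]): Drift {
  const allowed = allowlist.map(canonicalIp);
  const seen = resolved.map(canonicalIp);
  return {
    unlisted: seen.filter((ip) => allowed.indexOf(ip) === -1),
    stale: allowed.filter((ip) => seen.indexOf(ip) === -1)
  };
}

// Constructed sample answers: IPv6 records in non-compressed spellings, plus one
// IPv4 address from a documentation range that is not in the table.
const sampleResolved = [
  '141.101.90.1',
  '203.0.113.7',
  '2a06:98c1:3200:0:0:0:0:1',
  '2606:4700:0048::1'
];
const sampleDrift = allowlistDrift(ALLOWLIST, sampleResolved);
```

Feed `allowlistDrift` the output of `dig +short` for both record types on a schedule and alert when either list is non-empty.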