Tutorial: Using proxy to handle firewall restrictions

Using proxy to handle firewall restrictions


You may be unable to use the TRTC web SDK in your corporate network due to the use of firewalls. We offer two solutions to this issue:

This document shows you how to set up NGINX + Coturn proxies.


  • Update the TRTC Web SDK version to 4.12.0 or higher.
  • You need to set up two servers: an NGINX server and a TURN server. Please contact your company’s IT support staff for help.
  • The NGINX proxy server is responsible for forwarding the WebSocket signaling data packets of the TRTC web SDK, and the TURN server forwards audio/video data packets.
  • Use Client.setProxyServer to set the NGINX server. The SDK will use the NGINX server you specify for signaling interactions.
  • Use Client.setTurnServer to set the TURN server. The SDK will use the TURN server you specify for audio/video data transmission.


Scheme Description Requirements
Scheme 1 Allows your webpages to access specific external proxy servers. Set up the proxy servers outside your corporate network and add the proxy servers to your firewall allowlist.
Scheme 2 Allows your webpages to access public networks through internal proxy servers. Set up the proxy servers inside your corporate network and allow the proxy servers to access the TRTC server.
Scheme 1
Scheme 2

API examples

const client = TRTC.createClient({ 
	mode: 'rtc', 
// Set the NGINX server. proxy.example.com is the domain name of the NGINX server.
  // Set the WebSocket proxy, which is used to transfer data packets between the SDK and the TRTC backend
  websocketProxy: 'wss://proxy.example.com/ws/',
  // By default, the SDK sends logs to yun.tim.qq.com. If this domain is inaccessible from your corporate network, add the domain to your allowlist or configure a logging proxy as follows:
  // Set the logging proxy. We strongly recommend you set a logging proxy because logs are crucial to troubleshooting. This parameter is valid in v4.8.0 and later versions of the SDK.
  loggerProxy: 'https://proxy.example.com/logger/' 
// Set the TURN server. is the IP address and port number of the TURN server.
client.setTurnServer({ url: '', username: 'turn', credential: 'turn', credentialType: 'password' }); 
await client.join({ roomId });

Scheme 1

Set up the NGINX server

  1. Deploy an NGINX server

    Refer to tutorials on the internet to set up and deploy an NGINX server for your company.

  2. Configure the NGINX server.

    vi /etc/nginx/nginx.conf 
    http {
      server { 
        # The domain of the NGINX server
        server_name proxy.example.com; 
        # The port number of the NGINX server
        listen        443; 
        ssl on; 
        location /ws/ { # The `websocketProxy` parameter in `setProxyServer`
          proxy_pass https://intl-signaling.rtc.qcloud.com/; # The TRTC server
          proxy_http_version 1.1; 
          proxy_set_header Upgrade $http_upgrade; 
          proxy_set_header Connection "upgrade"; 
        location /logger/ { # The `loggerProxy` parameter in `setProxyServer`
          proxy_pass https://videoapi-sgp.im.qcloud.com/;
        # The SSL certificate of the domain, which you need to obtain by yourself 
        ssl_certificate ./crt/1_proxy.trtcapi.com_bundle.crt; 
        ssl_certificate_key ./crt/2_proxy.trtcapi.com.key; 
  3. Reload NGINX.

    sudo nginx -s reload
  4. Check that the IP address and port of the NGINX server are no longer blocked by your corporate firewall.

Set up the TURN server

Refer to tutorials on the internet to set up a TURN server or use the script below to set up a TURN server on Centos.

  1. Create a script file turn.sh in Linux. Below is the content of the file:

    #!/usr/bin/env bash
    # current file name is turn.sh
    # ref:
    # https://gabrieltanner.org/blog/turn-server    STEP 3 testing turn server
    # https://medium.com/av-transcode/what-is-webrtc-and-how-to-setup-stun-turn-server-for-webrtc-communication-63314728b9d0
    # as super-user
    # usage:  current_program <external-ip>
    set -x
    set -e
    ip a
    display_usage() {
            echo "This script must be run with super-user privileges."
            echo -e "\nUsage: $0 <external-ip> \ne.g. $0"
    # if less than two arguments supplied, display usage
    if [ $# -lt 1 ]
            exit 1
    if [[ $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      echo "get external ip $1"
      echo "wrong external ip $1 , must not have whitespace, tab and other char"
      exit 2
    yum install -y coturn
    # $1 is <external-ip>
    cat <<EOF > /etc/coturn/turnserver.conf
  2. Allow executable permissions.

    chmod +x turn.sh
  3. Run sudo ./turn.sh <The server IP address in public networks> as root. Below is an example:

    sudo ./turn.sh
  4. Start the TURN server.

    systemctl start coturn
    # Check whether the TURN server is started successfully.
    ps aux | grep coturn
    # To restart the service, run the command below.
    service coturn restart 
  5. Configure the firewall of the TURN server: Open the inbound port 3478 (TCP & UDP) and the outbound ports (UDP) between the minimum and maximum port numbers configured above.

  6. Configure your corporate firewall: Allow access to the IP address of the TURN server and open the outbound port 3478 (TCP & UDP).

  7. Test the TURN server.

    Use this test page to test whether you can access the TURN server. "done" indicates that the TURN server is accessible.


Scheme 2

Scheme 2 differs from scheme 1 only in terms of two settings.

  1. When setting up the TURN server, set external-ip to a server address in your corporate network.
# In scheme 1, the parameter is set to a server address in a public network, such as ``.
sudo ./turn.sh
# In scheme 2, the parameter is set to a server address in your corporate network, such as ``.
sudo ./turn.sh
  1. Configure the firewall:
  • Allow the NGINX server to access TRTC domains. For information about the ports and domain names used by the TRTC web SDK, see Firewall Restrictions.
  • Allow the TURN server to access public networks.