> 
> What both of you are doing is reverse proxying Galene's web server and
> WebSocket endpoint while leaving the media endpoints exposed to the
> Internet.  That's fine, and there are many circumstances where it is
> useful.
> 

Here a way to do it using Traefik version 2 , galene not running in a container on a machine of local address 192.168.1.10 and of external public name THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER

The DMZ of my nat (Freebox pop internet box) is set to 192.168.1.10

In the docker-compose that contains the  traefik service description , in the label section just add

      - "traefik.http.routers.visio.entrypoints=web,websecure"
      - "traefik.http.routers.visio.service=visio@file"
      - "traefik.http.routers.visio.rule=Host(`THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER`)"

Now in the file that describe the external service (in my case service.toml:

[http]
  [http.services]
    [http.services.visio]
      [http.services.visio.loadBalancer]
        [[http.services.visio.loadBalancer.servers]]
          url = "http://192.168.1.10:8443/"

Now, in galene data/config.json, put :

{
    "proxyURL": "https://THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER/"
}


From the galene installation directory run : 

./galene -insecure -turn THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER:1194



All the best 

Fabrice.