What both of you are doing is reverse proxying Galene's web server and
WebSocket endpoint while leaving the media endpoints exposed to the
Internet.  That's fine, and there are many circumstances where it is
useful.


Here is a way to do it using Traefik version 2, with Galene not running in a container, on a machine with local address 192.168.1.10 and external public name THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER.

The DMZ of my NAT (Freebox Pop Internet box) is set to 192.168.1.10.

In the docker-compose file that contains the Traefik service description, in the label section, just add:

      - "traefik.http.routers.visio.entrypoints=web,websecure"
      - "traefik.http.routers.visio.service=visio@file"
      - "traefik.http.routers.visio.rule=Host(`THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER`)"


Now, in the file that describes the external service (in my case service.toml):

[http]
  [http.services]
    [http.services.visio]
      [http.services.visio.loadBalancer]
        [[http.services.visio.loadBalancer.servers]]
          url = "http://192.168.1.10:8443/"


Now, in Galene's data/config.json, put:

{
    "proxyURL": "https://THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER/"
}



From the Galene installation directory, run:

./galene -insecure -turn THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER:1194




All the best 

Fabrice.
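
The four fragments in the message above (router labels, file-provider service, proxyURL, and the Galene command line) have to agree with each other. The following consistency check is an added example, not part of the original message or of Galene or Traefik; the function name `check` and the hostname galene.example.org (standing in for THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER) are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample inputs mirroring the fragments in the message above;
# galene.example.org stands in for THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER.
LABELS = [
    "traefik.http.routers.visio.entrypoints=web,websecure",
    "traefik.http.routers.visio.service=visio@file",
    "traefik.http.routers.visio.rule=Host(`galene.example.org`)",
]
SERVICE_TOML = '''
[http.services.visio.loadBalancer]
  [[http.services.visio.loadBalancer.servers]]
    url = "http://192.168.1.10:8443/"
'''
CONFIG_JSON = '{"proxyURL": "https://galene.example.org/"}'
GALENE_ARGS = ["-insecure", "-turn", "galene.example.org:1194"]


def check(labels, service_toml, config_json, galene_args):
    """Return a list of mismatches between the four fragments (hypothetical helper)."""
    problems = []
    kv = dict(label.split("=", 1) for label in labels)
    # Router name is the 4th dotted component: traefik.http.routers.<name>.rule
    router = next(k.split(".")[3] for k in kv if k.endswith(".rule"))
    m = re.search(r"Host\(`([^`]+)`\)", kv[f"traefik.http.routers.{router}.rule"])
    rule_host = m.group(1) if m else None
    proxy = urlsplit(json.loads(config_json).get("proxyURL", ""))
    if proxy.scheme != "https":
        problems.append("proxyURL is not https")
    if proxy.hostname != rule_host:
        problems.append("proxyURL host differs from router Host() rule")
    # "visio@file" means service "visio" defined in the file provider.
    svc = kv.get(f"traefik.http.routers.{router}.service", "").split("@")[0]
    m = re.search(
        r"\[\[http\.services\.%s\.loadBalancer\.servers\]\]\s*url\s*=\s*\"([^\"]+)\""
        % re.escape(svc), service_toml)
    if not m:
        problems.append(f"service {svc!r} has no server url in the file provider")
    else:
        # With -insecure Galene serves plain HTTP, so the backend URL must be
        # http://; without it Galene serves TLS and the URL must be https://.
        want = "http" if "-insecure" in galene_args else "https"
        if urlsplit(m.group(1)).scheme != want:
            problems.append(f"backend url should use {want}://")
    return problems
```

An empty list means the fragments are consistent; because `-insecure` leaves the hop from Traefik to port 8443 in plain HTTP, that port should be reachable only from the proxy.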