Galène videoconferencing server discussion list archives
* [Galene] ANNOUNCE: galene-0.6.2
@ 2023-01-11 18:57 Juliusz Chroboczek
  2023-01-11 19:20 ` [Galene] " Juliusz Chroboczek
  0 siblings, 1 reply; 24+ messages in thread
From: Juliusz Chroboczek @ 2023-01-11 18:57 UTC (permalink / raw)
  To: galene

Dear all,

Galene 0.6.2 is available by doing

  git clone -b galene-0.6.2 https://github.com/jech/galene

For more information about the Galene videoconference server, please see

  https://galene.org


This release works around a bug found in most browsers that would cause
screensharing to have very bad quality.  It also fixes issues with badly
packetised VP8 streams, such as the ones generated by GStreamer.

There is one incompatible change: the rules for computing a group's URL
have changed.  If you are running behind a reverse proxy, you may need to
set the new "proxyURL" field of the configuration file.

-- Juliusz

^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: ANNOUNCE: galene-0.6.2
  2023-01-11 18:57 [Galene] ANNOUNCE: galene-0.6.2 Juliusz Chroboczek
@ 2023-01-11 19:20 ` Juliusz Chroboczek
  2023-01-12  7:07   ` Fabrice Rouillier
  0 siblings, 1 reply; 24+ messages in thread
From: Juliusz Chroboczek @ 2023-01-11 19:20 UTC (permalink / raw)
  To: galene

> Galene 0.6.2 is available by doing
> 
>   git clone -b galene-0.6.2 https://github.com/jech/galene

Here's the changelog:

11 January 2023: Galene 0.6.2

  * Disable simulcast for screensharing; this didn't work well with many
    browsers.
  * Fix parsing of VP8 packets with degenerate headers.
  * Fix computation of group URL when running in insecure mode.
  * Add configuration option "proxyURL", which makes it easier to run
    Galene behind a reverse proxy.
  * Disable ulimit checking on BSD systems, where our code doesn't compile.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: ANNOUNCE: galene-0.6.2
  2023-01-11 19:20 ` [Galene] " Juliusz Chroboczek
@ 2023-01-12  7:07   ` Fabrice Rouillier
  2023-01-12 12:13     ` Juliusz Chroboczek
  0 siblings, 1 reply; 24+ messages in thread
From: Fabrice Rouillier @ 2023-01-12  7:07 UTC (permalink / raw)
  To: Juliusz Chroboczek; +Cc: galene

Hi,

>  * Add configuration option "proxyURL", which makes it easier to run
>    Galene behind a reverse proxy.

A full example using Traefik would be highly appreciated, especially for people installing Galene behind their internet box.

The top would be a docker image including integration instructions for Traefik, taking into account the capability of Traefik to handle certificates automatically.
I am not expert enough to propose something correct, but I would volunteer for testing.

All the best.

Fabrice.



^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: ANNOUNCE: galene-0.6.2
  2023-01-12  7:07   ` Fabrice Rouillier
@ 2023-01-12 12:13     ` Juliusz Chroboczek
  2023-01-12 12:18       ` Werner Fleck
  0 siblings, 1 reply; 24+ messages in thread
From: Juliusz Chroboczek @ 2023-01-12 12:13 UTC (permalink / raw)
  To: Fabrice Rouillier; +Cc: galene

> The top would be a docker image

I am sorry, but I do not know how to run Galene in a Docker container.
Docker provides a plethora of networking options, none of which appear to
be able to make a server accessible from the Internet.

I may be mistaken, but I get the impression that Docker is simply not
designed for general network servers.

-- Juliusz

^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: ANNOUNCE: galene-0.6.2
  2023-01-12 12:13     ` Juliusz Chroboczek
@ 2023-01-12 12:18       ` Werner Fleck
  2023-01-12 12:42         ` Juliusz Chroboczek
  0 siblings, 1 reply; 24+ messages in thread
From: Werner Fleck @ 2023-01-12 12:18 UTC (permalink / raw)
  To: galene

Actually I've been running Galène in a Docker container behind a Traefik
reverse proxy (also in a Docker container) for two years without
problems; see
https://hub.docker.com/repository/docker/deburau/galene/general

Werner



^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: ANNOUNCE: galene-0.6.2
  2023-01-12 12:18       ` Werner Fleck
@ 2023-01-12 12:42         ` Juliusz Chroboczek
  2023-01-12 13:55           ` Werner Fleck
  0 siblings, 1 reply; 24+ messages in thread
From: Juliusz Chroboczek @ 2023-01-12 12:42 UTC (permalink / raw)
  To: Werner Fleck; +Cc: galene

> Actually I've been running Galène in a Docker container behind a Traefik
> reverse proxy (also in a Docker container) for two years without problems;

Interesting.  What's the networking setup?  Are you using an external TURN
server?

> see https://hub.docker.com/repository/docker/deburau/galene/general

It's asking me to login.

-- Juliusz

^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: ANNOUNCE: galene-0.6.2
  2023-01-12 12:42         ` Juliusz Chroboczek
@ 2023-01-12 13:55           ` Werner Fleck
  2023-01-12 14:47             ` [Galene] Galene in Docker [was: ANNOUNCE: galene-0.6.2] Juliusz Chroboczek
  2023-01-12 15:18             ` [Galene] Re: ANNOUNCE: galene-0.6.2 Fabrice Rouillier
  0 siblings, 2 replies; 24+ messages in thread
From: Werner Fleck @ 2023-01-12 13:55 UTC (permalink / raw)
  To: galene

I'm running Coturn, also in a docker container.

The Coturn container runs in host network mode, i.e. with direct network 
access. I found this necessary because it uses UDP ports 49152 to 65535 
which was a performance killer using bridged networking.

The Galène container runs in standard bridged mode but has no ports 
exposed. It only gets docker internal traffic.

The Traefik container is the entry point for all my HTTP and HTTPS 
containers and does automatic certificate management. The Galène 
container gets its traffic on port 80.

The system runs very stably, but I have only used it with fewer than 8
participants. So I don't know how it would behave with many more clients.




^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Galene in Docker [was: ANNOUNCE: galene-0.6.2]
  2023-01-12 13:55           ` Werner Fleck
@ 2023-01-12 14:47             ` Juliusz Chroboczek
  2023-01-12 15:01               ` [Galene] " Werner Fleck
  2023-01-12 15:18             ` [Galene] Re: ANNOUNCE: galene-0.6.2 Fabrice Rouillier
  1 sibling, 1 reply; 24+ messages in thread
From: Juliusz Chroboczek @ 2023-01-12 14:47 UTC (permalink / raw)
  To: Werner Fleck; +Cc: galene

> I'm running Coturn, also in a docker container.

> The Coturn container runs in host network mode, i.e. with direct network
> access. I found this necessary because it uses UDP ports 49152 to 65535
> which was a performance killer using bridged networking.

Yes, there's no way around it: if you run Galene behind a NAT, you need
something outside of the NAT to establish communication.

> The Galène container runs in standard bridged mode but has no ports
> exposed. It only gets docker internal traffic.

Are you allowing unrestricted outgoing UDP traffic from the Galene
container?  If you don't, then all of the traffic will be routed through
the TURN server, which will cause load on the TURN server and increase
connection establishment delay by two seconds.

If you do allow unrestricted traffic from Galene, then your
solution is pretty good.  However, it requires setting up an external TURN
server, which I feel is more hassle than just running Galene directly
exposed to the Internet.

> The system runs very stably, but I have only used it with fewer than
> 8 participants. So I don't know how it would behave with many more
> clients.

You should have no problems (as long as you're allowing unrestricted
outgoing UDP).  There's a slight increase in connection establishment time
due to the STUN exchange with the TURN server, but it should be
negligible.

-- Juliusz

^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
  2023-01-12 14:47             ` [Galene] Galene in Docker [was: ANNOUNCE: galene-0.6.2] Juliusz Chroboczek
@ 2023-01-12 15:01               ` Werner Fleck
  2023-01-12 15:29                 ` Juliusz Chroboczek
  0 siblings, 1 reply; 24+ messages in thread
From: Werner Fleck @ 2023-01-12 15:01 UTC (permalink / raw)
  To: Juliusz Chroboczek; +Cc: galene

Outgoing traffic is not restricted and I have not noticed a significant 
connection establishment delay.

And yes, running the Galene container (or any other container) in host 
networking mode would be easier to set up. But since I have many services
on my server and only a single IPv4 address, this is not possible if all 
services should be reachable at its own hostname on port 443. And 
running some ports in host mode and others in bridged mode is not 
possible afaik.



^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: ANNOUNCE: galene-0.6.2
  2023-01-12 13:55           ` Werner Fleck
  2023-01-12 14:47             ` [Galene] Galene in Docker [was: ANNOUNCE: galene-0.6.2] Juliusz Chroboczek
@ 2023-01-12 15:18             ` Fabrice Rouillier
  2023-01-12 17:00               ` Werner Fleck
  1 sibling, 1 reply; 24+ messages in thread
From: Fabrice Rouillier @ 2023-01-12 15:18 UTC (permalink / raw)
  To: Werner Fleck; +Cc: galene


Please, could you export your full configuration (for example docker-compose.yml)?


All the best 

Fabrice.
-------------------------
Fabrice Rouillier
fabrice@rouillier.fr

Virtual office: http://visio-fabrice.rouillier.fr







^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
  2023-01-12 15:01               ` [Galene] " Werner Fleck
@ 2023-01-12 15:29                 ` Juliusz Chroboczek
  2023-01-12 15:32                   ` Fabrice Rouillier
  2023-01-12 15:34                   ` Dianne Skoll
  0 siblings, 2 replies; 24+ messages in thread
From: Juliusz Chroboczek @ 2023-01-12 15:29 UTC (permalink / raw)
  To: Werner Fleck; +Cc: galene

> And yes, running the Galene container (or any other container) in host
> networking mode would be easier to set up. But since I have many services
> on my server and only a single IPv4 address, this is not possible if all
> services should be reachable at its own hostname on port 443. And running
> some ports in host mode and others in bridged mode is not possible afaik.

I think we're agreeing: running Galene in a Docker container is possible,
but it's not as convenient as with traditional web apps.  I feel it's not
worth the hassle, but reasonable people may disagree.

I second Fabrice's request: it'd be helpful if you could publish your config.

-- Juliusz

^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
  2023-01-12 15:29                 ` Juliusz Chroboczek
@ 2023-01-12 15:32                   ` Fabrice Rouillier
  2023-01-12 15:34                   ` Dianne Skoll
  1 sibling, 0 replies; 24+ messages in thread
From: Fabrice Rouillier @ 2023-01-12 15:32 UTC (permalink / raw)
  To: Juliusz Chroboczek; +Cc: Werner Fleck, galene

> 
> I second Fabrice's request: it'd be helpful if you could publish your config.
> 
I will try it on a Mac mini M1 behind a Freebox pop (supposed to support hairpinning) with already installed services using Docker and Traefik.

Fabrice.



^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
  2023-01-12 15:29                 ` Juliusz Chroboczek
  2023-01-12 15:32                   ` Fabrice Rouillier
@ 2023-01-12 15:34                   ` Dianne Skoll
  2023-01-12 18:08                     ` Rémy Dernat
  2023-01-12 20:50                     ` Fabrice Rouillier
  1 sibling, 2 replies; 24+ messages in thread
From: Dianne Skoll @ 2023-01-12 15:34 UTC (permalink / raw)
  To: galene

On Thu, 12 Jan 2023 16:29:05 +0100
Juliusz Chroboczek <jch@irif.fr> wrote:

> I think we're agreeing: running Galene in a Docker container is
> possible, but it's not as convenient as with traditional web apps.  I
> feel it's not worth the hassle, but reasonable people may disagree.

If Galene were complicated to set up, that might argue for using
Docker to reduce installation headaches... but it's a single
executable with a pretty simple set of config files, so I don't see
Docker buying much.

Running behind an HTTP proxy, though, is very useful.

Regards,

Dianne.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: ANNOUNCE: galene-0.6.2
  2023-01-12 15:18             ` [Galene] Re: ANNOUNCE: galene-0.6.2 Fabrice Rouillier
@ 2023-01-12 17:00               ` Werner Fleck
  2023-01-17 13:55                 ` Werner Fleck
  0 siblings, 1 reply; 24+ messages in thread
From: Werner Fleck @ 2023-01-12 17:00 UTC (permalink / raw)
  To: galene


I updated my GitHub repository 
https://github.com/deburau/galene-docker/tree/main/example-configuration



^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
  2023-01-12 15:34                   ` Dianne Skoll
@ 2023-01-12 18:08                     ` Rémy Dernat
  2023-01-12 18:16                       ` Dianne Skoll
  2023-01-12 20:50                     ` Fabrice Rouillier
  1 sibling, 1 reply; 24+ messages in thread
From: Rémy Dernat @ 2023-01-12 18:08 UTC (permalink / raw)
  To: galene



Hi,

My Galene server has been running behind an Nginx RP for more than one year. I
attached my Galene server configuration for nginx. It is really simple.

It needs a Let's Encrypt certificate, but you may be able to do it with
ZeroSSL or whatever, or even in basic HTTP with no certs.

I also have a "/room" served from this PHP code:
https://github.com/remyd1/galene_room

You can remove this part safely if not needed.

   - edit it and replace galene.example.tld with your FQDN

   - put this in /etc/nginx/sites-available, and make a symlink to it from
     /etc/nginx/sites-enabled

   - test it with "nginx -t"

   - if it is OK, it should just work as is after restarting the nginx
     service.


However, I have a cron job for LE renewals; when certs change, you
may need to check permissions and reload your HTTP server (my server is
running under a "galene" user, so this user uses ACLs ({get,set}facl)
to access /etc/letsencrypt [1][2]).


Best regards,


[1] In the attachments, you can also find a galene.service file to put in
/etc/systemd/system/, then do "systemctl daemon-reload" (...) "systemctl
start galene", and an update bash script to update a Galene server (my
Galene source code is in /opt/galene-src and Galene is installed in
~galene/...)

[2] To fix permissions after LE renewals, I have this in crontab:

@weekly /root/crons/letsencrypt && /root/fix-perms.sh && /usr/bin/systemctl restart galene

with fix-perms.sh content:

#!/bin/bash
# Re-grant the galene user access to the renewed certificate files.
echo "Checking permissions..."
chown -R galene:galene ~galene
# Let the galene user traverse and read the Let's Encrypt tree
setfacl -R -m u:galene:rx /etc/letsencrypt/
# Iterate with a glob instead of parsing `ls` output, and quote the path
for file in /etc/letsencrypt/live/galene.example.tld/*
do
     setfacl -m u:galene:r "$file"
done


-- 
Information systems project manager, CNRS
ISI team
ISEM UMR5554


[-- Attachment #1.1.2: galene.conf --]
[-- Type: text/plain, Size: 1618 bytes --]

server {
    listen 443 default_server ssl;
    listen [::]:443 default_server ssl;
    server_name galene.example.tld;
    ssl_certificate /etc/letsencrypt/live/galene.example.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/galene.example.tld/privkey.pem;

    location /room/api {
        root /var/www/html;
        deny all;
        return 404;
    }
    location /room {
        root /var/www/html;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
    }
    
    location /api {
        root /var/www/html/room/;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswdapi;
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
    }
    
    location / {
    
      # Force usage of https
      if ($scheme = http) {
        rewrite ^ https://$server_name$request_uri? permanent;
      }
    
      proxy_pass        https://127.0.0.1:8443;
      proxy_redirect    off;
      proxy_set_header  Host $host;
      proxy_set_header  X-Real-IP $remote_addr;
      proxy_set_header  X-Forwarded-Proto $scheme;
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header  X-Forwarded-Host $server_name;
     

      # WebSocket support
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
}

[-- Attachment #1.1.3: galene.service --]
[-- Type: text/x-dbus-service, Size: 290 bytes --]

# /etc/systemd/system/galene.service
[Unit]
Description=Galene
After=network.target

[Service]
Type=simple
WorkingDirectory=/home/galene
User=galene
Group=galene
EnvironmentFile=/etc/default/galene
ExecStart=/home/galene/galene $ARGS
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

[-- Attachment #1.1.4: update-galene.sh --]
[-- Type: application/x-shellscript, Size: 1043 bytes --]


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
  2023-01-12 18:08                     ` Rémy Dernat
@ 2023-01-12 18:16                       ` Dianne Skoll
  2023-01-12 21:30                         ` Juliusz Chroboczek
  0 siblings, 1 reply; 24+ messages in thread
From: Dianne Skoll @ 2023-01-12 18:16 UTC (permalink / raw)
  To: galene


On Thu, 12 Jan 2023 19:08:15 +0100
Rémy Dernat <remy.dernat@umontpellier.fr> wrote:

> My Galene server has been running behind an Nginx RP for more than one year.
> I attached my Galene server configuration for nginx. It is really
> simple.

I run it behind an Apache reverse-proxy.  Config is below.  You need
the mod_proxy_wstunnel module to proxy the Websocket traffic.

#-----------------------------------------------------------------------
  # Apache snippet to reverse-proxy galene running on port 8443
  ProxyPreserveHost on
  ProxyPass /ws ws://127.0.0.1:8443/ws
  ProxyPassReverse /ws ws://127.0.0.1:8443/ws

  ProxyPass / http://127.0.0.1:8443/
  ProxyPassReverse / http://127.0.0.1:8443/
#-----------------------------------------------------------------------

And this is my systemd unit:

#-----------------------------------------------------------------------
[Unit]
Description=Galene
After=network.target

[Service]
Type=simple
WorkingDirectory=/home/galene
User=galene
Group=galene
ExecStart=/home/galene/galene -turn ip.of.my.box:1194 -insecure -http 127.0.0.1:8443
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
#-----------------------------------------------------------------------

I use the -insecure option because Apache handles the TLS termination for me.

Regards,

Dianne.


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
  2023-01-12 15:34                   ` Dianne Skoll
  2023-01-12 18:08                     ` Rémy Dernat
@ 2023-01-12 20:50                     ` Fabrice Rouillier
  2023-01-12 21:37                       ` Juliusz Chroboczek
  1 sibling, 1 reply; 24+ messages in thread
From: Fabrice Rouillier @ 2023-01-12 20:50 UTC (permalink / raw)
  To: Dianne Skoll; +Cc: galene



> If Galene were complicated to set up, that might argue for using
> Docker to reduce installation headaches... but it's a single
> executable with a pretty simple set of config files, so I don't see
> Docker buying much.
> 
> Running behind an HTTP proxy, though, is very useful.
> 

Right. It is not a matter of running Galène in a container but of running Galène behind Traefik, in a container or not, and in particular of handling the ws protocol correctly.

The point is that Traefik is designed to be very powerful with Docker containers and has the key advantage of managing the LE certificates automatically.

Another point might also be to configure the TURN server to listen on port 443 for users on restricted networks using Galène in another network (for example from Sorbonne University…).

Regards

Fabrice


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
  2023-01-12 18:16                       ` Dianne Skoll
@ 2023-01-12 21:30                         ` Juliusz Chroboczek
  2023-01-15 21:16                           ` Fabrice Rouillier
  0 siblings, 1 reply; 24+ messages in thread
From: Juliusz Chroboczek @ 2023-01-12 21:30 UTC (permalink / raw)
  To: Dianne Skoll; +Cc: galene

>> My Galene server has been running behind an Nginx RP for more than one year.
>> I attached my Galene server configuration for nginx. It is really
>> simple.

> I run it behind an Apache reverse-proxy.  Config is below.  You need
> the mod_proxy_wstunnel module to proxy the Websocket traffic.

What both of you are doing is reverse proxying Galene's web server and
WebSocket endpoint while leaving the media endpoints exposed to the
Internet.  That's fine, and there are many circumstances where it is
useful.

On the other hand, what people used to web applications are requesting is
the ability to put Galene into a container isolated from the Internet,
with all the traffic going through a proxy.  That's not going to work, at
least not efficiently, and not without a lot of hassle.

In short: the Internet is more than just HTTP.

-- Juliusz

^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
  2023-01-12 20:50                     ` Fabrice Rouillier
@ 2023-01-12 21:37                       ` Juliusz Chroboczek
  0 siblings, 0 replies; 24+ messages in thread
From: Juliusz Chroboczek @ 2023-01-12 21:37 UTC (permalink / raw)
  To: Fabrice Rouillier; +Cc: Dianne Skoll, galene

> Another point might also be to configure the TURN server to listen
> on port 443 for users on restricted networks using Galène in
> another network (for example from Sorbonne University…).

That's an important point.  A TURN server on an unrestricted port is
essential in order for Galene to work on networks managed by the kind of
people who still believe that blocking ports is going to improve security.

The reason why Galene puts its TURN server on port 1194 by default is that
1194 is reserved for OpenVPN, and that the Eduroam policy document¹
requires that outgoing traffic to port 1194 must be allowed.  443 is even
more likely to be open, but it's a privileged port, and hence not suitable
for the default configuration.

(A nice side-effect of putting a TURN server on a carefully chosen port is
that Galene works over TOR.  But shhh...)

¹ https://www.eduroam.org/wp-content/uploads/2016/05/GN3-12-192_eduroam-policy-service-definition_ver28_26072012.pdf

-- Juliusz

^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
  2023-01-12 21:30                         ` Juliusz Chroboczek
@ 2023-01-15 21:16                           ` Fabrice Rouillier
  2023-01-27  9:11                             ` Fabrice Rouillier
  0 siblings, 1 reply; 24+ messages in thread
From: Fabrice Rouillier @ 2023-01-15 21:16 UTC (permalink / raw)
  To: Juliusz Chroboczek; +Cc: Dianne Skoll, galene


> 
> What both of you are doing is reverse proxying Galene's web server and
> WebSocket endpoint while leaving the media endpoints exposed to the
> Internet.  That's fine, and there are many circumstances where it is
> useful.
> 

Here is a way to do it using Traefik version 2, with Galene not running in a container, on a machine with local address 192.168.1.10 and external public name THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER.

The DMZ of my NAT (Freebox pop internet box) is set to 192.168.1.10.

In the docker-compose file that contains the Traefik service description, in the label section, just add:

      - "traefik.http.routers.visio.entrypoints=web,websecure"
      - "traefik.http.routers.visio.service=visio@file"
      - "traefik.http.routers.visio.rule=Host(`THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER`)"

Now in the file that describes the external service (in my case service.toml):

[http]
  [http.services]
    [http.services.visio]
      [http.services.visio.loadBalancer]
        [[http.services.visio.loadBalancer.servers]]
          url = "http://192.168.1.10:8443/"

Now, in galene data/config.json, put:

{
    "proxyURL": "https://THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER/"
}

From the galene installation directory run:

./galene -insecure -turn THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER:1194

All the best

Fabrice.

^ permalink raw reply	[flat|nested] 24+ messages in thread
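
The following cross-check of the four pieces in the message above (Traefik router labels, file-provider service, Galene's proxyURL, and the galene command line) is an added example, not code from the thread or from the Galene project. The function names and finding strings are hypothetical, the inputs are constructed from the snippets as posted, and it assumes that -insecure makes Galene serve plain HTTP.

```python
import ipaddress
import json
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample: the four snippets from the message above.
HOST = "THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER"
LABELS = ["traefik.http.routers.visio.entrypoints=web,websecure",
          "traefik.http.routers.visio.service=visio@file",
          "traefik.http.routers.visio.rule=Host(`%s`)" % HOST]
SERVICE_TOML = 'url = "http://192.168.1.10:8443/"'
CONFIG_JSON = '{"proxyURL": "https://%s/"}' % HOST
COMMAND = "./galene -insecure -turn %s:1194" % HOST


def is_private(host):
    """True if host is a literal private or loopback IP address."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an address literal
    return ip.is_private or ip.is_loopback


def check_setup(labels, service_toml, config_json, command):
    """Return a list of findings; an empty list means the pieces agree."""
    rule = re.search(r"Host\(`([^`]+)`\)", "\n".join(labels))
    router_host = rule.group(1).lower() if rule else None
    proxy = urlsplit(json.loads(config_json).get("proxyURL", ""))
    url = re.search(r'url\s*=\s*"([^"]+)"', service_toml)
    backend = urlsplit(url.group(1) if url else "")
    argv = shlex.split(command)
    # Simplification: only the "-turn value" form is recognised.
    turn = argv[argv.index("-turn") + 1] if "-turn" in argv[:-1] else ""
    turn_host, _, turn_port = turn.rpartition(":")

    findings = []
    if proxy.scheme != "https":  # browsers reach Galene through TLS at the proxy
        findings.append("proxyURL is not https")
    if proxy.hostname != router_host:  # group URLs must match the routed host
        findings.append("proxyURL host differs from the Traefik Host() rule")
    if (backend.scheme == "http") != ("-insecure" in argv):
        findings.append("backend URL scheme does not match -insecure")
    if is_private(turn_host.strip("[]")):  # not reachable from outside the LAN
        findings.append("TURN address is private")
    if turn_port.isdigit() and int(turn_port) < 1024:
        findings.append("TURN port %s is privileged" % turn_port)
    return findings
```

The check only reads configuration: with the router's DMZ pointing at 192.168.1.10, the plain-HTTP listener on port 8443 is forwarded as well unless a host firewall restricts it to the proxy.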

* [Galene] Re: ANNOUNCE: galene-0.6.2
  2023-01-12 17:00               ` Werner Fleck
@ 2023-01-17 13:55                 ` Werner Fleck
  0 siblings, 0 replies; 24+ messages in thread
From: Werner Fleck @ 2023-01-17 13:55 UTC (permalink / raw)
  To: galene

A follow-up: inspired by this discussion, I changed my setup to use the
internal turn server instead of coturn. This way the configuration is
much simpler.

I also updated the README
https://github.com/deburau/galene-docker/blob/main/README.md#complete-docker-compose-example.
Besides a running reverse proxy (traefik), only two configuration files
are necessary, i.e. docker-compose.yml and config.json.

-- Werner


On 12.01.2023 at 18:00, Werner Fleck wrote:
>
> I updated my Github repository 
> https://github.com/deburau/galene-docker/tree/main/example-configuration
>
>
> On 12.01.2023 at 16:18, Fabrice Rouillier wrote:
>> Please, could you export your full configuration (for example
>> docker-compose.yml)?
>>
>>
>> All the best
>>
>> Fabrice.
>> -------------------------
>> Fabrice Rouillier
>> fabrice@rouillier.fr
>>
>> Virtual office: http://visio-fabrice.rouillier.fr
>>
>>> On 12 Jan 2023 at 14:55, Werner Fleck <galene.org@flexoft.net> wrote:
>>>
>>> I'm running Coturn, also in a docker container.
>>>
>>> The Coturn container runs in host network mode, i.e. with direct 
>>> network access. I found this necessary because it uses UDP ports 
>>> 49152 to 65535 which was a performance killer using bridged networking.
>>>
>>> The Galène container runs in standard bridged mode but has no ports 
>>> exposed. It only gets docker internal traffic.
>>>
>>> The Traefik container is the entry point for all my HTTP and HTTPS 
>>> containers and does automatic certificate management. The Galène 
>>> container gets its traffic on port 80.
>>>
>>> The system runs very stable, but I only used it with less than 8
>>> participants. So I don't know how it would behave with much more
>>> clients.
>>>
>>>
>>>
>>> On 12.01.2023 at 13:42, Juliusz Chroboczek wrote:
>>>>> Actually I'm running Galène in a docker container behind a Traefik reverse
>>>>> proxy (also in a docker container) since two years without problems,
>>>> Interesting. What's the networking setup? Are you using an external TURN
>>>> server?
>>>>
>>>>> see https://hub.docker.com/repository/docker/deburau/galene/general
>>>> It's asking me to login.
>>>>
>>>> -- Juliusz

^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
  2023-01-15 21:16                           ` Fabrice Rouillier
@ 2023-01-27  9:11                             ` Fabrice Rouillier
  2023-01-27 11:50                               ` Juliusz Chroboczek
  0 siblings, 1 reply; 24+ messages in thread
From: Fabrice Rouillier @ 2023-01-27  9:11 UTC (permalink / raw)
  To: Juliusz Chroboczek; +Cc: Dianne Skoll, galene

Hi all,

Some observations about this configuration behind a freebox after two weeks of use:

- does not work with firefox

- works fine with all the other navigators we have tested (chrome, safari, chromium, brave, etc.) on all networks where ports 443 and 1194 are open, in particular … eduroam.

So my question is: what's wrong with firefox?

The dream: replacing port 1194 with 443 for the turn server in order to work with even more restrictive networks (for example the wired network of sorbonne university).


All the best,

Fabrice.

-------------------------
Fabrice Rouillier
fabrice@rouillier.fr

Virtual office: http://visio-fabrice.rouillier.fr

> On 15 Jan 2023 at 22:16, Fabrice Rouillier <fabrice@rouillier.fr> wrote:
> 
>> 
>> What both of you are doing is reverse proxying Galene's web server and
>> WebSocket endpoint while leaving the media endpoints exposed to the
>> Internet.  That's fine, and there are many circumstances where it is
>> useful.
>> 
> 
> Here is a way to do it using Traefik version 2, with galene not running in a container, on a machine with local address 192.168.1.10 and external public name THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER.
> 
> The DMZ of my NAT (Freebox pop internet box) is set to 192.168.1.10.
> 
> In the docker-compose that contains the traefik service description, in the label section just add:
> 
>       - "traefik.http.routers.visio.entrypoints=web,websecure"
>       - "traefik.http.routers.visio.service=visio@file"
>       - "traefik.http.routers.visio.rule=Host(`THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER`)"
> 
> Now in the file that describes the external service (in my case service.toml):
> 
> [http]
>   [http.services]
>     [http.services.visio]
>       [http.services.visio.loadBalancer]
>         [[http.services.visio.loadBalancer.servers]]
>           url = "http://192.168.1.10:8443/"
> 
> Now, in galene data/config.json, put:
> 
> {
>     "proxyURL": "https://THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER/"
> }
> 
> From the galene installation directory run:
> 
> ./galene -insecure -turn THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER:1194
> 
> All the best
> 
> Fabrice.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
  2023-01-27  9:11                             ` Fabrice Rouillier
@ 2023-01-27 11:50                               ` Juliusz Chroboczek
  2023-01-27 11:56                                 ` Fabrice Rouillier
  0 siblings, 1 reply; 24+ messages in thread
From: Juliusz Chroboczek @ 2023-01-27 11:50 UTC (permalink / raw)
  To: Fabrice Rouillier; +Cc: galene

> - does not work with firefox

Please go to "about:webrtc", then "show details" and show us the
"ICE Stats" table.

-- Juliusz

^ permalink raw reply	[flat|nested] 24+ messages in thread

* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
  2023-01-27 11:50                               ` Juliusz Chroboczek
@ 2023-01-27 11:56                                 ` Fabrice Rouillier
  0 siblings, 0 replies; 24+ messages in thread
From: Fabrice Rouillier @ 2023-01-27 11:56 UTC (permalink / raw)
  To: Juliusz Chroboczek; +Cc: galene

Ok. Might take time since today all the networks I access are using IPv6 …

Fabrice.

-------------------------
Fabrice Rouillier
fabrice@rouillier.fr

Virtual office: http://visio-fabrice.rouillier.fr

> On 27 Jan 2023 at 12:50, Juliusz Chroboczek <jch@irif.fr> wrote:
> 
>> - does not work with firefox
> 
> Please go to "about:webrtc", then "show details" and show us the
> "ICE Stats" table.
> 
> -- Juliusz


^ permalink raw reply	[flat|nested] 24+ messages in thread
