* [Galene] ANNOUNCE: galene-0.6.2
@ 2023-01-11 18:57 Juliusz Chroboczek
  2023-01-11 19:20 ` [Galene] Re: ANNOUNCE: galene-0.6.2 Juliusz Chroboczek
  0 siblings, 1 reply; 24+ messages in thread
From: Juliusz Chroboczek @ 2023-01-11 18:57 UTC
To: galene

Dear all,

Galene 0.6.2 is available by doing

  git clone -b galene-0.6.2 https://github.com/jech/galene

For more information about the Galene videoconference server, please see

  https://galene.org

This release works around a bug found in most browsers that would cause
screensharing to have very bad quality. It also fixes issues with badly
packetised VP8 streams, such as the ones generated by GStreamer.

There is one incompatible change: the rules for computing a group's URL
have changed. If you are running behind a reverse proxy, you may need to
set the new "proxyURL" field of the configuration file.

-- Juliusz
* [Galene] Re: ANNOUNCE: galene-0.6.2
From: Juliusz Chroboczek @ 2023-01-11 19:20 UTC
To: galene

> Galene 0.6.2 is available by doing
>
>   git clone -b galene-0.6.2 https://github.com/jech/galene

Here's the changelog:

11 January 2023: Galene 0.6.2

  * Disable simulcast for screensharing; this didn't work well with many
    browsers.
  * Fix parsing of VP8 packets with degenerate headers.
  * Fix computation of group URL when running in insecure mode.
  * Add configuration option "proxyURL", which makes it easier to run
    Galene behind a reverse proxy.
  * Disable ulimit checking on BSD systems, where our code doesn't compile.
* [Galene] Re: ANNOUNCE: galene-0.6.2
From: Fabrice Rouillier @ 2023-01-12 7:07 UTC
To: Juliusz Chroboczek; +Cc: galene

Hi,

> * Add configuration option "proxyURL", which makes it easier to run
>   Galene behind a reverse proxy.

A full example using Traefik would be highly appreciated, especially for
people installing Galene behind their internet box.

The top would be a docker image including integration instructions for
Traefik, taking into account Traefik's capability to handle certificates
automatically.

I am not sufficiently expert to propose something correct, but I would
volunteer for testing.

All the best.

Fabrice.

> * Disable ulimit checking on BSD systems, where our code doesn't compile.
> _______________________________________________
> Galene mailing list -- galene@lists.galene.org
> To unsubscribe send an email to galene-leave@lists.galene.org
* [Galene] Re: ANNOUNCE: galene-0.6.2
From: Juliusz Chroboczek @ 2023-01-12 12:13 UTC
To: Fabrice Rouillier; +Cc: galene

> The top would be a docker image

I am sorry, but I do not know how to run Galene in a Docker container.
Docker provides a plethora of networking options, none of which appear to
be able to make a server accessible from the Internet.

I may be mistaken, but I get the impression that Docker is simply not
designed for general network servers.

-- Juliusz
* [Galene] Re: ANNOUNCE: galene-0.6.2
From: Werner Fleck @ 2023-01-12 12:18 UTC
To: galene

Actually I'm running Galène in a docker container behind a Traefik
reverse proxy (also in a docker container), for two years now without
problems, see

  https://hub.docker.com/repository/docker/deburau/galene/general

Werner

On 12.01.2023 at 13:13 Juliusz Chroboczek wrote:
>> The top would be a docker image
> I am sorry, but I do not know how to run Galene in a Docker container.
> Docker provides a plethora of networking options, none of which appear to
> be able to make a server accessible from the Internet.
>
> I may be mistaken, but I get the impression that Docker is simply not
> designed for general network servers.
>
> -- Juliusz
* [Galene] Re: ANNOUNCE: galene-0.6.2
From: Juliusz Chroboczek @ 2023-01-12 12:42 UTC
To: Werner Fleck; +Cc: galene

> Actually I'm running Galène in a docker container behind a Traefik reverse
> proxy (also in a docker container) for two years without problems,

Interesting. What's the networking setup? Are you using an external TURN
server?

> see https://hub.docker.com/repository/docker/deburau/galene/general

It's asking me to login.

-- Juliusz
* [Galene] Re: ANNOUNCE: galene-0.6.2
From: Werner Fleck @ 2023-01-12 13:55 UTC
To: galene

I'm running Coturn, also in a docker container.

The Coturn container runs in host network mode, i.e. with direct network
access. I found this necessary because it uses UDP ports 49152 to 65535,
which was a performance killer using bridged networking.

The Galène container runs in standard bridged mode but has no ports
exposed. It only gets docker internal traffic.

The Traefik container is the entry point for all my HTTP and HTTPS
containers and does automatic certificate management. The Galène
container gets its traffic on port 80.

The system runs very stable, but I only used it with less than 8
participants. So I don't know how it would behave with many more clients.

On 12.01.2023 at 13:42 Juliusz Chroboczek wrote:
>> Actually I'm running Galène in a docker container behind a Traefik
>> reverse proxy (also in a docker container) for two years without
>> problems,
> Interesting. What's the networking setup? Are you using an external TURN
> server?
>
>> see https://hub.docker.com/repository/docker/deburau/galene/general
> It's asking me to login.
>
> -- Juliusz
* [Galene] Galene in Docker [was: ANNOUNCE: galene-0.6.2]
From: Juliusz Chroboczek @ 2023-01-12 14:47 UTC
To: Werner Fleck; +Cc: galene

> I'm running Coturn, also in a docker container.
> The Coturn container runs in host network mode, i.e. with direct network
> access. I found this necessary because it uses UDP ports 49152 to 65535
> which was a performance killer using bridged networking.

Yes, there's no way around it: if you run Galene behind a NAT, you need
something outside of the NAT to establish communication.

> The Galène container runs in standard bridged mode but has no ports
> exposed. It only gets docker internal traffic.

Are you allowing unrestricted outgoing UDP traffic from the Galene
container? If you don't, then all of the traffic will be routed through
the TURN server, which will cause load on the TURN server and increase
connection establishment delay by two seconds.

If you do allow unrestricted traffic from Galene, then your solution is
pretty good. However, it requires setting up an external TURN server,
which I feel is more hassle than just running Galene directly exposed to
the Internet.

> The system runs very stable, but I only used it with less than
> 8 participants. So I don't know how it would behave with many more
> clients.

You should have no problems (as long as you're allowing unrestricted
outgoing UDP). There's a slight increase in connection establishment time
due to the STUN exchange with the TURN server, but it should be
negligible.

-- Juliusz
* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
From: Werner Fleck @ 2023-01-12 15:01 UTC
To: Juliusz Chroboczek; +Cc: galene

Outgoing traffic is not restricted and I have not noticed a significant
connection establishment delay.

And yes, running the Galene container (or any other container) in host
networking mode would be easier to set up. But since I have many services
on my server and only a single IPv4 address, this is not possible if all
services should be reachable at their own hostname on port 443. And
running some ports in host mode and others in bridged mode is not
possible afaik.

On 12.01.2023 at 15:47 Juliusz Chroboczek wrote:
>> I'm running Coturn, also in a docker container.
>> The Coturn container runs in host network mode, i.e. with direct network
>> access. I found this necessary because it uses UDP ports 49152 to 65535
>> which was a performance killer using bridged networking.
> Yes, there's no way around it: if you run Galene behind a NAT, you need
> something outside of the NAT to establish communication.
>
>> The Galène container runs in standard bridged mode but has no ports
>> exposed. It only gets docker internal traffic.
> Are you allowing unrestricted outgoing UDP traffic from the Galene
> container? If you don't, then all of the traffic will be routed through
> the TURN server, which will cause load on the TURN server and increase
> connection establishment delay by two seconds.
>
> If you do allow unrestricted traffic from Galene, then your
> solution is pretty good. However, it requires setting up an external TURN
> server, which I feel is more hassle than just running Galene directly
> exposed to the Internet.
>
>> The system runs very stable, but I only used it with less than
>> 8 participants. So I don't know how it would behave with many more
>> clients.
> You should have no problems (as long as you're allowing unrestricted
> outgoing UDP). There's a slight increase in connection establishment time
> due to the STUN exchange with the TURN server, but it should be
> negligible.
>
> -- Juliusz
* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
From: Juliusz Chroboczek @ 2023-01-12 15:29 UTC
To: Werner Fleck; +Cc: galene

> And yes, running the Galene container (or any other container) in host
> networking mode would be easier to set up. But since I have many services
> on my server and only a single IPv4 address, this is not possible if all
> services should be reachable at their own hostname on port 443. And running
> some ports in host mode and others in bridged mode is not possible afaik.

I think we're agreeing: running Galene in a Docker container is possible,
but it's not as convenient as with traditional web apps. I feel it's not
worth the hassle, but reasonable people may disagree.

I second Fabrice's request: it'd be helpful if you could publish your
config.

-- Juliusz
* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
From: Fabrice Rouillier @ 2023-01-12 15:32 UTC
To: Juliusz Chroboczek; +Cc: Werner Fleck, galene

> I second Fabrice's request: it'd be helpful if you could publish your
> config.

I will try it on a Mac mini M1 behind a Freebox pop (supposed to support
hairpinning) with already installed services using docker and Traefik.

Fabrice.

> -- Juliusz
* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
From: Dianne Skoll @ 2023-01-12 15:34 UTC
To: galene

On Thu, 12 Jan 2023 16:29:05 +0100
Juliusz Chroboczek <jch@irif.fr> wrote:

> I think we're agreeing: running Galene in a Docker container is
> possible, but it's not as convenient as with traditional web apps. I
> feel it's not worth the hassle, but reasonable people may disagree.

If Galene were complicated to set up, that might argue for using Docker
to reduce installation headaches... but it's a single executable with a
pretty simple set of config files, so I don't see Docker buying much.

Running behind an HTTP proxy, though, is very useful.

Regards,

Dianne.
* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
From: Rémy Dernat @ 2023-01-12 18:08 UTC
To: galene

Hi,

My Galene server has been running behind an Nginx reverse proxy for more
than one year. I attached my nginx configuration for the galene server.
It is really simple.

It needs a Let's Encrypt certificate, but you may be able to do it with
ZeroSSL or whatever, or even in basic HTTP with no certs.

I also have a "/room" served from this php code:
https://github.com/remyd1/galene_room
You can remove this part safely if not needed.

- edit it and replace galene.example.tld with your FQDN
- put this in /etc/nginx/sites-available, and do a symlink to it from
  /etc/nginx/sites-enabled
- test it with "nginx -t"
- if it is ok, it should just work as is after restarting the nginx
  service.

However, I have a cron job for LE renewals; when certs change, you may
need to check permissions and reload your HTTP server (my server is
running under a "galene" user, so this user uses ACLs ({get,set}facl) to
access /etc/letsencrypt [1][2]).

Best regards,

[1] in attachments, you can also find a galene.service file to put in
/etc/systemd/system/, then do "systemctl daemon-reload" (...)
"systemctl start galene", and an update bash script to update a galene
server (my galene source code is in /opt/galene-src and galene is
installed in ~galene/...)

[2] To fix permissions after LE renewals, I have this in crontab:

@weekly /root/crons/letsencrypt && /root/fix-perms.sh && /usr/bin/systemctl restart galene

with fix-perms.sh content:

#!/bin/bash
echo "Checking permissions..."
# galene owns everything under its home directory
chown -R galene:galene ~galene
# give the galene user read access and directory traversal throughout
# /etc/letsencrypt (recursively, so this covers archive/ as well, i.e.
# every key certbot keeps on this host)
setfacl -R -m u:galene:rx /etc/letsencrypt/
# and explicitly read access on the files in the live/ directory of the
# Galene domain
for file in /etc/letsencrypt/live/galene.example.tld/*
do
    setfacl -m u:galene:r "$file"
done

On 12/01/2023 at 16:34, Dianne Skoll wrote:
> On Thu, 12 Jan 2023 16:29:05 +0100
> Juliusz Chroboczek <jch@irif.fr> wrote:
>
>> I think we're agreeing: running Galene in a Docker container is
>> possible, but it's not as convenient as with traditional web apps. I
>> feel it's not worth the hassle, but reasonable people may disagree.
> If Galene were complicated to set up, that might argue for using
> Docker to reduce installation headaches... but it's a single
> executable with a pretty simple set of config files, so I don't see
> Docker buying much.
>
> Running behind an HTTP proxy, though, is very useful.
>
> Regards,
>
> Dianne.

--
IS project manager, CNRS
ISI team, ISEM UMR5554

[-- Attachment #1.1.2: galene.conf --]

server {
    listen 443 default_server ssl;
    listen [::]:443 default_server ssl;
    server_name galene.example.tld;

    ssl_certificate     /etc/letsencrypt/live/galene.example.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/galene.example.tld/privkey.pem;

    # the room helper's API directory is never served; "return 404" runs in
    # the rewrite phase, before "deny all" would even be evaluated
    location /room/api {
        root /var/www/html;
        deny all;
        return 404;
    }

    # PHP room helper (https://github.com/remyd1/galene_room), behind
    # HTTP basic auth; drop this block and the /api one if not needed
    location /room {
        root /var/www/html;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
    }

    location /api {
        root /var/www/html/room/;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswdapi;
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
    }

    location / {
        # Force usage of https (this server block only listens on 443 ssl,
        # so $scheme is always https here and the rewrite never fires)
        if ($scheme = http) {
            rewrite ^ https://$server_name$request_uri? permanent;
        }
        # Galene terminates TLS itself on 8443, which is why the galene
        # user needs read access to the Let's Encrypt files above
        proxy_pass https://127.0.0.1:8443;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

[-- Attachment #1.1.3: galene.service --]

# /etc/systemd/system/galene.service
[Unit]
Description=Galene
After=network.target

[Service]
Type=simple
WorkingDirectory=/home/galene
User=galene
Group=galene
# command-line arguments come from ARGS= in this file
EnvironmentFile=/etc/default/galene
ExecStart=/home/galene/galene $ARGS
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

[-- Attachment #1.1.4: update-galene.sh --]
* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
From: Dianne Skoll @ 2023-01-12 18:16 UTC
To: galene

On Thu, 12 Jan 2023 19:08:15 +0100
Rémy Dernat <remy.dernat@umontpellier.fr> wrote:

> My Galene server is running behind a Nginx RP for more than one year.
> I attached my galene server configuration on nginx. It is really
> simple.

I run it behind an Apache reverse-proxy. Config is below. You need the
mod_proxy_wstunnel module to proxy the Websocket traffic.

#-----------------------------------------------------------------------
# Apache snippet to reverse-proxy galene running on port 8443
ProxyPreserveHost on
# /ws must come before the catch-all "/": mod_proxy uses the first
# ProxyPass that matches, and the WebSocket endpoint needs the ws://
# scheme (mod_proxy_wstunnel) rather than http://
ProxyPass /ws ws://127.0.0.1:8443/ws
ProxyPassReverse /ws ws://127.0.0.1:8443/ws
ProxyPass / http://127.0.0.1:8443/
ProxyPassReverse / http://127.0.0.1:8443/
#-----------------------------------------------------------------------

And this is my systemd unit:

#-----------------------------------------------------------------------
[Unit]
Description=Galene
After=network.target

[Service]
Type=simple
WorkingDirectory=/home/galene
User=galene
Group=galene
# plain HTTP on loopback only; TLS is terminated by Apache
ExecStart=/home/galene/galene -turn ip.of.my.box:1194 -insecure -http 127.0.0.1:8443
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
#-----------------------------------------------------------------------

I use the -insecure option because Apache handles the TLS termination for
me.

Regards,

Dianne.
* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
From: Juliusz Chroboczek @ 2023-01-12 21:30 UTC
To: Dianne Skoll; +Cc: galene

>> My Galene server is running behind a Nginx RP for more than one year.
>> I attached my galene server configuration on nginx. It is really
>> simple.

> I run it behind an Apache reverse-proxy. Config is below. You need
> the mod_proxy_wstunnel module to proxy the Websocket traffic.

What both of you are doing is reverse proxying Galene's web server and
WebSocket endpoint while leaving the media endpoints exposed to the
Internet. That's fine, and there are many circumstances where it is
useful.

On the other hand, what people used to web applications are requesting is
the ability to put Galene into a container isolated from the Internet,
with all the traffic going through a proxy. That's not going to work, at
least not efficiently, and not without a lot of hassle.

In short: the Internet is more than just HTTP.

-- Juliusz
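The three reverse-proxy configurations in this thread (Rémy's nginx, Dianne's Apache with mod_proxy_wstunnel, Werner's Traefik) all have to get the same two things right that Juliusz describes: the WebSocket upgrade on /ws must reach Galene unchanged, and the TURN port must stay reachable directly, because the proxy carries no media. The script below is an added example, not from the thread or the Galene project, that checks both from an outside client: it fetches the front page over HTTPS, performs a WebSocket handshake against /ws and judges the proxy's reply, and tries a TCP connect to the TURN port. It assumes the WebSocket endpoint is /ws (the path Dianne's Apache snippet proxies), the default TURN port 1194, and that curl and an OpenBSD-style nc are installed on the client. ws_handshake_ok only looks at the handshake headers, so it can be exercised offline on captured responses.

```shell
#!/bin/sh
# Added example: external sanity check for a Galene behind a reverse proxy.
# Not from the mailing-list thread or the Galene project. Assumes the
# WebSocket endpoint is /ws, TURN on 1194 unless given, curl and nc present.
set -eu

# Decide from the proxy's handshake reply whether the WebSocket upgrade got
# through: a real upgrade is "101 Switching Protocols" together with
# "Upgrade: websocket". A proxy that swallows the Upgrade/Connection
# headers typically answers 200 (the normal page), 400 or 426 instead.
# Reads the raw response headers on stdin; returns 0 only for a good one.
ws_handshake_ok() {
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^http\/[0-9.]* \([0-9]*\).*/\1/p')
    case "$status" in
        101) printf '%s\n' "$hdrs" | grep -q '^upgrade: *websocket' ;;
        *)   return 1 ;;
    esac
}

# Run the three checks against a public hostname; prints one line each and
# returns 1 if any check failed.
check_galene_front() {
    host="$1"; turn_port="${2:-1194}"; rc=0

    # 1. The HTTPS front page: TLS termination and the catch-all proxy rule.
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "https://$host/") || true
    if [ "$code" = "200" ]; then
        echo "ok   https://$host/ -> $code"
    else
        echo "FAIL https://$host/ -> ${code:-no response}"; rc=1
    fi

    # 2. The WebSocket handshake on /ws. curl has no WebSocket mode here, so
    #    force HTTP/1.1 (Upgrade is meaningless on HTTP/2), dump the reply
    #    headers and let --max-time cut the idle stream after a 101.
    key=$(head -c 16 /dev/urandom | base64)
    if curl -s --http1.1 -o /dev/null -D - --max-time 5 \
            -H 'Connection: Upgrade' -H 'Upgrade: websocket' \
            -H 'Sec-WebSocket-Version: 13' -H "Sec-WebSocket-Key: $key" \
            "https://$host/ws" 2>/dev/null | ws_handshake_ok; then
        echo "ok   wss://$host/ws -> 101 Switching Protocols"
    else
        echo "FAIL wss://$host/ws (proxy not forwarding Upgrade/Connection?)"; rc=1
    fi

    # 3. The TURN port, which must bypass the proxy entirely. Only TCP can
    #    be probed like this; a blocked UDP 1194 will not show up here.
    if command -v nc >/dev/null 2>&1; then
        if nc -z -w 3 "$host" "$turn_port" 2>/dev/null; then
            echo "ok   turn $host:$turn_port/tcp reachable"
        else
            echo "FAIL turn $host:$turn_port/tcp (firewall, NAT or wrong -turn address?)"; rc=1
        fi
    else
        echo "skip turn port check (nc not installed)"
    fi
    return $rc
}

if [ $# -gt 0 ]; then
    check_galene_front "$@"
fi
```

Run it as `./galene-check.sh THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER 1194` from a network other than the server's own LAN, otherwise a router without hairpinning (the Freebox question earlier in the thread) will make every check fail for the wrong reason. A failing second check with a passing first one is the signature of a proxy rule that serves HTTP but does not forward the upgrade, which is exactly what Dianne's separate ws:// ProxyPass line and Rémy's Upgrade/Connection headers exist to prevent.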
* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
From: Fabrice Rouillier @ 2023-01-15 21:16 UTC
To: Juliusz Chroboczek; +Cc: Dianne Skoll, galene

> What both of you are doing is reverse proxying Galene's web server and
> WebSocket endpoint while leaving the media endpoints exposed to the
> Internet. That's fine, and there are many circumstances where it is
> useful.

Here is a way to do it using Traefik version 2, with galene not running
in a container, on a machine with local address 192.168.1.10 and external
public name THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER.

The DMZ of my NAT (Freebox pop internet box) is set to 192.168.1.10.

In the docker-compose that contains the traefik service description, in
the labels section just add:

  - "traefik.http.routers.visio.entrypoints=web,websecure"
  - "traefik.http.routers.visio.service=visio@file"
  - "traefik.http.routers.visio.rule=Host(`THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER`)"

Now in the file that describes the external service (in my case
service.toml):

  [http]
    [http.services]
      [http.services.visio]
        [http.services.visio.loadBalancer]
          [[http.services.visio.loadBalancer.servers]]
            url = "http://192.168.1.10:8443/"

Now, in galene's data/config.json, put:

  {
    "proxyURL": "https://THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER/"
  }

From the galene installation directory run:

  ./galene -insecure -turn THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER:1194

All the best

Fabrice.
* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
From: Fabrice Rouillier @ 2023-01-27 9:11 UTC
To: Juliusz Chroboczek; +Cc: Dianne Skoll, galene

Hi all,

Some observations about this configuration behind a freebox after two
weeks of use:

- does not work with firefox
- works fine with all the other browsers we have tested (chrome, safari,
  chromium, brave, etc.) on all networks where ports 443 and 1194 are
  open, in particular ... eduroam.

So my question is: what's wrong with firefox?

The dream: replacing port 1194 with 443 for the turn server in order to
work with even more restrictive networks (for example the wired network
of Sorbonne University).

All the best,

Fabrice.
-------------------------
Fabrice Rouillier
fabrice@rouillier.fr
Virtual office: http://visio-fabrice.rouillier.fr

> On 15 Jan 2023 at 22:16, Fabrice Rouillier <fabrice@rouillier.fr> wrote:
>
>> What both of you are doing is reverse proxying Galene's web server and
>> WebSocket endpoint while leaving the media endpoints exposed to the
>> Internet. That's fine, and there are many circumstances where it is
>> useful.
>
> Here is a way to do it using Traefik version 2, with galene not running
> in a container, on a machine with local address 192.168.1.10 and
> external public name THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER.
>
> The DMZ of my NAT (Freebox pop internet box) is set to 192.168.1.10.
>
> In the docker-compose that contains the traefik service description, in
> the labels section just add:
>
>   - "traefik.http.routers.visio.entrypoints=web,websecure"
>   - "traefik.http.routers.visio.service=visio@file"
>   - "traefik.http.routers.visio.rule=Host(`THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER`)"
>
> Now in the file that describes the external service (in my case
> service.toml):
>
>   [http]
>     [http.services]
>       [http.services.visio]
>         [http.services.visio.loadBalancer]
>           [[http.services.visio.loadBalancer.servers]]
>             url = "http://192.168.1.10:8443/"
>
> Now, in galene's data/config.json, put:
>
>   {
>     "proxyURL": "https://THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER/"
>   }
>
> From the galene installation directory run:
>
>   ./galene -insecure -turn THE_PUBLIC_HOSTNAME_OF_THE_GALENE_SERVER:1194
>
> All the best
>
> Fabrice.
* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
From: Juliusz Chroboczek @ 2023-01-27 11:50 UTC
To: Fabrice Rouillier; +Cc: galene

> - does not work with firefox

Please go to "about:webrtc", then "show details" and show us the
"ICE Stats" table.

-- Juliusz
* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
From: Fabrice Rouillier @ 2023-01-27 11:56 UTC
To: Juliusz Chroboczek; +Cc: galene

Ok. Might take time since today all the networks I access are using IPv6...

Fabrice.
-------------------------
Fabrice Rouillier
fabrice@rouillier.fr
Virtual office: http://visio-fabrice.rouillier.fr

> On 27 Jan 2023 at 12:50, Juliusz Chroboczek <jch@irif.fr> wrote:
>
>> - does not work with firefox
>
> Please go to "about:webrtc", then "show details" and show us the
> "ICE Stats" table.
>
> -- Juliusz
* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
From: Fabrice Rouillier @ 2023-01-12 20:50 UTC
To: Dianne Skoll; +Cc: galene

> If Galene were complicated to set up, that might argue for using
> Docker to reduce installation headaches... but it's a single
> executable with a pretty simple set of config files, so I don't see
> Docker buying much.
>
> Running behind an HTTP proxy, though, is very useful.

Right. It is not a matter of running galène in a container but of
running galène behind traefik, in a container or not, and in particular
handling the ws protocol correctly.

The point is that traefik is designed to be very powerful with docker
containers and has the key advantage of managing the LE certificates
automatically.

Another point might also be to configure the turn server to listen on
port 443 for users on restricted networks using galène from another
network (for example from Sorbonne University....)

Regards

Fabrice

> Regards,
>
> Dianne.
* [Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]
From: Juliusz Chroboczek @ 2023-01-12 21:37 UTC
To: Fabrice Rouillier; +Cc: Dianne Skoll, galene

> Another point might also be to configure the turn server to listen on
> port 443 for users on restricted networks using galène from another
> network (for example from Sorbonne University....)

That's an important point. A TURN server on an unrestricted port is
essential in order for Galene to work on networks managed by the kind of
people who still believe that blocking ports is going to improve security.

The reason why Galene puts its TURN server on port 1194 by default is
that 1194 is reserved for OpenVPN, and that the Eduroam policy document¹
requires that outgoing traffic to port 1194 must be allowed. 443 is even
more likely to be open, but it's a privileged port, and hence not suitable
for the default configuration.

(A nice side-effect of putting a TURN server on a carefully chosen port is
that Galene works over TOR. But shhh...)

¹ https://www.eduroam.org/wp-content/uploads/2016/05/GN3-12-192_eduroam-policy-service-definition_ver28_26072012.pdf

-- Juliusz
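Port 443 being privileged rules it out as a default, not as a deployment choice: on Linux the unprivileged galene user can be allowed to bind it by granting CAP_NET_BIND_SERVICE to the service, and a systemd drop-in is the right place for that because a file capability set with setcap on the binary is lost every time the binary is replaced (for instance by Rémy's update script). The script below is an added example, not from the thread or the Galene project. It writes a drop-in for the galene.service unit used in Dianne's and Rémy's posts, keeps Dianne's -insecure -http 127.0.0.1:8443 arguments and only changes the -turn address. It assumes the address you pass is a second public IP, or at least a different one from the address the reverse proxy listens on: as far as I know Galene's built-in TURN server listens on TCP as well as UDP, so on the proxy's address it would collide with the proxy's TCP 443. turn_addr_ok rejects the wildcard forms that are certain to collide but cannot know which address the proxy uses.

```shell
#!/bin/sh
# Added example: let the unprivileged "galene" user bind the TURN server to
# port 443 via a systemd drop-in, instead of running Galene as root.
# Not from the thread or the Galene project. Assumptions: the unit is
# galene.service as in the thread; the address given is not the one the
# reverse proxy already serves TCP 443 on.
set -eu

# Sanity-check an ip:port for -turn. A bare ":443" or a wildcard address
# would try to take TCP 443 on every interface, including the proxy's.
turn_addr_ok() {
    addr="$1"
    case "$addr" in
        :*|0.0.0.0:*|'[::]:'*) return 1 ;;   # wildcard: collides with the proxy
        *:*) ;;
        *) return 1 ;;                        # no port given
    esac
    port="${addr##*:}"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;             # not a number
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Write <unit_dir>/galene.service.d/turn443.conf. ExecStart= must be
# cleared with an empty assignment before a Type=simple service's command
# can be redefined in a drop-in. Prints the path of the file written.
write_turn_dropin() {
    unit_dir="$1"; turn_addr="$2"; galene_bin="${3:-/home/galene/galene}"
    turn_addr_ok "$turn_addr" || { echo "bad TURN address: $turn_addr" >&2; return 1; }
    mkdir -p "$unit_dir/galene.service.d"
    cat > "$unit_dir/galene.service.d/turn443.conf" <<EOF
[Service]
# Allow binding ports below 1024 while still running as User=galene.
# Ambient capabilities survive the switch to the unprivileged user and do
# not depend on file capabilities, so replacing the binary is harmless.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ExecStart=
ExecStart=$galene_bin -insecure -http 127.0.0.1:8443 -turn $turn_addr
EOF
    echo "$unit_dir/galene.service.d/turn443.conf"
}

main() {
    [ $# -ge 1 ] || { echo "usage: $0 TURN_IP:443 [/path/to/galene]" >&2; exit 2; }
    f=$(write_turn_dropin /etc/systemd/system "$1" "${2:-/home/galene/galene}")
    echo "wrote $f"
    systemctl daemon-reload
    systemctl restart galene
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

After `systemctl restart galene`, `ss -lntup | grep 443` should show the galene process on the TURN address for both TCP and UDP and the proxy on its own address; if Galene fails to start with a bind error, the two addresses are the same and you need a second IP (or keep TURN on 1194, as the Eduroam policy above guarantees that port anyway). The same drop-in works unchanged for Rémy's unit, which takes its arguments from /etc/default/galene: the ExecStart override simply replaces the $ARGS line.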
* [Galene] Re: ANNOUNCE: galene-0.6.2
From: Fabrice Rouillier @ 2023-01-12 15:18 UTC
To: Werner Fleck; +Cc: galene

Please, could you export your full configuration (for example
docker-compose.yml)?

All the best

Fabrice.
-------------------------
Fabrice Rouillier
fabrice@rouillier.fr
Virtual office: http://visio-fabrice.rouillier.fr

> On 12 Jan 2023 at 14:55, Werner Fleck <galene.org@flexoft.net> wrote:
>
> I'm running Coturn, also in a docker container.
>
> The Coturn container runs in host network mode, i.e. with direct network
> access. I found this necessary because it uses UDP ports 49152 to 65535
> which was a performance killer using bridged networking.
>
> The Galène container runs in standard bridged mode but has no ports
> exposed. It only gets docker internal traffic.
>
> The Traefik container is the entry point for all my HTTP and HTTPS
> containers and does automatic certificate management. The Galène
> container gets its traffic on port 80.
>
> The system runs very stable, but I only used it with less than 8
> participants. So I don't know how it would behave with many more clients.
>
> On 12.01.2023 at 13:42 Juliusz Chroboczek wrote:
>>> Actually I'm running Galène in a docker container behind a Traefik
>>> reverse proxy (also in a docker container) for two years without
>>> problems,
>> Interesting. What's the networking setup? Are you using an external
>> TURN server?
>>
>>> see https://hub.docker.com/repository/docker/deburau/galene/general
>> It's asking me to login.
>>
>> -- Juliusz
* [Galene] Re: ANNOUNCE: galene-0.6.2
  2023-01-12 15:18 ` [Galene] Re: ANNOUNCE: galene-0.6.2 Fabrice Rouillier
@ 2023-01-12 17:00 ` Werner Fleck
  2023-01-17 13:55 ` Werner Fleck
  0 siblings, 1 reply; 24+ messages in thread
From: Werner Fleck @ 2023-01-12 17:00 UTC
To: galene

I updated my Github repository
https://github.com/deburau/galene-docker/tree/main/example-configuration

On 12.01.2023 at 16:18 Fabrice Rouillier wrote:
> Please, could you export your full configuration (for example
> docker-compose.yml)?
>
> All the best
>
> Fabrice.
* [Galene] Re: ANNOUNCE: galene-0.6.2
  2023-01-12 17:00 ` Werner Fleck
@ 2023-01-17 13:55 ` Werner Fleck
  0 siblings, 0 replies; 24+ messages in thread
From: Werner Fleck @ 2023-01-17 13:55 UTC
To: galene

A follow-up: inspired by this discussion, I changed my setup to use the
internal turn server instead of coturn. This way the configuration is much
simpler. I also updated the README
https://github.com/deburau/galene-docker/blob/main/README.md#complete-docker-compose-example.
Besides a running reverse proxy (traefik), only two configuration files are
necessary, i.e. docker-compose.yml and config.json

-- Werner

On 12.01.2023 at 18:00 Werner Fleck wrote:
> I updated my Github repository
> https://github.com/deburau/galene-docker/tree/main/example-configuration
end of thread, other threads: [~2023-01-27 11:57 UTC | newest]

Thread overview: 24+ messages
2023-01-11 18:57 [Galene] ANNOUNCE: galene-0.6.2 Juliusz Chroboczek
2023-01-11 19:20 ` [Galene] " Juliusz Chroboczek
2023-01-12  7:07   ` Fabrice Rouillier
2023-01-12 12:13     ` Juliusz Chroboczek
2023-01-12 12:18       ` Werner Fleck
2023-01-12 12:42         ` Juliusz Chroboczek
2023-01-12 13:55           ` Werner Fleck
2023-01-12 14:47             ` [Galene] Galene in Docker [was: ANNOUNCE: galene-0.6.2] Juliusz Chroboczek
2023-01-12 15:01               ` [Galene] " Werner Fleck
2023-01-12 15:29                 ` Juliusz Chroboczek
2023-01-12 15:32               ` Fabrice Rouillier
2023-01-12 15:34                 ` Dianne Skoll
2023-01-12 18:08                   ` Rémy Dernat
2023-01-12 18:16                     ` Dianne Skoll
2023-01-12 21:30                       ` Juliusz Chroboczek
2023-01-15 21:16                         ` Fabrice Rouillier
2023-01-27  9:11                           ` Fabrice Rouillier
2023-01-27 11:50                             ` Juliusz Chroboczek
2023-01-27 11:56                               ` Fabrice Rouillier
2023-01-12 20:50                   ` Fabrice Rouillier
2023-01-12 21:37                     ` Juliusz Chroboczek
2023-01-12 15:18             ` [Galene] Re: ANNOUNCE: galene-0.6.2 Fabrice Rouillier
2023-01-12 17:00               ` Werner Fleck
2023-01-17 13:55                 ` Werner Fleck