[Galene] Re: Galene in Docker [was: ANNOUNCE: galene-0.6.2]

["Rémy Dernat" <remy.dernat@umontpellier.fr>]

[-- Attachment #1.1.1: Type: text/plain, Size: 2668 bytes --]

Hi,

My Galene server is running behind a Nginx RP for more than one year. I 
attached my galene server configuration on nginx. It is really simple.

It needs a Let's encrypt certificate, but you may be able to do it with 
ZeroSSL or whatever, or even in basic HTTP with no certs.

I have also a "/room" served from this php code : 
https://github.com/remyd1/galene_room

You can remove this part safely if not needed.

   - edit it and replace galene.example.tld with your FQDN

   - put this in /etc/nginx/sites-available, and do a symlink to it from 
/etc/nginx/sites-enabled

   - test it with "nginx -t"

   - if it is ok, it just should work as is after restarting the nginx 
service.


However, I have a cron job for LE renewals; when certs are changing, you 
may need to check permissions and reload your HTTP server (my server is 
running under a "galene" user, so this user is using acl ({get,set}facl) 
to access to /etc/letsencrypt [1][2]).


Best regards,


[1] in attachments, you can also find a galene.service file to put in 
/etc/systemd/system/, then do "systemctl daemon-reload" (...) "systemctl 
start galene" and an update bash script to update a galene server (my 
galene source code is in /opt/galene-src and galene is installed in 
~galene/...)

[2] To fix permissions after LE renewals, I have this in crontab

@weekly /root/crons/letsencrypt && /root/fix-perms.sh && 
/usr/bin/systemctl restart galene

with fix-perms.sh content :

#!/bin/bash
echo "Checking permissions..."
chown -R galene:galene ~galene
setfacl -R -m u:galene:rx /etc/letsencrypt/
for file in `ls /etc/letsencrypt/live/galene.example.tld/`
do
     setfacl -m u:galene:r /etc/letsencrypt/live/galene.example.tld/$file
done

Le 12/01/2023 à 16:34, Dianne Skoll a écrit :
> On Thu, 12 Jan 2023 16:29:05 +0100
> Juliusz Chroboczek <jch@irif.fr> wrote:
>
>> I think we're agreeing: running Galene in a Docker container is
>> possible, but it's not as convenient as with traditional web apps.  I
>> feel it's not worth the hassle, but reasonable people may disagree.
> If Galene were complicated to set up, that might argue for using
> Docker to reduce installation headaches... but it's a single
> executable with a pretty simple set of config files, so I don't see
> Docker buying much.
>
> Running behind an HTTP proxy, though, is very useful.
>
> Regards,
>
> Dianne.
> _______________________________________________
> Galene mailing list -- galene@lists.galene.org
> To unsubscribe send an email to galene-leave@lists.galene.org

-- 
Chef de projet SI CNRS
Equipe ISI
ISEM UMR5554


[-- Attachment #1.1.2: galene.conf --]
[-- Type: text/plain, Size: 1618 bytes --]

server {
    listen 443 default_server ssl;
    listen [::]:443 default_server ssl;
    server_name galene.example.tld;
    ssl_certificate /etc/letsencrypt/live/galene.example.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/galene.example.tld/privkey.pem;

    location /room/api {
        root /var/www/html;
        deny all;
        return 404;
    }
    location /room {
        root /var/www/html;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
    }
    
    location /api {
        root /var/www/html/room/;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswdapi;
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
    }
    
    location / {
    
      # Force usage of https
      if ($scheme = http) {
        rewrite ^ https://$server_name$request_uri? permanent;
      }
    
      proxy_pass        https://127.0.0.1:8443;
      proxy_redirect    off;
      proxy_set_header  Host $host;
      proxy_set_header  X-Real-IP $remote_addr;
      proxy_set_header  X-Forwarded-Proto $scheme;
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header  X-Forwarded-Host $server_name;
     

      # WebSocket support
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
}

[-- Attachment #1.1.3: galene.service --]
[-- Type: text/x-dbus-service, Size: 290 bytes --]

# /etc/systemd/system/galene.service
[Unit]
Description=Galene
After=network.target

[Service]
Type=simple
WorkingDirectory=/home/galene
User=galene
Group=galene
EnvironmentFile=/etc/default/galene
ExecStart=/home/galene/galene $ARGS
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

[-- Attachment #1.1.4: update-galene.sh --]
[-- Type: application/x-shellscript, Size: 1043 bytes --]

[-- Attachment #1.1.5: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 2327 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]