From: "Rémy Dernat" <remy.dernat@umontpellier.fr>
To: galene@lists.galene.org
Subject: [Galene] Re: Installation Script
Date: Mon, 12 Apr 2021 09:56:40 +0200
Message-ID: <833a546d-dbe2-00c4-273e-16bc6664a9f8@umontpellier.fr>
In-Reply-To: <AB725304-0B9D-4608-AA56-717A9BDC63D0@rouillier.fr>

Hi Fabrice,

Thanks. That could be helpful.

Nevertheless, I have done a couple of things that could also be useful
for your script. If you want, feel free to pick things/change your
script accordingly.

First, there is an nginx configuration available from the Yunohost package
here:

https://github.com/YunoHost-Apps/galene_ynh/blob/testing/conf/nginx.conf

This configuration file was very useful to me. I am using it for
proxying Galène on HTTPS. Here is a resulting configuration using it
in /etc/nginx/sites-enabled/galene:

    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name galene.domain.tld visio.domain.tld;
        ssl_certificate     /etc/letsencrypt/live/galene.domain.tld/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/galene.domain.tld/privkey.pem;

        location / {
            # Force usage of https
            if ($scheme = http) {
                rewrite ^ https://$server_name$request_uri? permanent;
            }

            proxy_pass https://127.0.0.1:8443;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;

            # WebSocket support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

To avoid any issue with Let's Encrypt renew crons and scripts (that
would need another copy in ~galene/data), I added the acl package to
allow the galene user to read /etc/letsencrypt/ (instead of just copying the
certs in /home/galene/data/):

    apt-get install acl
    setfacl -R -m u:galene:r /etc/letsencrypt
    setfacl -m u:galene:x /etc/letsencrypt
    setfacl -m u:galene:x /etc/letsencrypt/live
    setfacl -m u:galene:x /etc/letsencrypt/live/galene.domain.tld
    setfacl -m u:galene:x /etc/letsencrypt/archive/galene.domain.tld
    setfacl -m u:galene:x /etc/letsencrypt/archive
    ln -s /etc/letsencrypt/live/galene.domain.tld/chain.pem ~galene/data/chain.pem
    ln -s /etc/letsencrypt/live/galene.domain.tld/privkey.pem ~galene/data/key.pem
    ln -s /etc/letsencrypt/live/galene.domain.tld/privkey.pem ~galene/data/privkey.pem
    ln -s /etc/letsencrypt/live/galene.domain.tld/cert.pem ~galene/data/cert.pem
    ln -s /etc/letsencrypt/live/galene.domain.tld/fullchain.pem ~galene/data/fullchain.pem

Then, I also added a configuration file to source in
/etc/default/galene, containing (after creating the /var/log directories):

    ARGS=" -memprofile /var/log/galene/mem.log -cpuprofile /var/log/galene/cpu.log"

But you could add your turn configuration or whatever option...

Modification to the systemd script is very simple; just change:

    ExecStart=/home/galene/galene

to:

    EnvironmentFile=/etc/default/galene
    ExecStart=/home/galene/galene $ARGS

By the way, if anyone knows how to use these {cpu,mem} profile files ...?

Thanks,

Best regards,

Rémy

On 12/04/2021 at 09:10, Fabrice Rouillier wrote:
> Hi,
>
> I have implemented and tested a script to install Galene and a TURN
> that works behind a Router, even a domestic one.
>
> You can download it here:
> https://gitlab.inria.fr/rouillie/visio/-/tree/master/galene
>
> It works only for Ubuntu 20.04 or Debian buster for the moment, mainly
> because I am lazy :-) but it opens the door to a very easy deployment
> on a cloud or simply at home.
>
> Cheers,
>
> Fabrice
> -------------------------
> Fabrice Rouillier
> fabrice@rouillier.fr
>
> Virtual office: https://www.rouillier.fr/visio/fabrice
>
>> On 10 Apr 2021 at 16:41, Fabrice Rouillier <fabrice@rouillier.fr> wrote:
>>
>> Hi Juliusz,
>>
>> Thanks for your help.
>> See below for a simple setting that works with our external coturn.
>>
>>> The problem is probably that your NAT doesn't implement hairpinning, so
>>> Galène and the TURN server cannot communicate.
>>> Coturn is probably
>>> connecting over IPv6, which the built-in server doesn't handle.
>>
>> I have deactivated the IPV6 everywhere and double checked (inspecting
>> about:websocket) in Firefox that it does not use IPV6.
>>
>>> Could you please check Galène's log for mentions of a relay test?
>>> If the
>>> server-side relay test (the one in Galène's log) fails, that's probably
>>> indicative of a problem with hairpinning.
>>
>> Server side: the relay-test does not fail.
>>
>> Client side:
>> - using the builtin turn, the relay test fails,
>> - using coturn (on the same server) it works.
>>
>>> Fabrice — if your instance of Galène is behind NAT, then I strongly
>>> recommend running an instance of coturn on a host that is not behind
>>> NAT.
>>
>> The following works:
>>
>> - port forwarding from my router (Freebox) to a Linux 20.04 VM
>>   (virtual box):
>>
>>     49152-65535 (UDP/TCP)
>>     3478 (UDP/TCP)
>>     8443 (UDP/TCP)
>>
>> - coturn on the VM with the following configuration
>>
>>     listening-port=3478
>>     fingerprint
>>     lt-cred-mech
>>     user=<TURN USER>:<TURN PASSWD>
>>     server-name=<TURN SERVER NAME>
>>     realm=<DOMAINE>
>>
>> - galene on the VM launched with the option -turn auto
>>   and data/ice-servers.json with the following contents
>>
>>     [
>>         {
>>             "Urls": [
>>                 "turn:<TURN SERVER NAME>:3478",
>>                 "turn:<TURN SERVER NAME>:3478?transport=tcp"
>>             ],
>>             "username": "<TURN USER>",
>>             "credential": "<TURN PASSWD>"
>>         }
>>     ]
>>
--
Rémy Dernat
IS project manager
IR CNRS - ISI / ISEM
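
Added example (not part of the message above and not Galène project code): the recursive `setfacl -R` in the message also covers every other certificate lineage and the ACME account keys that certbot keeps under /etc/letsencrypt/accounts/. The sketch below prints a narrower ACL plan for a single lineage; `acl_plan`, `make_demo_tree` and the sample tree are hypothetical names and constructed data, and certbot's standard live/ and archive/ layout is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. It prints setfacl commands (a dry
# run) and changes nothing. Assumes certbot's layout, where live/<domain>/*.pem
# are symlinks into archive/<domain>/.

# acl_plan ROOT DOMAIN USER (hypothetical helper)
# Traverse (x) on the directories leading to one lineage, read (r) on that
# lineage's files only; nothing under accounts/ or other domains.
acl_plan() {
    root=$1 domain=$2 user=$3
    for d in "$root/live/$domain" "$root/archive/$domain"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d" >&2
            return 1
        fi
    done
    for d in "$root" "$root/live" "$root/live/$domain" \
             "$root/archive" "$root/archive/$domain"; do
        printf 'setfacl -m u:%s:x %s\n' "$user" "$d"
    done
    # The live/ entries are symlinks, so the ACL goes on the real files.
    for f in "$root/archive/$domain"/*.pem; do
        if [ -f "$f" ]; then
            printf 'setfacl -m u:%s:r %s\n' "$user" "$f"
        fi
    done
}

# Constructed sample tree (not real data): two lineages and an ACME account key.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/live/galene.domain.tld" "$t/archive/galene.domain.tld" \
             "$t/archive/other.domain.tld" "$t/accounts/demo"
    for n in cert chain fullchain privkey; do
        : > "$t/archive/galene.domain.tld/${n}1.pem"
        ln -s "../../archive/galene.domain.tld/${n}1.pem" \
              "$t/live/galene.domain.tld/$n.pem"
    done
    : > "$t/archive/other.domain.tld/privkey1.pem"
    : > "$t/accounts/demo/private_key.json"
    echo "$t"
}

if tree=$(make_demo_tree); then
    acl_plan "$tree" galene.domain.tld galene
    rm -rf "$tree"
fi
```

Renewal writes new numbered files into archive/<domain>/, and per-file ACL entries do not carry over to them, so the plan has to be regenerated after each renewal (for example from a certbot deploy hook).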