Hi Fabrice,

Thanks. That could be helpful.

Nevertheless, I have done a couple of things that could also be useful for your script. If you want, feel free to pick things/change your script accordingly.

First, there is a nginx configuration available from Yunohost package here : https://github.com/YunoHost-Apps/galene_ynh/blob/testing/conf/nginx.conf

This configuration file was very useful to me. I am using it for proxying Galène on HTTPS. Here is a resulting configuration using it in /etc/nginx/sites-enabled/galene:

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name galene.domain.tld visio.domain.tld;
    ssl_certificate /etc/letsencrypt/live/galene.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/galene.domain.tld/privkey.pem;

    location / {
        # Force usage of https (only takes effect if this server block
        # also listens on port 80; as written it only listens on 443)
        if ($scheme = http) {
            rewrite ^ https://$server_name$request_uri? permanent;
        }

        proxy_pass        https://127.0.0.1:8443;
        proxy_redirect    off;
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Host $server_name;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

To avoid any issue with Let's Encrypt renew crons and scripts (that would need another copy in ~galene/data), I added the acl package to allow the galene user to read /etc/letsencrypt/ (instead of just copying the certs into /home/galene/data/):

apt-get install acl

setfacl -R -m u:galene:r /etc/letsencrypt
setfacl -m u:galene:x /etc/letsencrypt
setfacl -m u:galene:x /etc/letsencrypt/live
setfacl -m u:galene:x /etc/letsencrypt/live/galene.domain.tld
setfacl -m u:galene:x /etc/letsencrypt/archive/galene.domain.tld
setfacl -m u:galene:x /etc/letsencrypt/archive

ln -s /etc/letsencrypt/live/galene.domain.tld/chain.pem ~galene/data/chain.pem
ln -s /etc/letsencrypt/live/galene.domain.tld/privkey.pem ~galene/data/key.pem
ln -s /etc/letsencrypt/live/galene.domain.tld/privkey.pem ~galene/data/privkey.pem
ln -s /etc/letsencrypt/live/galene.domain.tld/cert.pem ~galene/data/cert.pem
ln -s /etc/letsencrypt/live/galene.domain.tld/fullchain.pem ~galene/data/fullchain.pem


Then, I also added a configuration file to source in /etc/default/galene, containing (after creating the /var/log directories) :

ARGS=" -memprofile /var/log/galene/mem.log  -cpuprofile /var/log/galene/cpu.log"

But you could add your turn configuration or whatever option...

Modification to the systemd script is very simple; just change:

ExecStart=/home/galene/galene

to:

EnvironmentFile=/etc/default/galene
ExecStart=/home/galene/galene $ARGS


By the way, if anyone knows how to use these {cpu,mem} profile files ...?

Thanks,

Best regards,

Rémy
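An added example (not from the post above or from the Galène project) of the same ACL grant narrowed to one lineage: traverse-only on the directory chain, read only on that lineage's archive files, and re-runnable as a certbot deploy hook so files created by a renewal are covered. It assumes the user name galene, the lineage galene.domain.tld, the acl package, and certbot's RENEWED_LINEAGE hook variable.

```shell
#!/bin/sh
# Added example, not from the original post: grant the galene user read
# access to ONE Let's Encrypt lineage instead of "-R ... r" on all of
# /etc/letsencrypt (which also exposes other lineages' private keys).
# Assumed names: user "galene", lineage "galene.domain.tld".
set -eu

# Execute a command, or just print it when DRY_RUN is set (for testing).
run() {
    if [ "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# grant_cert_access USER DOMAIN [LETSENCRYPT_DIR]
grant_cert_access() {
    user=$1 domain=$2 le=${3:-/etc/letsencrypt}
    # Traverse-only (x) on the directory chain: the user can follow the
    # live/ symlinks but cannot list or read other lineages.
    for d in "$le" "$le/live" "$le/live/$domain" \
             "$le/archive" "$le/archive/$domain"; do
        run setfacl -m "u:$user:x" "$d"
    done
    # Read (r) only on this lineage's real files; live/*.pem are symlinks
    # into archive/, so the read bit has to be on the archive copies.
    for f in "$le/archive/$domain"/*.pem; do
        [ -e "$f" ] || continue
        run setfacl -m "u:$user:r" "$f"
    done
}

# Under a certbot deploy hook, RENEWED_LINEAGE is /etc/letsencrypt/live/<domain>
# (renewal writes new numbered files, which this re-grants); from the
# command line pass USER and DOMAIN explicitly.
main() {
    if [ "${RENEWED_LINEAGE:-}" ]; then
        grant_cert_access galene "$(basename "$RENEWED_LINEAGE")"
    else
        grant_cert_access "${1:-galene}" "${2:-galene.domain.tld}"
    fi
}

# Only run when invoked under this script name, e.g. after copying it to
# /etc/letsencrypt/renewal-hooks/deploy/galene-cert-acl.sh
case "$0" in *galene-cert-acl.sh) main "$@" ;; esac
```

Verify the result from the galene account with something like `sudo -u galene cat /etc/letsencrypt/live/galene.domain.tld/privkey.pem` and confirm that another lineage's privkey.pem is refused.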

On 12/04/2021 at 09:10, Fabrice Rouillier wrote:
Hi,

I have implemented and tested a script to install Galene and a TURN that works behind a Router, even a domestic one.

You can download it here : https://gitlab.inria.fr/rouillie/visio/-/tree/master/galene

It works only for Ubuntu 20.04 or Debian buster for the moment, mainly because I am lazy :-) but it opens the door to a very easy deployment on a cloud or simply at home.

Cheers,

Fabrice
-------------------------
Fabrice Rouillier

Virtual office : https://www.rouillier.fr/visio/fabrice





On 10 Apr 2021 at 16:41, Fabrice Rouillier <fabrice@rouillier.fr> wrote:

Hi Juliusz,

Thanks for your help.
See below for a simple setting that works with our external coturn.

The problem is probably that your NAT doesn't implement hairpinning, so
Galène and the TURN server cannot communicate. Coturn is probably
connecting over IPv6, which the built-in server doesn't handle.

I have deactivated the IPV6 everywhere and double checked (inspecting about:websocket) in Firefox that it does not use IPV6.

Could you please check Galène's log for mentions of a relay test?  If the
server-side relay test (the one in Galène's log) fails, that's probably
indicative of a problem with hairpinning.

Server side : the relay test does not fail.

Client side :
   - using the builtin turn, the relay test fails,
   - using coturn (on the same server) it works.

Fabrice — if your instance of Galène is behind NAT, then I strongly
recommend running an instance of coturn on a host that is not behind NAT.

The following works : 

- port forwarding from my router (Freebox) to a Linux 20.04  VM (virtual box) : 

   49152-65535 (UDP/TCP)
   3478 (UDP/TCP) 
   8443 (UDP/TCP) 

- coturn on the VM with the following configuration

  listening-port=3478
  fingerprint
  lt-cred-mech
  user=<TURN USER>:<TURN PASSWD>
  server-name=<TURN SERVER NAME>
  realm=<DOMAINE>

- galene on the VM launched with the option -turn auto 
  and data/ice-servers.json with the following contents

[
    {
        "Urls": [
            "turn:<TURN SERVER NAME>:3478",
            "turn:<TURN SERVER NAME>:3478?transport=tcp"
        ],
        "username": "<TURN USER>",
        "credential": "<TURN PASSWD>"
    }
]



_______________________________________________
Galene mailing list -- galene@lists.galene.org
To unsubscribe send an email to galene-leave@lists.galene.org
-- 
Rémy Dernat
IT project manager
IR CNRS - ISI / ISEM