Galène videoconferencing server discussion list archives
From: Juliusz Chroboczek <jch@irif.fr>
To: Rob Dean <robdeanmzl@gmail.com>
Cc: galene@lists.galene.org
Subject: [Galene]  Re: Galène with PHP
Date: Fri, 05 Mar 2021 14:27:57 +0100
Message-ID: <87k0ql3f36.wl-jch@irif.fr>
In-Reply-To: <CA+_U3xavep8nMpdY5Sg1VmDUf24UfT0nx4+xXB2Q=dcvo2iq5Q@mail.gmail.com>

> I'm still wondering how to get PHP working on port 8443, so that I can run PHP
> and MYSQL alongside Galene. (e.g. https://www.servername.com:8443/test.php)

One way would be to run Galène behind a frontend proxy such as nginx or
Apache.  The frontend would need to proxy the WebSocket at /ws to Galène,
and to proxy any PHP requests to a PHP interpreter, probably over fcgi.
As to the static pages, it's probably best to have them served directly by
the frontend.

> I definitely cannot have a host php page running on port 80 that
> attempts to create the websocket for Galene over on port 8443 via
> javascript.

You could probably do that.  You'd just need to very slightly relax
Galène's security checks, by doing something like the appended patch
(untested).

In case you want to understand what it does: by default, Galène accepts
WebSocket connections if either they don't carry an Origin header, or they
carry an Origin header that matches the host:port of the server; this
avoids attacks where third-party JavaScript is used to access a server
that is behind a firewall.  The attached patch relaxes the latter part of
the test, by only checking the hostname, not the port.  You may tweak the
test as needed.

-- Juliusz

diff --git a/webserver/webserver.go b/webserver/webserver.go
index e336f88..9aaac4a 100644
--- a/webserver/webserver.go
+++ b/webserver/webserver.go
@@ -10,6 +10,7 @@ import (
 	"html"
 	"io"
 	"log"
+	"net"
 	"net/http"
 	"net/url"
 	"os"
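Review bot: the CheckOrigin function added in the next hunk calls strings.EqualFold, but this import hunk adds only "net". The diff does not show whether "strings" is already imported in webserver.go, so check that and add it next to "net" if it is missing; otherwise the file will not compile.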
@@ -440,6 +441,25 @@ func statsHandler(w http.ResponseWriter, r *http.Request, dataDir string) {
 
 var wsUpgrader = websocket.Upgrader{
 	HandshakeTimeout: 30 * time.Second,
+	CheckOrigin: func(r *http.Request) bool {
+		origin := r.Header["Origin"]
+		if len(origin) == 0 {
+			return true
+		}
+		u, err := url.Parse(origin[0])
+		if err != nil {
+			return false
+		}
+		host1, _, err := net.SplitHostPort(u.Host)
+		if err != nil {
+			return false
+		}
+		host2, _, err := net.SplitHostPort(r.Host)
+		if err != nil {
+			return false
+		}
+		return strings.EqualFold(host1, host2)
+	},
 }
 
 func wsHandler(w http.ResponseWriter, r *http.Request) {
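Review bot: both net.SplitHostPort calls in CheckOrigin return an error when the value carries no explicit port, so an Origin such as http://www.servername.com (a page on the default port) or a Host header without a port reaches `return false` and the connection is refused; that includes the port-80 page this patch is meant to allow. Take the hostname of the Origin with u.Hostname(), and fall back to the unsplit r.Host when SplitHostPort fails on it. Neither the port nor the scheme of the Origin is compared after this change, so a page served from any port on the same hostname passes the test; if only one additional origin is needed, comparing against that specific host:port keeps the check tighter.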

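An added example, not part of the original message or of Galène's code: the two origin rules described in the message (host:port must match, versus hostname only) written as a standalone Go function in which the port is optional on either side. The names originAllowed and hostOnly and the sample hosts are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// hostOnly strips an optional :port; a bare hostname is returned unchanged.
func hostOnly(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return strings.Trim(hostport, "[]") // no port: drop IPv6 brackets only
}

// originAllowed reports whether a WebSocket handshake should be accepted.
// origin is the Origin header value ("" if absent), host is the Host header.
// ignorePort=false is the default rule as the message describes it (host:port
// must match); ignorePort=true compares hostnames only (hypothetical helper).
func originAllowed(origin, host string, ignorePort bool) bool {
	if origin == "" {
		return true // no Origin header, e.g. a non-browser client
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false // unparseable or opaque origin such as "null"
	}
	if !ignorePort {
		return strings.EqualFold(u.Host, host)
	}
	return strings.EqualFold(u.Hostname(), hostOnly(host))
}

func main() {
	// Constructed cases: server on :8443, pages on other ports or hosts.
	cases := []struct{ origin, host string }{
		{"https://www.servername.com:8443", "www.servername.com:8443"},
		{"http://www.servername.com", "www.servername.com:8443"},
		{"https://evil.example", "www.servername.com:8443"},
		{"", "www.servername.com:8443"},
	}
	for _, c := range cases {
		fmt.Printf("%-34q strict=%-5v relaxed=%v\n", c.origin,
			originAllowed(c.origin, c.host, false),
			originAllowed(c.origin, c.host, true))
	}
}
```

The second case is the one from the thread: a page on port 80 is rejected by the strict rule and accepted by the relaxed one, while a different hostname is rejected by both.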