Galène videoconferencing server discussion list archives
 help / color / mirror / Atom feed
From: Juliusz Chroboczek <>
To: Rob Dean <>
Subject: [Galene]  Re: Galène with PHP
Date: Fri, 05 Mar 2021 14:27:57 +0100
Message-ID: <> (raw)
In-Reply-To: <>

> I'm still wondering how to get PHP working on port 8443, so that I can run PHP
> and MYSQL alongside Galene. (e.g.

One way would be to run Galène behind a frontend proxy such as nginx or
Apache.  The frontend would need to proxy the WebSocket at /ws to Galène,
and to proxy any PHP requests to a PHP interpreter, probably over fcgi.
As to the static pages, it's probably best to have them served directly be
the frontend.

> I definitely cannot have a host php page running on port 80 that
> attempts to create the websocket for Galene over on port 8443 via
> javascript.

You could probably do that.  You'd just need to very slightly relax
Galène's security checks, by doing something like the appended patch

In case you want to understand what it does: by default, Galène accepts
WebSocket connections if either they don't carry an Origin header, or they
carry an Origin header that matches the host:port of the server; this
avoids attacks where third-party Javascript is used to access a server
that is behind a firewall.  The attached patch relaxes the latter patch of
the test, by only checking the hostname, not the port.  You may tweak the
test as needed.

-- Juliusz

diff --git a/webserver/webserver.go b/webserver/webserver.go
index e336f88..9aaac4a 100644
--- a/webserver/webserver.go
+++ b/webserver/webserver.go
@@ -10,6 +10,7 @@ import (
+	"net"
@@ -440,6 +441,25 @@ func statsHandler(w http.ResponseWriter, r *http.Request, dataDir string) {
 var wsUpgrader = websocket.Upgrader{
 	HandshakeTimeout: 30 * time.Second,
+	CheckOrigin: func(r *http.Request) bool {
+		origin := r.Header["Origin"]
+		if len(origin) == 0 {
+			return true
+		}
+		u, err := url.Parse(origin[0])
+		if err != nil {
+			return false
+		}
+		host1, _, err := net.SplitHostPort(u.Host)
+		if err != nil {
+			return false
+		}
+		host2, _, err := net.SplitHostPort(r.Host)
+		if err != nil {
+			return false
+		}
+		return strings.EqualFold(host1, host2)
+	},
 func wsHandler(w http.ResponseWriter, r *http.Request) {

  parent reply	other threads:[~2021-03-05 13:28 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <>
2021-03-02 18:37 ` Juliusz Chroboczek
2021-03-02 20:48   ` Gabriel Kerneis
     [not found]   ` <>
2021-03-05 13:27     ` Juliusz Chroboczek [this message]
2021-03-05 15:56       ` Jeroen van Veen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

  List information:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Galène videoconferencing server discussion list archives

This inbox may be cloned and mirrored by anyone:

	git clone --mirror

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 galene galene/ \
	public-inbox-index galene

Example config snippet for mirrors.

AGPL code for this site: git clone