[Galene] Galène with PHP
From: Rob Dean @ 2021-03-02 17:59 UTC
To: galene

Hi there everyone,

I was wondering if it were possible to use Galène inside a PHP page, as we want to get our students to fill out some details before joining in, and we thought that we could use PHP SESSION cookies to check they've completed everything before letting them in.

Best wishes and kind regards,
Rob
[Galene] Re: Galène with PHP
From: Juliusz Chroboczek @ 2021-03-02 18:37 UTC
To: Rob Dean; Cc: galene

> I was wondering if it were possible to use Galène inside a PHP page, as we want
> to get our students to fill out some details before joining in, and we thought
> that we could use php SESSION cookies to check they've completed everything
> before letting them in.

Sure. What you'll want to do depends on your security model, though.

The simplest, but least secure, would be to check your session cookie in the galene.js file; look around line 2600, where it says

    document.getElementById('userform').onsubmit

This is easily gamed by the user (they can edit the source code in the browser), but if the goal is simply to guide the students and has no influence on their grades, it's probably good enough.

If, on the other hand, you want stronger security, you'll need to pass the session cookie to the server and do the validation there. You'll need to add a parameter to the serverConnect.join method, pass the value within the "value" field of the join message, and do the validation in the function handleClientMessage in webclient.go.

-- Juliusz
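As an added example (not code from Galène and not from anyone in this thread): one way to do the server-side validation Juliusz describes, without giving Galène access to PHP's session store, is to have the PHP page mint a short-lived HMAC-signed pass token once the student has completed the form. The page sends that token in the "value" field of the join message and the Go side verifies it before admitting the user; a client-side check in galene.js can be edited away, this cannot. Everything below is hypothetical: the token layout (username|expiry|hex MAC), the shared secret, the mintToken/verifyToken names and the decision to bind the token to the username are my choices. The PHP side would produce the same MAC with hash_hmac('sha256', $payload, $secret).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Hypothetical shared secret, known to the PHP app and to Galène. In a real
// deployment it comes from configuration, never from source.
var sharedSecret = []byte("constructed-demo-secret-replace-me")

var errBadToken = errors.New("invalid or expired pass token")

// mac returns HMAC-SHA256(secret, payload); PHP's hash_hmac('sha256', ...)
// yields the same bytes.
func mac(secret []byte, payload string) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(payload))
	return h.Sum(nil)
}

// mintToken is what the PHP page would do after the form is complete:
// produce "username|expiry|hex(mac)" for the page to put in the join
// message's "value" field. Binding the username into the MAC means a token
// issued to one student cannot be replayed under another name.
func mintToken(secret []byte, username string, expiry time.Time) (string, error) {
	if strings.Contains(username, "|") {
		return "", errors.New("username must not contain '|'")
	}
	payload := username + "|" + strconv.FormatInt(expiry.Unix(), 10)
	return payload + "|" + hex.EncodeToString(mac(secret, payload)), nil
}

// verifyToken is the check the server would run on the join message: the
// token must be well-formed, unexpired, minted for the username the client
// is joining as, and carry a valid MAC (compared in constant time).
func verifyToken(secret []byte, token, username string, now time.Time) error {
	parts := strings.Split(token, "|")
	if len(parts) != 3 || parts[0] != username {
		return errBadToken
	}
	expiry, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || now.Unix() > expiry {
		return errBadToken
	}
	got, err := hex.DecodeString(parts[2])
	if err != nil {
		return errBadToken
	}
	if !hmac.Equal(got, mac(secret, parts[0]+"|"+parts[1])) {
		return errBadToken
	}
	return nil
}

func main() {
	now := time.Now()
	tok, _ := mintToken(sharedSecret, "alice", now.Add(time.Hour))
	fmt.Println("token:               ", tok)
	fmt.Println("alice joins as alice:", verifyToken(sharedSecret, tok, "alice", now))
	fmt.Println("token reused as bob: ", verifyToken(sharedSecret, tok, "bob", now))
	fmt.Println("two hours later:     ", verifyToken(sharedSecret, tok, "alice", now.Add(2*time.Hour)))
}
```

The expiry is part of the signed payload, so a student who edits the timestamp in the browser invalidates the MAC; the only thing the client can do with the token is present it unchanged, within its lifetime, for the name it was issued to.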
[Galene] Re: Galène with PHP
From: Gabriel Kerneis @ 2021-03-02 20:48 UTC
To: galene

On Tue, 2 Mar 2021, at 19:37, Juliusz Chroboczek wrote:
> > I was wondering if it were possible to use Galène inside a PHP page, as we want
> > to get our students to fill out some details before joining in, and we thought
> > that we could use php SESSION cookies to check they've completed everything
> > before letting them in.
>
> Sure. What you'll want to do depends on your security model, though.

Another option would be to write a PHP app that validates whatever requirements, and then updates the groups JSON file to allow the user in. Galene will automatically reload the JSON file when the PHP app updates it. Of course, you'll want to be really careful about atomically updating the file (I don't know PHP well enough to know whether this is possible, but my recollection from a couple of decades ago is that it could use on-disk lock files).

Gabriel
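Gabriel's suggestion stands or falls on the update being atomic, so here, as an added example in Go rather than PHP (not from Galène and not from anyone in this thread), is the write discipline it needs: parse the group file, add the student, write the result to a temporary file in the same directory, fsync it and rename it over the original, with an exclusive lock on a lock file beside it so that concurrent requests serialise their read-modify-write. A reader such as Galène, which reloads the file when it changes, then sees either the complete old file or the complete new one. The group file layout used here (op/presenter/other lists of username+password objects, a "public" flag) is my assumption about Galène's format and the sample file is constructed; the flock call is Unix-only. A PHP implementation would use the same pattern with tempnam, file_put_contents, fsync, rename and flock.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// Constructed sample group file; the layout (op/presenter/other lists of
// username+password objects) is my assumption about Galène's format.
const sampleGroup = `{
  "op": [{"username": "teacher", "password": "constructed-op-pw"}],
  "presenter": [{"username": "alice", "password": "constructed-pw-1"}],
  "public": false
}`

type user struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// loadGroup keeps unknown fields as raw JSON so they survive the rewrite.
func loadGroup(path string) (map[string]json.RawMessage, []user, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, nil, err
	}
	group := map[string]json.RawMessage{}
	if err := json.Unmarshal(raw, &group); err != nil {
		return nil, nil, err
	}
	var presenters []user
	if p, ok := group["presenter"]; ok {
		err = json.Unmarshal(p, &presenters)
	}
	return group, presenters, err
}

// writeFileAtomic writes to a 0600 temp file in the same directory, fsyncs
// it and renames it over path. Rename is atomic on POSIX, so a reader
// (Galène, reloading on change) sees the old or the new file, never a cut one.
func writeFileAtomic(path string, data []byte) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), filepath.Base(path)+".tmp-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op after a successful rename
	if _, err = tmp.Write(data); err == nil {
		err = tmp.Sync()
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// addPresenter is the read-modify-write a PHP app would do once the student
// has completed the form. An exclusive flock on a lock file beside the
// group file serialises concurrent requests (Unix-only; released on close).
func addPresenter(path string, u user) error {
	lock, err := os.OpenFile(path+".lock", os.O_CREATE|os.O_RDWR, 0o600)
	if err != nil {
		return err
	}
	defer lock.Close()
	if err := syscall.Flock(int(lock.Fd()), syscall.LOCK_EX); err != nil {
		return err
	}
	group, presenters, err := loadGroup(path)
	if err != nil {
		return err
	}
	for _, p := range presenters {
		if p.Username == u.Username {
			return nil // already allowed in; nothing to rewrite
		}
	}
	if group["presenter"], err = json.Marshal(append(presenters, u)); err != nil {
		return err
	}
	out, err := json.MarshalIndent(group, "", "  ")
	if err != nil {
		return err
	}
	return writeFileAtomic(path, append(out, '\n'))
}

func main() {
	dir, _ := os.MkdirTemp("", "galene-groups-demo")
	path := filepath.Join(dir, "groups.json")
	os.WriteFile(path, []byte(sampleGroup), 0o600)
	fmt.Println("update:", addPresenter(path, user{Username: "bob", Password: "constructed-pw-2"}), path)
}
```

The temporary file must live in the same directory as the target, because rename is only atomic within one filesystem; writing it to /tmp and renaming across mounts degrades to a copy that Galène can observe half-written.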
[Galene] Re: Galène with PHP
From: Rob Dean @ 2021-03-05 11:49 UTC
To: Juliusz Chroboczek; Cc: galene

Hi Everyone,

I'm still wondering how to get PHP working on port 8443, so that I can run PHP and MySQL alongside Galene (e.g. https://www.servername.com:8443/test.php). Is this query beyond the scope of this group, and more of an Apache configuration issue?

As you can tell there is a gap in my knowledge of this kind of architecture, but from my testing, I definitely cannot have a host PHP page running on port 80 that attempts to create the websocket for Galene over on port 8443 via javascript. That definitely doesn't work, and therefore, for a successful Galene connection, I need to use an https URI request on port 8443 before the javascript makes the wss connection. This means therefore, for my design to work, I need PHP to run on port 8443.

Any ideas how to get PHP running on port 8443? Hopefully we can forge an answer, although I realise this is slightly left-field to the amazing development of core Galène that you're all working on.

Best wishes and kind regards,
Rob

On Tue, 2 Mar 2021 at 18:37, Juliusz Chroboczek <jch@irif.fr> wrote:
> > I was wondering if it were possible to use Galène inside a PHP page, as we want
> > to get our students to fill out some details before joining in, and we thought
> > that we could use php SESSION cookies to check they've completed everything
> > before letting them in.
>
> Sure. What you'll want to do depends on your security model, though.
>
> The simplest, but least secure, would be to check your session cookie in
> the galene.js file; look around line 2600, where it says
>
> document.getElementById('userform').onsubmit
>
> This is easily gamed by the user (they can edit the source code in the
> browser), but if the goal is simply to guide the students and has no
> influence on their grades, it's probably good enough.
>
> If, on the other hand, you want stronger security, you'll need to pass the
> session cookie to the server and do the validation there. You'll need to
> add a parameter to the serverConnect.join method, pass the value within
> the "value" field of the join message, and do the validation in the
> function handleClientMessage in webclient.go.
>
> -- Juliusz
[Galene] Re: Galène with PHP
From: Juliusz Chroboczek @ 2021-03-05 13:27 UTC
To: Rob Dean; Cc: galene

> I'm still wondering how to get PHP working on port 8443, so that I can run PHP
> and MYSQL alongside Galene. (e.g. https://www.servername.com:8443/test.php)

One way would be to run Galène behind a frontend proxy such as nginx or Apache. The frontend would need to proxy the WebSocket at /ws to Galène, and to proxy any PHP requests to a PHP interpreter, probably over fcgi. As to the static pages, it's probably best to have them served directly by the frontend.

> I definitely cannot have a host php page running on port 80 that
> attempts to create the websocket for Galene over on port 8443 via
> javascript.

You could probably do that. You'd just need to very slightly relax Galène's security checks, by doing something like the appended patch (untested).

In case you want to understand what it does: by default, Galène accepts WebSocket connections if either they don't carry an Origin header, or they carry an Origin header that matches the host:port of the server; this avoids attacks where third-party Javascript is used to access a server that is behind a firewall. The attached patch relaxes the latter part of the test, by only checking the hostname, not the port. You may tweak the test as needed.

-- Juliusz

diff --git a/webserver/webserver.go b/webserver/webserver.go index e336f88..9aaac4a 100644 --- a/webserver/webserver.go +++ b/webserver/webserver.go @@ -10,6 +10,7 @@ import ( "html" "io" "log" + "net" "net/http" "net/url" "os"
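Review bot: the import hunk adds only "net", but the CheckOrigin body in the next hunk also calls strings.EqualFold; unless webserver.go already imports "strings" (not visible here), the patch will not compile. Add "strings" to this hunk next to "net", or compare the two hosts after lower-casing them with a function that is already imported.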
@@ -440,6 +441,25 @@ func statsHandler(w http.ResponseWriter, r *http.Request, dataDir string) { var wsUpgrader = websocket.Upgrader{ HandshakeTimeout: 30 * time.Second, + CheckOrigin: func(r *http.Request) bool { + origin := r.Header["Origin"] + if len(origin) == 0 { + return true + } + u, err := url.Parse(origin[0]) + if err != nil { + return false + } + host1, _, err := net.SplitHostPort(u.Host) + if err != nil { + return false + } + host2, _, err := net.SplitHostPort(r.Host) + if err != nil { + return false + } + return strings.EqualFold(host1, host2) + }, } func wsHandler(w http.ResponseWriter, r *http.Request) { ^ permalink raw reply [flat|nested] 6+ messages in thread
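Review bot: net.SplitHostPort(u.Host) returns an error when the Origin carries no explicit port, which is exactly the case this patch is meant to allow: a page served from http://www.servername.com (port 80) or https://www.servername.com (port 443) sends an Origin in that form, so the err != nil branch returns false and the hostname comparison is never reached. The same applies to r.Host when Galène sits behind a proxy that forwards a port-less Host header. Fall back to the bare host when SplitHostPort reports a missing port (and strip IPv6 brackets), or compare u.Hostname() against an r.Host normalised the same way. Two further points deserve a comment next to the test: the scheme is not checked, so an http: page may open a WebSocket to the https: server; and because only the host is compared, any other service reachable on the same hostname on any port can now drive the WebSocket from a browser, which is the trade-off the message describes and should be stated beside the code.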
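The patch above compares hostnames with net.SplitHostPort, which fails when the Origin or Host header carries no explicit port, so a page on the default port (Rob's PHP page on port 80) would still be refused. Here, as an added example that is neither Galène's code nor the patch, is a hostname-only check that handles the missing-port case and restricts the scheme to http/https, alongside a function reproducing the patch's stricter behaviour so the difference shows on the setup from the thread (a page on www.servername.com port 80 opening a WebSocket to port 8443). The host name comes from the thread; the function names are mine.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// hostOnly strips an optional ":port" (and IPv6 brackets) from a Host or
// Origin host field. net.SplitHostPort alone errors on "www.servername.com",
// which is what a browser sends for a page served on the default port.
func hostOnly(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return strings.Trim(hostport, "[]")
}

// originAllowed is the relaxed check: same hostname on any port, http or
// https only. An opaque "null" origin or an unparseable one is refused.
func originAllowed(origin, host string) bool {
	u, err := url.Parse(origin)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return false
	}
	return strings.EqualFold(hostOnly(u.Host), hostOnly(host))
}

// originAllowedStrict reproduces the logic of the posted patch: both sides
// must carry an explicit port or SplitHostPort fails and the request is
// refused. Kept only to show the difference on a port-less Origin.
func originAllowedStrict(origin, host string) bool {
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	h1, _, err := net.SplitHostPort(u.Host)
	if err != nil {
		return false
	}
	h2, _, err := net.SplitHostPort(host)
	if err != nil {
		return false
	}
	return strings.EqualFold(h1, h2)
}

// checkOrigin has the shape websocket.Upgrader.CheckOrigin expects. As in
// Galène's default, a request with no Origin header (a non-browser client)
// is accepted; only browser-originated requests are subject to the check.
func checkOrigin(r *http.Request) bool {
	origin := r.Header["Origin"]
	if len(origin) == 0 {
		return true
	}
	return originAllowed(origin[0], r.Host)
}

func main() {
	host := "www.servername.com:8443" // Galène's Host header, per the thread
	for _, o := range []string{
		"http://www.servername.com",       // Rob's PHP page on port 80
		"https://www.servername.com:8443", // page served by Galène itself
		"https://evil.example",            // third-party page
		"null",                            // sandboxed iframe or file: page
	} {
		fmt.Printf("%-33s strict=%-5v relaxed=%v\n", o, originAllowedStrict(o, host), originAllowed(o, host))
	}
}
```

Note what the relaxed check still does not do: it cannot distinguish the PHP app from any other service on www.servername.com, so if other web applications share that hostname, their pages can open the WebSocket too; tightening the port list back down, or moving the PHP app behind the same proxy so both share one origin, removes that exposure.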
[Galene] Re: Galène with PHP
From: Jeroen van Veen @ 2021-03-05 15:56 UTC
To: Juliusz Chroboczek; Cc: Rob Dean, galene

Not directly related to PHP & Nginx, but here is an example config of running Galene behind a Nginx proxy: https://github.com/garage44/pyrite/wiki/Proxy-Config

- Jeroen

Original Message
On Friday, March 5, 2021 2:27 PM, Juliusz Chroboczek <jch@irif.fr> wrote:

> > I'm still wondering how to get PHP working on port 8443, so that I can run PHP
> > and MYSQL alongside Galene. (e.g. https://www.servername.com:8443/test.php)
>
> One way would be to run Galène behind a frontend proxy such as nginx or
> Apache. The frontend would need to proxy the WebSocket at /ws to Galène,
> and to proxy any PHP requests to a PHP interpreter, probably over fcgi.
> As to the static pages, it's probably best to have them served directly by
> the frontend.
>
> > I definitely cannot have a host php page running on port 80 that
> > attempts to create the websocket for Galene over on port 8443 via
> > javascript.
>
> You could probably do that. You'd just need to very slightly relax
> Galène's security checks, by doing something like the appended patch
> (untested).
>
> In case you want to understand what it does: by default, Galène accepts
> WebSocket connections if either they don't carry an Origin header, or they
> carry an Origin header that matches the host:port of the server; this
> avoids attacks where third-party Javascript is used to access a server
> that is behind a firewall. The attached patch relaxes the latter part of
> the test, by only checking the hostname, not the port. You may tweak the
> test as needed.
>
> -- Juliusz
>
> diff --git a/webserver/webserver.go b/webserver/webserver.go > index e336f88..9aaac4a 100644 > --- a/webserver/webserver.go > +++ b/webserver/webserver.go
> @@ -10,6 +10,7 @@ import ( > "html" > "io" > "log" > > - "net" > "net/http" > "net/url" > "os" > @@ -440,6 +441,25 @@ func statsHandler(w http.ResponseWriter, r *http.Request, dataDir string) { > > var wsUpgrader = websocket.Upgrader{ > HandshakeTimeout: 30 * time.Second, > > - CheckOrigin: func(r *http.Request) bool { > - origin := r.Header["Origin"] > > > - if len(origin) == 0 { > > > - return true > > > - } > > > - u, err := url.Parse(origin[0]) > > > - if err != nil { > > > - return false > > > - } > > > - host1, _, err := net.SplitHostPort(u.Host) > > > - if err != nil { > > > - return false > > > - } > > > - host2, _, err := net.SplitHostPort(r.Host) > > > - if err != nil { > > > - return false > > > - } > > > - return strings.EqualFold(host1, host2) > > > - }, > } > > func wsHandler(w http.ResponseWriter, r *http.Request) { > > > Galene mailing list -- galene@lists.galene.org > To unsubscribe send an email to galene-leave@lists.galene.org ^ permalink raw reply [flat|nested] 6+ messages in thread