From: Fabrice Rouillier <fabrice@rouillier.fr>
To: "Rémy Dernat" <remy.dernat@umontpellier.fr>
Cc: galene@lists.galene.org
Subject: [Galene] Re: Installation Script
Date: Mon, 12 Apr 2021 11:49:03 +0200
Message-ID: <C5F382A7-0156-4062-8BE5-5CE3C5B79763@rouillier.fr>
In-Reply-To: <833a546d-dbe2-00c4-273e-16bc6664a9f8@umontpellier.fr>
Hi Rémy,
Thanks.
Note that you can contribute directly to the GitLab if you want.
For nginx: great, this allows typing a simpler URL without specifying the 8443 port. I also tried Traefik, which works well as a reverse proxy too, especially behind a domestic router with a single IP...
For certbot: yes, this is also a good complement, to get automatic renewal.
Cheers,
Fabrice.
-------------------------
Fabrice Rouillier
fabrice@rouillier.fr
Virtual office: https://www.rouillier.fr/visio/fabrice
> On 12 Apr 2021 at 09:56, Rémy Dernat <remy.dernat@umontpellier.fr> wrote:
>
> Hi Fabrice,
>
> Thanks. That could be helpful.
>
> Nevertheless, I have done a couple of things that could also be useful for your script. If you want, feel free to pick things from them or change your script accordingly.
>
> First, there is an nginx configuration available from the Yunohost package here: https://github.com/YunoHost-Apps/galene_ynh/blob/testing/conf/nginx.conf
> This configuration file was very useful to me. I am using it for proxying Galène over HTTPS. Here is the resulting configuration using it, in /etc/nginx/sites-enabled/galene:
>
> server {
>     listen 443 ssl default_server;
>     listen [::]:443 ssl default_server;
>     server_name galene.domain.tld visio.domain.tld;
>     ssl_certificate /etc/letsencrypt/live/galene.domain.tld/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/galene.domain.tld/privkey.pem;
>
>     location / {
>         # Force usage of https
>         if ($scheme = http) {
>             rewrite ^ https://$server_name$request_uri? permanent;
>         }
>
>         proxy_pass https://127.0.0.1:8443;
>         proxy_redirect off;
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Host $server_name;
>
>         # WebSocket support
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>     }
> }
>
> To avoid any issue with the Let's Encrypt renewal crons and scripts (which would need another copy in ~galene/data), I added the acl package to allow the galene user to read /etc/letsencrypt/ (instead of just copying the certs into /home/galene/data/):
>
> apt-get install acl
>
> setfacl -R -m u:galene:r /etc/letsencrypt
> setfacl -m u:galene:x /etc/letsencrypt
> setfacl -m u:galene:x /etc/letsencrypt/live
> setfacl -m u:galene:x /etc/letsencrypt/live/galene.domain.tld
> setfacl -m u:galene:x /etc/letsencrypt/archive/galene.domain.tld
> setfacl -m u:galene:x /etc/letsencrypt/archive
>
> ln -s /etc/letsencrypt/live/galene.domain.tld/chain.pem ~galene/data/chain.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/privkey.pem ~galene/data/key.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/privkey.pem ~galene/data/privkey.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/cert.pem ~galene/data/cert.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/fullchain.pem ~galene/data/fullchain.pem
>
> Then, I also added a configuration file to be sourced, /etc/default/galene, containing (after creating the /var/log directories):
>
> ARGS=" -memprofile /var/log/galene/mem.log -cpuprofile /var/log/galene/cpu.log"
>
> But you could add your TURN configuration or any other option...
>
> The modification to the systemd script is very simple; just change:
>
> ExecStart=/home/galene/galene
>
> to:
>
> EnvironmentFile=/etc/default/galene
> ExecStart=/home/galene/galene $ARGS
>
> By the way, does anyone know how to use these {cpu,mem} profile files?
>
> Thanks,
>
> Best regards,
>
> Rémy
>
> On 12/04/2021 at 09:10, Fabrice Rouillier wrote:
>> Hi,
>>
>> I have implemented and tested a script to install Galene and a TURN server that works behind a router, even a domestic one.
>>
>> You can download it here: https://gitlab.inria.fr/rouillie/visio/-/tree/master/galene
>>
>> It works only for Ubuntu 20.04 or Debian buster for the moment, mainly because I am lazy :-) but it opens the door to a very easy deployment on a cloud or simply at home.
>>
>> Cheers,
>>
>> Fabrice
>> -------------------------
>> Fabrice Rouillier
>> fabrice@rouillier.fr
>>
>> Virtual office: https://www.rouillier.fr/visio/fabrice
>>
>>> On 10 Apr 2021 at 16:41, Fabrice Rouillier <fabrice@rouillier.fr> wrote:
>>>
>>> Hi Juliusz,
>>>
>>> Thanks for your help.
>>> See below for a simple setting that works with our external coturn.
>>>
>>>> The problem is probably that your NAT doesn't implement hairpinning, so
>>>> Galène and the TURN server cannot communicate. Coturn is probably
>>>> connecting over IPv6, which the built-in server doesn't handle.
>>>
>>> I have deactivated IPv6 everywhere and double-checked (inspecting about:websocket) in Firefox that it does not use IPv6.
>>>
>>>> Could you please check Galène's log for mentions of a relay test? If the
>>>> server-side relay test (the one in Galène's log) fails, that's probably
>>>> indicative of a problem with hairpinning.
>>>
>>> Server side: the relay test does not fail.
>>>
>>> Client side:
>>> - using the built-in TURN, the relay test fails,
>>> - using coturn (on the same server) it works.
>>>
>>>> Fabrice — if your instance of Galène is behind NAT, then I strongly
>>>> recommend running an instance of coturn on a host that is not behind NAT.
>>>
>>> The following works:
>>>
>>> - port forwarding from my router (Freebox) to a Linux 20.04 VM (VirtualBox):
>>>
>>> 49152-65535 (UDP/TCP)
>>> 3478 (UDP/TCP)
>>> 8443 (UDP/TCP)
>>>
>>> - coturn on the VM with the following configuration:
>>>
>>> listening-port=3478
>>> fingerprint
>>> lt-cred-mech
>>> user=<TURN USER>:<TURN PASSWD>
>>> server-name=<TURN SERVER NAME>
>>> realm=<DOMAINE>
>>>
>>> - galene on the VM launched with the option -turn auto,
>>> and data/ice-servers.json with the following contents:
>>>
>>> [
>>>   {
>>>     "Urls": [
>>>       "turn:<TURN SERVER NAME>:3478",
>>>       "turn:<TURN SERVER NAME>:3478?transport=tcp"
>>>     ],
>>>     "username": "<TURN USER>",
>>>     "credential": "<TURN PASSWD>"
>>>   }
>>> ]
>>>
>>
>> _______________________________________________
>> Galene mailing list -- galene@lists.galene.org
>> To unsubscribe send an email to galene-leave@lists.galene.org
> --
> Rémy Dernat
> IS project manager
> IR CNRS - ISI / ISEM
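A note on the ACL approach quoted above: `setfacl -R -m u:galene:r /etc/letsencrypt` gives the galene user read access to every lineage's private key on the host, and since an access ACL is not inherited by new files, the privkeyN.pem that certbot writes into archive/ at the next renewal will not carry it. The script below is an added example (not code from the thread, from Galène or from certbot): a certbot deploy hook that grants only search (x) on the directory chain and read (r) on the four files of the renewed lineage, using the RENEWED_LINEAGE variable certbot exports to deploy hooks. The hook path, the user name galene and the ACL_DRY_RUN variable are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: certbot deploy hook granting the
# galene user the minimum ACL to read one renewed certificate lineage, instead
# of "setfacl -R -m u:galene:r /etc/letsencrypt" (which also exposes every
# other lineage's private key).  New privkeyN.pem files in archive/ do not
# inherit an access ACL, so this must run after each renewal: install it as
# /etc/letsencrypt/renewal-hooks/deploy/galene-acl.sh (assumed path).
set -eu

ACL_USER=${ACL_USER:-galene}        # assumption: Galène runs as user "galene"

# Run a command, or only print it when ACL_DRY_RUN=1 (review before running as root).
run() {
    if [ "${ACL_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# grant_x_chain DIR STOP: search (x) on DIR and each parent up to STOP; a
# directory needs only x to be traversed, listing /etc/letsencrypt is not needed.
grant_x_chain() {
    d=$1
    while :; do
        run setfacl -m "u:$ACL_USER:x" "$d"
        [ "$d" = "$2" ] && break
        d=$(dirname "$d")
        [ "$d" = / ] && break   # never walk above the filesystem root
    done
}

# galene_acl_hook LINEAGE: make the four live/ files of LINEAGE readable.
galene_acl_hook() {
    lineage=$1                                 # /etc/letsencrypt/live/<domain>
    root=$(dirname "$(dirname "$lineage")")    # /etc/letsencrypt
    grant_x_chain "$lineage" "$root"           # live/<domain>, live, root
    for f in privkey.pem cert.pem chain.pem fullchain.pem; do
        # ACLs sit on the real file: live/ only holds symlinks into archive/.
        target=$(readlink -f "$lineage/$f")
        case $target in
            "$root"/*) ;;
            *) echo "skip $f: resolves outside $root" >&2; continue ;;
        esac
        grant_x_chain "$(dirname "$target")" "$root"   # archive/<domain>, archive, root
        run setfacl -m "u:$ACL_USER:r" "$target"       # read on this file only
    done
}

# As a deploy hook certbot sets RENEWED_LINEAGE; nothing happens when run bare.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    galene_acl_hook "$RENEWED_LINEAGE"
fi
```

Run it once by hand with `RENEWED_LINEAGE=/etc/letsencrypt/live/galene.domain.tld ACL_DRY_RUN=1` to see the exact setfacl calls before letting certbot invoke it.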