Hi Remy,

Thanks. Note that you might directly contribute to the GitLab if you want.

For NGINX: great, this allows typing a simpler URL without specifying the 8443 port. I did try Traefik, which also works well as a reverse proxy, especially behind a domestic router with a single IP...

For certbot: yep, this is also a good complement to have the automatic renewal.

Cheers,

Fabrice.

-------------------------
Fabrice Rouillier
fabrice@rouillier.fr

Virtual office: https://www.rouillier.fr/visio/fabrice

> On 12 Apr 2021 at 09:56, Rémy Dernat wrote:
>
> Hi Fabrice,
>
> Thanks. That could be helpful.
>
> Nevertheless, I have done a couple of things that could also be useful for your script. If you want, feel free to pick things/change your script accordingly.
>
> First, there is an nginx configuration available from the Yunohost package here: https://github.com/YunoHost-Apps/galene_ynh/blob/testing/conf/nginx.conf
> This configuration file was very useful to me. I am using it for proxying Galène on HTTPS. Here is a resulting configuration using it in /etc/nginx/sites-enabled/galene:
>
> server {
>     listen 443 ssl default_server;
>     listen [::]:443 ssl default_server;
>     server_name galene.domain.tld visio.domain.tld;
>     ssl_certificate /etc/letsencrypt/live/galene.domain.tld/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/galene.domain.tld/privkey.pem;
>
>     location / {
>
>         # Force usage of https (only reached if this server also listens on port 80)
>         if ($scheme = http) {
>             rewrite ^ https://$server_name$request_uri? permanent;
>         }
>
>         # Galène serves TLS itself on 8443; nginx re-encrypts to it over loopback
>         proxy_pass https://127.0.0.1:8443;
>         proxy_redirect off;
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Host $server_name;
>
>         # WebSocket support
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>     }
> }
>
> To avoid any issue with Let's Encrypt renew crons and scripts (that would need another copy in ~galene/data), I added the acl package to allow the galene user to read /etc/letsencrypt/ (instead of just copying the certs in /home/galene/data/):
>
> apt-get install acl
>
> # read on every file below /etc/letsencrypt (-R also puts r on the directories)
> setfacl -R -m u:galene:r /etc/letsencrypt
>
> # traverse (x) on each directory on the two paths Galène needs:
> # live/<name>/*.pem are symlinks into archive/<name>/
> setfacl -m u:galene:x /etc/letsencrypt
> setfacl -m u:galene:x /etc/letsencrypt/live
> setfacl -m u:galene:x /etc/letsencrypt/live/galene.domain.tld
> setfacl -m u:galene:x /etc/letsencrypt/archive
> setfacl -m u:galene:x /etc/letsencrypt/archive/galene.domain.tld
>
> ln -s /etc/letsencrypt/live/galene.domain.tld/chain.pem ~galene/data/chain.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/privkey.pem ~galene/data/key.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/privkey.pem ~galene/data/privkey.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/cert.pem ~galene/data/cert.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/fullchain.pem ~galene/data/fullchain.pem
>
> Then, I also added a configuration file to source in /etc/default/galene, containing (after creating the /var/log directories):
>
> ARGS=" -memprofile /var/log/galene/mem.log -cpuprofile /var/log/galene/cpu.log"
>
> But you could add your TURN configuration or whatever option...
>
> Modification to the systemd script is very simple; just change:
>
> ExecStart=/home/galene/galene
>
> to:
>
> EnvironmentFile=/etc/default/galene
> ExecStart=/home/galene/galene $ARGS
>
> By the way, if anyone knows how to use these {cpu,mem} profile files...?
>
> Thanks,
>
> Best regards,
>
> Rémy
>
> On 12/04/2021 at 09:10, Fabrice Rouillier wrote:
>> Hi,
>>
>> I have implemented and tested a script to install Galene and a TURN that works behind a router, even a domestic one.
>>
>> You can download it here: https://gitlab.inria.fr/rouillie/visio/-/tree/master/galene
>>
>> It works only for Ubuntu 20.04 or Debian buster for the moment, mainly because I am lazy :-) but it opens the door to a very easy deployment on a cloud or simply at home.
>>
>> Cheers,
>>
>> Fabrice
>> -------------------------
>> Fabrice Rouillier
>> fabrice@rouillier.fr
>>
>> Virtual office: https://www.rouillier.fr/visio/fabrice
>>
>>> On 10 Apr 2021 at 16:41, Fabrice Rouillier wrote:
>>>
>>> Hi Juliusz,
>>>
>>> Thanks for your help.
>>> See below for a simple setting that works with our external coturn.
>>>
>>>> The problem is probably that your NAT doesn't implement hairpinning, so
>>>> Galène and the TURN server cannot communicate. Coturn is probably
>>>> connecting over IPv6, which the built-in server doesn't handle.
>>>
>>> I have deactivated IPv6 everywhere and double checked (inspecting about:websocket in Firefox) that it does not use IPv6.
>>>
>>>> Could you please check Galène's log for mentions of a relay test? If the
>>>> server-side relay test (the one in Galène's log) fails, that's probably
>>>> indicative of a problem with hairpinning.
>>>
>>> Server side: the relay test does not fail.
>>>
>>> Client side:
>>> - using the builtin TURN, the relay test fails,
>>> - using coturn (on the same server) it works.
>>>
>>>> Fabrice — if your instance of Galène is behind NAT, then I strongly
>>>> recommend running an instance of coturn on a host that is not behind NAT.
>>>
>>> The following works:
>>>
>>> - port forwarding from my router (Freebox) to a Linux 20.04 VM (VirtualBox):
>>>
>>>   49152-65535 (UDP/TCP)
>>>   3478 (UDP/TCP)
>>>   8443 (UDP/TCP)
>>>
>>> - coturn on the VM with the following configuration
>>>
>>>   listening-port=3478
>>>   fingerprint
>>>   lt-cred-mech
>>>   user=:
>>>   server-name=
>>>   realm=
>>>
>>> - galene on the VM launched with the option -turn auto
>>>   and data/ice-servers.json with the following contents
>>>
>>>   [
>>>     {
>>>       "Urls": [
>>>         "turn::3478",
>>>         "turn::3478?transport=tcp"
>>>       ],
>>>       "username": "",
>>>       "credential": ""
>>>     }
>>>   ]
>>>
>> _______________________________________________
>> Galene mailing list -- galene@lists.galene.org
>> To unsubscribe send an email to galene-leave@lists.galene.org
> --
> Rémy Dernat
> IS project manager
> IR CNRS - ISI / ISEM
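Rémy's ACL recipe above puts u:galene:r recursively on all of /etc/letsencrypt, so the galene user can read the private key of every lineage certbot manages on that host, not only galene.domain.tld; and because an access ACL is attached to the file it was set on, the new numbered files certbot writes into archive/<name>/ at renewal need the grant again. The script below is an added example, not code from this thread or from the Galène or certbot projects: it narrows the grant to traverse (x) on the directories along the path plus read (r) on one lineage's archive files, checks the result as the galene user via access(2), and doubles as a certbot deploy hook (certbot runs everything in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal with RENEWED_LINEAGE pointing at the renewed live/<name> directory). The domain galene.domain.tld, the user galene and the /etc/letsencrypt layout come from the thread; the DRY_RUN switch, the plan/apply verbs and the function names are my own assumptions.

```shell
#!/bin/sh
# galene-acl.sh: grant the galene user read access to exactly one Let's Encrypt
# lineage, and re-apply it after each certbot renewal.
#   galene-acl.sh plan    # print the setfacl/runuser commands, change nothing
#   galene-acl.sh apply   # run them and verify as the galene user (needs root)
# Installed as /etc/letsencrypt/renewal-hooks/deploy/galene-acl.sh it is run by
# certbot with RENEWED_LINEAGE set and no verb, and then applies automatically.
set -eu

LINEAGE=${RENEWED_LINEAGE:-/etc/letsencrypt/live/galene.domain.tld}   # assumed default
GALENE_USER=${GALENE_USER:-galene}

# run CMD...: execute, or with DRY_RUN=1 only print the command line.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# acl_grant LIVE_DIR USER [LE_ROOT]
# Minimal grant: x (traverse, no listing) on each directory on the two paths
# that matter, r on the .pem files of this lineage only. Other lineages under
# archive/ stay unreadable, and live/<name>/*.pem resolve because they are
# symlinks into archive/<name>/.
acl_grant() {
    lineage=$1
    user=$2
    root=${3:-/etc/letsencrypt}
    name=${lineage##*/}
    for d in "$root" "$root/live" "$root/live/$name" \
             "$root/archive" "$root/archive/$name"; do
        run setfacl -m "u:$user:x" "$d"
    done
    # The glob expands here, so only files that exist right now are granted;
    # that is why this must run again after every renewal (see the hook case).
    run setfacl -m "u:$user:r" "$root/archive/$name"/*.pem
}

# acl_check LIVE_DIR USER
# Verify the way Galène will experience it: access(2) as the target user,
# which honours ACLs, through the live/ symlinks it is given.
acl_check() {
    lineage=$1
    user=$2
    for f in privkey.pem fullchain.pem cert.pem chain.pem; do
        run runuser -u "$user" -- test -r "$lineage/$f"
    done
}

# Without a verb: behave as a certbot deploy hook when RENEWED_LINEAGE is set,
# otherwise only define the functions (so the file can be sourced).
case "${1:-${RENEWED_LINEAGE:+apply}}" in
    plan)
        (DRY_RUN=1; acl_grant "$LINEAGE" "$GALENE_USER"; acl_check "$LINEAGE" "$GALENE_USER")
        ;;
    apply)
        acl_grant "$LINEAGE" "$GALENE_USER"
        acl_check "$LINEAGE" "$GALENE_USER"
        ;;
    "")
        ;;
    *)
        echo "usage: $0 plan|apply" >&2
        exit 2
        ;;
esac
```

Run `galene-acl.sh plan` first and compare its output with the recursive recipe: five x grants and one r grant on the current archive files, nothing on any other lineage. The symlinks in ~galene/data from the thread keep working unchanged, since the permission check happens on the archive file they ultimately point to.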