Hi Remy,
Thanks.
Note that you might directly contribute to the GitLab if you want.
For NGINX: great, this allows typing a simpler URL without specifying the 8443 port. I did try Traefik, which also works well as a reverse proxy, especially behind a domestic router with a unique IP...
For certbot: yep, this is also a good complement to have the automatic renewal.
Cheers,
Fabrice.
-------------------------
Fabrice Rouillier
fabrice@rouillier.fr
Virtual office: https://www.rouillier.fr/visio/fabrice
> On 12 Apr 2021 at 09:56, Rémy Dernat wrote:
>
> Hi Fabrice,
>
> Thanks. That could be helpful.
>
> Nevertheless, I have done a couple of things that could also be useful for your script. If you want, feel free to pick things/change your script accordingly.
>
> First, there is an nginx configuration available from the YunoHost package here: https://github.com/YunoHost-Apps/galene_ynh/blob/testing/conf/nginx.conf
> This configuration file was very useful to me. I am using it for proxying Galène on HTTPS. Here is a resulting configuration using it in /etc/nginx/sites-enabled/galene:
>
> server {
>     listen 443 ssl default_server;
>     listen [::]:443 ssl default_server;
>     server_name galene.domain.tld visio.domain.tld;
>     ssl_certificate /etc/letsencrypt/live/galene.domain.tld/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/galene.domain.tld/privkey.pem;
>
>     location / {
>
>         # Force usage of https (the trailing "?" drops the original query string
>         # from the redirect target; a space before it is a syntax error in nginx)
>         if ($scheme = http) {
>             rewrite ^ https://$server_name$request_uri? permanent;
>         }
>
>         # Galène itself still listens with TLS on 8443
>         proxy_pass https://127.0.0.1:8443;
>         proxy_redirect off;
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Host $server_name;
>
>         # WebSocket support
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>     }
> }
>
> To avoid any issue with Let's Encrypt renewal crons and scripts (that would need another copy in ~galene/data), I added the acl package to allow the galene user to read /etc/letsencrypt/ (instead of just copying the certs to /home/galene/data/):
>
> apt-get install acl
> setfacl -R -m u:galene:r /etc/letsencrypt
> setfacl -m u:galene:x /etc/letsencrypt
> setfacl -m u:galene:x /etc/letsencrypt/live
> setfacl -m u:galene:x /etc/letsencrypt/live/galene.domain.tld
> setfacl -m u:galene:x /etc/letsencrypt/archive/galene.domain.tld
> setfacl -m u:galene:x /etc/letsencrypt/archive
> ln -s /etc/letsencrypt/live/galene.domain.tld/chain.pem ~galene/data/chain.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/privkey.pem ~galene/data/key.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/privkey.pem ~galene/data/privkey.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/cert.pem ~galene/data/cert.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/fullchain.pem ~galene/data/fullchain.pem
>
>
>
> Then, I also added a configuration file to source in /etc/default/galene, containing (after creating the /var/log directories):
>
> ARGS=" -memprofile /var/log/galene/mem.log -cpuprofile /var/log/galene/cpu.log"
>
> But you could add your turn configuration or whatever option...
>
> Modification to the systemd script is very simple; just change:
>
> ExecStart=/home/galene/galene
>
> to:
>
> EnvironmentFile=/etc/default/galene
> ExecStart=/home/galene/galene $ARGS
>
>
>
> By the way, if anyone knows how to use these {cpu,mem} profile files ...?
>
> Thanks,
>
> Best regards,
>
> Rémy
>
> On 12/04/2021 at 09:10, Fabrice Rouillier wrote:
>> Hi,
>>
>> I have implemented and tested a script to install Galène and a TURN server that works behind a router, even a domestic one.
>>
>> You can download it here: https://gitlab.inria.fr/rouillie/visio/-/tree/master/galene
>>
>> It works only for Ubuntu 20.04 or Debian buster for the moment, mainly because I am lazy :-) but it opens the door to a very easy deployment on a cloud or simply at home.
>>
>> Cheers,
>>
>> Fabrice
>> -------------------------
>> Fabrice Rouillier
>> fabrice@rouillier.fr
>>
>> Virtual office: https://www.rouillier.fr/visio/fabrice
>>
>>> On 10 Apr 2021 at 16:41, Fabrice Rouillier wrote:
>>>
>>> Hi Juliusz,
>>>
>>> Thanks for your help.
>>> See below for a simple setting that works with our external coturn.
>>>
>>>> The problem is probably that your NAT doesn't implement hairpinning, so
>>>> Galène and the TURN server cannot communicate.
>>>> Coturn is probably
>>>> connecting over IPv6, which the built-in server doesn't handle.
>>>
>>> I have deactivated IPv6 everywhere and double-checked (inspecting about:websocket) in Firefox that it does not use IPv6.
>>>
>>>> Could you please check Galène's log for mentions of a relay test? If the
>>>> server-side relay test (the one in Galène's log) fails, that's probably
>>>> indicative of a problem with hairpinning.
>>>
>>> Server side: the relay test does not fail.
>>>
>>> Client side:
>>> - using the built-in TURN, the relay test fails,
>>> - using coturn (on the same server) it works.
>>>
>>>> Fabrice — if your instance of Galène is behind NAT, then I strongly
>>>> recommend running an instance of coturn on a host that is not behind NAT.
>>>
>>> The following works:
>>>
>>> - port forwarding from my router (Freebox) to a Linux 20.04 VM (VirtualBox):
>>>
>>> 49152-65535 (UDP/TCP)
>>> 3478 (UDP/TCP)
>>> 8443 (UDP/TCP)
>>>
>>> - coturn on the VM with the following configuration
>>>
>>> listening-port=3478
>>> fingerprint
>>> lt-cred-mech
>>> user=:
>>> server-name=
>>> realm=
>>>
>>> - galene on the VM launched with the option -turn auto
>>> and data/ice-servers.json with the following contents
>>>
>>> [
>>>     {
>>>         "Urls": [
>>>             "turn::3478",
>>>             "turn::3478?transport=tcp"
>>>         ],
>>>         "username": "",
>>>         "credential": ""
>>>     }
>>> ]
>>>
>>
>>
>>
>> _______________________________________________
>> Galene mailing list -- galene@lists.galene.org
>> To unsubscribe send an email to galene-leave@lists.galene.org
> --
> Rémy Dernat
> Chef de projet SI
> IR CNRS - ISI / ISEM
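The ice-servers.json snippet quoted above is easy to get subtly wrong (an empty host, an empty credential, a "turns:" URI with transport=udp), and Galène will not refuse such a file; clients simply end up without a usable relay. The validator below is an added example written for this thread; it is not part of the thread, of Galène, or of the install script. It checks each URI against the TURN/STUN URI syntax of RFC 7065 and RFC 7064 and requires a credential (and, unless "credentialType" is "hmac-sha1", a username) for every turn/turns entry. It assumes Galène's field names urls, username, credential and credentialType and accepts the capitalised "Urls" seen in the thread, since Go's JSON decoder matches field names case-insensitively. The sample input is constructed, with placeholder host and secret.

```python
"""Validate a Galène ice-servers.json before deploying it (added example)."""
import json
import re
import sys

# RFC 7065: ("turn" / "turns") ":" host [":" port] ["?transport=" ("udp" / "tcp")]
_TURN_RE = re.compile(
    r"^(?P<scheme>turns?):(?P<host>[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\])"
    r"(?::(?P<port>\d{1,5}))?(?:\?transport=(?P<transport>udp|tcp))?$"
)
# RFC 7064: ("stun" / "stuns") ":" host [":" port]
_STUN_RE = re.compile(
    r"^(?P<scheme>stuns?):(?P<host>[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\])"
    r"(?::(?P<port>\d{1,5}))?$"
)


def check_uri(uri):
    """Return the problems found in one ICE server URI (empty list if it is fine)."""
    m = _TURN_RE.match(uri) or _STUN_RE.match(uri)
    if not m:
        return [f"{uri!r}: not a valid stun/stuns/turn/turns URI (empty host?)"]
    problems = []
    port = m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        problems.append(f"{uri!r}: port {port} out of range")
    if m.group("scheme") == "turns" and m.group("transport") == "udp":
        problems.append(f"{uri!r}: turns (TURN over TLS) only runs over TCP")
    return problems


def check_ice_servers(text):
    """Validate the JSON text of an ice-servers.json; return a list of problems."""
    try:
        servers = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(servers, list):
        return ["top-level value must be a JSON array of server objects"]
    problems = []
    for i, srv in enumerate(servers):
        if not isinstance(srv, dict):
            problems.append(f"entry {i}: not an object")
            continue
        # Go's encoding/json matches keys case-insensitively, so "Urls" == "urls".
        fields = {k.lower(): v for k, v in srv.items()}
        urls = fields.get("urls")
        if isinstance(urls, str):
            urls = [urls]
        if not urls or not isinstance(urls, list):
            problems.append(f'entry {i}: missing or empty "urls"')
            continue
        needs_credentials = False
        for uri in urls:
            if not isinstance(uri, str):
                problems.append(f"entry {i}: non-string url {uri!r}")
                continue
            problems.extend(f"entry {i}: {p}" for p in check_uri(uri))
            if uri.startswith("turn"):
                needs_credentials = True
        if needs_credentials:
            # A relay without credentials is rejected by the TURN server (lt-cred-mech).
            if not fields.get("credential"):
                problems.append(f"entry {i}: turn server without a credential")
            if not fields.get("username") and fields.get("credentialtype") != "hmac-sha1":
                problems.append(f"entry {i}: turn server without a username")
    return problems


# Constructed sample: placeholder host and secret, not a real deployment.
GOOD_SAMPLE = """[
  {
    "Urls": ["turn:turn.example.org:3478", "turn:turn.example.org:3478?transport=tcp"],
    "username": "galene",
    "credential": "PLACEHOLDER-shared-secret"
  }
]"""

# Constructed sample reproducing the elided host and empty credentials from the thread.
BAD_SAMPLE = """[
  {"Urls": ["turn::3478", "turn::3478?transport=tcp"], "username": "", "credential": ""}
]"""

if __name__ == "__main__":
    # Usage: python check_ice_servers.py /home/galene/data/ice-servers.json
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else BAD_SAMPLE
    found = check_ice_servers(text)
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

Run it against the file before restarting Galène (or from the install script, aborting on a non-zero exit); an empty problem list means every URI parses and every relay entry carries credentials.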