From: Fabrice Rouillier <fabrice@rouillier.fr>
Date: Mon, 12 Apr 2021 11:49:03 +0200
To: Rémy Dernat <remy.dernat@umontpellier.fr>
Cc: galene@lists.galene.org
Subject: [Galene] Re: Installation Script
List-Id: Galène videoconferencing server discussion list

Hi Rémy,

Thanks.

Note that you might directly contribute to the GitLab if you want.

For NGINX: great, this allows typing a simpler URL without specifying the 8443 port. I did try Traefik, which also works well as a reverse proxy, especially behind a domestic router with a single IP…

For certbot: yep, this is also a good complement, to have the automatic renewal.

Cheers,

Fabrice.

-------------------------
Fabrice Rouillier
fabrice@rouillier.fr
Virtual office: https://www.rouillier.fr/visio/fabrice

> On 12 Apr 2021 at 09:56, Rémy Dernat <remy.dernat@umontpellier.fr> wrote:
>
> Hi Fabrice,
>
> Thanks. That could be helpful.
>
> Nevertheless, I have done a couple of things that could also be useful for your script. If you want, feel free to pick things/change your script accordingly.
>
> First, there is an nginx configuration available from the Yunohost package here: https://github.com/YunoHost-Apps/galene_ynh/blob/testing/conf/nginx.conf
>
> This configuration file was very useful to me. I am using it for proxying Galène on HTTPS. Here is a resulting configuration using it in /etc/nginx/sites-enabled/galene:
>
> server {
>     listen 443 ssl default_server;
>     listen [::]:443 ssl default_server;
>     server_name galene.domain.tld visio.domain.tld;
>     ssl_certificate /etc/letsencrypt/live/galene.domain.tld/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/galene.domain.tld/privkey.pem;
>
>     location / {
>
>       # Force usage of https
>       if ($scheme = http) {
>         rewrite ^ https://$server_name$request_uri? permanent;
>       }
>
>       proxy_pass        https://127.0.0.1:8443;
>       proxy_redirect    off;
>       proxy_set_header  Host $host;
>       proxy_set_header  X-Real-IP $remote_addr;
>       proxy_set_header  X-Forwarded-Proto $scheme;
>       proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
>       proxy_set_header  X-Forwarded-Host $server_name;
>
>       # WebSocket support
>       proxy_http_version 1.1;
>       proxy_set_header Upgrade $http_upgrade;
>       proxy_set_header Connection "upgrade";
>     }
> }
>
> To avoid any issue with Let's Encrypt renew crons and scripts (that would need another copy in ~galene/data), I added the acl package to allow the galene user to read /etc/letsencrypt/ (instead of just copying the certs in /home/galene/data/):
>
> apt-get install acl
>
> setfacl -R -m u:galene:r /etc/letsencrypt
> setfacl -m u:galene:x /etc/letsencrypt
> setfacl -m u:galene:x /etc/letsencrypt/live
> setfacl -m u:galene:x /etc/letsencrypt/live/galene.domain.tld
> setfacl -m u:galene:x /etc/letsencrypt/archive/galene.domain.tld
> setfacl -m u:galene:x /etc/letsencrypt/archive
>
> ln -s /etc/letsencrypt/live/galene.domain.tld/chain.pem ~galene/data/chain.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/privkey.pem ~galene/data/key.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/privkey.pem ~galene/data/privkey.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/cert.pem ~galene/data/cert.pem
> ln -s /etc/letsencrypt/live/galene.domain.tld/fullchain.pem ~galene/data/fullchain.pem
>
> Then, I also added a configuration file to source in /etc/default/galene, containing (after creating the /var/log directories):
>
> ARGS=" -memprofile /var/log/galene/mem.log  -cpuprofile /var/log/galene/cpu.log"
>
> But you could add your turn configuration or whatever option...
>
> Modification to the systemd script is very simple; just change:
>
> ExecStart=/home/galene/galene
>
> to:
>
> EnvironmentFile=/etc/default/galene
> ExecStart=/home/galene/galene $ARGS
>
> By the way, if anyone knows how to use these {cpu,mem} profile files ...?
>
> Thanks,
>
> Best regards,
>
> Rémy
>
> On 12/04/2021 at 09:10, Fabrice Rouillier wrote:
>> Hi,
>>
>> I have implemented and tested a script to install Galene and a TURN that works behind a router, even a domestic one.
>>
>> You can download it here: https://gitlab.inria.fr/rouillie/visio/-/tree/master/galene
>>
>> It works only for Ubuntu 20.04 or Debian buster for the moment, mainly because I am lazy :-) but it opens the door to a very easy deployment on a cloud or simply at home.
>>
>> Cheers,
>>
>> Fabrice
>> -------------------------
>> Fabrice Rouillier
>> fabrice@rouillier.fr
>> Virtual office: https://www.rouillier.fr/visio/fabrice
>>
>>> On 10 Apr 2021 at 16:41, Fabrice Rouillier <fabrice@rouillier.fr> wrote:
>>>
>>> Hi Juliusz,
>>>
>>> Thanks for your help.
>>> See below for a simple setting that works with our external coturn.
>>>
>>>> The problem is probably that your NAT doesn't implement hairpinning, so
>>>> Galène and the TURN server cannot communicate. Coturn is probably
>>>> connecting over IPv6, which the built-in server doesn't handle.
>>>
>>> I have deactivated IPv6 everywhere and double checked (inspecting about:websocket) in Firefox that it does not use IPv6.
>>>
>>>> Could you please check Galène's log for mentions of a relay test? If the
>>>> server-side relay test (the one in Galène's log) fails, that's probably
>>>> indicative of a problem with hairpinning.
>>>
>>> Server side: the relay test does not fail.
>>>
>>> Client side:
>>>    - using the builtin TURN, the relay test fails,
>>>    - using coturn (on the same server) it works.
>>>
>>>> Fabrice — if your instance of Galène is behind NAT, then I strongly
>>>> recommend running an instance of coturn on a host that is not behind NAT.
>>>
>>> The following works:
>>>
>>> - port forwarding from my router (Freebox) to a Linux 20.04 VM (VirtualBox):
>>>
>>>    49152-65535 (UDP/TCP)
>>>    3478 (UDP/TCP)
>>>    8443 (UDP/TCP)
>>>
>>> - coturn on the VM with the following configuration
>>>
>>>   listening-port=3478
>>>   fingerprint
>>>   lt-cred-mech
>>>   user=<TURN USER>:<TURN PASSWD>
>>>   server-name=<TURN SERVER NAME>
>>>   realm=<DOMAINE>
>>>
>>> - galene on the VM launched with the option -turn auto
>>>   and data/ice-servers.json with the following contents
>>>
>>> [
>>>     {
>>>         "Urls": [
>>>             "turn:<TURN SERVER NAME>:3478",
>>>             "turn:<TURN SERVER NAME>:3478?transport=tcp"
>>>         ],
>>>         "username": "<TURN USER>",
>>>         "credential": "<TURN PASSWD>"
>>>     }
>>> ]
>>>
>>
>> _______________________________________________
>> Galene mailing list -- galene@lists.galene.org
>> To unsubscribe send an email to galene-leave@lists.galene.org
> -- 
> Rémy Dernat
> IS project manager
> IR CNRS - ISI / ISEM
> _______________________________________________
> Galene mailing list -- galene@lists.galene.org
> To unsubscribe send an email to galene-leave@lists.galene.org

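A small audit script for the symlink layout Rémy describes above (an added example, not code from the thread or from Galène itself; the directory and link names are the ones in his message). It verifies that each link in the data directory exists, resolves to the intended file under live/, and is readable by the user running it; that last check is the one that matters after a certbot renewal, because setfacl -R only covers the files that existed when it ran.

```shell
#!/bin/sh
# check-galene-certs.sh: audit the ~galene/data -> /etc/letsencrypt/live/<domain>
# symlink layout from the thread. Added example, not code from the mailing list
# or from Galène; link names are the ones used in the ln -s lines above.
# Usage: check-galene-certs.sh /etc/letsencrypt/live/galene.domain.tld /home/galene/data
# Run it as the galene user: the readability test is only meaningful then.

# "link name:live file" pairs exactly as in the ln -s lines
# (both key.pem and privkey.pem point at live/privkey.pem).
LINKS="chain.pem:chain.pem key.pem:privkey.pem privkey.pem:privkey.pem cert.pem:cert.pem fullchain.pem:fullchain.pem"

# check_links LIVE_DIR DATA_DIR
# Returns 0 when every link exists, resolves to the intended live/ file and is
# readable by the current user; 1 otherwise, with one line per problem on stderr.
check_links() {
    live=$1; data=$2; bad=0
    for pair in $LINKS; do
        name=${pair%%:*}; target=${pair#*:}
        link="$data/$name"; want="$live/$target"
        if [ ! -L "$link" ]; then
            echo "MISSING: $link is not a symlink" >&2; bad=1; continue
        fi
        if [ ! -e "$link" ]; then
            echo "DANGLING: $link -> $(readlink "$link")" >&2; bad=1; continue
        fi
        # live/ entries are themselves symlinks into archive/, so compare the
        # fully resolved paths rather than the link text.
        got=$(readlink -f "$link"); exp=$(readlink -f "$want")
        if [ "$got" != "$exp" ]; then
            echo "WRONG TARGET: $link -> $got (expected $want)" >&2; bad=1; continue
        fi
        # A file the galene user cannot open (for instance a key file certbot
        # created at renewal, which an earlier one-off setfacl -R never saw)
        # is caught here instead of at Galène's next start.
        if [ ! -r "$link" ]; then
            echo "UNREADABLE: $link (check the setfacl entries on $got)" >&2; bad=1
        fi
    done
    return $bad
}

# Run against the given directories when invoked with two arguments.
if [ "$#" -eq 2 ]; then
    check_links "$1" "$2" && echo "all certificate links OK"
fi
```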