Galène videoconferencing server discussion list archives
* [Galene]  Re: Galène with PHP
       [not found] <CA+_U3xZq9jS05zbEz4HAQfX+oUAprigJR4uifQYPpHDzsTSP3Q@mail.gmail.com>
@ 2021-03-02 18:37 ` Juliusz Chroboczek
  2021-03-02 20:48   ` Gabriel Kerneis
       [not found]   ` <CA+_U3xavep8nMpdY5Sg1VmDUf24UfT0nx4+xXB2Q=dcvo2iq5Q@mail.gmail.com>
  0 siblings, 2 replies; 4+ messages in thread
From: Juliusz Chroboczek @ 2021-03-02 18:37 UTC (permalink / raw)
  To: Rob Dean; +Cc: galene

> I was wondering if it were possible to use Galène inside a PHP page, as we want
> to get our students to fill out some details before joining in, and we thought
> that we could use php SESSION cookies to check they've completed everything
> before letting them in.

Sure.  What you'll want to do depends on your security model, though.

The simplest, but least secure, would be to check your session cookie in
the galene.js file; look around line 2600, where it says

    document.getElementById('userform').onsubmit

This is easily gamed by the user (they can edit the source code in the
browser), but if the goal is simply to guide the students and has no
influence on their grades, it's probably good enough.

If, on the other hand, you want stronger security, you'll need to pass the
session cookie to the server and do the validation there.  You'll need to
add a parameter to the serverConnect.join method, pass the value within
the "value" field of the join message, and do the validation in the function
handleClientMessage in webclient.go.

-- Juliusz


* [Galene] Re: Galène with PHP
  2021-03-02 18:37 ` [Galene] Re: Galène with PHP Juliusz Chroboczek
@ 2021-03-02 20:48   ` Gabriel Kerneis
       [not found]   ` <CA+_U3xavep8nMpdY5Sg1VmDUf24UfT0nx4+xXB2Q=dcvo2iq5Q@mail.gmail.com>
  1 sibling, 0 replies; 4+ messages in thread
From: Gabriel Kerneis @ 2021-03-02 20:48 UTC (permalink / raw)
  To: galene

On Tue, 2 Mar 2021, at 19:37, Juliusz Chroboczek wrote:
> > I was wondering if it were possible to use Galène inside a PHP page, as we want
> > to get our students to fill out some details before joining in, and we thought
> > that we could use php SESSION cookies to check they've completed everything
> > before letting them in.
> 
> Sure.  What you'll want to do depends on your security model, though.

Another option would be to write a PHP app that validates whatever requirements, and then updates the groups json file to allow the user in. Galene will automatically reload the json file when the PHP app updates it. Of course, you'll want to be really careful about atomically updating the file (I don't know PHP well enough to know whether this is possible, but my recollection from a couple decades ago is that it could use on-disk lock files).

Gabriel


* [Galene]  Re: Galène with PHP
       [not found]   ` <CA+_U3xavep8nMpdY5Sg1VmDUf24UfT0nx4+xXB2Q=dcvo2iq5Q@mail.gmail.com>
@ 2021-03-05 13:27     ` Juliusz Chroboczek
  2021-03-05 15:56       ` Jeroen van Veen
  0 siblings, 1 reply; 4+ messages in thread
From: Juliusz Chroboczek @ 2021-03-05 13:27 UTC (permalink / raw)
  To: Rob Dean; +Cc: galene

> I'm still wondering how to get PHP working on port 8443, so that I can run PHP
> and MYSQL alongside Galene. (e.g. https://www.servername.com:8443/test.php)

One way would be to run Galène behind a frontend proxy such as nginx or
Apache.  The frontend would need to proxy the WebSocket at /ws to Galène,
and to proxy any PHP requests to a PHP interpreter, probably over fcgi.
As to the static pages, it's probably best to have them served directly by
the frontend.

> I definitely cannot have a host php page running on port 80 that
> attempts to create the websocket for Galene over on port 8443 via
> javascript.

You could probably do that.  You'd just need to very slightly relax
Galène's security checks, by doing something like the appended patch
(untested).

In case you want to understand what it does: by default, Galène accepts
WebSocket connections if either they don't carry an Origin header, or they
carry an Origin header that matches the host:port of the server; this
avoids attacks where third-party Javascript is used to access a server
that is behind a firewall.  The attached patch relaxes the latter part of
the test, by only checking the hostname, not the port.  You may tweak the
test as needed.

-- Juliusz

diff --git a/webserver/webserver.go b/webserver/webserver.go
index e336f88..9aaac4a 100644
--- a/webserver/webserver.go
+++ b/webserver/webserver.go
@@ -10,6 +10,7 @@ import (
 	"html"
 	"io"
 	"log"
+	"net"
 	"net/http"
 	"net/url"
 	"os"
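
Review bot: this import hunk adds only "net", while the CheckOrigin function added further down in the patch calls strings.EqualFold, and "strings" is not among the visible context lines here. Confirm that "strings" is already in this import block, otherwise the file will not compile.
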
@@ -440,6 +441,25 @@ func statsHandler(w http.ResponseWriter, r *http.Request, dataDir string) {
 
 var wsUpgrader = websocket.Upgrader{
 	HandshakeTimeout: 30 * time.Second,
+	CheckOrigin: func(r *http.Request) bool {
+		origin := r.Header["Origin"]
+		if len(origin) == 0 {
+			return true
+		}
+		u, err := url.Parse(origin[0])
+		if err != nil {
+			return false
+		}
+		host1, _, err := net.SplitHostPort(u.Host)
+		if err != nil {
+			return false
+		}
+		host2, _, err := net.SplitHostPort(r.Host)
+		if err != nil {
+			return false
+		}
+		return strings.EqualFold(host1, host2)
+	},
 }
 
 func wsHandler(w http.ResponseWriter, r *http.Request) {
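
Review bot: net.SplitHostPort returns an error when its argument has no port, so the `host1, _, err := net.SplitHostPort(u.Host)` step in the added CheckOrigin rejects an Origin such as http://www.servername.com, which is what a browser sends for a page on port 80 (the default port is omitted from the Origin header). That is the case this change is meant to allow. Use u.Hostname() for the Origin side, and for r.Host fall back to the unsplit value when no port is present instead of returning false.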

^ permalink raw reply	[flat|nested] 4+ messages in thread
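
The Origin test described in the message above, as an added example that is not part of the original post or of Galène's code: it compares the Origin header with the request's Host either strictly (host:port) or by hostname only, and accepts origins on a default port, which carry no explicit port. The function names and the sample hosts are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// hostOnly strips an optional port; a host without a port is returned as is
// (hypothetical helper, not a Galène function).
func hostOnly(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return strings.Trim(hostport, "[]") // bare IPv6 literal such as "[::1]"
}

// originAllowed follows the rule described in the message: a request with no
// Origin header is accepted; otherwise the Origin must match the request Host.
// With ignorePort set, only the hostnames are compared (the relaxed variant).
func originAllowed(origin, reqHost string, ignorePort bool) bool {
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	if ignorePort {
		return strings.EqualFold(u.Hostname(), hostOnly(reqHost))
	}
	return strings.EqualFold(u.Host, reqHost)
}

func main() {
	// Constructed sample origins, checked against a server reached as
	// www.example.org:8443.
	const reqHost = "www.example.org:8443"
	for _, origin := range []string{
		"",                               // non-browser client, no Origin header
		"https://www.example.org:8443",   // page served by the same host:port
		"http://www.example.org",         // page on port 80: no port in Origin
		"https://other.example.net:8443", // third-party page
	} {
		fmt.Printf("%-34q strict=%-5v hostOnly=%v\n", origin,
			originAllowed(origin, reqHost, false),
			originAllowed(origin, reqHost, true))
	}
}
```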

* [Galene] Re: Galène with PHP
  2021-03-05 13:27     ` Juliusz Chroboczek
@ 2021-03-05 15:56       ` Jeroen van Veen
  0 siblings, 0 replies; 4+ messages in thread
From: Jeroen van Veen @ 2021-03-05 15:56 UTC (permalink / raw)
  To: Juliusz Chroboczek; +Cc: Rob Dean, galene

Not directly related to PHP & Nginx, but here is an example config of running
Galene behind an Nginx proxy: https://github.com/garage44/pyrite/wiki/Proxy-Config

- Jeroen



‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, March 5, 2021 2:27 PM, Juliusz Chroboczek <jch@irif.fr> wrote:

> > I'm still wondering how to get PHP working on port 8443, so that I can run PHP
> > and MYSQL alongside Galene. (e.g. https://www.servername.com:8443/test.php)
>
> One way would be to run Galène behind a frontend proxy such as nginx or
> Apache. The frontend would need to proxy the WebSocket at /ws to Galène,
> and to proxy any PHP requests to a PHP interpreter, probably over fcgi.
> As to the static pages, it's probably best to have them served directly by
> the frontend.
>
> > I definitely cannot have a host php page running on port 80 that
> > attempts to create the websocket for Galene over on port 8443 via
> > javascript.
>
> You could probably do that. You'd just need to very slightly relax
> Galène's security checks, by doing something like the appended patch
> (untested).
>
> In case you want to understand what it does: by default, Galène accepts
> WebSocket connections if either they don't carry an Origin header, or they
> carry an Origin header that matches the host:port of the server; this
> avoids attacks where third-party Javascript is used to access a server
> that is behind a firewall. The attached patch relaxes the latter part of
> the test, by only checking the hostname, not the port. You may tweak the
> test as needed.
>
> -- Juliusz
>
> diff --git a/webserver/webserver.go b/webserver/webserver.go
> index e336f88..9aaac4a 100644
> --- a/webserver/webserver.go
> +++ b/webserver/webserver.go
> @@ -10,6 +10,7 @@ import (
> "html"
> "io"
> "log"
>
> -   "net"
>     "net/http"
>     "net/url"
>     "os"
>     @@ -440,6 +441,25 @@ func statsHandler(w http.ResponseWriter, r *http.Request, dataDir string) {
>
>     var wsUpgrader = websocket.Upgrader{
>     HandshakeTimeout: 30 * time.Second,
>
> -   CheckOrigin: func(r *http.Request) bool {
> -         origin := r.Header["Origin"]
>
>
> -         if len(origin) == 0 {
>
>
> -         	return true
>
>
> -         }
>
>
> -         u, err := url.Parse(origin[0])
>
>
> -         if err != nil {
>
>
> -         	return false
>
>
> -         }
>
>
> -         host1, _, err := net.SplitHostPort(u.Host)
>
>
> -         if err != nil {
>
>
> -         	return false
>
>
> -         }
>
>
> -         host2, _, err := net.SplitHostPort(r.Host)
>
>
> -         if err != nil {
>
>
> -         	return false
>
>
> -         }
>
>
> -         return strings.EqualFold(host1, host2)
>
>
> -   },
>     }
>
>     func wsHandler(w http.ResponseWriter, r *http.Request) {
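
Review bot: the final `return strings.EqualFold(host1, host2)` compares hostnames only, so a page served from the same hostname on any port, and over plain http as well as https, passes the check. If only one extra origin is needed (the PHP page), compare the whole Origin against an explicit list of allowed scheme://host:port values instead of dropping the port for everyone.
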
>
>



