Galène videoconferencing server discussion list archives
* [Galene] Galène with PHP
@ 2021-03-02 17:59 Rob Dean
  2021-03-02 18:37 ` [Galene] " Juliusz Chroboczek
  0 siblings, 1 reply; 6+ messages in thread
From: Rob Dean @ 2021-03-02 17:59 UTC (permalink / raw)
  To: galene

Hi there everyone,

I was wondering if it were possible to use Galène inside a PHP page, as we
want to get our students to fill out some details before joining in, and we
thought that we could use php SESSION cookies to check they've completed
everything before letting them in.

Best wishes and kind regards,

Rob

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Galene]  Re: Galène with PHP
  2021-03-02 17:59 [Galene] Galène with PHP Rob Dean
@ 2021-03-02 18:37 ` Juliusz Chroboczek
  2021-03-02 20:48   ` Gabriel Kerneis
  2021-03-05 11:49   ` Rob Dean
  0 siblings, 2 replies; 6+ messages in thread
From: Juliusz Chroboczek @ 2021-03-02 18:37 UTC (permalink / raw)
  To: Rob Dean; +Cc: galene

> I was wondering if it were possible to use Galène inside a PHP page, as we want
> to get our students to fill out some details before joining in, and we thought
> that we could use php SESSION cookies to check they've completed everything
> before letting them in.

Sure.  What you'll want to do depends on your security model, though.

The simplest, but least secure, would be to check your session cookie in
the galene.js file; look around line 2600, where it says

    document.getElementById('userform').onsubmit

This is easily gamed by the user (they can edit the source code in the
browser), but if the goal is simply to guide the students and has no
influence on their grades, it's probably good enough.

If, on the other hand, you want stronger security, you'll need to pass the
session cookie to the server and do the validation there.  You'll need to
add a parameter to the serverConnect.join method, pass the value within
the "value" field of the join message, and do the validation in the function
handleClientMessage in webclient.go.

-- Juliusz

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Galene] Re: Galène with PHP
  2021-03-02 18:37 ` [Galene] " Juliusz Chroboczek
@ 2021-03-02 20:48   ` Gabriel Kerneis
  2021-03-05 11:49   ` Rob Dean
  1 sibling, 0 replies; 6+ messages in thread
From: Gabriel Kerneis @ 2021-03-02 20:48 UTC (permalink / raw)
  To: galene

On Tue, 2 Mar 2021, at 19:37, Juliusz Chroboczek wrote:
> > I was wondering if it were possible to use Galène inside a PHP page, as we want
> > to get our students to fill out some details before joining in, and we thought
> > that we could use php SESSION cookies to check they've completed everything
> > before letting them in.
> 
> Sure.  What you'll want to do depends on your security model, though.

Another option would be to write a PHP app that validates whatever requirements, and then updates the groups json file to allow the user in. Galene will automatically reload the json file when the PHP app updates it. Of course, you'll want to be really careful about atomically updating the file (I don't know PHP well enough to know whether this is possible, but my recollection from a couple decades ago is that it could use on-disk lock files).

Gabriel

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Galene] Re: Galène with PHP
  2021-03-02 18:37 ` [Galene] " Juliusz Chroboczek
  2021-03-02 20:48   ` Gabriel Kerneis
@ 2021-03-05 11:49   ` Rob Dean
  2021-03-05 13:27     ` Juliusz Chroboczek
  1 sibling, 1 reply; 6+ messages in thread
From: Rob Dean @ 2021-03-05 11:49 UTC (permalink / raw)
  To: Juliusz Chroboczek; +Cc: galene

Hi Everyone,

I'm still wondering how to get PHP working on port 8443, so that I can run
PHP and MYSQL alongside Galene. (e.g.
https://www.servername.com:8443/test.php)

Is this query beyond the scope of this group, and more of an Apache
configuration issue?

As you can tell there is a gap in my knowledge of this kind of architecture
but from my testing, I definitely cannot have a host php page running on
port 80 that attempts to create the websocket for Galene over on port 8443
via javascript. That definitely doesn't work, and therefore, for a
successful Galene connection, I need to use an https uri request on port
8443, before the javascript makes the wss connection.
This means therefore, for my design to work, I need PHP to run on port 8443.
Any ideas how to get PHP running on port 8443?

Hopefully we can forge an answer although I realise this is slightly
leftfield to the amazing development of core Galène that you're all working
on.

Best wishes and kind regards,
Rob

On Tue, 2 Mar 2021 at 18:37, Juliusz Chroboczek <jch@irif.fr> wrote:

> > I was wondering if it were possible to use Galène inside a PHP page, as we want
> > to get our students to fill out some details before joining in, and we thought
> > that we could use php SESSION cookies to check they've completed everything
> > before letting them in.
>
> Sure.  What you'll want to do depends on your security model, though.
>
> The simplest, but least secure, would be to check your session cookie in
> the galene.js file; look around line 2600, where it says
>
>     document.getElementById('userform').onsubmit
>
> This is easily gamed by the user (they can edit the source code in the
> browser), but if the goal is simply to guide the students and has no
> influence on their grades, it's probably good enough.
>
> If, on the other hand, you want stronger security, you'll need to pass the
> session cookie to the server and do the validation there.  You'll need to
> add a parameter to the serverConnect.join method, pass the value within
> the "value" field of the join message, and do the validation in the function
> handleClientMessage in webclient.go.
>
> -- Juliusz
>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Galene]  Re: Galène with PHP
  2021-03-05 11:49   ` Rob Dean
@ 2021-03-05 13:27     ` Juliusz Chroboczek
  2021-03-05 15:56       ` Jeroen van Veen
  0 siblings, 1 reply; 6+ messages in thread
From: Juliusz Chroboczek @ 2021-03-05 13:27 UTC (permalink / raw)
  To: Rob Dean; +Cc: galene

> I'm still wondering how to get PHP working on port 8443, so that I can run PHP
> and MYSQL alongside Galene. (e.g. https://www.servername.com:8443/test.php)

One way would be to run Galène behind a frontend proxy such as nginx or
Apache.  The frontend would need to proxy the WebSocket at /ws to Galène,
and to proxy any PHP requests to a PHP interpreter, probably over fcgi.
As to the static pages, it's probably best to have them served directly by
the frontend.

> I definitely cannot have a host php page running on port 80 that
> attempts to create the websocket for Galene over on port 8443 via
> javascript.

You could probably do that.  You'd just need to very slightly relax
Galène's security checks, by doing something like the appended patch
(untested).

In case you want to understand what it does: by default, Galène accepts
WebSocket connections if either they don't carry an Origin header, or they
carry an Origin header that matches the host:port of the server; this
avoids attacks where third-party Javascript is used to access a server
that is behind a firewall.  The attached patch relaxes the latter part of
the test, by only checking the hostname, not the port.  You may tweak the
test as needed.

-- Juliusz

diff --git a/webserver/webserver.go b/webserver/webserver.go
index e336f88..9aaac4a 100644
--- a/webserver/webserver.go
+++ b/webserver/webserver.go
@@ -10,6 +10,7 @@ import (
 	"html"
 	"io"
 	"log"
+	"net"
 	"net/http"
 	"net/url"
 	"os"
@@ -440,6 +441,25 @@ func statsHandler(w http.ResponseWriter, r *http.Request, dataDir string) {
 
 var wsUpgrader = websocket.Upgrader{
 	HandshakeTimeout: 30 * time.Second,
+	CheckOrigin: func(r *http.Request) bool {
+		origin := r.Header["Origin"]
+		if len(origin) == 0 {
+			return true
+		}
+		u, err := url.Parse(origin[0])
+		if err != nil {
+			return false
+		}
+		host1, _, err := net.SplitHostPort(u.Host)
+		if err != nil {
+			return false
+		}
+		host2, _, err := net.SplitHostPort(r.Host)
+		if err != nil {
+			return false
+		}
+		return strings.EqualFold(host1, host2)
+	},
 }
 
 func wsHandler(w http.ResponseWriter, r *http.Request) {
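
Review bot: The two net.SplitHostPort calls in CheckOrigin return an error whenever the value carries no explicit port, so an Origin such as http://www.servername.com (a page served on a default port, which is the case this change is meant to allow) ends in "return false". Take the origin's host with u.Hostname() instead, and fall back to the whole of r.Host when it has no port. The scheme is never compared and any port on the same hostname is now accepted, so every service on that host becomes a trusted origin for the WebSocket; a comment above CheckOrigin saying this is intended would help. The new code also calls strings.EqualFold while the import hunk adds only "net", so confirm "strings" is already imported.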

^ permalink raw reply	[flat|nested] 6+ messages in thread
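
The Origin policy described in the message above, worked through as an added example (not code from Galène or from the patch): strictOrigin models the default host:port match as the message describes it, relaxedOrigin compares hostnames only and also accepts values without an explicit port. The function names, the hostOnly helper and the sample origins are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// hostOnly strips an optional port from a host[:port] value; unlike a bare
// net.SplitHostPort call it also accepts values that carry no port.
func hostOnly(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return strings.Trim(hostport, "[]") // no port: plain name or bracketed IPv6
}

// strictOrigin models the default policy: accept when there is no Origin
// header, or when the Origin's host:port equals the request's Host.
func strictOrigin(origin, host string) bool {
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	return err == nil && strings.EqualFold(u.Host, host)
}

// relaxedOrigin compares hostnames only, ignoring the port on either side.
func relaxedOrigin(origin, host string) bool {
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Hostname() == "" {
		return false
	}
	return strings.EqualFold(u.Hostname(), hostOnly(host))
}

func main() {
	host := "www.servername.com:8443" // Host header seen by the server (constructed)
	for _, o := range []string{"", "https://www.servername.com:8443",
		"http://www.servername.com", "https://other.example:8443"} {
		fmt.Printf("%-34q strict=%-5v relaxed=%v\n", o, strictOrigin(o, host), relaxedOrigin(o, host))
	}
}
```

Under the relaxed check every port on the same hostname counts as a trusted origin, so it only fits hosts where all services are under the same control.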

* [Galene] Re: Galène with PHP
  2021-03-05 13:27     ` Juliusz Chroboczek
@ 2021-03-05 15:56       ` Jeroen van Veen
  0 siblings, 0 replies; 6+ messages in thread
From: Jeroen van Veen @ 2021-03-05 15:56 UTC (permalink / raw)
  To: Juliusz Chroboczek; +Cc: Rob Dean, galene

Not directly related to PHP & Nginx, but here is an example config of running
Galene behind a Nginx proxy: https://github.com/garage44/pyrite/wiki/Proxy-Config

- Jeroen



‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, March 5, 2021 2:27 PM, Juliusz Chroboczek <jch@irif.fr> wrote:

> > I'm still wondering how to get PHP working on port 8443, so that I can run PHP
> > and MYSQL alongside Galene. (e.g. https://www.servername.com:8443/test.php)
>
> One way would be to run Galène behind a frontend proxy such as nginx or
> Apache. The frontend would need to proxy the WebSocket at /ws to Galène,
> and to proxy any PHP requests to a PHP interpreter, probably over fcgi.
> As to the static pages, it's probably best to have them served directly by
> the frontend.
>
> > I definitely cannot have a host php page running on port 80 that
> > attempts to create the websocket for Galene over on port 8443 via
> > javascript.
>
> You could probably do that. You'd just need to very slightly relax
> Galène's security checks, by doing something like the appended patch
> (untested).
>
> In case you want to understand what it does: by default, Galène accepts
> WebSocket connections if either they don't carry an Origin header, or they
> carry an Origin header that matches the host:port of the server; this
> avoids attacks where third-party Javascript is used to access a server
> that is behind a firewall. The attached patch relaxes the latter part of
> the test, by only checking the hostname, not the port. You may tweak the
> test as needed.
>
> -- Juliusz
>
> diff --git a/webserver/webserver.go b/webserver/webserver.go
> index e336f88..9aaac4a 100644
> --- a/webserver/webserver.go
> +++ b/webserver/webserver.go
> @@ -10,6 +10,7 @@ import (
> "html"
> "io"
> "log"
>
> -   "net"
>     "net/http"
>     "net/url"
>     "os"
>     @@ -440,6 +441,25 @@ func statsHandler(w http.ResponseWriter, r *http.Request, dataDir string) {
>
>     var wsUpgrader = websocket.Upgrader{
>     HandshakeTimeout: 30 * time.Second,
>
> -   CheckOrigin: func(r *http.Request) bool {
> -         origin := r.Header["Origin"]
>
>
> -         if len(origin) == 0 {
>
>
> -         	return true
>
>
> -         }
>
>
> -         u, err := url.Parse(origin[0])
>
>
> -         if err != nil {
>
>
> -         	return false
>
>
> -         }
>
>
> -         host1, _, err := net.SplitHostPort(u.Host)
>
>
> -         if err != nil {
>
>
> -         	return false
>
>
> -         }
>
>
> -         host2, _, err := net.SplitHostPort(r.Host)
>
>
> -         if err != nil {
>
>
> -         	return false
>
>
> -         }
>
>
> -         return strings.EqualFold(host1, host2)
>
>
> -   },
>     }
>
>     func wsHandler(w http.ResponseWriter, r *http.Request) {
>
>



^ permalink raw reply	[flat|nested] 6+ messages in thread
