jech / galene Goto Github PK
View Code? Open in Web Editor NEWThe Galène videoconference server
Home Page: https://galene.org
License: MIT License
The Galène videoconference server
Home Page: https://galene.org
License: MIT License
Galene is a videoconferencing server that is easy to deploy and requires moderate server resources. It is described at <https://galene.org>. # Installation See the file INSTALL in this directory for installation instructions. # Usage ## Locations There is a landing page at the root of the server. It contains a form for typing the name of a group, and a clickable list of public groups. Groups are available under `/group/groupname/`. You may share this URL with others, there is no need to go through the landing page. Recordings can be accessed under `/recordings/groupname/`. This is only available to the administrator of the group. Some statistics are available under `/stats.json`, with a human-readable version at `/stats.html`. This is only available to the server administrator. ## Main interface After logging in, the user is confronted with the main interface. ### Buttons There are up to three buttons at the top. The *Enable*/*Disable* button enables either or both the camera and the microphone (depending on the options set in the side menu, see below). The *Mute* button mutes or unmutes the microphone. The *Share Screen* button shares the screen or a window. ### Side menu There is a menu on the right of the user interface. This allows choosing the camera and microphone and setting the video throughput. The *Blackboard mode* checkbox increases resolution and sacrifices framerate in favour of image quality. The *Play local file* dialog allows streaming a video from a local file. ### User list There is a user list on the left. Clicking on a user opens a menu with actions that can be applied to that user. Clicking on ones own username opens a menu with actions that are global to the group. ### Chat pane Double-clicking on a message opens a contextual menu. ### Text box Typing a string in the text box at the bottom of the chat pane sends a broadcast message to all of the users in the group. Typing a line starting with a slash `/` in the text box causes a command to be sent to the server. Type `/help` to get the list of available commands; the output depends on whether you are an operator or not. # The global configuration file The server may be configured in the JSON file `data/config.json`. This file may look as follows: { "users":{"root": {"password":"secret", "permissions": "admin"}}, "canonicalHost": "galene.example.org" } The fields are as follows: - `users` defines the users allowed to administer the server, and has the same syntax as user definitions in groups (see below), except that the only meaningful permission is `"admin"`; - `writableGroups`: if true, then the API can modify group description files; by default, group files are treated as read-only; - `publicServer`: if true, then cross-origin access to the server is allowed. This is safe if the server is on the public Internet, but not necessarily so if it is on a private network. - `proxyURL`: if running behind a reverse proxy, this specifies the root URL that will be visible outside the proxy. - `canonicalHost`: the canonical name of the host running the server; this will cause clients to be redirected if they use a different hostname to access the server. # Group definitions Groups are defined by files in the `./groups` directory (this may be configured by the `-groups` command-line option, try `./galene -help`). The definition for the group called *groupname* is in the file `groups/groupname.json`; it does not contain the group name, which makes it easy to copy or link group definitions. You may use subdirectories: a file `groups/teaching/networking.json` defines a group called *teaching/networking*. ## Examples A typical group definition file looks like this: { "users":{ "jch": {"password":"1234", "permissions": "op"} }, "allow-recording": true, "auto-subgroups": true } This defines a group with the operator (administrator) username *jch* and password *1234*. The `allow-recording` entry says that the operator is allowed to record videos to disk, and the `auto-subgroups` entry says that subgroups will be created automatically. This particular group does not allow password login for ordinary users, and is suitable if you use invitations (see *Stateful Tokens* below) for ordinary users. In order to allow password login for ordinary users, add password entries with the permission `present`: { "users":{ "jch": {"password": "1234", "permissions": "op"} "john": {"password": "secret", "permissions": "present"} } } If the group is to be publicly accessible, you may allow logins with any username using the `wildcard-user` entry:: { "users":{ "jch": {"password":"1234", "permissions": "op"} }, "wildcard-user": {"password": "1234", "permissions": "present"}, "public": true } If you want to allow users to use any password, use a wildcard password: { "users":{ "jch": {"password":"1234", "permissions": "op"} }, "wildcard-user": {"password": {"type": "wildcard"}, "permissions": "present"}, "public": true } ## Reference Every group definition file contains a single JSON directory (a list of entries between `{' and `}'). All fields are optional, but unless you specify at least one user definition (`op`, `presenter`, or `other`), nobody will be able to join the group. The following fields are allowed: - `users`: is a dictionary that maps user names to dictionaries with entries `password` and `permissions`; `permissions` should be one of `op`, `present` or `passive`; - `wildcard-user` is a dictionaries with entries `password` and `permissions` that will be used for usernames with no matching entry in the `users` dictionary; - `authKeys`, `authServer` and `authPortal`: see *Authorisation* below; - `public`: if true, then the group is listed on the landing page; - `displayName`: a human-friendly version of the group name; - `description`: a human-readable description of the group; this is displayed on the landing page for public groups; - `contact`: a human-readable contact for this group, such as an e-mail address; - `comment`: a human-readable string; - `max-clients`: the maximum number of clients that may join the group at a time; - `max-history-age`: the time, in seconds, during which chat history is kept (default 14400, i.e. 4 hours); - `not-before` and `expires`: the times (in ISO 8601 or RFC 3339 format) between which joining the group is allowed; - `allow-recording`: if true, then recording is allowed in this group; - `unrestricted-tokens`: if true, then ordinary users (without the "op" privilege) are allowed to create tokens; - `allow-anonymous`: if true, then users may connect with an empty username; - `auto-subgroups`: if true, then subgroups of the form `group/subgroup` are automatically created when first accessed; - `autolock`: if true, the group will start locked and become locked whenever there are no clients with operator privileges; - `autokick`: if true, all clients will be kicked out whenever there are no clients with operator privileges; this is not recommended, prefer the `autolock` option instead; - `redirect`: if set, then attempts to join the group will be redirected to the given URL; most other fields are ignored in this case; - `codecs`: this is a list of codecs allowed in this group. The default is `["vp8", "opus"]`. Supported video codecs include: - `"vp8"` (compatible with all supported browsers); - `"vp9"` (better video quality, but incompatible with Safari); - `"av1"` (even better video quality, only supported by some browsers, recording is not supported, SVC is not supported); - `"h264"` (incompatible with Debian and with some Android devices, SVC is not supported). Supported audio codecs include `"opus"`, `"g722"`, `"pcmu"` and `"pcma"`. Only Opus can be recorded to disk. There is no good reason to use anything except Opus. ## Client Authorisation Galene implements three authorisation methods: a simple username/password authorisation scheme, a scheme using stateful tokens and a mechanism based on cryptographic tokens that are generated by an external server. The former two mechanism are intended to be used in standalone installations, while the server-based mechanism is designed to allow easy integration with an existing authorisation infrastructure (such as LDAP, OAuth2, or even Unix passwords). ### Password authorisation When password authorisation is used, authorised usernames and password are defined directly in the group configuration file, in the `users` and `fallback-users` entries. The `users` entry is a dictionary that maps user names to user descriptions; the `fallback-users` is a list of user descriptions that are used with usernames that don't appear in `users`. Every user description is a dictionary with fields `password` and `permissions`. The `password` field may be a literal password string, or a dictionary describing a hashed password or a wildcard. The `permissions` field should be one of `op`, `present` or `passive`. (An array of Galene's internal permissions is also allowed, but this is not recommended, since internal permissions may vary from version to version). For fexample, the entry "users": {"jch": {"password": "1234", "permissions": "op"}} specifies that user "jch" may login as operator with password "1234", while "fallback-users": [{"password": "1234", "permissions": "present"}] allows any username with password *1234*. Finally, "fallback-users": [ {"password": {"type": "wildcard"}, "permissions": "present"} ] allows any username with any password. ### Hashed passwords If you don't wish to store cleartext passwords on the server, you may generate hashed passwords with the `galene-password-generator` utility. A user entry with a hashed password looks like this: "users": { "jch": { "password": { "type": "pbkdf2", "hash": "sha-256", "key": "f591c35604e6aef572851d9c3543c812566b032b6dc083c81edd15cc24449913", "salt": "92bff2ace56fe38f", "iterations": 4096 }, "permissions": "op" } } ### Stateful tokens Stateful tokens allow to temporarily grant access to a user. In order to generate a stateful token, the group administrator types /invite user period where `user` is the username granted to the temporary user, and `period` is the time period for which the token will be valid (for example `2d` meaning 2 days). The server replies with a link, valid the given time period, that may be sent to the temporary user for example by e-mail. Tokens may also be granted without imposing a specific username: /invite '' 2d Stateful tokens are revokable (use the `/revoke` command) and their lifetime may be extended (use the `/reinvite` command). ### Authorisation servers Galene is able to delegate authorisation decisions to an external authorisation server. This makes it possible to integrate Galene with an existing authentication and authorisation infrastructure, such as LDAP, OAuth2 or even Unix passwords. When an authorisation server is used, the group configuration file specifies one or more public keys in JWK format. In addition, it may specify either an authorisation server or an authorisation portal. { "authKeys": [{ "kty": "oct", "alg": "HS256", "k": "MYz3IfCq4Yq-UmPdNqWEOdPl4C_m9imHHs9uveDUJGQ", "kid": "20211030" }, { "kty": "EC", "alg": "ES256", "crv": "P-256", "x": "dElK9qBNyCpRXdvJsn4GdjrFzScSzpkz_I0JhKbYC88", "y": "pBhVb37haKvwEoleoW3qxnT4y5bK35_RTP7_RmFKR6Q", "kid": "20211101" }] "authServer": "https://auth.example.org", } The `kid` field serves to distinguish among multiple keys, and must match the value provided by the authorisation server. If the server doesn't provide a `kid`, the first key with a matching `alg` field will be used. If an authorisation server is specified, then the default client, after it prompts for a password, will request a token from the authorisation server and will join the group using token authentication. The password is never communicated to the server. If an authorisation portal is specified, then the default client will redirect initial client connections to the authorisation portal. The authorisation portal is expected to authorise the client and then redirect it to Galene with the `username` and `token` query parameters set. # Further information Galène's web page is at <https://galene.org>. Answers to common questions and issues are at <https://galene.org/faq.html>. -- Juliusz Chroboczek <https://www.irif.fr/~jch/>
Hi,
On ARMv7 Linux, galène panics when calling 64-bit atomic functions (LoadingUint64
, StoreUint64
, ...).
An example when joining a group with two users:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x11ce8]
goroutine 213 [running]:
runtime/internal/atomic.goLoad64(0x8b62ac, 0x3828549, 0x3b9aca00)
/usr/local/go/src/runtime/internal/atomic/atomic_arm.go:131 +0x1c
github.com/jech/galene/rtpconn.sendSR(0x85d260, 0x910a58, 0x1)
/dir/to/galene/rtpconn/rtpconn.go:838 +0x174
github.com/jech/galene/rtpconn.rtcpUpListener(0xcc2a00, 0x8ae1c0, 0xd6a0c0)
/dir/to/galene/rtpconn/rtpconn.go:718 +0x508
created by github.com/jech/galene/rtpconn.newUpConn.func1
/dir/to/galene/rtpconn/rtpconn.go:476 +0x258
It seems to be a known bug of the atomic
package (https://golang.org/pkg/sync/atomic/#pkg-note-BU) which requires 64-bit values accessed atomically to be 64-bit aligned.
Hello,
I just discovered in the README:
What are subgroups?
Subgroup's are Galène's replacement for what other videoconferencing software calls break-out groups; we have found them to be useful for student practicals, where students work in groups of 2 or 3 people. A subgroup of a group G is simply a group with a name of the form G/H, i.e. the name of G followed by a slash followed by a string H. The administrator can get the list of all active (non-empty) subgroups of the current group with the command /subgroups.
There are two ways to create subgroups. The first is to create them manually, just like ordinary groups: the subgroup G/H is defined by the file groups/G/H.json, i.e. file H.json in a subdirectory of the groups directory. The second is to specify 'allow-subgroups': true in G's definition file. When this flag is specified, any subgroup of G will automatically be created whenever somebody attempts to join it. The created subgroup's configuration is an (almost) exact copy of the supergroup's: identical usernames, passwords and permissions.
This feature seems to be present since 29bd67c on November 22:
commit 29bd67cc2224d662ad8732395630ef43337beb76
Author: Juliusz Chroboczek <[email protected]>
Date: Sun Nov 22 19:54:54 2020 +0100
Implement subgroups.
README | 2 ++
group/group.go | 83 +++++++++++++++++++++++++++++++++++++++++++---------------
2 files changed, 64 insertions(+), 21 deletions(-)
Shame that I notice just now. Anyway, I have been trying the two different ways described by the README and none seems to do it for me:
groups/G/H.json
way simply does not show either G
or H
or G/H
.allow-subgroups
way shows a group that behaves as any normal group. In particular, no subgroup is created.I have been testing under cf6c120. for today (January 12). Is this supposed to be working or has this feature been removed from the software and not from the README? If the feature has worked one day, I can try to bisect you the commit at which it stops working for me. I will also gladly provide any extra information that you require.
Best,
— Nicolas
Hi I discovered galene yesterday and just love it. it's simple and very sober on ressources. I tried to install it on my litlle raspberry pi4, and succeed a simple install without turn server. But I use nginx and forced https. and when I go to my galene instance, it says : "Client sent an HTTP request to an HTTPS server."
What should I do to use it behind a nginx reverse proxy ?
Tx for this great software.
Question is about HAPROXY.
Galene is installed sucessfuly but can't see each other on a room.
I only see my own face. (users also see only their own face).
Configuration
Running Galene in a container with only a private IP ( 192.168.10.111)
Public IP is behind another container dedicated to haproxy (192.168.10.252 + PUblic IP ) which send the 443 traffic to Galene container on 8443 port.
Also some iptables redirect for 1194/UDP and 10000-65535 udp port from Haproxy container to Galene container.
when starting Galene:
# ./galene -turn PUBLIC_IP:1194
2021/01/22 11:51:01 Starting built-in TURN server
2021/01/22 11:51:21 Relay test failed: timeout
2021/01/22 11:51:21 Perhaps you didn't configure a TURN server?
2021/01/22 11:53:31 client: read tcp 192.168.10.111:8443->192.168.10.252:35850: read: connection reset by peer
As we can see, it shows Haproxy IP (192.168.10.252) instead of user IP. (X Forward For ?).
Does Galene support haproxy ?
thanks
Hi,
when a conference starts all the audio sliders are at full throttle. This means that if you are in a conference with N participants and one of them has an audio volume much lower than the others, then you have to lower the audio on N-1 participants and increase the overall volume
would it possible to start with all the audio sliders at half throttle so that in the previous case we can just increase the volume of the single problematic participant please
TIA
Beppe
I'm currently working on the context menu of Pyrite(https://github.com/garage44/pyrite/issues/15). To be able
to show the right options, I need to be able to tell what permissions other users have. I'll try to make a PR
out of it.
First of all, this is an amazing tool! Thank you!
I set up a public room on my server and the following two configs work fine:
{
"public": true,
"op": [{}],
"presenter": [{}],
"max-users": 100
}
{
"public": true,
"op": [{}],
"presenter": [],
"max-users": 100
}
But this last one does not work:
{
"public": true,
"op": [],
"presenter": [],
"max-users": 100
}
It reports the following when I try to log in with arbitrary user name and empty password:
The change was turning "op": [{}]
(working) into "op": []
. It is subtle and minor thing, and not really a problem, but I was surprised it is not working, especially given that an empty list seems like the semantically correct line. Given that it is a minor two-character change, I imagine I was not the only one who had a non-working public room on their first attempt.
Thanks for this amazing software!
I'm trying to test the record feature, but I keep having the error message "You are not allowed to record". I'm the op of the group, and I've added this to the group config:
"allow-recording": "true"
What am I doing wrong?
Thanks in advance
Regards
Galene looks very promising. I have just started testing it.
My question: Is there a ays to use Galene with Coturn's static-auth-secret, which does not require a user-name?
Thanks for your response!
Hi,
thanks for galene !
in full screen, the webcam is reversed,
is there an option ?
Hello,
I remember testing a very early version of Galène when it had no name yet, and didn't have CSS either. I also recall that it worked without needing javascript, but anyways...
I'm wondering if it would be possible to use Galène in a very basic mode when Javascript is disabled, the supported version of the browser is out of date, or the browser is not the latest Firefox, with for example only receiving the video and audio, while not being able to talk. It would make the server usable on old and less powerful hardware that some of the less fortune students use to follow there classes.
Hi folks,
Is it deliberate to omit .md
extensions from all the REAME files in project root folder? As a reader it was hurting my eyes to read non-rendered raw Markdown.
I had galene-0.1 working back in January. I recently upgraded to the latest code on GitHub, but now I can't start any audio, video, or screen sharing. I've tested with Firefox, Chromium, and Safari.
After I click on the Ready button and allow the camera and microphone, I get the error message, "The Server said: negotiation failed" in the browser. On the server I get the error, "gotOffer: SetRemoteDescription called with no ice-ufrag".
I get the same errors on galene-0.2. If I go back to version 0.1, everything works again.
Galene is configured to use a TURN server running Coturn on a Digital Ocean droplet. Coturn's use-auth-secret
option is commented out, so I did not specify "credentialType": "hmac-sha1"
in the ice-servers.json file.
Do I need to change my configuration in some way for version 0.2 and later?
Thanks.
Hello
Thanks/Merci for this amazing application, it works very fine.
I've some users who wants to create dynamically a room without registering it through json edition. (it is not user-friendly ^^).
What is the best way ? to create a default public room named "private" and allowing subgroups then the users have to add their room in the URL ?
Do you think it would be possible for future to allow users to create a new room through the root page ? (and to protect the room by a secret/password).
thanks again !
The code that writes a video to disk (diskwriter.go) has a number of limitations:
Fixing this will require changes to both the samplebuilder and webm libraries that the disk writer uses.
If one disable webrtc (about:config => media.peerconnection.enabled set to false), galene will silently fail with a error in the web console:
Uncaught (in promise) ReferenceError: RTCPeerConnection is not defined
newUpStream https://galene.example.org/protocol.js:406
newUpStream https://galene.example.org/galene.js:779
addLocalMedia https://galene.example.org/galene.js:1066
This setting is documented on https://wiki.mozilla.org/Media/WebRTC/Privacy
While that's not a default configuration, some people disable Webrtc for privacy (with https://addons.mozilla.org/en-US/firefox/addon/happy-bonobo-disable-webrtc/ , and afaik, the Tor browser do it).
go version
go version go1.15.6 linux/amd64
CGO_ENABLED=0 go build -ldflags='-s -w'
# runtime/internal/atomic
/usr/local/go/src/runtime/internal/atomic/atomic_amd64x.go:18:6: Load redeclared in this block
previous declaration at /usr/local/go/src/runtime/internal/atomic/atomic_amd64.go:16:24
/usr/local/go/src/runtime/internal/atomic/atomic_amd64x.go:24:6: Loadp redeclared in this block
previous declaration at /usr/local/go/src/runtime/internal/atomic/atomic_amd64.go:22:32
/usr/local/go/src/runtime/internal/atomic/atomic_amd64x.go:30:6: Load64 redeclared in this block
previous declaration at /usr/local/go/src/runtime/internal/atomic/atomic_amd64.go:28:26
/usr/local/go/src/runtime/internal/atomic/atomic_amd64x.go:36:6: LoadAcq redeclared in this block
previous declaration at /usr/local/go/src/runtime/internal/atomic/atomic_amd64.go:34:27
/usr/local/go/src/runtime/internal/atomic/atomic_amd64x.go:41:6: Xadd redeclared in this block
previous declaration at /usr/local/go/src/runtime/internal/atomic/atomic_amd64.go:39:37
/usr/local/go/src/runtime/internal/atomic/atomic_amd64x.go:44:6: Xadd64 redeclared in this block
previous declaration at /usr/local/go/src/runtime/internal/atomic/atomic_amd64.go:42:39
/usr/local/go/src/runtime/internal/atomic/atomic_amd64x.go:47:6: Xadduintptr redeclared in this block
previous declaration at /usr/local/go/src/runtime/internal/atomic/atomic_amd64.go:45:47
/usr/local/go/src/runtime/internal/atomic/atomic_amd64x.go:50:6: Xchg redeclared in this block
previous declaration at /usr/local/go/src/runtime/internal/atomic/atomic_amd64.go:48:36
/usr/local/go/src/runtime/internal/atomic/atomic_amd64x.go:53:6: Xchg64 redeclared in this block
previous declaration at /usr/local/go/src/runtime/internal/atomic/atomic_amd64.go:51:38
/usr/local/go/src/runtime/internal/atomic/atomic_amd64x.go:56:6: Xchguintptr redeclared in this block
previous declaration at /usr/local/go/src/runtime/internal/atomic/atomic_amd64.go:54:45
/usr/local/go/src/runtime/internal/atomic/atomic_amd64x.go:56:6: too many errors
The positioning of videos is not quite correct. The effect is most visible when there are exactly three videos in a tall, thin window: there are two rows, with two videos in the first row, and one in the second.
The issue lies in function resizePeers
in galene.js
, which simply chooses the square root of the number of videos as the number of rows. Something smarter is required.
Hi,
I think it would be nice to be able to customize the location of the certificates used by galene directly with flags on the command line, e.g. -cert /etc/galene/certificate.pem
and -key /etc/galene/key.pem
, instead of forcing them to have specific name and be in the data directory. Part of why I want this is to be able to integrate more nicely with my NixOS package attempt for galene ( NixOS/nixpkgs#109414 ). What do you think ?
Thanks,
Rémy
On Chrome, Safari all is working perfectely
On Firefox, user can connect but is not showing the video of other people. (other can see him).
Is it a general issue on FF ?
thanks
Hi,
After recording a session with several participants and screen shares, galene produces a .webm file for each video stream.
Do you have any plans/ideas about how to mix these files together to replay a session?
My use case is to replay a lecture so student who missed it can see it as it was.
Currently, managing Galène requires manually editing a bunch of JSON files. We need a user-friendly administrative interface.
A few thoughts:
recordings
directory (if you're not recording, Galène can be run from a read-only filesystem);With statik(https://github.com/rakyll/statik), so you juste have to deploy one binary.
The file LICENSE
is currently misspelled LICENCE
. Renaming the file will help detection in GitHub and distribution packaging (I am working on packaging for openSUSE).
Hi. I have a server setup and am proxying behind nginx.
I start the server with:
./galene --turn public.ip.address.here
And am seeing a bunch of errors printed to stdout
:
tls: client offered only unsupported versions: [300]
tls: no cipher suite supported by both client and server
error when handling datagram: failed to handle Allocate-request from 73.38.140.198:57891: relay already allocated for 5-TUPLE
turn ERROR: 2021/03/17 19:52:30 error when handling datagram: failed to create stun message from packet: unexpected EOF: not enough bytes to read header
2021/03/17 03:25:49 ICE: unknown id in ICE
2021/03/17 03:25:49 ICE: unknown id in ICE
2021/03/17 03:25:49 ICE: unknown id in ICE
2021/03/17 03:25:49 ICE: unknown id in ICE
2021/03/17 03:25:49 ICE: unknown id in ICE
2021/03/17 03:25:49 ICE: unknown id in ICE
2021/03/17 03:25:49 ICE: unknown id in ICE
2021/03/17 03:25:49 ICE: unknown id in ICE
2021/03/17 03:25:49 ICE: unknown id in ICE
2021/03/17 03:25:49 ICE: unknown id in ICE
2021/03/17 03:25:49 ICE: unknown id in ICE
2021/03/17 03:25:49 ICE: unknown id in ICE
2021/03/17 03:25:49 ICE: unknown id in ICE
2021/03/17 20:43:25 Relay test successful in 31.700699ms, RTT = 223.554µs
Should I be concerned about these?
Hi, thanks a lot for this great software !
I know it's not an issue with galene, but rather with apache config, but well, I'm a bit stuck:
I can have galene work well in insecure mode, but without sound and audio: I think I've understood this is normal ?
When I install galene behind apache (reverse proxy), TLS fails:
Any hint about how to configure galene behind apache as reverse proxy ?
Thanks a lot !
Here is my apache config:
<VirtualHost *:80>
ServerName audio.cerisara.fr
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8443/ flushpackets=on
ProxyPassReverse / http://127.0.0.1:8443/
RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:8443/$1 [P,L]
# RewriteCond %{SERVER_NAME} =audio.cerisara.fr
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost _default_:443>
ServerName audio.cerisara.fr
ProxyPreserveHost On
ProxyPass / https://127.0.0.1:8443/ flushpackets=on
ProxyPassReverse / https://127.0.0.1:8443/
# SSLCertificateFile /etc/letsencrypt/live/audio.cerisara.fr/fullchain.pem
# SSLCertificateKeyFile /etc/letsencrypt/live/audio.cerisara.fr/privkey.pem
# Include /etc/letsencrypt/options-ssl-apache.conf
RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:8443/$1 [P,L]
</VirtualHost>
I consistently noticed the following behavior:
What happens is that the "Ready" button does not disappear, even if you are no longer connected (see attached screenshot at the end)
But what is really interesting is that you can press the "Ready" button and the image appears. So this is a way to test your webcam without being connected.
If you press "Panic" when you are disconnected, then the "Ready" button no longer appears so you are back at point 1.
This suggests a feature. That is, if when you are disconnected the "Ready" button becomes a "Test video" button, and it is always on the connection page (that is, already at step 1) then you have a way to ... Test your video of course. The only modification that would be necessary is to have also the webcam selection menu in the setting part even when you are not connected (currently I just have the "Other settings" part)
Hi all,
I'm certainly doing something wrong but I don't manage to create a working group, even a very simple one, copying the default public group configuration. What happens is that the Op can log in, but nobody can join the group as the server seems to kick them : the group is locked.
The most simple configuration I tried is the following one, without further success:
{
"op": [{"username": "OP_USER", "password": "OP_PASSWORD"}],
"presenter": [{}]
}
I tried the various option of the documentation. I even tried to copy the public group's config in a new file. Even then I'm locked out of the group as a simple user.
What am I doing wrong?
Thanks.
Thanks for releasing galene. I am working on community galene packaging for openSUSE and it would help with certain packaging automation steps if the release tags used go module versions e.g. v0.1.0
and v0.2.0
. Would you consider adopting this convention?
I think it would work to add tags v0.1.0
and v0.2.0
at the same revisions as galene-0.1
and galene-0.2
and continue the future release sequence from there. This method works locally:
$ git for-each-ref refs/tags
4dc254d7822fcf5eb016a0152e773f83721adb74 tag refs/tags/galene-0.1
5f7455af5bf78c837008e80fe4b67809badce3c0 tag refs/tags/galene-0.2
$ git tag -a -m 'v0.1.0' v0.1.0 4dc254^{}
$ git tag -a -m 'v0.2.0' v0.2.0 5f7455^{}
$ git for-each-ref refs/tags
4dc254d7822fcf5eb016a0152e773f83721adb74 tag refs/tags/galene-0.1
5f7455af5bf78c837008e80fe4b67809badce3c0 tag refs/tags/galene-0.2
533ce3fe8b1cc735c700d6e4bc773a9a1ab0fe7a tag refs/tags/v0.1.0
a9747d99ac7c38217433a647f7f0e4cdc2965aad tag refs/tags/v0.2.0
Hi,
thank you for the software. I'm currently packaging galene for NixOS, and I'd like to know if you could put an example systemd service file directly in this repository to avoid shipping some "custom" one in the downstream package.
Thanks,
Rémy
Hi!
I could not start a meeting today because video streams were not transmitted.
I suspect my university's network is the culprit here, it is known to block some random (useful) ports.
Unfortunately, I'm new to this kind of debugging so I'd be glad if you could give some hints how to identify the problem.
Here is some context I think might be relevant:
Thanks in advance if you can give me some advice how to debug this and let me know if I can do something useful for Galène on this front.
Btw, thanks for making Galène, it is great! It is certainly one of the best open source options for videoconferencing at the moment.
Hi Juliusz,
Thanks for the project. Picked it up from a mention on HN the other day. I absolutely love how uncomplicated the setup is.
I did run into an issue when trying to log into Galene using Mobile Safari (iPad).
More specifically, using a Debian 10 VM with Go 1.15.2, cloned galene repo, built it, created a cert, started with ./galene.
In Firefox on Windows - can connect to https://$ip:8443 and log in. That is, works as expected.
In Safari on iPad - can connect to https://$ip:8443, but a log attempt fails with Couldn't connect to wss://$ip:8443/ws
.
I can however connect and log into your demo server at https://galene.org:8443.
Dug around a bit and found a comment saying that the iOS doesn't allow WSS with self-signed certs. Seemed like a long shot, but still symlinked ./data/cert.pem from ./static and added it to the iOS trust store (by visiting https://$ip:8443/cert.pem and following the prompts). This eliminated the "unknown cert" warning when opening the page, but the log in error remains.
This has gotta be some well-known caveat... Do you happen to know what the heck is going on here?
Regards,
Alex
Scenario causing the issue:
It would be nice to have consistent grid order between all clients as it would enable people to point to their partners, which is not something working well in other meeting software.
I did not look in details yet but I guess this is caused by the client receiving WebRTC tracks in disorder and then creating HTML elements (in disorder).
What is your opinion about explicitly ordering the grid with WebRTC track identifiers ? I might try writing a pull request if you consider this as useful.
Administrators need some clues while hosting galene services.
Something standard, from the outside (without joining any rooms).
Golang can expose pprof stuff as HTTP, providing some client tools.
Galene already has webrtc stats for each rooms
Prometheus is the de facto tool for exposing metrics.
It can be read with Prometheus and other time series collector, like telegraf.
Prometheus endpoint is human readable, with comments.
The draft use a private website, listening on localhost, authentication should be added
For now, there is no UI, just REST endpoints.
See #23
I've installed Galene a few days ago from GitHub. The README mentions -turn
command-line flag, but when trying to use it (both with arguments and without), I get
flag provided but not defined: -turn
Usage of ./galene:
-cpuprofile file
store CPU profile in file
-data directory
data directory (default "./data/")
-groups directory
group description directory (default "./groups/")
-http address
web server address (default ":8443")
-insecure
act as an HTTP server rather than HTTPS
-mdns
gather mDNS addresses
-memprofile file
store memory profile in file
-mutexprofile file
store mutex profile in file
-recordings directory
recordings directory (default "./recordings/")
-redirect host
redirect to canonical host
-relay-only
require use of TURN relays for all media traffic
-static directory
web server root directory (default "./static/")
Galène already has /stats
for some private room statistics. It would be great to add a Prometheus-formatted /metrics
HTTP endpoint that also exposes some useful metrics about the instance.
I believe we want /metrics
to show only anonymous data such as total number of users (only public rooms ?) and total number of WebRTC session exchanged. These metrics can then be pulled by a Prometheus server or other monitoring services.
I already implemented something similar here : https://github.com/erdnaxe/ghostream/blob/dev/internal/monitoring/monitoring.go. If you are positive about adding such feature, I would enjoy writing a pull request for Galène.
Best regards,
The current authentication and authorisation scheme is simple and expressive, but has some limitations:
On the latter point, one must carefully distinguish between authentication and authorisation. Protocols such as OAuth2 delegate authentication — they say e.g. that a user has authentic Github credentials, but they say nothing about whether said user is allowed to access a given instance of Galène.
Please refrain from commenting about how horrible OAuth2 is. This is true, but quite besides the point.
I was wondering whether you would consider a contribution of a docker-compose config for nginx/coturn and possibly galene itself. Do you think it may be useful for people who want to give Galene a quick try?
This sounds really intriguing! But for end users, self-build is something to "scare them away" – especially with installing all the Go dependencies.
Would it be possible to provide an AppImage? That would remove those "fears" and makes it easy to try out Galene. Installation would then be pretty easy: download the AppImage, make it executable, run it.
Thanks in advance for considering!
It does not seem the mailing list has a publicly visible archive. The tone of the webpage and hacker news postings imply that the mailing list is the preferred way to contact the developers, but I was hopeful I can read through the archive before asking redundant questions. I tried without and with making an account at https://lists.galene.org/postorius/lists/galene.lists.galene.org/ but the archive did not seem visible anywhere (hopefully I did not miss something obvious).
Any plans to make the archive visible?
In a group with "presenter": [{}]
I can login with the same username multiple times (from different browsers). This makes it impossible for an op to distinguish them for a user-targeting command like /kick
or /mute
.
Could it be possible to enforce the uniqueness of usernames in such groups? The user could be given a message like for example "This username is already taken, please chose another one".
For example, there is a user named: Joe Dae.
The command /msg Joe Dae Hello!
will not work.
This was initially reported by @tohojo.
Galène will automatically pick up any changes to its configuration files. It will not pick up a change to the TLS keys — the only way to rotate keys is to restart the server.
I can see two ways of doing graceful key rotation. The simple one is to stop the TLS listener and then start a new one; this will involve a couple of seconds of downtime, but will not interrupt currently connected users. The other one would be mutate the TLS configuration of the current listener (see (*tls.Certificate).GetCertificate
), as is done by the letsencrypt library.
kerneis:/usr/local/src/galene$ cat /etc/debian_version
10.7
kerneis:/usr/local/src/galene$ CGO_ENABLED=0 go build -ldflags='-s -w'
build github.com/jech/galene: cannot find module for path crypto/ed25519
kerneis:/usr/local/src/galene$ go version
go version go1.11.6 linux/amd64
It would be nice if the README specified the minimal required version of the compiler.
With hard coded Coturn account, you can reuse the TURN service, even if your application account is revoked.
Coturn can use a simple hmac password with timestamp and a sercret salt :
https://github.com/coturn/coturn/blob/060bf187879fd1a6386012f4c5a7494824ebe5c8/README.turnserver#L180-L193
With that, galene can compute a coturn account, usable for few hours, for every user, without creating explicit account on coturn side.
Using a lib like logrus or zap (or any other), outputing to a file, STDOUT or fluentd.
Hello!
Is there any plan to support several languages?
Please ping me when it will be possible!
Google Congestion Control (GCC) consists of the combination of two controllers: a loss-based one in the sender, and one delay-based in the receiver. Galène implements both controllers for server->client streams, but only the loss-based controller for client->server streams. Fixing that would allow us to increase the default video quality (in the absence of congestion).
GCC is described in https://tools.ietf.org/html/draft-ietf-rmcat-gcc
It would be useful if Galene could sanity-check the config on startup. In particular:
This would make it easier to be sure that the config works after a change/restart. Maybe even (optionally?) fail to startup if there's an error, so the failure can be picked up by 'systemctl restart'?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.