Open poVoq opened 5 years ago
After setting it up it seems no, but I might have done something wrong.
Using the demo server my web-interface works fine, and I used this Docker image which seems recent enough to set up Grumble on my VPS: https://hub.docker.com/r/zalkeen/grumble
It's been a long while since I worked on this, but to my knowledge it should still work. I cannot vouch for the Docker image but it should be recent enough.
I don't know if it's clear that (for complex reasons) Grumble supports WS over port 443 rather than 64738 which is used for "native" clients. Unfortunately, a low port like that might require additional system configuration to bind to, and I don't know enough about the Docker image to tell if that has been done. If you want to change the port to something higher you either have to manually edit the binary configs or use the mumble-voip/grumble/pull/26 changes. (Has it really been 14 months?! PR hasn't been merged yet because everyone involved has been busy with other things for a while...)
Another common pitfall is moody browsers that really, really want a valid certificate to talk over wss://, so make sure your client system accepts the server certificate (there are ways around this but if you're going to use this for real you're going to want a real certificate through e.g. Let's Encrypt anyway).
Ok that definitely helps. I tried routing the 443 port from the Docker container through Traefik now. When I tried to connect from the mumble.web client it still fails, but the Grumble container log gives the following error:
2019/04/18 16:31:16.443392 http: TLS handshake error from 1.2.3.4:1234: tls: first record does not look like a TLS handshake
(I changed the IP and port).
So it seems like Grumble gets a connection but due to the SSL connection being handled by Traefik (with Let's Encrypt certificate) it gets confused?
Can Grumble also do websocket connections through port 80 so that all the SSL stuff can be left to the reverse-proxy? Edit: no, at least this Docker image only listens on port 443 and 64738 :(
No, without code modifications it would not be possible to use WS over plain HTTP. The (native) Mumble protocol requires a TLS handshake end-to-end anyway, so Grumble makes the assumption that TLS connections are possible for WS use too (so we are secure by default without a proxy).
Perhaps you can configure your proxy to speak HTTPS on the other end too (trusting the generated certificate)? The performance differences due to protocol are practically nonexistent.
Awesome I got it to work! Good hint again although originally I thought that was not possible. TIL :+1:
For those interested in how I got it to work:
The Docker container needs to be started with the label:
--label traefik.protocol=https
And in the main traefik.toml config this needs to be set:
insecureSkipVerify = true
(so that it allows using self-signed certificates)
Otherwise the label for the port needs to point to 443 in the Grumble container and that's pretty much all.
I'll leave this issue open as the readme should probably be adapted to mention that it works with Grumble directly.
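The two TLS behaviours behind the fix above, as an added Go example that is not from this thread or from the Grumble or Traefik code: a TLS-only listener rejects cleartext with the error seen in the container log, and a verifying client rejects a self-signed backend unless that exact certificate is trusted, which is the check `insecureSkipVerify = true` disables. The hostname `grumble.internal` and the generated certificates are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

const backendName = "grumble.internal" // constructed hostname for the backend

// selfSigned makes a throwaway self-signed certificate (constructed sample).
func selfSigned() tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{backendName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// plainToTLS sends cleartext HTTP to a TLS-only server; returns the server's error.
func plainToTLS(cert tls.Certificate) error {
	c, s := net.Pipe() // in-memory connection, no network needed
	defer s.Close()
	go func() { c.Write([]byte("GET / HTTP/1.1\r\nUpgrade: websocket\r\n\r\n")); c.Close() }()
	return tls.Server(s, &tls.Config{Certificates: []tls.Certificate{cert}}).Handshake()
}

// verifyBackend applies the check a verifying proxy makes on its backend's certificate.
func verifyBackend(presented tls.Certificate, trusted ...tls.Certificate) error {
	pool := x509.NewCertPool() // only the listed certificates are trusted
	for _, t := range trusted {
		pool.AddCert(t.Leaf)
	}
	_, err := presented.Leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: backendName})
	return err
}

func main() {
	cert := selfSigned()
	fmt.Println("plain HTTP to TLS port:  ", plainToTLS(cert))
	fmt.Println("self-signed, none pinned:", verifyBackend(cert))
	fmt.Println("self-signed, pinned:     ", verifyBackend(cert, cert))
	fmt.Println("different cert, pinned:  ", verifyBackend(selfSigned(), cert))
}
```

The last case is what skipping verification gives up: a different certificate for the same name is accepted when the check is off and rejected when the backend certificate is pinned. Traefik 1.x has a `rootCAs` option in the same traefik.toml for trusting a specific backend certificate instead.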
Hi guys, I'm in the process of setting this up myself and just wanted to let you know that your work and sharing these findings is very much appreciated :)
I can confirm that this works, and I wrote a somewhat lengthy description here. So, yes, the README needs an update.
Seems like Grumble has supported websockets for a while now: https://github.com/mumble-voip/grumble/commit/1d0ca25f5aac1644a8f9ad128f04dfbd9574b67d @rubenseyer
Can anyone confirm this working and if so maybe the readme needs an update?
Thx!