jech / galene

The Galène videoconference server
https://galene.org
MIT License

Commit 31ed146a959ec7602b82e8573abe540cba4461df breaks Galène behind Apache reverse-proxy #148

Closed: dfskoll closed 1 year ago

dfskoll commented 1 year ago

Hi,

I use Galène behind an Apache reverse-proxy. Apache does TLS termination and I use the -insecure argument to galene. Unfortunately, commit 31ed146a959ec7602b82e8573abe540cba4461df results in a browser error "The operation is insecure" because Galène is generating an http: URL instead of https.

dfskoll commented 1 year ago

This is the Apache config that I use:

<VirtualHost *:443>

  ServerName server.example.com
  Header always set Strict-Transport-Security "max-age=15811200 includeSubdomains;"

  SSLProtocol TLSv1 TLSv1.1 TLSv1.2
  SSLEngine on
  SSLProxyEngine on
  SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

  SSLHonorCipherOrder on
  Header set Strict-Transport-Security "max-age=31536000"

  ProxyPreserveHost on
  ProxyPass /ws ws://127.0.0.1:8443/ws
  ProxyPassReverse /ws ws://127.0.0.1:8443/ws

  ProxyPass / http://127.0.0.1:8443/
  ProxyPassReverse / http://127.0.0.1:8443/
</VirtualHost>

jech commented 1 year ago

Right. Our strategy of guessing the right URL from the request doesn't work if we're behind a reverse proxy.

Please upgrade to the latest master (https://github.com/jech/galene/commit/16e2888d56357ec7cd0007420911fa05084f238a) and create a file data/config.json with the following contents:

{
    "proxyURL": "https://proxy.example.org/"
}

where proxy.example.org is the address of your proxy. This should also work if you don't specify ProxyPreserveHost in your Apache conf.

Please confirm that this works for you, and please reopen the issue if it doesn't. Thanks for your help.

dfskoll commented 1 year ago

Hi,

Thanks; that fixed it. However, at first it would not compile. I received an error stating that the URL class did not have a JoinPath method. I upgraded from Go 1.17 to Go 1.19 and that must have pulled in a newer version of net/url because everything was fine after that.

Thanks for the quick fix.

Regards,

Dianne.

jech commented 1 year ago

Thanks. Let me fix that.

jech commented 1 year ago

Hopefully fixed in 10c57c7. Please test.

dfskoll commented 1 year ago

Unfortunately, I uninstalled Go 1.17 when I upgraded to 1.19, so I can't test against that version of Go. It does work fine with 1.19.

Regards,

Dianne.

jech commented 1 year ago

That's good enough, thanks.
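
The failure and the fix discussed in this thread, as an added Go example that is not Galène's own code: behind a TLS-terminating proxy the backend sees a plain-HTTP request, so a base URL guessed from the request carries the wrong scheme, while a configured proxy URL does not. The names publicBase, joinPath and sampleRequest are hypothetical, the request and the group/demo path are constructed, and joinPath is one assumed way to avoid url.JoinPath (added in Go 1.19), not necessarily the change made in 10c57c7.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
)

// publicBase returns the base URL to hand to browsers. With no proxyURL it
// guesses from the request; behind a TLS-terminating proxy r.TLS is nil.
func publicBase(proxyURL string, r *http.Request) (*url.URL, error) {
	if proxyURL == "" {
		scheme := "http"
		if r.TLS != nil {
			scheme = "https"
		}
		return &url.URL{Scheme: scheme, Host: r.Host, Path: "/"}, nil
	}
	u, err := url.Parse(proxyURL)
	if err != nil {
		return nil, err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return nil, fmt.Errorf("proxyURL %q: want absolute http(s) URL", proxyURL)
	}
	return u, nil
}

// joinPath appends path elements without url.JoinPath (Go 1.19+ only).
// Unlike url.JoinPath, path.Join drops any trailing slash.
func joinPath(base *url.URL, elem ...string) string {
	u := *base
	u.Path = path.Join(append([]string{"/", base.Path}, elem...)...)
	return u.String()
}

// sampleRequest: constructed request as the backend sees it behind Apache.
func sampleRequest() *http.Request {
	return httptest.NewRequest("GET", "http://server.example.com/", nil)
}

func main() {
	for _, p := range []string{"", "https://proxy.example.org/"} {
		u, _ := publicBase(p, sampleRequest())
		fmt.Println(joinPath(u, "group", "demo"))
	}
}
```

Rejecting a proxyURL without a scheme or host keeps a typo in data/config.json from silently producing relative URLs.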