"You didn't set up this ownCloud app."... except that I did.

[Bugsbane]

I'm getting the following error:

You didn't set up this ownCloud app. Please follow the instructions in the README.md file in the apps/spreedme folder.

The trouble is that I have gone through and edited both the spreed.me server.conf file and the ownCloud app's config.php file as outlined in readme.md. I've restarted the spreed.me server, and there are no errors in the command line or in the owncloud.log file.

I'm running Nextcloud 9.0.52 + Nginx + Php 7.0.2 + Spreedme ownCLoud app 0.1.6 (enabled from app screen). I'm running as an admin.

I've changed ownership of all the spreed.me server files to the same user that Nginx uses to run PHP / Nextcloud, and started the Spreed.me server with that same user.

[Bugsbane]

My configuration files (with secret tokens and absolute paths removed for security purposes):

; Spreed WebRTC server example configuration

[http]
; HTTP listener in format ip:port.
listen = 127.0.0.1:8080
; Full path to directory where to find the server web assets.
;root = /usr/share/spreed-webrtc-server/www
; HTTP socket read timeout in seconds.
;readtimeout = 10
; HTTP socket write timeout in seconds.
;writetimeout = 10
; Use basePath if the server does not run on the root path (/) of your server.
basePath = /spreed-webrtc/
; Set maximum number of open files (only works when run as root).
;maxfd = 32768
; Enable stats API /api/v1/stats for debugging (not for production use!).
;stats = false
; Enable HTTP listener for golang pprof module. See
; http://golang.org/pkg/net/http/pprof/ for details.
;pprofListen = 127.0.0.1:6060

[https]
; Native HTTPS listener in format ip:port.
;listen = 127.0.0.1:8443
; Full path to PEM encoded certificate chain.
;certificate = server.crt
; Full path to PEM encoded private key.
;key = server.key
; Mimimal supported encryption standard (SSLv3, TLSv1, TLSv1.1 or TLSv1.2).
;minVersion = SSLv3
; HTTPS socket read timeout in seconds.
;readtimeout = 10
; HTTPS socket write timeout in seconds.
;writetimeout = 10

[app]
; HTML page title
title = MyDomain.com Real Time Communication
; Version string to use for static resources. This defaults to the server
; version and should only be changed when you use your own way to invalidate
; long cached static resources.
;ver = 1234
; STUN server URIs in format host:port. You can provide multiple seperated by
; space. If you do not have one use a public one like stun.spreed.me:443. If
; you have a TURN server you do not need to set an STUN server as the TURN
; server will provide STUN services.
;stunURIs = stun:stun.spreed.me:443
; TURN server URIs in format host:port?transport=udp|tcp. You can provide
; multiple seperated by space. If you do not have at least one TURN server then
; some users will not be able to use the server as the peer to peer connection
; cannot be established without a TURN server due to firewall reasons. An open
; source TURN server which is fully supported can be found at
; https://code.google.com/p/rfc5766-turn-server/.
;turnURIs = turn:turnserver:port?transport=udp
; Shared secret authentication for TURN user generation if the TURN server is
; protected (which it should be).
; See http://tools.ietf.org/html/draft-uberti-behave-turn-rest-00 for details.
; A supported TURN server is https://code.google.com/p/rfc5766-turn-server/.
;turnSecret = the-default-turn-shared-secret-do-not-keep
; Enable renegotiation support. Set to true to tell clients that they can
; renegotiate peer connections when required. Firefox support is not complete,
; so do not enable if you want compatibility with Firefox clients.
;renegotiation = false
; Session secret to use for session id generator. 32 or 64 bytes of random data
; are recommented (hex encoded). A warning will be logged if hex decode fails.
; You can generate a secret easily with "xxd -ps -l 32 -c 32 /dev/random".
sessionSecret = XXXXXXXXXXXX
; Encryption secret protecting the data in generated server side tokens. Use
; 16, 24, or 32 bytes (hex encoded) to select AES-128, AES-192, or AES-256.
; When you change the encryption secret, stored authentications, sessions and
; contacts become invalid. A warning will be logged if hex decode fails. You
; can generate a secret easily with "xxd -ps -l 32 -c 32 /dev/random".
encryptionSecret = XXXXXXXXXXXX
; Full path to a text file containig client tokens which a user needs to enter
; when accessing the web client. Each line in this file represents a valid
; token.
;tokenFile = tokens.txt
; The name of a global room. If enabled it should be kept secret. Users in that
; room are visible in all other rooms.
;globalRoom = global
; The default room is the room at the root URL of the servers base address and
; all users will join this room if enabled. If it is disabled then a room join
; form will be shown instead.
;defaultRoomEnabled = true
; Whether a user account is required to join a room. This only has an effect
; if user accounts are enabled. Optional, defaults to false.
authorizeRoomJoin = true
; Whether a user account is required to create a room. This only has an effect
; if user accounts are enabled. Optional, defaults to false.
;authorizeRoomCreation = false
; Wether the pipelines API should be enabled. Optional, defaults to false.
;pipelinesEnabled = false
; Server token is a public random string which is used to enhance security of
; server generated security tokens. When the serverToken is changed all existing
; nonces become invalid. Use 32 or 64 characters (eg. 16 or 32 byte hex).
serverToken = i-did-not-change-the-public-token-boo
; The server realm is part of the validation chain of tokens and nonces and is
; added as suffix to server created user ids if user creation is enabled. When
; the realm is changed, all existing tokens and nonces become invalid.
serverRealm = local
; Full path to an extra templates directory. Templates in this directory ending
; with .html will be parsed on startup and can be used to fill the supported
; extra-* template slots. If the extra folder has a sub folder "static", the
; resources in this static folder will be available as /extra/static/filename
; relative to your servers base URL.
extra = /path/to/my/nextcloud/apps/spreedme/extra (<---- Changed obviously)
; URL relative to the servers base path for a plugin javascript file which is
; automatically loaded on web client start for all users. You can put your
; plugin in the extra/static folder (see above) or provide another folder using
; a front end webserver. Check the doc folder for more info about plugins and
; examples.
plugin = extra/static/owncloud.js
; Content-Security-Policy HTTP response header value.
; Spreed WebRTC requires inline styles, WebSocket connection to itself and
; data: URL for images.
; The currently recommended CSP is:
;   default-src 'self';
;   frame-src 'self' blob:;
;   style-src 'self' 'unsafe-inline';
;   img-src 'self' data: blob:;
;   connect-src 'self' wss://server:port/ws blob:;
;   font-src 'self' data: blob:;
;   media-src 'self' blob:;
;contentSecurityPolicy =
; Content-Security-Policy-Report-Only HTTP response header value. Use this
; to test your CSP before putting it into production.
;contentSecurityPolicyReportOnly =

[modules]
; Modules provide optional functionality. Modules are enabled by default and
; can be disabled by setting false to their corresponding configuration.
;screensharing = true
;youtube = true
;presentation = true
;contacts = true

[log]
;logfile = /var/log/spreed-webrtc-server.log

[users]
; Set to true to enable user functionality.
enabled = true
; Set users authorization mode.
; sharedsecret:
;   Validates the userid with a HMAC authentication secret.
;   The format goes like this:
;     BASE64(HMAC-SHA-256(secret, expirationTimestampInSeconds:userid))
; httpheader:
;   The userid is provided as an HTTP header. The server does not do any
;   validation. This usually only makes sense with a front end HTTPS proxy which
;   does the authentication and injects the user id as HTTP header for sessions
;   REST requests. In mode httpheader, allowRegistration should be false.
; certificate:
;   The userid is provided as CommonName with a certificate provided with TLS
;   client authentication. When you use this with a front end proxy for TLS
;   termination, that proxy has to validate the certificate and inject certain
;   headers into the proxy connection. In certificate mode the server can act as
;   a signing CA to sign incoming user certificate requests with a private key
;   when allowRegistration is true. While certificate mode offers the highest
;   security it is currently considered experimental and the user experience
;   varies between browsers and platforms.
mode = sharedsecret
; The shared secred for HMAC validation in "sharedsecret" mode. Best use 32 or
; 64 bytes of random data.
sharedsecret_secret = XXXXXXXXXXXX
; The HTTP header name where to find the userid in "httpheader" mode.
;httpheader_header = x-userid
; Full path to PEM encoded private key to use for user creation in "certificate"
; mode. Keep this commented if you do not want the server to sign certificate
; requests.
;certificate_key = userskey.key
; Full path to PEM encoded certificate to use for user validation in
; "certificate" mode. When allowRegistration is true and certificate_key is also
; set then the server will act as a CA and sign incoming user registrations and
; return certificates to users as registration.
;certificate_certificate = usersca.crt
; The HTTP header name where to find if the TLS client authentication was
; successfull. The value of this header is matched to
; certificate_verifiedHeaderValue and only if there is a match, the proxy
; handled TLS client authentication is accepted as success. Make sure to secure
; these headers with your front end proxy (always set them). Do not use these
; settings when not using a front end proxy.
;certificate_verifiedHeader = x-verified
;certificate_verifiedHeaderValue = SUCCESS
; The HTTP header name where to find the PEM encoded certificate authenticated
; by a front end proxy. With Nginx the required value is in $ssl_client_cert.
;certificate_certificateHeader = x-certificate
; The valid duration of generated certificates created in certificate mode when
; allowRegistration is enabled.
;certificate_validForDays = 365
; Organization to set into the created user certificates. Use a readable public
; name to make the certificate easily recognizable as certificate for your
; server so users can choose the correct certificate when prompted.
;certificate_organization= = My Spreed Server
; If enabled the server can create new userids. Set allowRegistration to true to
; enable userid creation/registration. Users are created according the settings
; of the currently configured mode (see above).
;allowRegistration = false

[nats]
; Set to true, to enable triggering channelling events via NATS
;channelling_trigger = false
;channelling_trigger_subject = channelling.trigger
; NATS server URL
;url = nats://127.0.0.1:4222
; NATS connect establish timeout in seconds
;establishTimeout = 60
; Use client_id to distinguish between multipe servers. The value is sent
; together with every NATS request. Defaults to empty.
;client_id =

Spreedme ownCloud app config:

<?php
/**
 * ownCloud - spreedme
 *
 * This file is licensed under the Affero General Public License version 3 or
 * later. See the COPYING file.
 *
 * @author Leon <leon@struktur.de>
 * @copyright struktur AG 2016
 */

namespace OCA\SpreedME\Config;

class Config {

        // Domain of your Spreed WebRTC server (including protocol and optional port number), examples:
        //const SPREED_WEBRTC_ORIGIN = 'https://myowncloudserver.com';
        //const SPREED_WEBRTC_ORIGIN = 'https://webrtc.myowncloudserver.com:8080';
        // If this is empty or only includes a port (e.g. :8080), host will automatically be determined (current host)
        const SPREED_WEBRTC_ORIGIN = 'https://mydomain.com'; <-- Changed for security

        // This has to be the same `basePath`
        // you already set in the [http] section of the `server.conf` file from Spreed WebRTC server
        const SPREED_WEBRTC_BASEPATH = '/spreed-webrtc/';

        // This has to be the same `sharedsecret_secret` (64-character HEX string)
        // you already set in the [users] section of the `server.conf` file from Spreed WebRTC server                                          
        const SPREED_WEBRTC_SHAREDSECRET = 'XXXXXXXXX';  <-- Changed for security                                

        // Set to true if you want to allow access to this app + spreed-webrtc for non-registered users who received a temporary password by an ownCloud admin.                                                                                                                               
        // You can generate such a temporary password at: /index.php/apps/spreedme/admin/tp (ownCloud admin user account required)             
        const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED = true;                                                                                

        // If 'OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED' is set to true, you also have to provide a signing key here (64-character HEX string)
        // Generate it using `xxd -ps -l 32 -c 32 /dev/random` (better) or `openssl rand -hex 32`
        const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY = 'xxxxxxxxxxxxxxx'; <-- Changed for security

        private function __construct() {

        }

}

Spreed-me log:

server 2016/07/10 15:24:54 Using '/spreed-webrtc/' base base path.
server 2016/07/10 15:24:54.059792 Enabled modules: [screensharing youtube presentation contacts]
server 2016/07/10 15:24:54.061098 Loaded extra templates from: /var/www/owncloud/apps/spreedme/extra
server 2016/07/10 15:24:54.061110 Using the number of CPU's (1) as GOMAXPROCS
server 2016/07/10 15:24:54.061115 Max open files are 65536
server 2016/07/10 15:24:54.061941 Enabled users handler 'sharedsecret'
server 2016/07/10 15:24:54.062121 Added URL handler /extra/static/... for static files in /var/www/owncloud/apps/spreedme/extra/static/...
server 2016/07/10 15:24:54 Starting HTTP server on 127.0.0.1:8080

Nextcloud log is empty.

[leonklingele]

Did you also set up the OwnCloudConfig.js as outlined in the README? How did you set up nginx? Please also check the output of /index.php/apps/spreedme/admin/debug and your browser developer console. Here's how to open the browser dev console:

1. Open the Spreed.ME app in ownCloud
2. Append ?debug to the URL, i.e. https://domain.com/index.php/apps/spreedme/?debug
3. Right click on the ownCloud site
4. Click "Inspect element" (very bottom)
5. Check what it says in the console and paste it here

[Op3rat0r]

Hi @leonklingele,

you have to use the Link https://domain.com/index.php/apps/spreedme/admin/debug when you use the link with /?debug it won't work!

Only when the Spreed-WebRTC Server runs standalone without Own-/Nextcloud this works!

Regards Daniel

[Bugsbane]

Ok, so I did miss the OwncloudCOnfig.js step. Now that I've done that, I'm getting a 403 error when I try to open the app, even when I 777 the spreed-webrtc folder.

The debug page passes the first two steps. The third says: Ran test #3 (testSpreedWebRTCAPI): Error: Unable to connect to WebRTC at https://mydomain.com/spreed-webrtc/. Did you set a correct SPREED_WEBRTC_ORIGIN and SPREED_WEBRTC_BASEPATH in config/config.php?

As far as I can see, I did set the basepath and origin correctly in apps/spreedme/config/config.php (see above, although I've substituted the name of my domain). but it doesn't change anything. I still get a 403.

I didn't modify nginx's setup at all as Nextcloud was already running (I run Yunohost which configured Nginx when I installed Nextcloud - then ownCloud )

[leonklingele]

Well, as spreed-webrtc listens on port 8080 for you, you need to configure nginx as a reverse proxy, so spreed-webrtc can also be reached on port 443. If for whatever reasons you can't modify the nginx setup, you need to set up spreed-webrtc to use https on e.g. port 8443. Then configure SPREED_WEBRTC_ORIGIN accordingly to use the new host.

[leonklingele]

Hi @Op3rat0r, https://domain.com/index.php/apps/spreedme/admin/debug != https://domain.com/index.php/apps/spreedme/?debug. The former URL can be used to debug the whole setup, to see if something isn't properly set up. The latter can be used to debug the "bridge" between ownCloud and spreed-webrtc, and spreed-webrtc itself.

[Bugsbane]

So basically, if I understand you right, the problem is that Nextcloud is set up to use SSL, so it's trying to contact spreed through port 443, while spreed is listening on 8080, right?

So is there any advantage to configuring this through Nginx rather than through SPreed's server.conf? I ask because the second option sounds a lot easier...

I'm also wondering if I may have another issue... My spreed directory is a subdirectory of where I have Nextcloud installed. I noticed that if I make another new folder there with a test index.html and (temporarily) chmod both to 777, that I'm able to view the index.html file, but if I try to view the directory, it also gets a 403 error. Spreed's access URL appears to be a directory, rather than a direct file link. Could the same thing be happening here? ie:

mydomain.com/testdirectory/index.htm - 200 mydomain.com/testdirectory/ -403 mydomain.com/spreed-webrtc/ - 403 (for the same reason as above?)

[leonklingele]

@Bugsbane yes, that's correct.

Yes, as stated in README, you will not be able to use Screensharing if you use the second option (spreed-webrtc and ownCloud on two different domain+port combintations).

spreed-webrtc should not live in a directory which is accessible via nginx. The only thing that should go into a folder accessible via nginx is this ownCloud plugin (owncloud-spreedme).

See this setup as an example: spreed-webrtc: /home/leon/develop/git/spreed-webrtc ownCloud: /var/www/vhosts/clouddomain.com/owncloud/ (the ownCloud stuff) owncloud-spreedme: /var/www/vhosts/clouddomain.com/owncloud/apps/spreedme/ spreed-webrtc listens on 8080 (internally), nginx on :80 and :443. nginx rewrites https://clouddomain.com/webrtc internally to use port 8080 as an upstream resource, so any requests to this URL go directly to spreed-webrtc.

[Op3rat0r]

@Bugsbane @leonklingele, don't want to hijackthe discussion. Hope it's ok to ask the ?debug question into this thread.

I thought that the link https://domain.com/index.php/apps/spreedme/?debug has n effect, because I didn't see any output. Neither in the Server Log, or the browser window. The only thing that happens is that the logged on user is logged off and once again registered.

Thanks + Regards

[leonklingele]

The ?debug URL can be used to debug the setup via the browser developer console.

[Op3rat0r]

@leonklingele I realy don't know how to get the ?debug behind the '/' maybe you mean https://domain.com/index.php/apps/spreedme?debug without the leading slash?

[leonklingele]

It doesn't matter if you use a slash after '/spreedme' or not. Just copy and paste the URL I posted above and replace the domain name with yours.

Am 11.07.2016 um 15:06 schrieb Daniel notifications@github.com:

@leonklingele I realy don't know how to get the ?debug behind the '/' maybe you mean https://domain.com/index.php/apps/spreedme?debug without the leading slash?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[longsleep]

I assume this is resolved.