Commit ba24b034 authored by Popi


parent d4f28c75
......@@ -10,95 +10,4 @@ Being peer-to-peer and only browser-dependant (meaning no other software require
Thankfully, **ICE protocol** and coturn's TURN/STUN server came to the rescue. A **TURN** server is what it says : Traversal Using Relays around NAT. It is the only way to manage WebRTC connection through the NAT. The TURN server is in charge of relaying each and every packets between the two nodes (goodbye peer-to-peer and hello overhead on TURN server).
So, it's not perfect, but can be the only way (if any) depending of you local network.
### Why this project
Being a happy user of SOGo, I early on activated Turn configuration with long-term credentials. Problem is: the secret password of my turn user was visible and downloadable from the js script. Not optimal. I learnt that ephemeral credentials was the way to go to solve that issue.
[](JSXC)'s github community helped me understand how to set it up and test it.
There is already a **PHP** script included with jsxc (might not be up-to-date on sjsxc) which enables dynamic creation of ephemeral credentials (timestamp is part of the equation, so it has to be on-demand).
SOGo being objective-C, the server I got it running on has no PHP installed on it.
This was the perfect opportunity to write a little python script and install uwsgi to be able to call that script through nginx.
Some extra info :
* integration of jsxc in SOGo (sjsxc) documentation can be found on jsxc's github Wiki under [](Install sjsxc (SOGo))
* a coturn server's configuration example can also be found on jsxc's github Wiki [](WebRTC How To)
### How it works
The cgi-bin directory contains all python-related files. Actual python files as well as the config files for uswgi and TURN authentication. Once everything is set up, anything reaching `/cgi-bin/*` will invariably result in a call to the python script, which itself is a callable for ``.
In the meantime, might be good to protect your config files from outsiders by adding in your nginx SOGo's configuration file :
# Turn credentials / config files
location ~ "(.*\.inc|.*\.json)$" { deny all; }
Now, install uwsgi, clone repository and start uwsgi daemon with provided config file:
apt-get install uwsgi uwsgi-core uwsgi-plugin-python
cd /usr/lib/GNUstep/SOGo/WebServerResources/sjsxc/ajax
git clone .
mv cgi-bin/sjsxc.json /etc/apps-available/
ln -s /etc/uwsgi/apps-available/sjsxc.json /etc/uwsgi/apps-enabled/sjsxc.json
service uwsgi start sjsxc
Now you just have to tell Nginx to send everything addressed to `/cgi-bin` to the uwsgi daemon.
At the end of SOGo's vhost, add:
location ~ /cgi-bin
uwsgi_pass unix:/tmp/uwsgi.sock;
include uwsgi_params;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
Here we use a unix socket to connect to **uwsgi**.
Reload nginx:
service nginx configtest
service nginx reload
Test via curl or browser:
{"iceServers": [{"urls": ["", ""]}, {"username": "1483455638:userWebrtc", "credential": "wOk4VXXXXXXXXXO90=", "urls": ["", ""]}], "ttl": 86400}
note : here the credential is a _hash_, not the **real** shared secret. The hash is generated from the secret and the username, which itself is a gathering of timestamp and username.
Finally, in you sjsxc/js folder on SOGo's server, modify **sjsxc.js** RTCPeedConfig url's setting.
Go to directory and make a copy:
cd /usr/lib/GNUstep/SOGo/WebServerResources/sjsxc/js
cp -p sjsxc.js sjsxc.js.orig
Create the patch file **sjsxc.patch** containing:
--- sjsxc.js
+++ sjsxc.js
@@ -174 +174 @@
- url: '/SOGo.woa/WebServerResources/sjsxc/ajax/getturncredentials.php'
+ url: '/SOGo.woa/WebServerResources/sjsxc/ajax/cgi-bin/wsgi'
Apply patch:
patch -u < sjsxc.patch
That's it, reload you SOGo login page, you should be all set.
### Conclusion
You should now have a symmetrical NAT-proofed WebRTC visio solution based on ephemeral credentials to authenticate your server on the TURN server.
See the Wiki section for howto install and deploy the scripts and requirements associated on your SOGo server.
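Review bot: the uwsgi app config is moved to `/etc/apps-available/` but the next step symlinks from `/etc/uwsgi/apps-available/sjsxc.json`, so the `ln -s` creates a dangling link and `service uwsgi start sjsxc` will not find the app; the `mv` should target `/etc/uwsgi/apps-available/`. The `location ~ /cgi-bin` block is also missing its opening `{` and closing `}` as written, so it cannot be pasted into the vhost as-is. Finally, since the text states that anything reaching `/cgi-bin/*` invokes the credential script and the curl test returns a usable `username`/`credential` pair with a `ttl` of 86400, the README should say that this endpoint must be restricted to SOGo-authenticated sessions (the `deny all` rule only covers the `.inc`/`.json` config files), otherwise any client that can reach the vhost can obtain valid TURN relay credentials for a day.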