[Freeswitch-users] WebSocket behind NGINX

Dan Edwards DEdwards at vertical.com
Mon Feb 8 19:36:50 MSK 2016


Anton,

I'm glad my input was useful. As for WSS vs WS, the fact you're using security bubbles up into the SIP messages themselves. I initially tried:


Browser >> WSS >> Nginx >> WS >> FS


FS does not like this because the protocol changes. You go from SIP/2.0/WSS to SIP/2.0/WS and FS won't allow that. Also, in some instances, you will get SIP URL changes. For example: sip:1234 at domain.com vs. sips:1234 at domain.com.

The reason to go with WS to FS was to skip an encrypt/decrypt cycle on network traffic that never left the machine. I finally decided that trying to patch the SIP traffic was bound to fail at some point and we're only saving the encrypt/decrypt on the SIP traffic itself, so I went back to 


Browser >> WSS >> Nginx >> WSS >> FS





-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Anton
Sent: Saturday, February 06, 2016 4:39 PM
To: freeswitch-users at lists.freeswitch.org
Subject: Re: [Freeswitch-users] WebSocket behind NGINX

Hi,

Sorry for not answering for a long time.

Dan, thank you, your recommendation really helped me.

So in order to proxy websocket requests you need to:
1. Proxy websocket requests in this way: WSS -> (NGINX) -> FS WSS or WS -> (NGINX) -> FS WS
2. Modify local-network-acl
3. Modify apply-candidate-acl if you would like to drop more rtp candidates

PS: I highly recommend watching this video about NAT issues and ACL
configuration:
https://www.youtube.com/watch?v=_WSx-T6TriI

BR,
Anton Voylenko

On 01/30/2016 09:20 PM, Anton wrote:
> Hello All,
>
> I have to proxy all websocket requests through an nginx server. Right
> now I am using the following configuration:
>
> map $http_upgrade $connection_upgrade {
>     default upgrade;
>     ''      close;
> }
>
> server {
>     listen 443;
>     server_name  wss.somedomain.com.ua;
>
>     ssl on;
>     ssl_certificate      /etc/nginx/cert.pem;
>     ssl_certificate_key  /etc/nginx/private.key;
>
>     location / {
>         proxy_pass http://127.0.0.1:5066;
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection $connection_upgrade;
>         proxy_read_timeout 86400s;
>     }
>
>     access_log /var/log/nginx/wss_access;
>     error_log /var/log/nginx/wss_error debug;
> }
>
> I dumped traffic from nginx and found out that the "switching protocol"
> phrase was successful but the INVITE message from my browser is in a pending
> state.
> Maybe FreeSWITCH wants a real IP, not loopback? Has anyone faced a
> similar problem?
>
> BR,
> Anton
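
The working topology from this thread (Browser >> WSS >> Nginx >> WSS >> FS) written out as an nginx configuration. This is an added example, not a configuration posted by anyone in the thread. It reuses the hostname and certificate paths from the quoted configuration and assumes FreeSWITCH's wss-binding listens on 127.0.0.1:7443; the CA file path and the name checked on the FreeSWITCH certificate are placeholders.

```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name wss.somedomain.com.ua;

    ssl_certificate     /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/private.key;

    location / {
        # https:// upstream: nginx re-encrypts the hop, so FreeSWITCH still
        # receives a WSS connection and the SIP/2.0/WSS transport and sips:
        # URIs sent by the browser match what FreeSWITCH sees.
        # Assumption: the SIP profile's wss-binding is 127.0.0.1:7443.
        # The quoted configuration used http://127.0.0.1:5066 (plain WS),
        # which is the WSS -> WS mismatch described in the reply.
        proxy_pass https://127.0.0.1:7443;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 86400s;

        # nginx does not verify the upstream certificate by default.
        # To have it checked, trust the CA (or the self-signed certificate)
        # that FreeSWITCH presents and name the host expected on it.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/freeswitch-ca.pem;  # placeholder path
        proxy_ssl_name wss.somedomain.com.ua;  # placeholder: name on the FS certificate
    }

    access_log /var/log/nginx/wss_access;
    error_log  /var/log/nginx/wss_error;
}
```

Without `proxy_ssl_name`, nginx checks the upstream certificate against the host in `proxy_pass` (here `127.0.0.1`), so verification fails unless the certificate carries that address.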

