[Freeswitch-users] WebSocket behind NGINX

Jade SZ jitterbuffer at gmail.com
Thu Feb 2 14:08:16 MSK 2017


Hi Guys,

Has anyone done this before with HAProxy? I have been trying the same as
mentioned above:

Browser >> WSS >> HA Proxy >>> WSS >> Kamailio->FS

I am getting TLS errors in Kamailio logs hence not even reaching my FS
cluster.

My HA config looks like:

frontend public
    bind *:10090 ssl crt /etc/haproxy/certs/cert.pem
    acl is_websocket hdr_end(host) -i m1.some-domain.com
    use_backend wss if is_websocket
    default_backend wss

backend wss
    timeout server 600s
    server ws1 k1.some-domain.com:10090
    server ws1 k2.some-domain.com:10090


Need some direction, thanks in advance.


Regards,
Jade

On Mon, Feb 8, 2016 at 9:36 PM, Dan Edwards <DEdwards at vertical.com> wrote:

> Anton,
>
> I'm glad my input was useful. As for WSS vs WS, the fact you're using
> security bubbles up into the SIP messages themselves. I initially tried:
>
>
> Browser >> WSS >> Nginx >> WS >> FS
>
>
> FS does not like this because the protocol changes. You go from
> SIP/2.0/WSS to SIP/2.0/WS and FS won't allow that. Also, in some instances,
> you will get SIP URL changes. For example: sip:1234@domain.com vs.
> sips:1234@domain.com.
>
> The reason to go with WS to FS was to skip an encrypt/decrypt cycle on
> network traffic that never left the machine. I finally decided that trying
> to patch the SIP traffic was bound to fail at some point and we're only
> saving the encrypt/decrypt on the SIP traffic itself, so I went back to
>
>
> Browser >> WSS >> Nginx >>> WSS >> FS
>
>
>
>
>
> -----Original Message-----
> From: freeswitch-users-bounces at lists.freeswitch.org [mailto:
> freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Anton
> Sent: Saturday, February 06, 2016 4:39 PM
> To: freeswitch-users at lists.freeswitch.org
> Subject: Re: [Freeswitch-users] WebSocket behind NGINX
>
> Hi,
>
> Sorry for not answering for a long time.
>
> Dan, thank you, your recommendation really helped me.
>
> So in order to proxy websocket request you need:
> 1. Proxy websocket requests in this way WSS -> (NGINX) -> FS WSS or WS
> -> (NGINX) -> FS WS
> 2. Modify local-network-acl
> 3. Modify apply-candidate-acl if you would like to drop more rtp candidates
>
> PS: I highly recommend watching this video about NAT issues and ACL
> configuration:
> https://www.youtube.com/watch?v=_WSx-T6TriI
>
> BR,
> Anton Voylenko
>
> On 01/30/2016 09:20 PM, Anton wrote:
> > Hello All,
> >
> > I have to proxy all websocket requests through an nginx server. Right
> > now I am using the following configuration:
> >
> > map $http_upgrade $connection_upgrade {
> >     default upgrade;
> >     ''      close;
> > }
> >
> > server {
> >     listen 443;
> >     server_name  wss.somedomain.com.ua;
> >
> >     ssl on;
> >     ssl_certificate      /etc/nginx/cert.pem;
> >     ssl_certificate_key  /etc/nginx/private.key;
> >
> >     location / {
> >         proxy_pass http://127.0.0.1:5066;
> >         proxy_http_version 1.1;
> >         proxy_set_header Upgrade $http_upgrade;
> >         proxy_set_header Connection $connection_upgrade;
> >         proxy_read_timeout 86400s;
> >     }
> >
> >     access_log /var/log/nginx/wss_access;
> >     error_log /var/log/nginx/wss_error debug;
> > }
> >
> > I dumped traffic from nginx and found out that the "switching protocol"
> > phase was successful but the INVITE message from my browser is in a
> > pending state.
> > Maybe FreeSWITCH wants a real IP, not loopback? Has anyone faced a
> > similar problem?
> >
> > BR,
> > Anton
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20170202/94fd9a12/attachment.html 
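
The point made in the quoted reply above, that the SIP message itself records the transport (SIP/2.0/WSS in Via, sips: in URIs) and stops matching once a proxy terminates TLS and forwards plain WS, shown as an added example that is not from the thread or from FreeSWITCH. The sample REGISTER, the host names and the function names are constructed for illustration.

```python
import re

# Constructed sample: a REGISTER shaped like one a browser SIP stack sends over wss://
SAMPLE_REGISTER = (
    "REGISTER sips:example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/WSS client1.invalid;branch=z9hG4bK0001\r\n"
    "From: <sips:1234@example.invalid>;tag=a1\r\n"
    "To: <sips:1234@example.invalid>\r\n"
    "m: <sips:1234@client1.invalid;transport=ws>\r\n"
    "Call-ID: constructed-1\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)

COMPACT = {"v": "via", "m": "contact"}  # RFC 3261 compact header names


def parse_sip(raw):
    """Return (request_uri, headers); names lower-cased, compact forms expanded.
    Assumes no folded (continuation) header lines."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    request_uri = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(name, []).append(value.strip())
    return request_uri, headers


def transport_findings(raw, hop):
    """List mismatches between what the message claims and the hop ("ws" or
    "wss") on which the backend actually received it."""
    request_uri, headers = parse_sip(raw)
    findings = []
    top_via = headers.get("via", [""])[0]  # first Via is the sender's own hop
    m = re.match(r"SIP\s*/\s*2\.0\s*/\s*(\w+)", top_via, re.I)
    claimed = m.group(1).lower() if m else "nothing"
    if claimed != hop:
        findings.append(f"top Via claims {claimed}, hop is {hop}")
    uris = [("Request-URI", request_uri)]
    uris += [("Contact", c) for c in headers.get("contact", [])]
    for label, value in uris:
        # sips: asks for TLS on each hop; a plain ws hop does not provide it
        if re.search(r"\bsips:", value, re.I) and hop != "wss":
            findings.append(f"{label} is sips: but hop is {hop}")
    return findings


if __name__ == "__main__":
    for hop in ("wss", "ws"):
        print(hop, transport_findings(SAMPLE_REGISTER, hop))
```
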

