[Freeswitch-users] WebRTC SSL termination on Nginx
Eugene Prokopiev
enp at itx.ru
Mon Feb 24 17:08:14 UTC 2020
Hi,
I tried to terminate WebRTC SSL before FreeSWITCH on Nginx in this way:
server {
    server_name mydomain.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/certs/fullchain;
    ssl_certificate_key /etc/nginx/certs/key;
    ssl_trusted_certificate /etc/nginx/certs/cert;
    location / {
        proxy_pass http://10.0.0.10:5070;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
FreeSWITCH configuration looks like:
<configuration name="sofia.conf">
  <global_settings>
    <param name="log-level" value="9"/>
  </global_settings>
  <profiles>
    <profile name="webrtc">
      <domains>
        <domain name="all" alias="false" parse="false"/>
      </domains>
      <settings>
        <param name="context" value="webrtc"/>
        <param name="sip-port" value="5060"/>
        <param name="dialplan" value="XML"/>
        <param name="sip-ip" value="10.0.0.10"/>
        <param name="rtp-ip" value="10.0.0.10"/>
        <param name="auth-calls" value="true"/>
        <param name="ws-binding" value=":5070"/>
      </settings>
    </profile>
  </profiles>
</configuration>
But I see this error:
nta.c:2880 agent_recv_request() nta: received REGISTER sip:10.0.0.10 SIP/2.0 (CSeq 1)
nta.c:3146 agent_check_request_via() nta: Via check: invalid transport "SIP/2.0/WSS" from 10.0.0.1:40568
nta.c:2990 agent_recv_request() nta: REGISTER (1) has invalid Via
No wonder, really: the WS between Nginx and FreeSWITCH is not encrypted,
WSS with encryption exists only in front of Nginx, but WSS is defined in
the REGISTER Via header.
But with wss-binding param instead of ws-binding I see another error:
tport.c:2622 tport_accept() tport_accept(0x7f8290005180): incoming secondary on wss/10.0.0.10:5070/sips failed. reason = WS_INIT
No wonder again: FreeSWITCH is waiting for WSS, but is receiving unencrypted WS.
But I'm confused. Maybe it is possible to rewrite the Via header? Or
can FreeSWITCH not work behind a WSS proxy with unencrypted WS between
the proxy and FreeSWITCH?
--
WBR,
Eugene Prokopiev
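
The two failures in the post above, as an added example that is not part of the original message and is not sofia-sip code: a simplified Python model in which a listener first needs the hop's encryption to match its binding and then compares the top Via transport with that binding. The sample REGISTER, the function names and their parameters are constructed for illustration.

```python
import re

# Constructed sample: a REGISTER as a browser SIP client would send it over
# wss:// to the TLS-terminating proxy (host name, branch and tags are made up).
SAMPLE_REGISTER = (
    "REGISTER sip:10.0.0.10 SIP/2.0\r\n"
    "Via: SIP/2.0/WSS client.invalid;branch=z9hG4bKconstructed\r\n"
    "Max-Forwards: 70\r\n"
    "To: <sip:1000@10.0.0.10>\r\n"
    "From: <sip:1000@10.0.0.10>;tag=constructed\r\n"
    "Call-ID: constructed-call-id\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Topmost Via header (long or compact form): "SIP/2.0/<transport> <sent-by>"
VIA_RE = re.compile(
    r"^(?:Via|v)\s*:\s*SIP\s*/\s*2\.0\s*/\s*([A-Za-z0-9-]+)\s+\S+", re.I | re.M
)

def top_via_transport(message):
    """Return the transport token of the first Via header, upper-cased."""
    match = VIA_RE.search(message)
    if match is None:
        raise ValueError("message has no Via header")
    return match.group(1).upper()

def diagnose(message, binding, hop_is_tls):
    """Simplified model (an assumption, not sofia-sip's implementation).

    binding    -- "ws" or "wss": the listener configured on the SIP server
    hop_is_tls -- whether the proxy-to-server hop is encrypted
    """
    binding = binding.upper()
    if (binding == "WSS") != hop_is_tls:
        return "handshake failed"   # compare: reason = WS_INIT
    if top_via_transport(message) != binding:
        return "invalid Via"        # compare: Via check: invalid transport
    return "accepted"

if __name__ == "__main__":
    # The two setups from the post: plaintext hop behind the TLS proxy.
    for binding in ("ws", "wss"):
        print(binding, "->", diagnose(SAMPLE_REGISTER, binding, hop_is_tls=False))
```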