<div dir="ltr"><div><div><div>Hi Guys,<br><br></div>Has anyone done this before with HAProxy? I have been trying the same as mentioned above:<br><br>Browser >> WSS >> HAProxy >>> WSS >> Kamailio->FS<br><br></div><div>I am getting TLS errors in Kamailio logs, hence not even reaching my FS cluster.<br><br></div><div>My HA config looks like:<br><br><i>frontend public<br> bind *:10090 ssl crt /etc/haproxy/certs/cert.pem<br> acl is_websocket hdr_end(host) -i <a href="http://m1.some-domain.com">m1.some-domain.com</a><br> use_backend wss if is_websocket<br> default_backend wss<br><br>backend wss<br> timeout server 600s<br> server ws1 <a href="http://k1.some-domain.com:10090">k1.some-domain.com:10090</a><br> server ws2 <a href="http://k2.some-domain.com:10090">k2.some-domain.com:10090</a></i><br><br><br></div><div>Need some direction, thanks in advance.<br></div><div><br><br></div>Regards,<br></div>Jade<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 8, 2016 at 9:36 PM, Dan Edwards <span dir="ltr"><<a href="mailto:DEdwards@vertical.com" target="_blank">DEdwards@vertical.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Anton,<br>
<br>
I'm glad my input was useful. As for WSS vs WS, the fact you're using security bubbles up into the SIP messages themselves. I initially tried:<br>
<br>
<br>
Browser >> WSS >> Nginx >> WS >> FS<br>
<br>
<br>
FS does not like this because the protocol changes. You go from SIP/2.0/WSS to SIP/2.0/WS and FS won't allow that. Also, in some instances, you will get SIP URL changes. For example: <a href="mailto:sip%3A1234@domain.com">sip:1234@domain.com</a> vs. <a href="mailto:sips%3A1234@domain.com">sips:1234@domain.com</a>.<br>
<br>
The reason to go with WS to FS was to skip an encrypt/decrypt cycle on network traffic that never left the machine. I finally decided that trying to patch the SIP traffic was bound to fail at some point and we're only saving the encrypt/decrypt on the SIP traffic itself, so I went back to<br>
<br>
<br>
Browser >> WSS >> Nginx >>> WSS >> FS<br>
<span class="im HOEnZb"><br>
<br>
<br>
<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:freeswitch-users-bounces@lists.freeswitch.org">freeswitch-users-bounces@<wbr>lists.freeswitch.org</a> [mailto:<a href="mailto:freeswitch-users-bounces@lists.freeswitch.org">freeswitch-users-<wbr>bounces@lists.freeswitch.org</a>] On Behalf Of Anton<br>
</span><div class="HOEnZb"><div class="h5">Sent: Saturday, February 06, 2016 4:39 PM<br>
To: <a href="mailto:freeswitch-users@lists.freeswitch.org">freeswitch-users@lists.<wbr>freeswitch.org</a><br>
Subject: Re: [Freeswitch-users] WebSocket behind NGINX<br>
<br>
Hi,<br>
<br>
Sorry for not answering for a long time.<br>
<br>
Dan, thank you, your recommendation really helped me.<br>
<br>
So in order to proxy websocket request you need:<br>
1. Proxy websocket requests in this way: WSS -> (NGINX) -> FS WSS, or WS -> (NGINX) -> FS WS<br>
2. Modify local-network-acl<br>
3. Modify apply-candidate-acl if you would like to drop more rtp candidates<br>
<br>
PS: I highly recommend watching this video about NAT issues and ACL configuration:<br>
<a href="https://www.youtube.com/watch?v=_WSx-T6TriI" rel="noreferrer" target="_blank">https://www.youtube.com/watch?<wbr>v=_WSx-T6TriI</a><br>
<br>
BR,<br>
Anton Voylenko<br>
<br>
On 01/30/2016 09:20 PM, Anton wrote:<br>
> Hello All,<br>
><br>
> I have to proxy all websocket requests through an nginx server. Right<br>
> now I am using the following configuration:<br>
><br>
> map $http_upgrade $connection_upgrade {<br>
> default upgrade;<br>
> '' close;<br>
> }<br>
><br>
> server {<br>
> listen 443;<br>
> server_name <a href="http://wss.somedomain.com.ua" rel="noreferrer" target="_blank">wss.somedomain.com.ua</a>;<br>
><br>
> ssl on;<br>
> ssl_certificate /etc/nginx/cert.pem;<br>
> ssl_certificate_key /etc/nginx/private.key;<br>
><br>
> location / {<br>
> proxy_pass <a href="http://127.0.0.1:5066" rel="noreferrer" target="_blank">http://127.0.0.1:5066</a>;<br>
> proxy_http_version 1.1;<br>
> proxy_set_header Upgrade $http_upgrade;<br>
> proxy_set_header Connection $connection_upgrade;<br>
> proxy_read_timeout 86400s;<br>
> }<br>
><br>
> access_log /var/log/nginx/wss_access;<br>
> error_log /var/log/nginx/wss_error debug;<br>
> }<br>
><br>
> I dumped traffic from nginx and found out that the "switching protocol"<br>
> phase was successful, but the INVITE message from my browser is in a<br>
> pending state.<br>
> Maybe FreeSWITCH wants a real IP, not loopback? Who has faced a<br>
> similar problem?<br>
><br>
> BR,<br>
> Anton<br>
<br>
<br>
______________________________<wbr>______________________________<wbr>_____________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.<wbr>freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.<wbr>org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.<wbr>freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.<wbr>freeswitch.org/mailman/<wbr>options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<br>
</div></div></blockquote></div><br></div>
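<p>An added HAProxy configuration example, not taken from any message in this thread, showing the plaintext backend hop beside a re-encrypting one. It assumes the Kamailio WebSocket listeners on k1/k2:10090 expect TLS (the "WSS" second hop in the diagram), and that their certificates chain to a CA bundle at the hypothetical path <code>/etc/haproxy/certs/kamailio-ca.pem</code>.</p>

```haproxy
# Added example (not from the thread). Assumes Kamailio on k1/k2:10090 speaks
# TLS and its certificate chains to the hypothetical CA file below.
frontend public
    mode http
    bind *:10090 ssl crt /etc/haproxy/certs/cert.pem
    acl is_websocket hdr_end(host) -i m1.some-domain.com
    use_backend wss if is_websocket
    default_backend wss

backend wss
    mode http
    # Before: no "ssl" on the server line, so HAProxy terminates TLS at the
    # frontend and sends plaintext HTTP to a TLS listener. Kamailio sees a
    # broken TLS handshake and logs TLS errors; nothing reaches FreeSWITCH.
    #   server ws1 k1.some-domain.com:10090
    #
    # After: re-encrypt the hop and verify the backend certificate, so the
    # browser's Via stays SIP/2.0/WSS end to end instead of dropping to WS.
    server ws1 k1.some-domain.com:10090 ssl verify required ca-file /etc/haproxy/certs/kamailio-ca.pem check
    server ws2 k2.some-domain.com:10090 ssl verify required ca-file /etc/haproxy/certs/kamailio-ca.pem check
    # Once the 101 Switching Protocols response passes, the connection is a
    # tunnel and "timeout tunnel" governs it, not "timeout server".
    timeout tunnel 1h
```

<p>Run <code>haproxy -c -f /etc/haproxy/haproxy.cfg</code> to validate the file; it also flags duplicate server names such as two entries named <code>ws1</code>.</p>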