[Freeswitch-users] WebSocket behind NGINX

António Silva asilva at wirelessmundi.com
Mon Dec 4 12:34:58 UTC 2017


Hi Dan,

dig you get it work? Is it possible to use:  wss -> nginx --> ws -> fs ?

I see the same behaviour, the VIA header that arrives to fs in the ws 
port contains SIP/2.0/WSS and of course, fs will reject the request 
because its a different protocol...


nta.c:3146 agent_check_request_via() nta: Via check: invalid transport 
"SIP/2.0/WSS" from 192.168.10.5:54074


I guess that what we need here is some sort of "helper" in nignx that 
replaces WSS to WS.



On 02/08/2016 05:36 PM, Dan Edwards wrote:
> Anton,
>
> I'm glad my input was useful. As for WSS vs WS, the fact you're using security bubbles up into the SIP messages themselves. I initially tried:
>
>
> Browser >> WSS >> Nginx >> WS >> FS
>
>
> FS does not like this because the protocol changes. You go from SIP/2.0/WSS to SIP/2.0/WS and FS won't allow that. Also, in some instances, you will get SIP URL changes. For example: sip:1234 at domain.com vs. sips:1234 at domain.com.
>
> The reason to go with WS to FS was to skip an encrypt/decrypt cycle on network traffic that never left the machine. I finally decided that trying to patch the SIP traffic was bound to fail at some point and we're only saving the encrypt/decrypt on the SIP traffic itself, so I went back to
>
>
> Browser >> WSS >> Nginx >>> WSS >> FS
>
>
>
>
>
> -----Original Message-----
> From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Anton
> Sent: Saturday, February 06, 2016 4:39 PM
> To: freeswitch-users at lists.freeswitch.org
> Subject: Re: [Freeswitch-users] WebSocket behind NGINX
>
> Hi,
>
> Sorry for not answering for a long time.
>
> Dan, thank you, your recommendation really helped me.
>
> So in order to proxy websocket request you need:
> 1. Proxy websocket requests in this way WSS -> (NGINX) -> FS WSS or WS
> -> (NGINX) -> FS WS
> 2. Modify local-network-acl
> 3. Modify apply-candidate-acl if you would like to drop more rtp candidates
>
> PS: I highly recommend to watch this video about NAT issues and ACL
> configuration:
> https://www.youtube.com/watch?v=_WSx-T6TriI
>
> BR,
> Anton Voylenko
>
> On 01/30/2016 09:20 PM, Anton wrote:
>> Hello All,
>>
>> I have to proxy all websocket requests though a nginx server. Right
>> now I am using next configuration:
>>
>> map $http_upgrade $connection_upgrade {
>>      default upgrade;
>>      ''      close;
>> }
>>
>> server {
>>      listen 443;
>>      server_name  wss.somedomain.com.ua;
>>
>>      ssl on;
>>      ssl_certificate      /etc/nginx/cert.pem;
>>      ssl_certificate_key  /etc/nginx/private.key;
>>
>>      location / {
>>          proxy_pass http://127.0.0.1:5066;
>>          proxy_http_version 1.1;
>>          proxy_set_header Upgrade $http_upgrade;
>>          proxy_set_header Connection $connection_upgrade;
>>          proxy_read_timeout 86400s;
>>     }
>>
>>      access_log /var/log/nginx/wss_access;
>>      error_log /var/log/nginx/wss_error debug; }
>>
>> I dumped traffic from nginx and found out that "switching protocol"
>> phrase was successful but INVITE message from my browser in pending
>> state.
>> Maybe FreeSWITCH wants real IP not loopback? Who have faced with
>> similar problem?
>>
>> BR,
>> Anton
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org

-- 
Saludos / Regards / Cumprimentos
António Silva




More information about the FreeSWITCH-users mailing list