...
```nginx
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen 443 ssl;
        ssl_certificate /etc/pki/tls/yourdomain/yourdomain.crt;
        ssl_certificate_key /etc/pki/tls/yourdomain/yourdomain.key;
        server_name wcs.yourdomain.com;
        server_tokens off;
        client_max_body_size 500m;
        proxy_read_timeout 10m;

        include /etc/nginx/default.d/*.conf;

        location / {
        }

        location /wss {
            proxy_set_header Host $host;
            proxy_pass https://localhost:8443;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 86400;
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
```
Reverse proxy setup with passing authentication token in cookies
Passing authentication parameters in the URL is deprecated. However, browsers still do not support a way to pass custom headers (including the Authorization header) when establishing a Websocket connection. In this case, passing the authentication token in a cookie, with the cookie checked on the nginx side, may be an alternative.
Client code
A client should set a cookie with the authentication token before establishing the websocket connection:

```javascript
setCookie("AUTH", token, {secure: true, 'max-age': 3600});
Flashphoner.createSession({urlServer: url}).on(SESSION_STATUS.ESTABLISHED, function (session) {
    ...
});
```
Sample code to set or change a cookie in the browser:

```javascript
function setCookie(name, value, options = {}) {
    // Default the cookie to the whole site; caller-supplied options override
    options = {
        path: '/',
        ...options
    };
    // Browsers expect the "expires" attribute as a UTC date string
    if (options.expires instanceof Date) {
        options.expires = options.expires.toUTCString();
    }
    let updatedCookie = encodeURIComponent(name) + "=" + encodeURIComponent(value);
    // Append each attribute; boolean attributes such as "secure" carry no value
    for (let optionKey in options) {
        updatedCookie += "; " + optionKey;
        let optionValue = options[optionKey];
        if (optionValue !== true) {
            updatedCookie += "=" + optionValue;
        }
    }
    document.cookie = updatedCookie;
}
```
The cookie may be cleared when the websocket session is closed or fails:

```javascript
Flashphoner.createSession({urlServer: url}).on(SESSION_STATUS.ESTABLISHED, function (session) {
    ...
}).on(SESSION_STATUS.DISCONNECTED, function () {
    // A negative max-age removes the cookie immediately
    setCookie("AUTH", "", {'max-age': -1});
    ...
}).on(SESSION_STATUS.FAILED, function () {
    setCookie("AUTH", "", {'max-age': -1});
    ...
});
```
nginx configuration
1. Create a folder to store authentication tokens

```shell
mkdir -p /var/lib/nginx/tokens
```

and set the nginx running user as its owner

```shell
chown -R nginx /var/lib/nginx/tokens
```
2. Add token checking to the nginx configuration file

```nginx
location /wss {
    # Allow the upgrade only if a token file named after the AUTH cookie exists
    if (!-f /var/lib/nginx/tokens/$cookie_AUTH) {
        return 403;
    }
    proxy_set_header Host $host;
    proxy_pass https://localhost:8443;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 86400;
}
```
3. Restart nginx
Usage
Before a client connects, the authentication token file should be created

```shell
touch /var/lib/nginx/tokens/ABCDEF1234565789
chown nginx /var/lib/nginx/tokens/ABCDEF1234565789
```

and the file name should be passed to the client, which sets it as the cookie value. How the token is delivered to the client is out of scope.
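Creating and removing the token files is left to the operator above. The POSIX shell functions below are an added example, not part of the Flashphoner documentation or its tooling: they generate a token name from `openssl rand`, create the file that the `if (!-f ...)` check looks for, refuse to act on any value outside the expected alphabet (the cookie value is used unchanged as a path component in the nginx check, so keeping token names to a fixed character set and length is the conservative choice), and delete stale files so that the server-side lifetime matches the cookie's `max-age`, since the file check by itself never expires a token. The directory and owner arguments, the 32-character lowercase hex format, and the use of `openssl` and `find -mmin` are assumptions of this example.

```shell
#!/bin/sh
# Added example for the file-backed token check described above.
# Assumptions: DIR is the nginx token directory (e.g. /var/lib/nginx/tokens),
# OWNER is the nginx user, tokens are 32 lowercase hex characters.

# issue_token DIR [OWNER]: create an empty token file and print its name.
# 16 random bytes from openssl give a 32-character hex name.
issue_token() {
    dir="$1"
    owner="${2:-}"
    token=$(openssl rand -hex 16) || return 1
    # Create the file with no access for other users (stat still works for nginx)
    ( umask 077 && : > "$dir/$token" ) || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$dir/$token" || return 1
    fi
    printf '%s\n' "$token"
}

# revoke_token DIR TOKEN: delete the token file so nginx returns 403 for it.
# Only a well-formed token name is ever joined to DIR.
revoke_token() {
    dir="$1"
    token="$2"
    case "$token" in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    [ "${#token}" -eq 32 ] || return 1
    rm -f "$dir/$token"
}

# expire_tokens DIR MINUTES: remove token files older than MINUTES, so a
# token stops working on the server side at the same time the cookie expires.
expire_tokens() {
    find "$1" -maxdepth 1 -type f -mmin "+$2" -delete
}
```

Run `expire_tokens /var/lib/nginx/tokens 60` from cron (matching the `max-age` of 3600 seconds used by the client code above) and call `revoke_token` from whatever logs the user out, so that a file is never left behind after its cookie is gone.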
Known issues
For better security, the Origin header must be checked, and the cookie should be accepted from allowed domains only.
How to pass a real client IP address to WCS through the reverse proxy
...
Let's explore an nginx and WCS configuration example that passes the real client IP address.
nginx configuration
1. Add X-Client-IP header creation to the Websocket proxy setup
...