...

Full nginx configuration file
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
    
    include /etc/nginx/conf.d/*.conf;
    
    server {
        listen 443 ssl;
        ssl_certificate /etc/pki/tls/yourdomain/yourdomain.crt;
        ssl_certificate_key /etc/pki/tls/yourdomain/yourdomain.key;
        server_name wcs.yourdomain.com;
        server_tokens off;
        client_max_body_size 500m;
        proxy_read_timeout 10m;

        include /etc/nginx/default.d/*.conf;

        location / {
        }

        location /wss {
            proxy_set_header Host $host;
            proxy_pass https://localhost:8443;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 86400;
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
        
    }
}

Reverse proxy setup with the authentication token passed in a cookie

Passing authentication parameters in the URL is deprecated. However, browsers still do not support a way to pass custom headers (including the Authorization header) when establishing a WebSocket connection. In this case, passing the authentication token in a cookie and checking the cookie on the nginx side may be an alternative.

Client code

The client should set a cookie with the authentication token before establishing the WebSocket connection:

setCookie("AUTH", token, {secure: true, 'max-age': 3600});
Flashphoner.createSession({urlServer: url}).on(SESSION_STATUS.ESTABLISHED, function (session) {
    // ...
});

Sample code to set or change a cookie in the browser:

function setCookie(name, value, options = {}) {
  options = {
    path: '/',
    ...options
  };

  if (options.expires instanceof Date) {
    options.expires = options.expires.toUTCString();
  }

  let updatedCookie = encodeURIComponent(name) + "=" + encodeURIComponent(value);

  for (let optionKey in options) {
    updatedCookie += "; " + optionKey;
    let optionValue = options[optionKey];
    if (optionValue !== true) {
      updatedCookie += "=" + optionValue;
    }
  }

  document.cookie = updatedCookie;
}

The cookie may be cleared when the WebSocket session is closed or has failed:

Flashphoner.createSession({urlServer: url}).on(SESSION_STATUS.ESTABLISHED, function (session) {
    // ...
}).on(SESSION_STATUS.DISCONNECTED, function () {
    // Expire the cookie immediately
    setCookie("AUTH", "", {'max-age': -1});
    // ...
}).on(SESSION_STATUS.FAILED, function () {
    // Expire the cookie immediately
    setCookie("AUTH", "", {'max-age': -1});
    // ...
});

nginx configuration

1. Create a folder to store authentication tokens

mkdir -p /var/lib/nginx/tokens

and make the user that nginx runs as its owner

chown -R nginx /var/lib/nginx/tokens

2. Add token checking to the nginx configuration file

        location /wss {
            if (!-f /var/lib/nginx/tokens/$cookie_AUTH) {
               return 403;
            }
            proxy_set_header Host $host;
            proxy_pass https://localhost:8443;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 86400;
        }

3. Restart nginx

Usage

Before a client connects, the authentication token file should be created

touch /var/lib/nginx/tokens/ABCDEF1234565789
chown nginx /var/lib/nginx/tokens/ABCDEF1234565789

and the file name should be passed to the client, which sets it as the cookie value. How the token is passed to the client is out of scope here.

Known issues

For better security, the Origin header must be checked, and the cookie should be applied from allowed domains only.
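
One way to add the Origin check to the cookie check in nginx, as an added example that is not part of the original page. The allowed origin https://wcs.yourdomain.com, the variable names $wss_origin_ok and $wss_token, and the token format of 16 to 64 letters and digits are assumptions; the example also restricts the cookie to that format so its value can never name a path outside the token directory.

```nginx
# Added example (not from the original page).
# The two map blocks belong to the http context, e.g. a file under
# /etc/nginx/conf.d/, which the full configuration file already includes.

# 1 only for origins that are allowed to open the WebSocket.
# Assumption: the web application is served from https://wcs.yourdomain.com
map $http_origin $wss_origin_ok {
    default                       0;
    "https://wcs.yourdomain.com"  1;
}

# Use the cookie as a file name only if it looks like a token
# (assumed format: 16 to 64 letters and digits). Any other value
# becomes an empty name, so the -f test below sees the directory
# itself, which is not a regular file, and the request is rejected.
map $cookie_AUTH $wss_token {
    default                   "";
    "~^[A-Za-z0-9]{16,64}$"   $cookie_AUTH;
}

# Replaces the /wss location inside the server block.
location /wss {
    # Reject a missing Origin header or one that is not listed above
    if ($wss_origin_ok = 0) {
        return 403;
    }
    # Reject a missing, malformed or unknown token
    if (!-f /var/lib/nginx/tokens/$wss_token) {
        return 403;
    }
    proxy_set_header Host $host;
    proxy_pass https://localhost:8443;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 86400;
}
```

Clients that send no Origin header, such as non-browser WebSocket clients, receive 403 with this configuration. Check the result with nginx -t before restarting nginx.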

How to pass a real client IP address to WCS through the reverse proxy

...

Let's explore an nginx and WCS configuration example that passes the real client IP address.

nginx configuration

1. Add X-Client-IP header creation to Websocket proxy setup

...