Websocket traffic proxying for WebRTC publishing/playing¶
Sometimes, it is necessary to hide Websocket WCS port behind proxy server, for example, for security reasons. A reverse proxy setup based on nginx and correcponding WCS setup examples are described below.
## Reverse proxy setup with basic authentication for Websocket
1. Enable basic authentication by login and password in nginx settings
2. Configure nginx to listen HTTPS (WebRTC publishing and playback work only through secure connection in the most browsers)
3. Configure proxy to WCS Websocket port (suppose nginx to be installed on the same server as WCS)
4. Restart nginx
5. Use the following Websocket URL to connect from browser
??? example "Full nginx configuration file"
server {
listen 443 ssl;
ssl_certificate /etc/pki/tls/yourdomain/yourdomain.crt;
ssl_certificate_key /etc/pki/tls/yourdomain/yourdomain.key;
server_name wcs.yourdomain.com;
server_tokens off;
client_max_body_size 500m;
proxy_read_timeout 10m;
root /usr/share/nginx/html;
...
}
location /wss {
proxy_set_header Host $host;
proxy_pass https://localhost:8443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
auth_basic "Restricted Area";
auth_basic_user_file /etc/nginx/.htpasswd;
include /etc/nginx/conf.d/*.conf;
server {
listen 443 ssl;
ssl_certificate /etc/pki/tls/yourdomain/yourdomain.crt;
ssl_certificate_key /etc/pki/tls/yourdomain/yourdomain.key;
server_name wcs.yourdomain.com;
server_tokens off;
client_max_body_size 500m;
proxy_read_timeout 10m;
include /etc/nginx/default.d/*.conf;
location / {
}
location /wss {
proxy_set_header Host $host;
proxy_pass https://localhost:8443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}