Proxy settings for Ant Media Server running behind a firewall - ssl-certificate

I have Ant Media Server community edition running on a KVM VM server on onsite server hardware (testing for now) and would like to serve up staff how-to videos for an intranet to those inside and outside the firewall for our little NPO. We do this with a number of different web, chat, wiki, code-library, etc. servers and functions using an nginx proxy server that manages Lets Encrypt certs for each and provides access to people onsite or at home. We have the port forwarding set up correctly on the router and it all runs pretty nice.
When I proxy Ant Media Server this way it works fine to get to the admin gui--it comes right up on port 443, proxied from port 5080. But streaming does not work through the proxy---either inside or outside the firewall---with all ports open in both media and proxy server. It shows the webpage with the "Stream will start playing automatically when it is live" message for a VOD link and then just stops---does not start player or stream video. The VOD video plays correctly when accessed directly via port 5080.
I realize that maybe you've taken steps to make sure people cannot do what I am trying to do--- which circumvents the community edition license features that do not include the SSL feature. If so, just let me know.
I am aware that there is a feature to allow SSL via Lets Encrypt directly on Ant Media Server. But I cannot keep public port 80 forwarding to Ant Media Server to allow for Lets Encrypt cert updating---port 80 is forwarded to the dedicated proxy/cert machine that I mentioned above and which does this job very well for us.
Otherwise, if this should work and anyone can look at my settings and tell me what's awry, here are my proxy_pass settings:
---------------proxy_pass directive--------------------
server {
listen 443 ssl http2;
server_name antmedia.my.org;
add_header 'Access-Control-Allow-Origin' '*';
location / {
proxy_pass http://192.168.254.194:5080;
proxy_redirect http://192.168.254.194:5080 https://antmedia.my.org;
}
}
Thanks so much!! I think it's really cool that Ant Media is giving Wowza such a run for their money!!
The nginx.conf settings are stock/default for this docker---which is optimized for the reverse proxy role. Here they are with only the active lines listed:
user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
variables_hash_max_size 2048;
large_client_header_buffers 4 16k;
client_max_body_size 0;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /config/log/nginx/access.log;
error_log /config/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
include /etc/nginx/conf.d/*.conf;
include /config/nginx/site-confs/*;
lua_load_resty_core off;
}

Can you try please as follows?
server {
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
server_name yourdomain.com;
location / {
proxy_pass http://192.168.254.194:5080;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}

Related

Nginx reverse proxy https to https

I have a QNAP TS-253A with its admin interface exposed to the internet.
The qnap has it's own certificate installed by a dedicated tool (ie. I don't know exactly where to locate the certificate).
https://mydomain.myqnapcloud.com points to my static IP, and my router has a firewall rule, which forwards port 443 to 192.168.200.6 which is the internal address of my QNAP.
That all works as it should.
Now I have spun up a Docker container on 192.168.200.18, which I would like to expose to https://identity.someotherdomain.com.
My Idea was to spin up another container with an Nginx reverse proxy (192.168.200.8), and change the firewall rule to forward 443 (and 80) to the reverse proxy.
There are lots of guides to use nginx to sit in front of a http server and add SSL certificate thereby converting an existing http site to https. But my use case should be even simpler as the server i forward to, is already https.
I have tried this, which doesn't work:
upstream qnap {
server 192.168.200.6:443;
}
server {
listen 192.168.200.8:443;
server_name mydomainmyqnapcloud.com;
location / {
proxy_pass https://qnap;
}
}
How do I configure nginx to forward traffic intended for https://mydomain.myqnapcloud.com to https://192.168.200.6
and traffic intended for https://identity.someotherdomain.com to https://192.168.200.18
The way I got this working was to locate the certificate and key on the Qnap (in /etc/stunnel) and copy them to a folder shared into the reverse proxy docker image and include them in the nginx.conf:
server {
listen 443 ssl;
server_name mydomain.myqnapcloud.com;
ssl_certificate /etc/ssl/private/backup.cert;
ssl_certificate_key /etc/ssl/private/backup.key;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://192.168.200.6;
proxy_read_timeout 90;
proxy_redirect https://192.168.200.6 https://mydomain.myqnapcloud.com;
}
}

sni-support-required-for-valid-ssl error with AWS EC2 instance while implementing ssl with openresty

I have built a web app app.mywebapp.com. I'm planning to implement white labeling for my users.
User example website: userwebsite.com. I want to point their subdomain to my app.
Example: dashboard.userwebsite.com should point to app.mywebapp.com
I have added a CNAME record in my users DNS settings
I'm using openresty to implement the dynamic SSL certificates handling via reverse proxy.
My webapp is running on one AWS EC2 instance with SSL being handled by loadbalancer.
I have created another EC2 instance with a loadbalancer to handle the SSL requests from my user websites.
When I type EC2 instance Public DNS in browser, I'm getting insecure SSL error with message
"sni-support-required-for-valid-ssl" certificate is not trusted
Here is the nginx.conf file for handling SSL via openresty
user www-data;
events {
worker_connections 1024;
}
http {
lua_shared_dict auto_ssl 1m;
lua_shared_dict auto_ssl_settings 64k;
resolver 8.8.8.8 ipv6=off;
init_by_lua_block {
auto_ssl = (require "resty.auto-ssl").new()
auto_ssl:set("allow_domain", function(domain)
return true
end)
auto_ssl:init()
}
init_worker_by_lua_block {
auto_ssl:init_worker()
}
server {
listen 443 ssl;
ssl_certificate_by_lua_block {
auto_ssl:ssl_certificate()
}
ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
proxy_ssl_server_name on;
location / {
proxy_set_header Host app.mywebapp.com;
proxy_set_header Referer $host$uri;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_set_header User-Agent $http_user_agent;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_set_header Accept-Language $http_accept_language;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 5m;
proxy_pass https://app.mywebapp.com;
}
}
server {
listen 80;
location /.well-known/acme-challenge/ {
content_by_lua_block {
auto_ssl:challenge_server()
}
}
location /{
return 301 https://$host$request_uri;
}
}
server {
listen 127.0.0.1:8999;
client_body_buffer_size 128k;
client_max_body_size 128k;
location / {
content_by_lua_block {
auto_ssl:hook_server()
}
}
}
}
This happens because, for some reason, your server failed to obtain new certificates. I cannot fully debug your setup, but I can assure you that the documentation at https://github.com/GUI/lua-resty-auto-ssl works, but may be not easy to debug.
Protip; watch your logs
Your question is incomplete, but most of the time, when using OpenResty, you should watch your error logs files for what it will tell you. But most of the time, these will be common errors:
Too many requests
GUI/lua-resty-auto-ssl will retry very, very fast. It means that if you deploy a wrong configuration, you very likely will reach Let's Encript Limits. If you are doing heavy debug, really recommend you use another subdomain to not saturate you main domain
Directory permissions
If the openresty cannot write, it will fail. But in some cases, you OpenResty/Nginx still be able to work, but the Deydrated will fail
Issues with redirects and or not have the GUI/lua-resty-auto-ssl on the exact place
This is hard to debug, but explaining very simple, go step by step when implementing redirects (like forced HTTP to HTTPS) because you may able to obtain a new certificate, then not renew it.
By "exact place" means that
if the Let's encrypt will try on port 80, you need have GUI/lua-resty-auto-ssl snippet there
if the Let's encrypt will try on domain example.com, you need have GUI/lua-resty-auto-ssl snippet there
Final comments:
If you can, try the very minimum examples from GUI/lua-resty-auto-ssl, then each change you make, try again, steps by steps, and watch your logs files. If you do this, may take you 30~60min more, but can save you days of debugging, in special if you are using for the first time.

Nginx reverse proxy apache on centos 7, configuring both http and https

I am configuring nginx at port 80 as proxy server to Apache server on port 8080, using Centos 7.
I successfully configure both for http, but after installing lets encrypt certificate for Apache, I see Apache is directly receiving traffic for https. I tried to make nginx receive traffic for all HTTP and HTTPS, but face issue,
I do a lot of changes like disable apache to listen on port 443, and only listen to 8080.
I configure nginx to listen both at 80 and 443, additionally I remove certificate for apache and add to nginx configuration files. currently.
nginx configuration is as follow:
server {
listen 80;
listen [::]:80 default_server;
#server_name _;
server_name www.example.com;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
proxy_pass http://my.server.ip.add:8080;
root /usr/share/nginx/html;
proxy_redirect off;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
server {
listen 443 default_server;
server_name www.example.com;
root /usr/share/nginx/html;
ssl on;
ssl_certificate /etc/letsencrypt/live/www.example.com/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
#ssl_dhparam /etc/pki/nginx/dh2048.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA--REMOVED-SOME-HERE-SHA';
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
Note: I am using php 7.0
currently site is working on both https and http with 1 known issue i.e. User images are not loading. but I am not sure it is served by apache or nginx, in RESPONSE I can see "nginx/1.10.2"
What I was actually going to implement: I was trying to run both
node.js and apache using nginx. I donot start node yet.
My questions:
Is it really beneficial to use nginx in front and apache at the backend? (I read it protect from dDos attacks).
Where should we put certificate at nginx or apache?
How can I add node.js in nginx configuration? I already installed node js.
What can be best configuration of using both nginx and apache?
Good evening,
First of all all the considerations you have made at the infrastructure level are very good and in my opinion the proxy configuration despite the difficulties of implementation at this time is the best.
I've been using it for some time now and the benefits are enormous. However, I would like to ask you what type of cloud infrastructure you are using because there are so many things that change depending on the technical infrastructure. For example, I use only Google Cloud Platform that is completely different from CloudFlare or Other AWS.
The configuration made is too articulated and unclear from the point of view of the structure. You should try this way:First, enter the http context with the upstream domain name directive and inside the server IP address with Apache, and then make declarations for server and location contexts by including the parameters of the proxy_params file and snippet ssl.
If you want and help me understand the infrastructure we adopt, we can see how to make the configuration together but so it is imminent because each infrastructure responds to a different configuration.
It also applies to php7.0. For example, configuring PrestaShop 1.7.1.1 with php7.0 I had to make a lot of changes to the php.ini code of the CMS as I did not use CGI in FPM but this as I said was very varied.
see https://www.webfoobar.com/node/35

Nginx load balancing with Node.js and Google Oauth

I created a Node.js site that uses Google authentication. The site is used by 100+ users concurrently which affect the performance. So I understand that Nginx could help in scaling the site by creating multiple instance of the Node.js app in multiple ports and then we use Nginx as a load balancer.
So, I configured Nginx, but the issue is that it dose not seem to work with Google authentication. I am able to see the first page of my site and I am able to to login via Google but it is dose not work after this point.
Any suggestions to what could be missing to make this work.
This is my configuration file:
upstream my_app
{
least_conn; # Use Least Connections strategy
server ip:3001; # NodeJS Server 2 I changed the actual ip
server ip:3002; # NodeJS Server 3
server ip:3003; # NodeJS Server 4
server ip:3004; # NodeJS Server 5
keepalive 256;
}
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
expires epoch;
add_header Cache-Control "no-cache, public, must-revalidate, proxy-revalidate";
server_name ip;
access_log /var/log/nginx/example.com-access.log;
error_log /var/log/nginx/example.com-error.log error;
# Browser and robot always look for these
# Turn off logging for them
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt { log_not_found off; access_log off; }
# pass the request to the node.js server
# with some correct headers for proxy-awareness
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_buffers 8 16k;
proxy_buffer_size 32k;
proxy_pass http://my_app ;
proxy_redirect off ;
add_header Pragma "no-cache";
# Handle Web Socket connections
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
I just started learning about nginx, I checked when the upstream have only one ip address and it is working. i.e it works as a reverse proxy but not as a load balancer and my guess is due to google authentication nature.
And the error I receive in the error log is connection refused.
Thanks.
I figure out what was wrong. least_conn load balancing technique was not the right to choose since it dose not persist session. I changed it to
hash $remote_addr or hash_ip and it is working.

Nginx on SSL (443)

My goal is to redirect from port 80 to 443 (force https), but can't manage to get a working https configuration first. I get a 503 Server Error and nothing appears in the logs. I've looked at all the posts on SO and SF, none of them worked (X_FORWARDED_PROTO, X-Forwarded-For headers don't make a difference.). I'm on EC2 behind a load balancer, and so I don't need to use the SSL-related directives as I've configured my certificate on the ELB already. I'm using Tornado for a web server.
Here's the config, if anyone has ideas, thank you!
http {
# Tornado server
upstream frontends {
server 127.0.0.1:8002;
}
server {
listen 443;
client_max_body_size 50M;
root <redacted>/static;
location ^~/static/ {
root <redacted>/current;
if ($query_string) {
expires max;
}
}
location / {
proxy_pass_header Server;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://frontends;
}
}
}
Well, there are two different tasks:
If you need to redirect all your http traffic to https, you'll need to create http server in nginx:
server {
listen 80;
server_name example.com;
return 301 https://example.com$request_uri;
}
Second note, if your SSL is terminated at ELB than you dont need ssl enabled nginx server at all. Simply pass traffic from ELB to your server 80 port.