I want to establish a UDP Connection from a terminal device to My App On Cloud Foundry.
all output from applications on Cloud Foundry is delivered by proxy via a web server (nginx) and as far as I know only http and https are open.
Perhaps you should look at alternative ways of communicating with your console application, what kind of communication are you trying to achieve?
Using the CF_HOST:UDP_PORT from your terminal device should be OK. I suppose that an application (Java, Perl, etc) is deployed on your terminal device and on the CF server an application with a UDP channel is deployed.
This is an old post but i've had a similar problem when porting my app to pivotal's cloud foundry platform.
Turns out you can continue to use tcp or udp for any outgoing traffic without doing any special configuration (e.g. service binding, etc) but only http or https for incoming traffic. However, there is an interesting workaround proposed here
Related
I currently have the following network setup and would like to be able to make WebRTC calls between the two clients in different networks.
I enabled IPv4 forwarding on the openSuse Leap 15.2 server and both devices have either 192.168.2.1 or 192.168.4.1 as their default gateway. The web application as well as the signaling service are both hosted on this server as well.
With the Firewall disabled the call works as suspected, but with the Firewall on the call no longer works. I thought about hosting a Coturn STUN/TURN server on this server, as I've read that you should provision one, if you run into troubles with a firewall.
Is a setup like this doable with lets say Coturn and what would the configuration look like for a scenario like this?
I ended up solving it as I describe in my GitHub issue for this matter.
I have developed a WebRTC based application along with Kurento-Media-Server.
Problems with this application is:
It works but only on open network (i.e. if run on a network without firewall).
When in firewall it runs sometimes (once out of 10 attempts).
I have tried several things with the firewall, I have disabled all kind of incoming/outgoing traffic. I have created a port-forwarding for my application as well as Kurento-media server.
I am not sure how much useful this information might be but I am deploying my
application on the same physical box along with Kurento-Media-Server. I have configured google's STUN server on my client.js, I have also configured same STUN servers on kurento using code. I haven't configured TURN server.
Just confirming this, signaling server can be behind firewall along with rest of the application, correct?
I am not sure what to look for now, any help in this area would be great.
EDIT-1
From this link I learned that my current network on which my isn't working it has issues with plain websocket connection, it doesn't allow it, it only allows secure Websocket connections.
EDIT-2
Image of netscan:
In my phone network where my app works fine I see all greens in Websocket's "plain" column.
EDIT-3 Solved
Finally found the problem, We were using a router for testing and development and I found that the router had issues, I used LAN cable on the same router and everything worked fine. Calls from application were working just fine. Firewall related details help in configuring the firewall later on.
Based on your problem description it seems all the UDP traffic is not open in your firewall. WebRTC media run on UDP ports.As you mentioned it works one out of 10 times whch means only few UDP ports are open in your firewall.You are lucky when traffic comes via tose ports.You can open port-range in your firewall and configure the same in kurento-media-server config.Your job should be done.
Even if you configure TURN server you need to open certain ports for outgoing and incoming UDP traffic.For TURN server default port is 3478 or 8443 for sending data towards it but for incoming traffic you need to configure port-range on your TURN server and open those ports in your firewall. Always remember TURN server is assured way to connect but it's always costly.
I have an ARM embedded processor that talks to a .net WCF SOA (SOAP) web service application. The ARM device is remotely located and web service is hosted in a WS2k8 cloud server. I am having some protocol issues with the ARM code and would like to run Fiddler on my WS2k8 machine to observer the SOAP exchange between the embedded device and the web service application. I installed Fiddler Web Debugger V4.4.8 on the server but it does not capture any http requests. I know the ARM device is talking to my web services as it responds to several good SOAP exchanges. Anyone know how to set up Fiddler to work in the configuration I have explained?
Best Regards,
Steve Mansfield
Fiddler is a proxy, it captures any requests sent to it. If your ARM device supports a proxy, then point its proxy settings at the Fiddler endpoint on the Windows Server, port 8888. Also tick Allow Remote Clients to Connect in the Tools > Fiddler Options > Connections tab, and restart Fiddler.
If the client doesn't support configuring a proxy, you need to Use Fiddler as a Reverse Proxy.
They way I fixed it was to set in the client application to use a proxy (http://127.0.0.1:8888) so now the calls are redirected to fiddler and fiddler call the services, so I can see the traffic. Hope it helps someone
I have some small questions of which I think they're quite easy to answer for a WCF expert, but which I don't exactly know. I'm hoping they're not to obvious:
Does transport security (http with
ssl) work in conjunction with
streaming? If no, how can I transfer
large data in a secure way to the
client?
If I am not completely off the track
an IDuplexSessionChannel requires
the client to open a port too, so
that the service can contact the
client via a callback. Does this
also affect an IDuplexSessionChannel
which comunicates via http? Port 80
should be open by default, shouldn't
it?
Yes streaming works with HTTPS (basicHttpBinding).
Yes duplex session channel requires port opened on the client because duplex communication over HTTP really means one connection from the client to the server and one reverse connection from the server to the client. Port 80 doesn't have to be opened by default on the client - if it is, it is most probably already associated with some web server so it cannot be used for the communication. Duplex communication is also WCF specific (it is not interoperable) and it leads to other consequences. For example in Windows Vista \ Windows 7 \ Windows 2008 Server with UAC you must run the client with elevated privileges or allow listening on the port by using netsh command line utility.
I'm not sure how these two questions are related but wsDualHttpBinding (implementation of IDuplexSessionChannel) doesn't support streaming or transport security.
Not sure if i'm really up-to-date, but i'm looking in a way to convert my existing project to use HTML5 websockets.
Here's my situation :
- Client runs a modified java vnc applet with extra parameter (CONNECT).
- Modified stunnel listenin on webserver (with both public, private IP) port 443
- Client connects to 443 and sends (prior to RFB) a HTTP packet like :
'CONNECT 10.0.0.1:4001'
- Stunnel opens a new stream to 10.0.0.1:4001 using SSL wrapper
- VNC Server (#10.0.0.1:4001) responds, connection is established.
Now I want to get rid of the Java Applet and switch to Websocket using NoVNC.
I want to be able to :
- Open a single port on the webserver (HTTPS preferably)
- Have client connect using HTML5 only (no more java applet)
I cannot change :
- VNCServer will still be listening on private LAN only.
- VNCServer will still listen to a bunch of ports, each corresponding to
a virtual server
Questions are :
- How to give NoVNC the notion of target HOST:PORT ?
- Is stunnel still be usable ? Or should I change to websocket proxy ?
If anyone has a starting point, i'd really appreciate !
Disclaimer: I created noVNC so my answer may be heavily biased ;-)
I'll answer you second question first:
stunnel cannot be used directly by noVNC. The issue is that the WebSockets protocol has an HTTP-like initial handshake and the messages are framed. In addition, until binary payload support is added to WebSockets, the payload is base64 encoded by the websockets proxy (websockify). Adding the necessary support to stunnel would be non-trivial but certainly doable. In fact noVNC issue #37 is an aspirational feature to add this support to stunnel.
First question:
noVNC already has a concept of HOST:PORT via the RFB.connect(host, port, password) method. The file vnc_auto.html at the top level shows how to get noVNC to automatically connect on page load based on the host, port and password specified as URL query string parameters.
However, I think what you are really asking is how do you get noVNC to connect to alternate VNC server ports on the backend. This problem is not directly addressed by noVNC and websockify. There are several ways to solve this and it usually involves an out-of-band setup/authorization mechanism so that the proxy can't be used to launch attacks by arbitrary hosts. For example, at my company we have a web based management framework that integrates noVNC and when the user wants to connect to the console, an authenticated AJAX call is used to configure the proxy for that particular user and the system they want to connect to. Our web management interface is internal only.
Ganeti Web Manager uses a similar model and the source is available. They have a fork of VNCAuthProxy that has WebSockets support. They use a control channel from the web interface to the VNCAuthProxy to setup a temporary password associated with a specific VNC server host:port.
Also OpenStack (Nova) integrates noVNC uses a similar out-of-band token based model to allow access with their nova-vncproxy.
Some links:
Ganeti Web Manager
Wiki page about how noVNC works in Ganeti Web Manager
Ganeti Web Manager sources
Ganeti Web Manager VNCAUthProxy sources
Using noVNC in Nova/OpenStack
OpenStack fork of noVNC
Old nova-vnc-proxy code
Current nova vnc proxy code