
Comments (54)

noci2012 commented on June 12, 2024

OK, ^~ makes no difference, same result. /webrtc works except for /webrtc/ws.

from nextcloud-spreedme.

noci2012 commented on June 12, 2024

For the complete picture: there is a haproxy in front of this, which handles
session -> (haproxy) -> (nginx) -> site X/webrtc -> webrtc ...
(haproxy) -> (nginx) -> site X/* -> (php-fpm) -> nextcloud

haproxy is configured as transparent https, forwarding through SNI (i.e. not stripping the encryption, just passing it on).

noci2012 commented on June 12, 2024

192.168.6.1 - - [10/Nov/2016:16:13:52 +0100] "GET /webrtc/extra/static/config/OwnCloudConfig.js HTTP/1.0" 200 503 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"
192.168.6.1 - - [10/Nov/2016:16:13:53 +0100] "GET /webrtc/extra/static/ver=1478477015/img/logo-48x48.png HTTP/1.0" 200 829 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"
192.168.6.1 - - [10/Nov/2016:16:13:53 +0100] "GET /webrtc/static/ver=1478477015/img/logo-small.png HTTP/1.0" 200 3761 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"
192.168.6.1 - - [10/Nov/2016:16:13:53 +0100] "GET /webrtc/static/ver=1478477015/sounds/sprite1.ogg HTTP/1.0" 200 237130 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"
192.168.6.1 - - [10/Nov/2016:16:13:54 +0100] "GET /webrtc/ws HTTP/1.0" 400 12 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"
192.168.6.1 - - [10/Nov/2016:16:13:55 +0100] "GET /index.php/apps/spreedme/api/v1/user/config HTTP/1.0" 200 117 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"
192.168.6.1 - - [10/Nov/2016:16:13:55 +0100] "GET /index.php/apps/spreedme/api/v1/user/token HTTP/1.0" 200 127 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"

leonklingele commented on June 12, 2024

Please provide your nginx and haproxy config files

noci2012 commented on June 12, 2024

haproxy:
nxn & wxn are relevant here

global
        log  /dev/log  local1 debug      #warning
        #log  127.0.0.1  #local1 notice
        maxconn  4096
        uid  0
        gid  0
        daemon
        ssl-default-bind-options no-sslv3

defaults
        log   global
        mode  http
        option  httplog
        option  httpclose
        option  dontlognull
        #option forwardfor
        retries  3
        #option http-use-proxy-header
        option  redispatch
        #option  http-server-close
        maxconn  2000
        timeout  connect 61s
        timeout  client 50s
        timeout  server 50s

listen HAProxy-Statistics
        bind *:3307
        mode http
        option httplog
        option httpclose
        stats enable
        stats uri /haproxy?stats
        stats refresh 20s
        stats show-node
        stats show-legends
        stats show-desc Workaround haproxy for SSL
        stats auth zzzzzzzzzzzzzzzzzzzzzzzzzzzzz

frontend fe_sni_ssl
        bind :443
        log global 
        mode tcp
        option tcplog
        tcp-request inspect-delay 10s
        tcp-request content accept if { req_ssl_hello_type 1 }
        acl chk_sandcats req_ssl_sni -m sub yyyyyy.sandcats.io 
        use_backend be_sandcats if chk_sandcats
        use_backend be_vxn  if { req_ssl_sni -m sub vpn.xxxxxxx.net }
        use_backend be_wxn  if { req_ssl_sni -m sub -i webrtc.xxxxxxx.net }
        default_backend be_routing

backend be_sandcats
        mode tcp
        log global
        server sr_sandcats_ssl  192.168.6.5:7443 

backend be_vxn
        mode tcp
        log global
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        tcp-response content accept if serverhello
        stick on payload_lv(43,1) if clienthello
        stick store-response payload_lv(43,1) if serverhello 
        option ssl-hello-chk
        server nas_ssl          192.168.6.21:443

backend be_nxn
        mode tcp
        log global
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        tcp-response content accept if serverhello
        stick on payload_lv(43,1) if clienthello
        stick store-response payload_lv(43,1) if serverhello 
        option ssl-hello-chk
        server sr_nextcloud_ssl 192.168.6.5:443

backend be_wxn
        mode tcp
        log global
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        tcp-response content accept if serverhello
        stick on payload_lv(43,1) if clienthello
        stick store-response payload_lv(43,1) if serverhello 
        option ssl-hello-chk
        server sr_core_webrtc   192.168.6.5:5443

backend be_routing
        mode tcp
        log global
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        tcp-response content accept if serverhello
        stick on payload_lv(43,1) if clienthello
        stick store-response payload_lv(43,1) if serverhello 
        option ssl-hello-chk
        use-server sr_vpn           if { req_ssl_sni -m sub -i vpn.xxxxxxx.net }
        server sr_vpn                   192.168.6.21:443 weight 0
        use-server sr_owncloud_ssl  if { req_ssl_sni -m sub -i oc.xxxxxxx.net }
        server sr_owncloud_ssl          127.0.0.1:444   weight 0
        use-server sr_xn_ssl        if { req_ssl_sni -m sub -i xxxxxxx.net }
        server sr_xn_ssl                127.0.0.1:444   weight 0
        use-server sr_xo_ssl        if { req_ssl_sni -m sub -i xxxxxxx.org }
        server sr_xo_ssl                127.0.0.1:444   weight 0
        use-server sr_localhost_ssl if { req_ssl_sni -m sub -i yyyy.zzzzz.nl }
        server sr_localhost_ssl         127.0.0.1:444   weight 0
        use-server sr_nxn           if { req_ssl_sni -m sub -i nc.xxxxxxx.net }
        server sr_nxn                   192.168.6.5:443 weight 0
        use-server sr_wxn           if { req_ssl_sni -m sub -i webrtc.xxxxxxx.net }
        server sr_wxn                   192.168.6.5:5443 weight 0
        use-server sr_bosh          if { req_ssl_sni -m sub -i bosh.xxxxxxx.net }
        server sr_bosh                  127.0.0.1:5281  weight 0
        use-server sr_xmpp          if { req_ssl_sni -m sub -i xmpp.xxxxxx.net }
        server sr_xmpp                  127.0.0.1:5223  weight 0

The complete nginx is quite large... So I'll include only the relevant nxn part here:

  upstream php-handler {
    #server unix:/var/run/php5-fpm.sock;
    # or
    server 127.0.0.1:9000;
  }

  map $http_upgrade $connection_upgrade {
          default upgrade;
          ''      close;
  }

  server {
    listen  192.168.6.5:443 ssl http2;
    server_name nc.xxxxxxx.net;
    #proxy set_header Host nc.xxxxxxx.net:443 ;

    ssl_certificate /etc/letsencrypt/live/www.xxxxxxx.net/fullchain.pem ; 
    ssl_certificate_key /etc/letsencrypt/live/www.xxxxxxx.net/privkey.pem ;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

    # Path to the root of your installation
    root /var/www/nc.xxxxxxx.net/htdocs/;

    location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
    }

    location = /data/htaccesstest.txt {
      allow all;
      log_not_found off;
      access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
      rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
      deny all;
    }

    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
      deny all;
    }

    location ~ ^/http-bind/ {
      proxy_pass http://firewall:5280 ;
    }

    # Spreed WebRTC
    location ^~ /webrtc {
        proxy_pass http://127.0.0.1:5080;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_buffering             on;
        proxy_ignore_client_abort   off;
        proxy_redirect              off;
        proxy_connect_timeout       90;
        proxy_send_timeout          90;
        proxy_read_timeout          90;
        proxy_buffer_size           4k;
        proxy_buffers               4 32k;
        proxy_busy_buffers_size     64k;
        proxy_temp_file_write_size  64k;
        proxy_next_upstream         error timeout invalid_header http_502 http_503 http_504;
    }

    # cache_purge (with $http_cookies we have unique keys for the user)
    fastcgi_cache_key $http_cookie$request_method$host$request_uri;
    fastcgi_cache_use_stale error timeout invalid_header http_500;
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
      fastcgi_split_path_info ^(.+\.php)(/.*)$;

      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO $fastcgi_path_info ;
      fastcgi_param HTTPS on;
      fastcgi_pass php-handler;
      }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
      try_files $uri/ =404;
      index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
      try_files $uri /index.php$uri$is_args$args;
      add_header Cache-Control "public, max-age=7200";
    # removed because they are added twice... causing warnings
    # Add headers to serve security related headers (It is intended to
    # have those duplicated to the ones above)
    # Before enabling Strict-Transport-Security headers please read into
    # this topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    #  includeSubDomains; preload;";
    #  add_header X-Content-Type-Options nosniff;
    #  add_header X-Frame-Options "SAMEORIGIN";
    #  add_header X-XSS-Protection "1; mode=block";
    #  add_header X-Robots-Tag none;
    #  add_header X-Download-Options noopen;
    #  add_header X-Permitted-Cross-Domain-Policies none;
    # Optional: Don't log access to assets
      access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
      try_files $uri /index.php$uri$is_args$args;
      # Optional: Don't log access to other assets
      access_log off;
    }

  }

noci2012 commented on June 12, 2024

@leonklingele I posted the requested data.

leonklingele commented on June 12, 2024

After looking at your config, some questions still remain:

  1. Under which domain do you access spreed-webrtc? nc.xxxxxxx.net or webrtc.xxxxxxx.net? Requests to webrtc.xx… are processed by a different port (5443). Intentionally?
  2. Are you sure that the requests you posted really end up in the 192.168.6.5:443 nginx server?
  3. Can you please verify that both $http_upgrade and $connection_upgrade (in the /webrtc block) are non-empty for the /webrtc/ws request?

noci2012 commented on June 12, 2024
  1. At first webrtc.xxxxxxx.net, now nc.xxxxxxx.net/webrtc (the first configuration had more troubles); after that I set up webrtc through nginx.

  2. Yes, see the log in the first post.

  3. These are all values from one run:

"-" "close"
"-" "close"
"-" "close"
"-" "close"
"-" "close"
"-" "close"

I added the $URI and reloaded....
"-" "close" "/index.php/apps/spreedme/"
"-" "close" "/index.php/core/js/oc.js"
"-" "close" "/webrtc/"
"-" "close" "/ocs/v2.php/apps/notifications/api/v1/notifications"
"-" "close" "/webrtc/ws"
"-" "close" "/index.php/apps/spreedme/api/v1/user/config"
"-" "close" "/index.php/apps/spreedme/api/v1/user/token"
"-" "close" "/index.php/avatar/adminnb/256"

noci2012 commented on June 12, 2024

A hardcoded $connection_upgrade to "upgrade" makes no difference.

longsleep commented on June 12, 2024

"-" "close" "/webrtc/ws"

if this is supposed to show the output of $http_upgrade, then it means that the Upgrade HTTP header does not reach Nginx (see http://nginx.org/en/docs/http/ngx_http_core_module.html#var_http_). Make sure it's not filtered along the way somewhere.

noci2012 commented on June 12, 2024

@longsleep:

"-" "close" "/webrtc/ws"
These are, respectively, $http_upgrade, $connection_upgrade (derived through the mapping) and $uri.

In the log (in the top post, from nginx) 192.168.6.1 is the address of the haproxy.
The query path is Browser -> haproxy (SNI mode, so it cannot access the content) -> nginx -> webrtc...

longsleep commented on June 12, 2024

Please use the following log_format with the access_log configuration.

log_format upgrade '$request $status .$http_upgrade. $connection_upgrade';

It should produce something like this for the /ws endpoint.

GET /ws HTTP/1.1 101 .websocket. upgrade

If it does not, as your previous log indicates, then either the browser is not sending it or something filters it on the way.

noci2012 commented on June 12, 2024

GET /ocs/v2.php/apps/notifications/api/v1/notifications?format=json HTTP/1.0 200 .-. close
GET /webrtc/static/ver=1478477015/css/bootstrap.min.css HTTP/1.0 200 .-. close
GET /webrtc/static/ver=1478477015/css/font-awesome.min.css HTTP/1.0 200 .-. close
GET /webrtc/static/ver=1478477015/css/main.min.css HTTP/1.0 200 .-. close
GET /webrtc/extra/static/ver=1478477015/css/owncloud.css HTTP/1.0 200 .-. close
GET /webrtc/static/ver=1478477015/js/libs/require/require.js HTTP/1.0 200 .-. close
GET /webrtc/static/ver=1478477015/img/bg-tiles.jpg HTTP/1.0 200 .-. close
GET /webrtc/extra/static/ver=1478477015/img/logo.svg HTTP/1.0 200 .-. close
GET /webrtc/static/ver=1478477015/fonts/fontawesome-webfont.woff?v=4.1.0 HTTP/1.0 200 .-. close
GET /webrtc/static/ver=1478477015/js/main.js HTTP/1.0 200 .-. close
GET /webrtc/static/ver=1478477015/js/base.js HTTP/1.0 200 .-. close
GET /webrtc/extra/static/owncloud.js HTTP/1.0 200 .-. close
GET /webrtc/static/ver=1478477015/js/app.js HTTP/1.0 200 .-. close
GET /webrtc/extra/static/PostMessageAPI.js HTTP/1.0 200 .-. close
GET /webrtc/extra/static/config/OwnCloudConfig.js HTTP/1.0 200 .-. close
GET /webrtc/extra/static/ver=1478477015/img/logo-48x48.png HTTP/1.0 200 .-. close
GET /webrtc/static/ver=1478477015/img/logo-small.png HTTP/1.0 200 .-. close
GET /webrtc/static/ver=1478477015/sounds/sprite1.ogg HTTP/1.0 200 .-. close
GET /index.php/apps/spreedme/api/v1/user/token HTTP/1.0 200 .-. close
GET /index.php/apps/spreedme/api/v1/user/config HTTP/1.0 200 .-. close
GET /index.php/avatar/adminnb/256?requesttoken=ACQkOShPGiQKMzA%2FJwMvf30KBw4EDWcmVzN3JQ8rAQA%3D%3A3VwUpvVOzYEvD5GO%2BRDl%2B9Snar%2FqENL3%2FqtVR7XgS6Q%3D HTTP/1.0 200 .-. close
GET /webrtc/ws HTTP/1.0 400 .-. close
GET /webrtc/ws HTTP/1.0 400 .-. close
GET /webrtc/ws HTTP/1.0 400 .-. close
GET /webrtc/ws HTTP/1.0 400 .-. close
GET /ocs/v2.php/apps/notifications/api/v1/notifications?format=json HTTP/1.0 200 .-. close

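The log_format longsleep asked for puts the three things that must line up for a WebSocket upgrade on one line: the HTTP version of the request as nginx received it, the Upgrade header (or "-" when it never arrived), and the Connection value the map block derived from it. The following script is an added example, not code from this thread or from the nextcloud-spreedme project: it parses lines in exactly that format and lists, for each request to the WebSocket endpoint, the reasons the handshake could not have succeeded. The sample lines are constructed to mirror the ones posted above, and the "/ws" suffix is an assumption you would adjust to your basePath.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One line as written by nginx with
#   log_format upgrade '$request $status .$http_upgrade. $connection_upgrade';
# e.g.  GET /webrtc/ws HTTP/1.0 400 .-. close
LINE_RE = re.compile(
    r"^(?P<method>\S+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d) (?P<status>\d{3}) "
    r"\.(?P<upgrade>.*?)\. (?P<connection>\S+)$"
)

# Constructed sample mirroring the lines posted in the thread (not a captured file).
SAMPLE_LOG = """\
GET /webrtc/static/ver=1478477015/js/app.js HTTP/1.0 200 .-. close
GET /webrtc/ws HTTP/1.0 400 .-. close
GET /webrtc/ws HTTP/1.0 400 .-. close
GET /ws HTTP/1.1 101 .websocket. upgrade
"""


@dataclass
class UpgradeRecord:
    method: str
    uri: str
    proto: str
    status: int
    upgrade: str     # "-" means the Upgrade header never reached nginx
    connection: str  # value of $connection_upgrade from the map block


def parse_line(line: str) -> Optional[UpgradeRecord]:
    """Parse one access-log line; None for lines in another log format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return UpgradeRecord(m["method"], m["uri"], m["proto"], int(m["status"]),
                         m["upgrade"], m["connection"])


def diagnose(rec: UpgradeRecord) -> List[str]:
    """Reasons this request could not have been upgraded to a WebSocket (empty = fine)."""
    problems = []
    if rec.proto != "HTTP/1.1":
        problems.append(f"arrived as {rec.proto}; Upgrade needs HTTP/1.1, so a hop downgraded it")
    if rec.upgrade.lower() != "websocket":
        problems.append(f"Upgrade header missing or wrong ({rec.upgrade!r}); filtered or never sent")
    if rec.connection.lower() != "upgrade":
        problems.append(f"$connection_upgrade mapped to {rec.connection!r}; nginx told the upstream to close")
    if rec.status != 101:
        problems.append(f"upstream answered {rec.status} instead of 101 Switching Protocols")
    return problems


def audit(log_text: str, ws_suffix: str = "/ws") -> List[Tuple[str, List[str]]]:
    """(uri, problems) for every request whose path ends with the WebSocket endpoint."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec.uri.split("?", 1)[0].endswith(ws_suffix):
            continue
        findings.append((rec.uri, diagnose(rec)))
    return findings


if __name__ == "__main__":
    for uri, problems in audit(SAMPLE_LOG):
        print(uri, "OK" if not problems else "")
        for p in problems:
            print("   -", p)
```

Run against the real file with `audit(open("/var/log/nginx/access.log").read())`; a /ws line that shows HTTP/1.0 with ".-." points at a hop between browser and nginx, while HTTP/1.1 with "websocket" but a non-101 status points at the upstream.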

noci2012 commented on June 12, 2024

The browser is Chromium, with uMatrix, Ghostery, HTTPS Everywhere and a cookie manager as extensions.

longsleep commented on June 12, 2024

OK that shows the reason. For whatever reason, Nginx does HTTP/1.0 only. That might be related to NPN or ALPN not correctly passed through. It needs to be HTTP/1.1 for Websocket upgrade to work.

longsleep commented on June 12, 2024

I did some more research on this, and I think that HAProxy needs to advertise http/1.1. You also use http/2 in your Nginx config so something like

bind *:443 ssl crt /etc/ssl/dummy.pem alpn h2,http/1.1

in your haproxy listeners for http should do the trick.

Might be required. See http://m12.io/blog/http-2-with-haproxy-and-nginx-guide for some guides. I guess it's safe to say that when http/2 works then websockets would work too.

noci2012 commented on June 12, 2024

@longsleep, please note HAProxy is using SNI forwarding; it CANNOT look into the stream as it has no certificates.
It sees the Server Name Indication in the hello packet and then forwards the encrypted stream...
so there is NO way the haproxy can modify the stream, except for the source address.
It cannot add / remove headers.

The stream is just passed on as an encrypted stream; the nginx is the one that does the decoding.
(There are about 5 different services behind this haproxy, distinguished by name.)

See: http://blog.haproxy.com/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
Look for: Choose a server using SNI: aka SSL routing

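The point above is that an SNI-passthrough haproxy only ever sees the unencrypted ClientHello and routes on the server_name it carries; everything after that, the HTTP headers included, is opaque to it. The Python below is an added example, not code from this thread or from the project: it builds a minimal ClientHello, parses back the two fields such a proxy can read in the clear (the SNI and the offered ALPN list), and then applies first-match, case-insensitive substring routing in the style of the use-server lines in be_routing, with example.net standing in for the redacted domain (an assumption). The helper first_shadowed flags patterns that an earlier, broader substring pattern would always capture first.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Route table in the order of the be_routing block above: (substring, server), evaluated
# top to bottom, first match wins, like "use-server X if { req_ssl_sni -m sub -i ... }".
# example.net stands in for the redacted xxxxxxx.net (assumption, not the page's domain).
BE_ROUTING_ORDER: List[Tuple[str, str]] = [
    ("vpn.example.net", "sr_vpn"),
    ("oc.example.net", "sr_owncloud_ssl"),
    ("example.net", "sr_xn_ssl"),
    ("example.org", "sr_xo_ssl"),
    ("nc.example.net", "sr_nxn"),
    ("webrtc.example.net", "sr_wxn"),
]


def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(sni: str, alpn: List[str], random_bytes: bytes = b"\x11" * 32) -> bytes:
    """A minimal TLS 1.2-style ClientHello record carrying server_name and ALPN extensions."""
    host = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    alpn_entries = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    alpn_data = struct.pack("!H", len(alpn_entries)) + alpn_entries
    extensions = _ext(0, sni_data) + _ext(16, alpn_data)
    cipher_suites = b"\xc0\x2f\xc0\x30"  # ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384
    body = (b"\x03\x03" + random_bytes + b"\x00"                        # version, random, empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                                # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """What an SNI-passthrough proxy can read in the clear: the SNI and the offered ALPN list."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello (haproxy: req_ssl_hello_type 1)")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    result: Dict[str, object] = {"sni": None, "alpn": []}
    if pos + 2 > len(body):
        return result                                       # no extensions block: nothing to route on
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0:                                      # server_name
            p = 2
            while p + 3 <= len(data):
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                if data[p] == 0:
                    result["sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == 16:                                   # application_layer_protocol_negotiation
            p = 2
            while p < len(data):
                plen = data[p]
                result["alpn"].append(data[p + 1:p + 1 + plen].decode("ascii"))
                p += 1 + plen
    return result


def choose_server(sni: Optional[str], routes=BE_ROUTING_ORDER, default="(no use-server matched)") -> str:
    """First-match, case-insensitive substring routing, as "-m sub -i" does."""
    if sni is None:
        return default
    for needle, server in routes:
        if needle.lower() in sni.lower():
            return server
    return default


def first_shadowed(routes=BE_ROUTING_ORDER) -> List[Tuple[str, str]]:
    """Patterns that can never win because an earlier pattern is a substring of them."""
    shadowed = []
    for i, (needle, _) in enumerate(routes):
        for earlier, _ in routes[:i]:
            if earlier.lower() in needle.lower():
                shadowed.append((needle, earlier))
                break
    return shadowed


if __name__ == "__main__":
    seen = parse_client_hello(build_client_hello("nc.example.net", ["h2", "http/1.1"]))
    print("visible to the passthrough proxy:", seen)
    print("routed to:", choose_server(seen["sni"]))
    print("shadowed use-server patterns:", first_shadowed())
```

Two things the run makes visible. First, the ALPN list is offered by the client inside the same cleartext ClientHello, so a passthrough proxy can read it but cannot change what the TLS terminator (here nginx) selects. Second, because `-m sub` is a substring test and use-server lines are evaluated in order, a broad pattern such as example.net listed before nc.example.net captures the nc.* traffic first; whether the corresponding order in be_routing above is intended is worth checking, since it decides which server that traffic reaches.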

noci2012 commented on June 12, 2024

oops wrong button

noci2012 commented on June 12, 2024

FYI: excerpt from Qualys SSL Labs:

Chrome 49 / XP SP3  RSA 2048 (SHA256)   TLS 1.2 > h2    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Chrome 51 / Win 7  R    RSA 2048 (SHA256)   TLS 1.2 > h2    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 31.3.0 ESR / Win 7  RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 47 / Win 7  R   RSA 2048 (SHA256)   TLS 1.2 > h2    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 49 / XP SP3 RSA 2048 (SHA256)   TLS 1.2 > h2    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 49 / Win 7  R   RSA 2048 (SHA256)   TLS 1.2 > h2    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Googlebot Feb 2015  RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
IE 6 / XP   No FS 1   No SNI 2  Server closed connection
IE 7 / Vista    RSA 2048 (SHA256)   TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 8 / XP   No FS 1   No SNI 2  Server closed connection
IE 8-10 / Win 7  R  RSA 2048 (SHA256)   TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win 7  R    RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp256r1  FS
IE 11 / Win 8.1  R  RSA 2048 (SHA256)   TLS 1.2 > http/1.1      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp256r1  FS
IE 10 / Win Phone 8.0   RSA 2048 (SHA256)   TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win Phone 8.1  R    RSA 2048 (SHA256)   TLS 1.2 > http/1.1      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp256r1  FS
IE 11 / Win Phone 8.1 Update  R RSA 2048 (SHA256)   TLS 1.2 > http/1.1      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp256r1  FS
IE 11 / Win 10  R   RSA 2048 (SHA256)   TLS 1.2 > h2    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Edge 13 / Win 10  R RSA 2048 (SHA256)   TLS 1.2 > h2    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Edge 13 / Win Phone 10  R   RSA 2048 (SHA256)   TLS 1.2 > h2    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS

longsleep commented on June 12, 2024

I tried to reproduce with your configuration without success. It just works for me with the same setup. This leads me to think that the problem might be client side. Can you check what request the browser actually sends to the /ws endpoint? Did you try with another browser (e.g. Firefox)?

noci2012 commented on June 12, 2024

I did try with Firefox, same result.

noci2012 commented on June 12, 2024

JQMIGRATE: Migrate is installed, version 1.4.0
5jsxc.js?v=53cb9a7…:8384 Unable to create user prefixgetPrefix @ jsxc.js?v=53cb9a7…:8384
app.js:219 WebSocket connection to 'wss://nc.xxxxxx.net/webrtc/ws' failed: Error during WebSocket handshake: Unexpected response code: 400o.connect @ app.js:219
DevTools failed to parse SourceMap: https://nc.xxxxx.net/core/vendor/jquery/dist/jquery.min.map

When accessing the URL directly without authenticating in Nextcloud I get redirected back to Nextcloud. After logon it fails.

leonklingele commented on June 12, 2024

noci2012 commented on June 12, 2024

No, https://nc.xxxxxx.net/index.php/apps/spreedme will show the backend screen, and then revert to the Nextcloud login.
Using .../webrtc/ws just delivers "Bad Request."

Oh, btw, here is the webrtc log:
server 2016/11/18 11:48:04 Using '/webrtc/' base base path.
server 2016/11/18 11:48:04.495720 Enabled modules: [youtube presentation contacts screensharing]
server 2016/11/18 11:48:04.495820 Using room type Conference for ^conference/.+
server 2016/11/18 11:48:05.216699 Loaded extra templates from: /rawstore/www/nc.xxxxxxx.net/htdocs/apps/spreedme/extra
server 2016/11/18 11:48:05.216762 Max open files are 4096
server 2016/11/18 11:48:05.218898 Enabled users handler 'sharedsecret'
server 2016/11/18 11:48:05.219343 Added URL handler /extra/static/... for static files in /rawstore/www/nc.xxxxxxx.net/htdocs/apps/spreedme/extra/static/...
server 2016/11/18 11:48:05 Starting HTTP server on 127.0.0.1:5080

leonklingele commented on June 12, 2024

noci2012 commented on June 12, 2024

backend screen
Which backend screen?

white bar, with on the right grey buttons for sound, video, settings,
dark grey bar with Room: Main and 50% grey patern background, initial with spreed me logo, later a green retry button comes into the white bar.

i get redirected back to nextcloud
This sounds odd. Mind sharing your Spreed.ME Nextcloud app config?

Here follows (secrets & identifying stuff removed, https not used, also removed).
Almost default... Comments removed

; Spreed WebRTC server example configuration

[http]
listen = 127.0.0.1:5080
root = /usr/share/spreed-webrtc-server/www
readtimeout = 10
writetimeout = 10
basePath=/webrtc

[app]
title = Spreed WebRTC
stunURIs = stun:stun.spreed.me:443
sessionSecret = a........8
encryptionSecret = f......f
authorizeRoomJoin = true
serverToken = e......2
serverRealm = local
extra = /rawstore/www/nc.xxxxxx.net/htdocs/apps/spreedme/extra
plugin = extra/static/owncloud.js

[modules]

[log]
logfile = /var/log/spreed-webrtc/server.log

[users]
enabled = true
mode = sharedsecret
sharedsecret_secret = d.......d

[nats]

[roomtypes]
^conference/.+ = Conference

leonklingele commented on June 12, 2024

noci2012 commented on June 12, 2024

SPREED_WEBRTC_CONFIG:Generate Spreed WebRTC config
SPREED_WEBRTC_SHAREDSECRET:Generate new shared secret
SPREED_WEBRTC_ORIGIN: https://nc.xxxxxxx.net
SPREED_WEBRTC_BASEPATH: /webrtc/
SPREED_WEBRTC_IS_SHARED_INSTANCE: v
OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED: o
OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY:Generate new signing keySave settings
extra/static/config/OwnCloudConfig.js was found.
If you want to change some of the options listed below, you need to edit the file by yourself.
OWNCLOUD_ORIGIN:

leonklingele commented on June 12, 2024

noci2012 commented on June 12, 2024

I will remove the origin.
Isn't that the http/1.0 response from webrtc? (As the status is also shown)
Without haproxy the other sites become unreachable..., which is quite troublesome.
Besides that, the webserver is not running on the firewall while the HAProxy is. (The firewall is not the next CPE, so quite some changes are needed.)

Note on the side: the webrtc secrets cannot be easily verified unless they are regenerated... there is no easy way to get them.

longsleep commented on June 12, 2024

Maybe there is something else in between like a decrypting MITM proxy or something which only does HTTP/1.0 ?

Please check the network panel in your browser and copy the request to /ws endpoint as cURL (right click on it in Chrome).

Will result as something like this:

curl 'https://redemption.intranet.struktur.de:8444/ws' -H 'Pragma: no-cache' -H 'Origin: https://redemption.intranet.struktur.de:8444' -H 'Accept-Encoding: gzip, deflate, sdch, br' -H 'Accept-Language: en-US,en;q=0.8,de;q=0.6' -H 'Sec-WebSocket-Key: HcE5iHMv0LBfyYB0U61o6w==' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.44 Safari/537.36' -H 'Upgrade: websocket' -H 'Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits' -H 'Cache-Control: no-cache' -H 'Connection: Upgrade' -H 'Sec-WebSocket-Version: 13' -H 'DNT: 1' --compressed

Then add the -v parameter and run it from your various locations (fix the URL as required).

This should look like this:

curl -v 'https://redemption.intranet.struktur.de:8444/ws' -H 'Pragma: no-cache' -H 'Origin: https://redemption.intranet.struktur.de:8444' -H 'Accept-Encoding: gzip, deflate, sdch, br' -H 'Accept-Language: en-US,en;q=0.8,de;q=0.6' -H 'Sec-WebSocket-Key: HcE5iHMv0LBfyYB0U61o6w==' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.44 Safari/537.36' -H 'Upgrade: websocket' -H 'Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits' -H 'Cache-Control: no-cache' -H 'Connection: Upgrade' -H 'Sec-WebSocket-Version: 13' -H 'DNT: 1' --compressed
* Hostname was NOT found in DNS cache
*   Trying 10.1.1.201...
* Connected to redemption.intranet.struktur.de (10.1.1.201) port 8444 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=DE; ST=Baden-Wuerttemberg; L=Stuttgart; OU=struktur AG IT; CN=redemption.intranet.struktur.de
*    start date: 2016-05-31 07:25:16 GMT
*    expire date: 2017-05-31 07:25:16 GMT
*    subjectAltName: redemption.intranet.struktur.de matched
*    issuer: C=DE; ST=Baden-Wuerttemberg; L=Stuttgart; O=struktur AG; OU=IT; CN=struktur AG Server CA (2013); [email protected]
*    SSL certificate verify ok.
> GET /ws HTTP/1.1
> Host: redemption.intranet.struktur.de:8444
> Accept: */*
> Pragma: no-cache
> Origin: https://redemption.intranet.struktur.de:8444
> Accept-Encoding: gzip, deflate, sdch, br
> Accept-Language: en-US,en;q=0.8,de;q=0.6
> Sec-WebSocket-Key: HcE5iHMv0LBfyYB0U61o6w==
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.44 Safari/537.36
> Upgrade: websocket
> Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
> Cache-Control: no-cache
> Connection: Upgrade
> Sec-WebSocket-Version: 13
> DNT: 1
> 
< HTTP/1.1 101 Switching Protocols
* Server nginx is not blacklisted
< Server: nginx
< Date: Fri, 18 Nov 2016 12:39:42 GMT
< Connection: upgrade
< Upgrade: websocket
< Sec-WebSocket-Accept: 798KWVopbQxtvY0tBojT2Job/x4=
..... websocket data follows

and then post your output; maybe that gives some clues. The above output goes through haproxy to Nginx, the same as your setup, using haproxy 1.5.14 and 1.10.2. Client is Chrome 55.0.2883.44 on Linux amd64.

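The curl -v transcript above is a manual WebSocket opening handshake: the client sends Upgrade and Connection headers with a random Sec-WebSocket-Key, and a correct server answers 101 with a Sec-WebSocket-Accept derived from that key (SHA-1 over the key concatenated with the RFC 6455 GUID, base64-encoded). The script below is an added example, not code from this thread or from the project: it builds such a request, validates a reply the way a browser does, and in probe() performs the exchange live over TLS while offering ALPN http/1.1, so the negotiated protocol is reported next to the result, much like curl's "ALPN, server accepted to use" line. The two sample replies and the hostname are constructed; the key and accept value used for the offline check are the worked example from RFC 6455.

```python
import base64
import hashlib
import os
import socket
import ssl
from typing import Dict, List, Tuple

# Fixed GUID from RFC 6455 section 4.2.2; the server appends it to the client's key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
# Sample key and constructed replies for the offline check (not captured traffic).
RFC_KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # worked-example key from RFC 6455 section 1.3
GOOD_REPLY = (b"HTTP/1.1 101 Switching Protocols\r\nServer: nginx\r\nConnection: upgrade\r\n"
              b"Upgrade: websocket\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
BAD_REPLY = (b"HTTP/1.1 400 Bad Request\r\nServer: nginx/1.10.1\r\nContent-Type: text/plain\r\n"
             b"Content-Length: 12\r\nConnection: keep-alive\r\nSec-Websocket-Version: 13\r\n\r\nBad Request")


def new_key() -> str:
    """16 random bytes, base64-encoded, as Sec-WebSocket-Key requires."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def expected_accept(key: str) -> str:
    """The Sec-WebSocket-Accept a correct server must return for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_request(host: str, path: str, key: str, origin: str) -> bytes:
    """The opening handshake; HTTP/1.1 only, Upgrade is not defined for HTTP/1.0."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        f"Origin: {origin}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response_head(raw: bytes) -> Tuple[str, int, Dict[str, str]]:
    """Split the status line and headers (names lower-cased) off a raw HTTP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], int(parts[1]), headers


def check_handshake(raw_reply: bytes, key: str) -> List[str]:
    """Everything a browser verifies before it treats the connection as a WebSocket."""
    _version, code, headers = parse_response_head(raw_reply)
    problems = []
    if code != 101:
        problems.append(f"status {code}, expected 101 Switching Protocols")
    if headers.get("upgrade", "").lower() != "websocket":
        problems.append("missing 'Upgrade: websocket' in the reply")
    if "upgrade" not in headers.get("connection", "").lower():
        problems.append("missing 'Connection: upgrade' in the reply")
    if headers.get("sec-websocket-accept") != expected_accept(key):
        problems.append("Sec-WebSocket-Accept absent or not derived from our key")
    return problems


def probe(host: str, path: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Live check against a real endpoint (needs network access; not run by the test)."""
    key = new_key()
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["http/1.1"])  # same as 'ALPN, offering http/1.1' in curl -v
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_request(host, path, key, f"https://{host}"))
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
            return {
                "tls": tls.version(),
                "alpn": tls.selected_alpn_protocol(),
                "problems": check_handshake(raw, key) if raw else ["empty reply"],
            }


if __name__ == "__main__":
    print("good reply:", check_handshake(GOOD_REPLY, RFC_KEY))
    print("bad reply: ", check_handshake(BAD_REPLY, RFC_KEY))
    # probe("nc.example.net", "/webrtc/ws")  # placeholder hostname; fix the URL as required
```

Running probe() from several vantage points (inside the LAN against nginx directly, then through haproxy) isolates the hop that turns a 101 into a 400; comparing the reported "alpn" value across those runs shows whether the TLS terminator, not the passthrough proxy, is what negotiates the protocol.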

noci2012 commented on June 12, 2024
*   Trying zzz.zzz.zzz.zzz...
* TCP_NODELAY set
* Connected to nc.xxxxxxx.net (zzz.zzz.zzz.zzz) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=www.xxxxxxx.net
*  start date: Sep 29 19:59:00 2016 GMT
*  expire date: Dec 28 19:59:00 2016 GMT
*  subjectAltName: host "nc.xxxxxxx.net" matched cert's "nc.xxxxxxx.net"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET /webrtc/ws HTTP/1.1
> Host: nc.xxxxxxx.net
> Accept: */*
> Pragma: no-cache
> Origin: https://nc.xxxxxxx.net
> Accept-Encoding: gzip, deflate, sdch, br
> Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4
> Sec-WebSocket-Key: WQU..../dg==
> User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2902.0 Safari/537.36
> Upgrade: websocket
> Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
> Cache-Control: no-cache
> Cookie: oc_sessionPassphrase=faM......J; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; i18next=nl; ocuinqirkrns=284.....qf4
> Connection: Upgrade
> Sec-WebSocket-Version: 13
> DNT: 1
>
< HTTP/1.1 400 Bad Request
< Server: nginx/1.10.1
< Date: Fri, 18 Nov 2016 13:23:31 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 12
< Connection: keep-alive
< Keep-Alive: timeout=20
< Sec-Websocket-Version: 13
< X-Content-Type-Options: nosniff
<
Bad Request
* Curl_http_done: called premature == 0
* Connection #0 to host nc.xxxxxxx.net left intact

haproxy = 1.6.9, nginx = 1.10.1, Chromium (not Chrome) various (Windows, Linux)

longsleep commented on June 12, 2024

Ok, let me see if I can find newer stuff which can do ALPN - it's the only difference I see and it might be relevant as Chrome also is doing ALPN.

longsleep commented on June 12, 2024

Also no luck with ALPN .. works just fine.

curl -k -v 'https://redemption.intranet.struktur.de:8444/ws' -H 'Pragma: no-cache' -H 'Origin: https://redemption.intranet.struktur.de:8444' -H 'Accept-Encoding: gzip, deflate, sdch, br' -H 'Accept-Language: en-US,en;q=0.8,de;q=0.6' -H 'Sec-WebSocket-Key: HcE5iHMv0LBfyYB0U61o6w==' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.44 Safari/537.36' -H 'Upgrade: websocket' -H 'Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits' -H 'Cache-Control: no-cache' -H 'Connection: Upgrade' -H 'Sec-WebSocket-Version: 13' -H 'DNT: 1' --compressed
*   Trying 10.1.1.201...
* Connected to redemption.intranet.struktur.de (10.1.1.201) port 8444 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 703 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*    server certificate verification SKIPPED
*    server certificate status verification SKIPPED
*    common name: redemption.intranet.struktur.de (matched)
*    server certificate expiration date OK
*    server certificate activation date OK
*    certificate public key: RSA
*    certificate version: #3
*    subject: C=DE,ST=Baden-Wuerttemberg,L=Stuttgart,OU=struktur AG IT,CN=redemption.intranet.struktur.de
*    start date: Tue, 31 May 2016 07:25:16 GMT
*    expire date: Wed, 31 May 2017 07:25:16 GMT
*    issuer: C=DE,ST=Baden-Wuerttemberg,L=Stuttgart,O=struktur AG,OU=IT,CN=struktur AG Server CA (2013),[email protected]
*    compression: NULL
* ALPN, server accepted to use http/1.1
> GET /ws HTTP/1.1
> Host: redemption.intranet.struktur.de:8444
> Accept: */*
> Pragma: no-cache
> Origin: https://redemption.intranet.struktur.de:8444
> Accept-Encoding: gzip, deflate, sdch, br
> Accept-Language: en-US,en;q=0.8,de;q=0.6
> Sec-WebSocket-Key: HcE5iHMv0LBfyYB0U61o6w==
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.44 Safari/537.36
> Upgrade: websocket
> Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
> Cache-Control: no-cache
> Connection: Upgrade
> Sec-WebSocket-Version: 13
> DNT: 1
> 
< HTTP/1.1 101 Switching Protocols
< Server: nginx
< Date: Fri, 18 Nov 2016 13:34:33 GMT
< Connection: upgrade
< Upgrade: websocket

longsleep commented on June 12, 2024

@noci2012 I am pretty much out of ideas. Can you try to run curl from your inner network and see if it works when directly going to Nginx?

noci2012 commented on June 12, 2024

Here is a tshark dump from between nginx and webrtc....
T-Shark snip on port 5080
Request:

GET /webrtc/ws HTTP/1.1
Connection: upgrade
X-Forwarded-Proto: https
Host:nc.xxxxxxx.net:443
X-Real-IP: 192.168.6.1
X-Forwarded-For: 192.168.6.1
Pragma: no-cache
Cache-Control: no-cache
Origin: https://nc.xxxxxxx.net
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2902.0 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: oc_sessionPassphrase=faMS........HJhKQJ; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; i18next=nl; ocuinqirkrns=2845....4
Sec-WebSocket-Key: y1XD...........jg==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits

Answer:

HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Sec-Websocket-Version: 13
X-Content-Type-Options: nosniff
Date: Fri, 18 Nov 2016 13:43:31 GMT
Content-Length: 12

For some reason webrtc is dismissing this request. I just left out the SYN/SYN-ACK/ACK & FIN/FIN-ACK/ACK sequences & TCP flags. This is monitored from the internal port.
Problem is the webrtc log also shows nothing...

I hope the X-Real-IP and X-Forwarded-For don't matter.
AFAICT this has not a lot to do with nginx or haproxy..., except for the source address, which appears to be local.

longsleep commented on June 12, 2024

Ok, that's helpful - so where did you get your spreed-webrtc build? Do you use a precompiled binary or did you build it yourself? If you built it yourself, can you provide the version/gitrev of the https://github.com/gorilla/websocket you are using? If you have downloaded it from somewhere please let us know from where and what version. Thanks!

noci2012 commented on June 12, 2024

From the webspreed site? (the one linked from the cube that was offered in the past), about 6-8 weeks ago.

longsleep commented on June 12, 2024

from the webspreed site? (the one linked from the cube that was offered in the past)

Sorry, I do not know what that might be. Package or source code? Can you be more specific?

noci2012 commented on June 12, 2024

Gentoo ebuild script: built on (03:43:35 09/29/16)
I followed some links and finally built it using Gentoo's build system. Ultimate source is GitHub.

cat /usr/local/portage/www-apps/spreed-webrtc/spreed-webrtc-9999.ebuild

# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/app-portage/epm/epm-1.33.ebuild,v 1.7 2012/05/16 15:46:54 fuzzyray Exp $

inherit git-r3 user

DESCRIPTION="Spreed.me webrtc server"
HOMEPAGE="https://github.com/strukturag/spreed-webrtc"
EGIT_REPO_URI="https://github.com/strukturag/spreed-webrtc.git"

LICENSE="AGPL"
SLOT="0"
KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sparc x86 ~sparc-fbsd ~x86-fbsd"
IUSE="intl"

DEPEND="net-misc/curl
	>=dev-lang/go-1.4.0
	>=net-libs/nodejs-0.6.0"
RDEPEND="${DEPEND}"

# Create the unprivileged account the daemon runs as
pkg_setup() {
	enewgroup spreed-webrtc
	enewuser spreed-webrtc -1 -1 -1 spreed-webrtc
}

src_compile() {
	./autogen.sh
	econf
	emake
}

src_install() {
	emake dc_destdir="${D}" DESTDIR="${D}" install
	insinto /etc/spreed-webrtc
	newins "${FILESDIR}"/server.conf server.conf
	newinitd "${FILESDIR}"/spreed-webrtc.initd spreed-webrtc
	newconfd "${FILESDIR}"/spreed-webrtc.confd spreed-webrtc
	# keepdir (not a bare insinto) so the empty log directory survives the merge
	keepdir /var/log/spreed-webrtc
	fowners spreed-webrtc:spreed-webrtc /var/log/spreed-webrtc
}

files/spreed-webrtc.confd

WEBRTC_CONF=/etc/spreed-webrtc/server.conf
WEBRTC_LOG=/var/log/spreed-webrtc/server.log
WEBRTC_NOFILE=4096
WEBRTC_GOMAXPROCS=5
WEBRTC_ARGS=""

files/spreed-webrtc.initd

#!/sbin/openrc-run

DESC='Spreed Speak Freely'
NAME=spreed-webrtc
DAEMON=/usr/sbin/spreed-webrtc-server
SCRIPTNAME=/etc/init.d/$NAME

# Make "reload" available as a command while the service is running
extra_started_commands="reload"

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

WEBRTC_PID=/run/spreed-webrtc/spreed-webrtc.pid
WEBRTC_RUN_DIR=/run/spreed-webrtc
WEBRTC_USER=spreed-webrtc
WEBRTC_GROUP=spreed-webrtc


#
# Function that starts the daemon/service
#
start()
{
	ebegin "Starting $NAME"
	# Dry run: bail out if a daemon is already running under this pidfile
	start-stop-daemon --start \
		--quiet \
		--pidfile "$WEBRTC_PID" \
		--startas "$DAEMON" \
		--test > /dev/null \
		|| return 1

	# Create the run directory.
	test -e "$WEBRTC_RUN_DIR" || mkdir -p "$WEBRTC_RUN_DIR" || true
	chown -R "$WEBRTC_USER:$WEBRTC_GROUP" "$WEBRTC_RUN_DIR" || true
	chmod 770 "$WEBRTC_RUN_DIR" || true

	# Set some performance parameters (values come from /etc/conf.d/$NAME)
	ulimit -n "$WEBRTC_NOFILE"
	export GOMAXPROCS="$WEBRTC_GOMAXPROCS"

	start-stop-daemon --start \
		--quiet \
		--background \
		--make-pidfile \
		--pidfile "$WEBRTC_PID" \
		--chuid "$WEBRTC_USER" \
		--group "$WEBRTC_GROUP" \
		--startas "$DAEMON" \
		-- \
		-c "$WEBRTC_CONF" \
		-l "$WEBRTC_LOG" \
		$WEBRTC_ARGS
	eend $?
}

#
# Function that stops the daemon/service
#
stop()
{
	ebegin "Stopping $NAME"
	start-stop-daemon --stop \
		--quiet \
		--retry=TERM/30/KILL/5 \
		--pidfile "$WEBRTC_PID" \
		--name "$NAME"
	RETVAL="$?"
	[ "$RETVAL" != 2 ] && rm -f "$WEBRTC_PID"
	eend "$RETVAL"
}

#
# Function that reloads the daemon/service by restarting it
#
reload() {
	stop
	start
}

longsleep commented on June 12, 2024

Ok - I looked at the code and the reason Spreed WebRTC is returning a 400 is that the "Upgrade" header is lost on the way. Please check the Nginx configuration as it must get lost there. The header is Upgrade: websocket as shown in your curl request above, but not seen in your tshark dump.
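As an added example (not code from this thread or from spreed-webrtc), here are the server-side handshake checks that produce a 400 like the one above, in Python: the hostnames and trimmed header sets are constructed from the captures in this thread, and the key is the RFC 6455 sample nonce so the expected accept value is the one the RFC documents.

```python
import base64
import binascii
import hashlib

# RFC 6455 section 4.2.2: fixed GUID appended to the client key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, target, headers dict)."""
    lines = raw.strip("\r\n").split("\n")
    method, target, _version = lines[0].strip().split(" ", 2)
    headers = {}
    for line in lines[1:]:
        line = line.rstrip("\r")
        if not line:
            break  # end of the header block
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method, target, headers

def has_token(header_value, token):
    """Case-insensitive token match: 'upgrade' and 'keep-alive, Upgrade' pass."""
    return token.lower() in [t.strip().lower() for t in header_value.split(",")]

def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(sha1(key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def check_handshake(raw):
    """Return (status, headers) a backend answers per RFC 6455 section 4.2.1."""
    _method, _target, h = parse_request(raw)
    hint = {"Sec-WebSocket-Version": "13"}
    # The thread's proxied request failed here: Upgrade was lost in transit.
    if not has_token(h.get("upgrade", ""), "websocket"):
        return 400, hint
    if not has_token(h.get("connection", ""), "upgrade"):
        return 400, hint
    if h.get("sec-websocket-version") != "13":
        return 400, hint
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            return 400, {}
    except binascii.Error:
        return 400, {}
    return 101, {"Upgrade": "websocket", "Connection": "Upgrade",
                 "Sec-WebSocket-Accept": accept_key(key)}

# Constructed samples trimmed from this thread's captures; the key is the
# RFC 6455 example nonce, whose accept value the RFC documents.
GOOD_REQUEST = """GET /webrtc/ws HTTP/1.1
Host: nc.example.net
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
"""
# As seen by tshark behind nginx: Upgrade gone, Connection lower-cased.
PROXIED_REQUEST = """GET /webrtc/ws HTTP/1.1
Connection: upgrade
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
"""
```

Running check_handshake on the two samples gives 101 with the RFC accept value for the first and 400 with a Sec-WebSocket-Version hint for the second, which is exactly the pair of responses seen in the curl output and the tshark dump.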

noci2012 commented on June 12, 2024

So this fails:

location ^~ /webrtc {
    proxy_pass http://127.0.0.1:5080;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
}

longsleep commented on June 12, 2024

Yes, looks like $http_upgrade is empty; it needs to be 'websocket' when it's a websocket request, like it is sent with the curl command.

noci2012 commented on June 12, 2024

If it is passed into nginx it doesn't come out. So probably a module is missing from nginx; can you show the list of modules you have?

longsleep commented on June 12, 2024
2>&1 nginx -V | xargs -n1
--with-cc-opt=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
--with-ld-opt=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now
--prefix=/usr/share/nginx
--conf-path=/etc/nginx/nginx.conf
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log
--lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi
--with-debug
--with-pcre-jit
--with-ipv6
--with-http_ssl_module
--with-http_stub_status_module
--with-http_realip_module
--with-http_auth_request_module
--with-http_addition_module
--with-http_dav_module
--with-http_geoip_module
--with-http_gunzip_module
--with-http_gzip_static_module
--with-http_image_filter_module
--with-http_v2_module
--with-http_sub_module
--with-http_xslt_module
--with-stream
--with-stream_ssl_module
--with-mail
--with-mail_ssl_module
--with-threads
--add-module=/build/nginx-H0pUyB/nginx-1.10.2/debian/modules/nginx-auth-pam
--add-module=/build/nginx-H0pUyB/nginx-1.10.2/debian/modules/nginx-dav-ext-module
--add-module=/build/nginx-H0pUyB/nginx-1.10.2/debian/modules/nginx-echo
--add-module=/build/nginx-H0pUyB/nginx-1.10.2/debian/modules/nginx-upstream-fair
--add-module=/build/nginx-H0pUyB/nginx-1.10.2/debian/modules/ngx_http_substitutions_filter_module

Those are the compile-time flags for the Nginx I use for testing.

longsleep commented on June 12, 2024

Btw, the http_ variables are provided by the http://nginx.org/en/docs/http/ngx_http_core_module.html and that one is not optional afaict.

noci2012 commented on June 12, 2024

Both Upgrade & Connection header tags are hop-by-hop only.
So it must go wrong in nginx.... The curl request has the header fields..., which is pipelined into nginx...
And when the server matching code decodes the SSL link it is missing.

I tried some explicit headers for /webrtc/ws (proxy_set_header Upgrade websocket; proxy_set_header Connection upgrade;) and then it does work, so why is $http_upgrade undefined?

I need to do more testing with curl vs. chromium... wrt. nginx

longsleep commented on June 12, 2024

Yes, indeed strange. I have no idea how the http header would be lost when received by Nginx (as the $http_upgrade variable is empty, which usually means it is lost). Could be an issue with Nginx parsing the headers .. who knows. It should be ok to always send the Upgrade: websocket header for the /ws endpoint even if it was not received by Nginx before. No requests other than websocket requests are made to that endpoint.

noci2012 commented on June 12, 2024

curl requests that bypass the haproxy still have the Upgrade & Connection headers.
Somehow when the same curl request is sent through haproxy (which cannot touch the content) the headers are not picked up by nginx..., ok, I'll try to unearth that one there; it may take a while though, the nginx code isn't exactly easy to read.

Thanks for the ack on my (intermediate) solution.

noci2012 commented on June 12, 2024

Curl Request:

GET /webrtc/ws?curl HTTP/1.1
Host: nc.xxxxxxx.net
Accept: */*
Pragma: no-cache
Origin: https://nc.xxxxxxx.net
Accept-Encoding: gzip, deflate, sdch, br
Sec-WebSocket-Version: 13
Accept-Language: en-US,en;q=0.8,nl;q=0.6
Sec-WebSocket-Key: QBKcxyaLv5Om+scMeDUbBg==
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36
Upgrade: websocket
Cache-Control: no-cache
Cookie: oc_sessionPassphrase=XcOZFOaPnqqbv1
Connection: Upgrade
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
DNT: 1

Parsed by nginx:
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Host: nc.xxxxxxx.net:443"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Connection: close"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Accept: */*"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Pragma: no-cache"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Origin: https://nc.xxxxxxx.net"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Accept-Encoding: gzip, deflate, sdch, br"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Sec-WebSocket-Version: 13"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Accept-Language: en-US,en;q=0.8,nl;q=0.6"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Sec-WebSocket-Key: QBKcxcxxxcxcxyaLv5Om+scMeDUbBg=="
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Cache-Control: no-cache"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Cookie: oc_sessionPassphrase=XcOZ9q5bYP%
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "DNT: 1"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header done

The User-Agent & Cookie are followed by Upgrade & Connection respectively,
but they are NOT seen/parsed by the nginx code....

longsleep commented on June 12, 2024

2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Connection: close"

Where does this "Connection: close" come from? I guess it is related and something on the way injects this.

noci2012 commented on June 12, 2024

The close is inserted by the mapping done based on Upgrade; the default value for Connection is upgrade unless Upgrade: is missing, which is the case.

I am currently building an nginx daemon with extra debug statements which will show the header lines BEFORE processing (possibly filtering them). The nginx debug only shows end results....
So the cause may very well be a filter function on header lines.
My guess is that the hop-by-hop fields like Upgrade: either are removed before the symbols get created
or get removed on some condition.
I also posted a query on the NGINX forum about this.

noci2012 commented on June 12, 2024

And a recompiled nginx seems to work all right?? I just added a debug statement.

noci2012 commented on June 12, 2024

Solved.... (well, probably a browser issue)..
It looks like if chromium finds that it has a link to a.domain.tld and then b.domain.tld (both ending up on the same [proxy] server [IP wise]), the request is forwarded to the existing link, and is then forwarded to the a.domain.tld backend [nginx], which happens to still have a rule to forward a request for b.domain.tld (although WITHOUT the upgrade handling), effectively losing the upgrade capability if this route is followed.
Only when establishing the link is the SNI certificate verified for the server name.

A recent removal of the entry for b.domain.tld in the a.domain.tld config brought this to light.
I didn't try to find out [yet] if this is a specific http/2 issue or not.
