Re: How to run openmeeting on RTMPS with nginx in frontend
Dear Hemant,

> In Darshit's case, [if] it is Nginx https + OM http. In such a case, the SSL will be terminated at Nginx. Only HTTP requests will be sent to Tomcat.

This is exactly correct. This is independent of nginx. It could also be Apache, lighttpd, haproxy or any other reverse proxy with SSL capabilities.

> In addition to Admin -> Config (flash.secure = true, flash.secure.proxy = none), does Darshit have to do the following:
> 1. red5/conf/jee-container.xml: UNComment "Tomcat with SSL enabled" section

Red5/Openmeetings uses two different ports to communicate with the user. One is for HTML content (HTTP(S)) and the other for media (RTMP(T/S)). By uncommenting you only make Tomcat listen on the RTMPS socket.

> 2. deal with keystore and truststore?

I had the following problems with the stock installation of the Archlinux AUR package:

1. The password of the truststore was wrong. I do not know it. I just recreated the truststore from the keystore after the keystore was set up correctly.
2. I had to add my keys + certificate chain to the keystore.

I hope this helps you with your setup.

Cheers
Christian
Re: Problems with certificates with RMTPS
Dear Maxim, dear openmeetings list,

> That is weird :(

I know it is weird. This is the reason I asked here.

> Maybe you can try to import chain as one file as described here:
> https://stackoverflow.com/questions/16062072/how-to-add-certificate-chain-to-keystore

In the meantime I tried a few things but none of them worked out correctly. Nevertheless, what I found with my current configuration:

- Firefox@Windows is working
- Chrome@Linux is working
- Firefox@Linux is failing
- Konqueror@Linux is failing due to missing Flash (could be overcome)

I think the problem might be an old Flash used in Firefox@Linux. I know there is pepperflash, but this is something I did not try yet (still on the agenda). I just wanted to give you a heads-up update.

Thank you so far
Christian

PS: Further, I wanted to ask some of you who are reading along this post to go to the site https://www2.wolf-stuttgart.net/openmeetings/ and simply click the "Network testing" button. The second test is the interesting one. Please report to me shortly with your Browser/OS. Thanks
Re: How to run openmeeting on RTMPS with nginx in frontend
Dear Darshit,

you need to enable RTMPS in /conf/jee-container.xml. It is there already but commented out. Also make sure that the keystore and truststore are correctly labeled (I had problems with them in the default configuration) and have the correct passwords.

Cheers
Christian

On 24.07.2018 at 06:22, Darshit Patel wrote:
> Hi,
>
> I have deployed openmeeting (4.0.4) on a Linux server, having nginx in frontend which redirects all https requests to the openmeeting instance running on localhost. On the server, I want to keep only port number 443 open (all other ports will be closed), but if I do that audio is not working. I looked into the openmeeting documentation to set up RTMPS tunneling. I have set the following flash settings from the openmeeting admin panel and closed port 1935, but still audio is not working.
>
> flash.secure = true
> flash.secure.proxy = none
>
> The default port for RTMPS is 8443. This port will be closed on the server, so should I change it to 443, or are any other settings required in the nginx configuration which handles the request and redirects to the respective port on localhost?
>
> Any suggestions to make things work are appreciated.
>
> Thanks,
> Darshit
Re: Problems with certificates with RMTPS
Dear Hemant,

I just found out I needed two more modifications of the HTTP(S) headers. The added lines are:

RequestHeader edit Origin "https://example.com" "http://localhost:5080"
Header edit Content-Security-Policy "ws://localhost:5080" "wss://example.com"

Cheers
Christian

On 18.07.2018 at 18:28, Coscend@OM wrote:
> Hello Christian,
>
> Following your guidance, here is the config we have for the SSL reverse proxy for the Apache HTTPD server. Is this correct? If yes, then we will create the equivalent of this for the different proxy server we use; we do not use Apache HTTPD. Thank you for your guidance.
>
> SSL
> ServerAdmin admin
> ServerName
> SSLEngine on
> SSLCertificateFile /opt/red5403/cert/certserver.crt
> SSLCertificateKeyFile /opt/red5403/cert/certserver.key
> SSLProxyEngine On
> SSLProxyCheckPeerCN on
> SSLProxyCheckPeerExpire off
> ##
> ## Reverse proxy
> ProxyPreserveHost On
> ProxyRequests Off
> ProxyPass http://localhost:5080/openmeetings/
> ProxyPassReverse http://localhost:5080/openmeetings/
> RequestHeader edit Referer "https://www.example.com/openmeetings" "http://localhost:5080/openmeetings"
> RewriteEngine on
> RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
> RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
> RewriteRule .* ws://localhost:5080%{REQUEST_URI} [P]
> ErrorLog /var/log/apache2/red5-error_log
> CustomLog /var/log/apache2/red5-access_log common
> # LogLevel info rewrite:trace5
> # Require all denied
> ##
>
> Sincerely,
> Hemant K. Sabat
> www.Coscend.com
>
> -----Original Message-----
> From: Christian Wolf
> Sent: Wednesday, July 18, 2018 3:00 AM
> To: user@openmeetings.apache.org
> Subject: Re: Problems with certificates with RMTPS
>
> Dear Hemant,
>
> > Would you be kind enough to share the Apache SSL configuration? We are facing issues in connecting through "proxy HTTPS + OM HTTP". We are using a different proxy server, but can learn from your Apache configuration to adapt to our proxy.
>
> I use it in a virtual subdirectory of the main server. This is also the reason for the reverse proxy need.
>
> ProxyPass http://localhost:5080/openmeetings/
> ProxyPassReverse http://localhost:5080/openmeetings/
> RequestHeader edit Referer "https://www.example.com/openmeetings" "http://localhost:5080/openmeetings"
> RewriteEngine on
> RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
> RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
> RewriteRule .* ws://localhost:5080%{REQUEST_URI} [P]
> # LogLevel info rewrite:trace5
> # Require all denied
>
> > How is your configuration different from this: http://mail-archives.apache.org/mod_mbox/openmeetings-user/201805.mbox/%3Ctrinity-46cc4ce2-542c-4f5a-872b-ae86bbb100c4-1526140744656@3c-app-mailcom-bs02%3E ?
>
> The only difference I see is the `RequestHeader` directive from mod_headers. The problem was that the login was refused as OM/red5 detected some malicious setting due to unmatching domains.
>
> I hope this can help you.
> Christian
>
> --
> Kind regards
> Christian Wolf
> Waldwiese 9-11
> 66123 Saarbrücken
> Mobile: 0178 776 79 39
Re: Problems with certificates with RMTPS
Dear Hemant,

this looks good to me, although I did not try it out in an example environment. At best you keep a network sniffer at hand to see what messages are passed between localhost:5080 and your reverse proxy. This makes your life a hell of a lot easier.

If it does not work out as expected, feel free to ask again. I will try to help as much as possible.

Cheers
Christian

PS: I do not use the ProxyPreserveHost directive, which is Off by default I think. This could make a small difference.

On 18.07.2018 at 18:28, Coscend@OM wrote:
> Hello Christian,
>
> Following your guidance, here is the config we have for the SSL reverse proxy for the Apache HTTPD server. Is this correct? If yes, then we will create the equivalent of this for the different proxy server we use; we do not use Apache HTTPD. Thank you for your guidance.
>
> SSL
> ServerAdmin admin
> ServerName
> SSLEngine on
> SSLCertificateFile /opt/red5403/cert/certserver.crt
> SSLCertificateKeyFile /opt/red5403/cert/certserver.key
> SSLProxyEngine On
> SSLProxyCheckPeerCN on
> SSLProxyCheckPeerExpire off
> ##
> ## Reverse proxy
> ProxyPreserveHost On
> ProxyRequests Off
> ProxyPass http://localhost:5080/openmeetings/
> ProxyPassReverse http://localhost:5080/openmeetings/
> RequestHeader edit Referer "https://www.example.com/openmeetings" "http://localhost:5080/openmeetings"
> RewriteEngine on
> RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
> RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
> RewriteRule .* ws://localhost:5080%{REQUEST_URI} [P]
> ErrorLog /var/log/apache2/red5-error_log
> CustomLog /var/log/apache2/red5-access_log common
> # LogLevel info rewrite:trace5
> # Require all denied
> ##
>
> Sincerely,
> Hemant K. Sabat
> www.Coscend.com
>
> [...]
> Christian
Re: Problems with certificates with RMTPS
Dear Maxim,

> On my Ubuntu FF uses CAs from /etc/ssl/certs/, Chrome seems to use internal CAs
> Can you check with keytool your keystore contains full chain (including CA)?
> Example https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
> keytool -list -v -keystore keystore.jks

My certificate chain is Root CA -> Intermediate CA from Let's Encrypt -> RTMPS certificate. When looking into the keystore, I see only the Intermediate CA -> RTMPS certificate chain. The root CA is not included. Does it need to be present as well to make everything work?

I used these commands on the keystore:

# keytool -importkeystore -srckeystore /openmeetings.p12 -srcstoretype PKCS12 -destkeystore /opt/openmeetings/conf/keystore.jmx -alias red5
# keytool -import -keystore /opt/openmeetings/conf/keystore.jmx -trustcacerts -file /etc/letsencrypt/live/openmeetings/chain.pem -alias letsencrypt

When trying to add the root CA I got a message stating that the certificate was already known in the global CA keystore. I force-added it now to test out the effect. The result is the same: Firefox cannot connect. I did not redo my sniffing. I assume it will look similar.

Thank you so far
Christian
Re: Problems with certificates with RMTPS
Dear Maxim,

On 18.07.2018 at 12:40, Maxim Solodovnik wrote:
> just re-read your initial email (wasn't practicing English for a long time, hard to read very long emails :(( )
> Have you added full certificates chain to both keystore and truststore of red5?

As far as I can tell, yes, there are chains in the keystore. The truststore is a simple copy of the keystore at the moment. I tried to verify with the following command (in one line):

$ openssl s_client -connect www2.wolf-stuttgart.net:8443 -showcerts -CApath /etc/ssl/certs/ < /dev/null

This says that the certificate could be successfully verified. I thus assume this is running all right.

Now I tried 2 browsers, Firefox and Chrome, to navigate to https://www2.wolf-stuttgart.net/openmeetings/hash?swf=network.

Firefox
-------
The second port symbol (RTMP connection) is a red cross. Investigation with a network sniffer led to the problem that the client refuses/does not find the CA of the cert and closes down the connection.

Chrome
------
The symbol is green as desired. The handshake of the client/server pair is visible. After that the connection is encrypted and only binary "random" data is transmitted that cannot be read (as desired) in a sniff.

Cheers
Christian
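The two questions the thread keeps circling back to are whether the chain the RTMPS socket serves is complete and whether it ends at a root the client actually trusts. The following is an added example (not code from the thread or from OpenMeetings/red5) that parses the text `openssl s_client -showcerts` prints, as in the command above, checks that each certificate is issued by the next one, and reports which anchor from a given trust list closes the chain. The s_client output embedded below is constructed, with placeholder certificate bodies; the function names and the trust-anchor list are assumptions of the example.

```python
"""Chain sanity check for an RTMPS endpoint, from `openssl s_client -showcerts` output.

Added example, not code from the thread. The sample output below is constructed
and the certificate bodies are placeholders; feed it real output to use it.
"""
import re

# Constructed stand-in for `openssl s_client -connect host:8443 -showcerts </dev/null`
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE
-----END CERTIFICATE-----
---
Server certificate
subject=CN = example.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
    Verify return code: 0 (ok)
"""

_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.M)

def parse_chain(text):
    """[(subject, issuer), ...] in the order the server sent the certificates."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in _ENTRY.finditer(text)]

def chain_is_linked(chain):
    """True when each certificate's issuer is the subject of the next one."""
    return all(chain[n][1] == chain[n + 1][0] for n in range(len(chain) - 1))

def trust_anchor_for(chain, anchors):
    """The anchor DN that closes the chain, or None: the 'Unknown CA' case a
    client with an incomplete CA store (old Flash/Firefox in the thread) hits."""
    if not chain:
        return None
    names = {s for s, _ in chain} | {chain[-1][1]}
    return next((a for a in anchors if a in names), None)

def verify_return_code(text):
    """Numeric 'Verify return code' printed by openssl (0 means verified)."""
    m = re.search(r"Verify return code: (\d+)", text)
    return int(m.group(1)) if m else None

def diagnose(text, anchors):
    """One-shot summary for a printed chain and a client's trust list."""
    chain = parse_chain(text)
    return {"depth": len(chain), "linked": chain_is_linked(chain),
            "anchor": trust_anchor_for(chain, anchors),
            "openssl_ok": verify_return_code(text) == 0}
```

Running `diagnose` with the subjects found in the client's CA store (for Firefox on Linux, the thread says /etc/ssl/certs/) shows whether a "Verify return code: 0" on the server side still leaves a client without a matching anchor.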
Re: Problems with certificates with RMTPS
Dear Maxim,

> both direct RTMPS and tunneled RTMPTS should work as expected

OK, then I prefer RTMPS.

> what values do you have in Admin->Config for
> flash.secure
> flash.secure.proxy
> http://openmeetings.apache.org/GeneralConfiguration.html

I think you are referring to the configuration within the web application, right? There I have

flash.secure = true
flash.secure.proxy = best

Cheers
Christian
Re: Problems with certificates with RMTPS
Dear Maxim,

On 17.07.2018 at 16:19, Maxim Solodovnik wrote:
> I'm afraid in case of full secured proxied configuration you need to use RTMPTS (tunneled secured RTMP)
> example of RTMPT config can be found in mail archives, for ex here: https://markmail.org/message/l7oltgy74zxo2pjc

I think I might not have been as specific as I should have been. It is OK to forward the RTMPS packets directly to the OM host. In fact this is already done. I read that RTMPT introduces quite some unneeded latency. Thus I wanted to avoid that if possible. So I see the following options:

1. Let Flash pack every single RTMP packet into an HTTPS call and install a proxy to handle these packages.
2. Use native RTMP over SSL on a dedicated, publicly available port.

When I tried option 1 I had the problem/impression that it was not working at all. I still got connections on either the RTMPS or the RTMP port. This could be a configuration issue. I would tackle this if option 2 is not possible. Otherwise I would prefer the direct approach. So are both options realizable with the current version 4.0.4 of OM?

Thanks
Christian
Re: Problems with certificates with RMTPS
Dear Hemant,

> Would you be kind enough to share the Apache SSL configuration? We are facing issues in connecting through "proxy HTTPS + OM HTTP". We are using a different proxy server, but can learn from your Apache configuration to adapt to our proxy.

I use it in a virtual subdirectory of the main server. This is also the reason for the reverse proxy need.

ProxyPass http://localhost:5080/openmeetings/
ProxyPassReverse http://localhost:5080/openmeetings/
RequestHeader edit Referer "https://www.example.com/openmeetings" "http://localhost:5080/openmeetings"
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://localhost:5080%{REQUEST_URI} [P]
# LogLevel info rewrite:trace5
# Require all denied

> How is your configuration different from this: http://mail-archives.apache.org/mod_mbox/openmeetings-user/201805.mbox/%3Ctrinity-46cc4ce2-542c-4f5a-872b-ae86bbb100c4-1526140744656@3c-app-mailcom-bs02%3E ?

The only difference I see is the `RequestHeader` directive from mod_headers. The problem was that the login was refused as OM/red5 detected some malicious setting due to unmatching domains.

I hope this can help you.

Christian
Problems with certificates with RMTPS
Dear community,

I have a strange behavior with my installation of OM. I want to proxy the web interface through Apache (with SSL). This is working. I can remotely access OM. All right.

Now I want RTMP to be encrypted as well. Here I created another certificate from Let's Encrypt (LE) just for the RTMPS purpose. The common name (CN) is simply the host name, just like e.g. for the https server. Then I wanted to adapt the configuration of OM accordingly. This is set up so that I enabled the corresponding section in /conf/red5-core.conf and added flash.secure=true and flash.secure.proxy=best in the global configuration (web frontend). I added the keys to the keystore exactly as in https://markmail.org/message/j4gx2q6woidyqj7l#query:+page:1+mid:ik4qdhdychl364bp+state:results as far as I can tell.

I tried the network test of OM and still get a red cross for the RTMP(S) port when using Firefox. A sniff with Wireshark shows that the client connects to port 8443 as intended and an SSL session is started. The server sends the certificates I gave plus the intermediate certificate from LE. It does not send the root certificate. I do not know if this is right or wrong. Nevertheless, the client seems to refuse the certificate and shuts down the SSL connection with the reason "Unknown CA". This happens instantly after the server sent its certificate chain.

When looking into this, it looks as if Chrome accepted the certificate. I know that Chrome does many things "differently", thus it is possible that everything is a problem of my local configuration within Firefox/OS. When trying the connection with `openssl s_client ...` I can successfully connect and verify the certificate chain. Thus in general it seems to work.

My interpretation is that the (Flash) client refuses the LE root certificate for some reason and terminates the connection due to security concerns. Is my interpretation correct? How can I overcome this?

Thank you and cheers
Christian
Re: Newbie questions
Hello again,

> I am administrator of the room (either by setting or by being the first person in the room).

OK, this I found using the second user. But if I am the admin, I need to click on the icon in the upper right corner to get the launcher running...

I finally found the button to start recording using the admin. However, I wonder about a few other things: The recording seems to be a screencast of my machine. I can restrict the area of recording, but as far as I can tell this is of relatively low quality and contains the tool bars as well. If I wanted to publish/archive the material for later use, it would be nice if

a) any background image like a PDF presentation is hi-res;
b) no tool bar clobbers the view of the whiteboard in the recording, especially no tool bar the visitors of the webinars/meetings do not know/recognize.

Am I doing things wrong or is this intentionally implemented this way/a feature? What do you do about this? Are you post-processing the flv?

I will see if the recording is going to work (including audio) if I try it with a dummy user and multiple PCs. So far I used only one machine.

With respect to "admin dashboard": This seems to be useful to me. I am looking forward to seeing this running.

Thanks a lot so far for your valuable answer
Christian