Problems with certificates with RMTPS

2018-07-17 Thread Christian Wolf

Dear community,

I have a strange behavior with my installation of OM. I want to proxy 
the web interface through apache (with SSL). This is working. I can 
remotely access OM. All right.


Now I want RTMP to be encrypted as well. Here I created another 
certificate from Let's Encrypt (LE) just for the RTMPS purpose. The 
common name (CN) is simply the host name, just like e.g. for the https 
server.


Then I wanted to adapt the configuration of OM accordingly. This is set 
up so that I enabled the corresponding section in /conf/red5-core.conf and 
added flash.secure=true and flash.secure.proxy=best in the global 
configuration (web frontend). I added the keys to the keystore exactly as in 
https://markmail.org/message/j4gx2q6woidyqj7l#query:+page:1+mid:ik4qdhdychl364bp+state:results 
as far as I can tell. I tried the network test of OM and still get a red 
cross for the RTMP(S) port when using Firefox.


A sniff with Wireshark shows that the client connects to port 8443 as 
intended and an SSL session is started. The server sends the 
certificates I gave plus the intermediate certificate from LE. It does 
not send the root certificate. I do not know if this is right or wrong.
Nevertheless, the client seems to refuse the certificate and shuts down 
the SSL connection with the reason "Unknown CA". This happens instantly 
after the server has sent its certificate chain.


When looking into this, it looks as if Chrome accepts the 
certificate. I know that Chrome does many things "differently", thus it 
is possible that everything is a problem of my local configuration 
within Firefox/OS.
When trying the connection with `openssl s_client ...` I can 
successfully connect and verify the certificate chain. Thus in general 
it seems to work.


My interpretation is that the (flash) client refuses the LE root 
certificate for some reason and terminates the connection due to 
security concerns.


Is my interpretation correct? How can I overcome this?

Thank you and cheers
Christian

--
Kind regards
Christian Wolf


Re: Problems with certificates with RMTPS

2018-07-17 Thread Maxim Solodovnik
I'm afraid in case of a fully secured proxied configuration you need to
use RTMPTS (tunneled secured RTMP).
An example of an RTMPT config can be found in the mail archives, for example here:
https://markmail.org/message/l7oltgy74zxo2pjc



-- 
WBR
Maxim aka solomax


RE: Problems with certificates with RMTPS

2018-07-17 Thread Coscend@OM
Hello Christian,

>> I want to proxy the web interface through apache (with SSL). This is 
>> working. I can remotely access OM.

Would you be kind enough to share the Apache SSL configuration?  We are facing 
issues in connecting through “proxy HTTPS + OM HTTP”.  We are using a different 
proxy server, but can learn from your Apache configuration to adapt to our 
proxy.

How is your configuration different from this:  
http://mail-archives.apache.org/mod_mbox/openmeetings-user/201805.mbox/%3Ctrinity-46cc4ce2-542c-4f5a-872b-ae86bbb100c4-1526140744656@3c-app-mailcom-bs02%3E?

Thank you.

Sincerely,

Hemant K. Sabat
www.Coscend.com <http://www.coscend.com/>
--
Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, 
Telepresence Services, on the fly…
--
CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages 
from Coscend Communications Solutions' posted at: 
http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html





Re: Problems with certificates with RMTPS

2018-07-18 Thread Christian Wolf

Dear Hemant,

> Would you be kind enough to share the Apache SSL configuration?  
> We are facing issues in connecting through “proxy HTTPS + OM HTTP”. We are 
> using a different proxy server, but can learn from your Apache 
> configuration to adapt to our proxy.


I use it in a virtual subdirectory of the main server. This is also the 
reason for the reverse proxy need.



ProxyPass http://localhost:5080/openmeetings/
ProxyPassReverse http://localhost:5080/openmeetings/
RequestHeader edit Referer "https://www.example.com/openmeetings" "http://localhost:5080/openmeetings"

RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://localhost:5080%{REQUEST_URI} [P]

#   LogLevel info rewrite:trace5

#   Require all denied



> How is your configuration different from this: 
> http://mail-archives.apache.org/mod_mbox/openmeetings-user/201805.mbox/%3Ctrinity-46cc4ce2-542c-4f5a-872b-ae86bbb100c4-1526140744656@3c-app-mailcom-bs02%3E ?


The only difference I see is the `RequestHeader` directive from 
mod_headers. The problem was that the login was refused because OM/red5 
detected some malicious setting due to mismatched domains.


I hope this can help you.

Christian
--
Kind regards
Christian Wolf

Waldwiese 9-11
66123 Saarbrücken
Mobil: 0178 776 79 39


RE: Problems with certificates with RMTPS

2018-07-18 Thread Coscend@OM
Dear Christian,

Thank you for your prompt guidance.  We will translate it to equivalent config 
for our proxy.

Sincerely,

Hemant K. Sabat



Re: Problems with certificates with RMTPS

2018-07-18 Thread Christian Wolf

Dear Maxim,

On 17.07.2018 at 16:19, Maxim Solodovnik wrote:

> I'm afraid in case of full secured proxied configuration you need to
> use RTMPTS (tunneled secured RTMP)
> example of RTMPT config can be found in mail archives, for ex here:
> https://markmail.org/message/l7oltgy74zxo2pjc


I think I might not have been as specific as I should have been. It is 
OK to forward the RTMPS packets directly to the OM host. In fact this is 
already done.
I read that RTMPT introduces quite some unneeded latency. Thus I 
wanted to avoid that if possible.


So I see the following options:

1. Let Flash pack every single RTMP packet into an HTTPS call and 
install a proxy to handle these packages.


2. Use native RTMP over SSL on a dedicated, publicly available port.

When I tried option 1 I had the problem/impression that it was not 
working at all. I still got connections on either the RTMPS or the RTMP 
port. This could be a configuration issue.
I would tackle this if option 2 is not possible. Otherwise I would 
prefer the direct approach.


So, with the current version 4.0.4 of OM, are both options realizable?

Thanks
Christian


Re: Problems with certificates with RMTPS

2018-07-18 Thread Maxim Solodovnik
Hello Christian,

both direct RTMPS and tunneled RTMPTS should work as expected

what values do you have in Admin->Config for
flash.secure
flash.secure.proxy
http://openmeetings.apache.org/GeneralConfiguration.html

?



Re: Problems with certificates with RMTPS

2018-07-18 Thread Christian Wolf

Dear Maxim,


> both direct RTMPS and tunneled RTMPTS should work as expected


OK, then I prefer RTMPS.


> what values do you have in Admin->Config for
> flash.secure
> flash.secure.proxy
> http://openmeetings.apache.org/GeneralConfiguration.html


I think you are referring to the configuration within the web 
application, right? There I have


flash.secure = true
flash.secure.proxy = best

Cheers
Christian


Re: Problems with certificates with RMTPS

2018-07-18 Thread Maxim Solodovnik
just re-read your initial email (haven't practiced English for a long
time, hard to read very long emails :(( )

Have you added full certificates chain to both keystore and truststore of red5?


Re: Problems with certificates with RMTPS

2018-07-18 Thread Christian Wolf

Dear Maxim,

On 18.07.2018 at 12:40, Maxim Solodovnik wrote:

> just re-read your initial email (wasn't practice in English for a long
> time, hard to read very long emails :(( )
>
> Have you added full certificates chain to both keystore and truststore of red5?


As far as I can tell, yes, there are chains in keystore. truststore is a 
simple copy of keystore at the moment.


I tried to verify with the following command (in one line):
$ openssl s_client -connect www2.wolf-stuttgart.net:8443 -showcerts 
-CApath /etc/ssl/certs/ < /dev/null
This says that the certificate could be successfully verified. I thus 
assume this is running all right.


Now I tried 2 browsers, firefox and chrome, to navigate to 
https://www2.wolf-stuttgart.net/openmeetings/hash?swf=network.


Firefox
---
The second port symbol (RTMP connection) is a red cross.

Investigation with a network sniffer led to the problem that the client 
refuses/does not find the CA of the cert and closes down the connection.


Chrome
--
The symbol is green as desired.

The handshake of the client/server pair is visible. After that the 
connection is encrypted and only binary "random" data is transmitted 
that cannot be read (as desired) in a sniff.


Cheers
Christian


Re: Problems with certificates with RMTPS

2018-07-18 Thread Maxim Solodovnik
On my Ubuntu FF uses CAs from /etc/ssl/certs/, Chrome seems to use internal CAs
Can you check with keytool your keystore contains full chain (including CA)?

Example 
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

keytool -list -v -keystore keystore.jks


Re: Problems with certificates with RMTPS

2018-07-18 Thread Christian Wolf

Dear Maxim,


> On my Ubuntu FF uses CAs from /etc/ssl/certs/, Chrome seems to use internal CAs
> Can you check with keytool your keystore contains full chain (including CA)?
>
> Example 
> https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
>
> keytool -list -v -keystore keystore.jks

My certificate chain is Root CA -> Intermediate CA from Let's Encrypt -> 
RTMPS certificate.


When looking into the keystore, I see only the Intermediate CA -> RTMPS 
certificate chain. The root CA is not included. Does it need to be 
present as well to make everything work?


I used these commands on the keystore:
# keytool -importkeystore -srckeystore /openmeetings.p12 
-srcstoretype PKCS12 -destkeystore /opt/openmeetings/conf/keystore.jmx 
-alias red5
# keytool -import -keystore /opt/openmeetings/conf/keystore.jmx 
-trustcacerts -file /etc/letsencrypt/live/openmeetings/chain.pem -alias 
letsencrypt


When trying to add the root CA I got the message stating that that 
certificate was already known in the global CA keystore. I force-added 
it now to test out the effect.
The result is the same: Firefox cannot connect. I did not redo my 
sniffing. I assume it will look similar.


Thank you so far
Christian
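The chain behaviour described in this message and the ones before it (the server sends the leaf plus the Let's Encrypt intermediate but not the root, one client answers with "Unknown CA", and Maxim asks whether the keystore holds the full chain) comes down to which certificate each side is expected to supply. The script below is an added example, not part of this thread: it builds a constructed root/intermediate/leaf chain with openssl and uses `openssl verify` to emulate a client that trusts only a root, for each combination of certificates a server might send. The hostname rtmps.example.test and all file names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): a constructed three-level PKI,
# Root CA -> Intermediate CA -> server certificate, the same shape as the
# Let's Encrypt chain discussed above. It shows which certificates a TLS
# client needs from the server and which it must already trust locally.
# rtmps.example.test and all file names are made up; no network is used.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=rtmps.example.test

# sign_csr CSR ISSUER_CERT ISSUER_KEY EXTFILE OUT: sign a CSR with a CA key.
sign_csr() {
  openssl x509 -req -sha256 -days 2 -in "$1" -CA "$2" -CAkey "$3" \
    -CAcreateserial -extfile "$4" -out "$5" 2>/dev/null
}

# build_pki: create two roots, an intermediate and a leaf certificate in $WORK.
build_pki() {
  # Self-signed roots. A root belongs in the client's trust store
  # (e.g. /etc/ssl/certs/ on Linux); the server never has to send it.
  # "other" stands for a root the client trusts that did not issue our chain.
  for name in root other; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
      -subj "/CN=Constructed $name CA" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
  done

  # Intermediate CA signed by the root. CA:TRUE is mandatory, otherwise
  # verifiers refuse to accept it as an issuer.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Constructed Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  sign_csr "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/int.ext" "$WORK/int.pem"

  # Server (leaf) certificate, signed by the intermediate only.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"
  sign_csr "$WORK/leaf.csr" "$WORK/int.pem" "$WORK/int.key" "$WORK/leaf.ext" "$WORK/leaf.pem"

  # What a server sends alongside the leaf: the intermediate alone (what a
  # Let's Encrypt chain.pem holds), or intermediate plus root.
  cp "$WORK/int.pem" "$WORK/sent_int.pem"
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/sent_int_root.pem"
}

# client_verdict TRUSTSTORE LEAF EXTRAS
# Emulates a client that trusts only TRUSTSTORE and receives LEAF plus the
# certificates in EXTRAS from the server (/dev/null = leaf alone, which is
# also what an incomplete keystore produces). Prints "ok" or "fail" and
# always exits 0, so it is safe to call under set -e.
client_verdict() {
  truststore=$1; leaf=$2; extras=$3
  if [ -s "$extras" ]; then
    openssl verify -CAfile "$truststore" -untrusted "$extras" "$leaf" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$truststore" "$leaf" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

build_pki

# Leaf alone: the client cannot link it to any anchor. This is the
# "Unknown CA" alert on the wire, "unable to get local issuer certificate"
# in openssl's wording.
printf 'leaf only           : %s\n' "$(client_verdict "$WORK/root.pem" "$WORK/leaf.pem" /dev/null)"
# Leaf + intermediate: the client completes the chain with its own root.
printf 'leaf + intermediate : %s\n' "$(client_verdict "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/sent_int.pem")"
# Sending the root as well is redundant but harmless.
printf 'leaf + int + root   : %s\n' "$(client_verdict "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/sent_int_root.pem")"
# A client whose trust store lacks this root (a stale CA list in an old
# plugin, say) fails no matter what the server sends.
printf 'root not trusted    : %s\n' "$(client_verdict "$WORK/other.pem" "$WORK/leaf.pem" "$WORK/sent_int_root.pem")"
```

The first and last cases both show up as a client-side abort right after the server's Certificate message, so a packet capture alone does not tell them apart; comparing the served chain (`openssl s_client -showcerts`) with the client's CA list does.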


Re: Problems with certificates with RMTPS

2018-07-18 Thread Maxim Solodovnik
That is weird :(
Maybe you can try to import chain as one file as described here:
https://stackoverflow.com/questions/16062072/how-to-add-certificate-chain-to-keystore


RE: Problems with certificates with RMTPS

2018-07-18 Thread Coscend@OM
Hello Christian,

Following your guidance, here is the config we have for the SSL reverse proxy 
on the Apache HTTPD server.  Is this correct?  If yes, then we will create the 
equivalent of this for the different proxy server we use — we do not use Apache 
HTTPD.  Thank you for your guidance.


## SSL
ServerAdmin admin

ServerName

SSLEngine on
SSLCertificateFile  /opt/red5403/cert/certserver.crt
SSLCertificateKeyFile /opt/red5403/cert/certserver.key

SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire off
##

## Reverse proxy

ProxyPreserveHost On
ProxyRequests Off
ProxyPass http://localhost:5080/openmeetings/
ProxyPassReverse http://localhost:5080/openmeetings/
RequestHeader edit Referer "https://www.example.com/openmeetings" "http://localhost:5080/openmeetings"

RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://localhost:5080%{REQUEST_URI} [P]

ErrorLog /var/log/apache2/red5-error_log
CustomLog /var/log/apache2/red5-access_log common

#   LogLevel info rewrite:trace5

#   Require all denied

##



Sincerely,

Hemant K. Sabat


Re: Problems with certificates with RMTPS

2018-07-18 Thread Christian Wolf

Dear Hemant,

this looks good to me, although I did not try it out in an example 
environment. At best you keep a network sniffer at hand to see what 
messages are passed between localhost:5080 and your reverse proxy. This 
makes your life a hell of a lot easier.


If it does not work out as expected, feel free to ask again. I will try 
to help as much as possible.


Cheers
Christian

PS: I do not use the ProxyPreserveHost directive which is Off by default 
I think. This could make a small difference.





Re: Problems with certificates with RMTPS

2018-07-19 Thread Christian Wolf

Dear Hemant,

I just found out I needed two more modifications of the HTTP(S) 
headers. The added lines are


RequestHeader edit Origin "https://example.com" "http://localhost:5080"
Header edit Content-Security-Policy "ws://localhost:5080" "wss://example.com"


Cheers
Christian


Am 18.07.2018 um 18:28 schrieb Coscend@OM:

Hello Christian,

Following yourguidance, here is whatthe config we have for SSL reverse 
proxyfor Apache HTTPD server.  Is this correct?  If yes, then we will 
create equivalent of this forthe differentproxy serverwe use—we do not 
use Apache HTTPD.  Thank you for your guidance.




    SSL

ServerAdminadmin

ServerName

SSLEngine on

SSLCertificateFile  /opt/red5403/cert/certserver.crt

SSLCertificateKeyFile /opt/red5403/cert/certserver.key

SSLProxyEngine On

SSLProxyCheckPeerCN on

SSLProxyCheckPeerExpire off

   ##

    ## Reverse proxy



ProxyPreserveHost On

ProxyRequests Off

  ProxyPass http://localhost:5080/openmeetings/

  ProxyPassReverse
http://localhost:5080/openmeetings/

  RequestHeader edit
Referer"https://www.example.com/openmeetings";
"http://localhost:5080/openmeetings";

  RewriteEngine on

  RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]

  RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]

  RewriteRule .*
ws://localhost:5080%{REQUEST_URI} [P]

ErrorLog /var/log/apache2/red5-error_log

CustomLog /var/log/apache2/red5-access_log common

#   LogLevel info rewrite:trace5

#   Require all denied



   ##



Sincerely,

Hemant K. Sabat

___www.Coscend.com_<http://www.coscend.com/>

--

*Real-time, Interactive Video Collaboration, Tele-healthcare, 
Tele-education, Telepresence Services, on the fly…*


--

CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail 
Messages from Coscend Communications Solutions' posted 
at:_http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html_<http://www.coscend.com/Anchor/Common/Terms_and_Conditions.html>


-Original Message-
From: Christian Wolf 
Sent: Wednesday, July 18, 2018 3:00 AM
To: user@openmeetings.apache.org
Subject: Re: Problems with certificates with RMTPS

Dear Hemant,

Would you be kind enough to share the Apache SSL configuration?  


Wearefacing issues in connecting through “proxy HTTPS + OM HTTP”. We 


are using a different proxy server, but can learn from your Apache 



configuration to adapt to our proxy.


I use it in a virtual subdirectory of the main server. This is also the 
reason for the reverse proxy need.




  ProxyPass http://localhost:5080/openmeetings/
  ProxyPassReverse http://localhost:5080/openmeetings/
  RequestHeader edit Referer "https://www.example.com/openmeetings" "http://localhost:5080/openmeetings"
  RewriteEngine on
  RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
  RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
  RewriteRule .* ws://localhost:5080%{REQUEST_URI} [P]
#   LogLevel info rewrite:trace5
#   Require all denied




> How is your configuration different from this:
> http://mail-archives.apache.org/mod_mbox/openmeetings-user/201805.mbox/%3Ctrinity-46cc4ce2-542c-4f5a-872b-ae86bbb100c4-1526140744656@3c-app-mailcom-bs02%3E ?


The only difference I see is the `RequestHeader` directive from 
mod_headers. The problem was that the login was refused, as OM/red5 
detected some malicious setting due to mismatched domains.


I hope this can help you.

Christian



Re: Problems with certificates with RMTPS

2018-07-23 Thread Christian Wolf

Dear Maxim,
dear openmeetings list,

> That is weird :(

I know it is weird. This is the reason I asked here.

> Maybe you can try to import chain as one file as described here:
> https://stackoverflow.com/questions/16062072/how-to-add-certificate-chain-to-keystore


In the meantime I tried a few things but none of them worked out 
correctly. Nevertheless what I found with my current configuration:


- Firefox@Windows is working
- Chrome@Linux is working
- Firefox@Linux is failing
- Konqueror@Linux is failing due to missing Flash (could be overcome)

I think the problem might be an old Flash used in Firefox@Linux. I know 
there is pepperflash, but this is something I did not try yet (on the 
agenda still).


I just wanted to give you a heads-up update.

Thank you so far
Christian

PS:
Further, I wanted to ask some of you who are reading along this post to 
go to the site https://www2.wolf-stuttgart.net/openmeetings/ and simply 
click the "Network testing" button. The second test is the interesting 
one. Please report back briefly with the browser/OS you used. Thanks
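
Maxim's suggestion above is to import the chain as one file, and the original report describes the server sending the leaf plus the Let's Encrypt intermediate (but not the root) and a client aborting with "Unknown CA". The following is an added example, not code from the thread or from OpenMeetings/red5, for checking such a chain file before it goes into the keystore: it verifies that the certificates are ordered leaf first, each issued by the next one in the file, and that the leaf verifies against a trusted CA bundle with the remaining certificates used only as untrusted intermediates, which is exactly the role they play when the server sends them in the TLS handshake. It assumes the `openssl` command-line tool is installed; the file names and the `check_chain` function are mine, not OpenMeetings'.

```shell
#!/bin/sh
# Added example (not from this thread): sanity-check a PEM chain file before
# importing it into the red5 keystore. It checks that the certificates are
# ordered leaf -> intermediate(s) (each one's issuer is the next one's
# subject) and that the leaf verifies against a trusted CA bundle using the
# rest of the file as untrusted intermediates. Requires the openssl CLI.

# Split a PEM bundle ($1) into $2/cert-0.pem, $2/cert-1.pem, ... in file order.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" (n - 1) ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# Subject / issuer of one certificate, normalised to the same text format
# so the two can be compared as strings.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# check_chain CHAIN.pem CA_BUNDLE.pem
# Returns 0 when the chain is correctly ordered and verifies, non-zero
# otherwise (with the reason on stdout).
check_chain() {
    chain="$1"; ca_bundle="$2"
    tmp=$(mktemp -d) || return 1
    split_pem "$chain" "$tmp"

    count=0
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] && count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $chain"
        rm -rf "$tmp"; return 1
    fi

    # Ordering: cert-i must be issued by cert-(i+1).
    i=0
    while [ $((i + 1)) -lt "$count" ]; do
        issuer=$(cert_issuer "$tmp/cert-$i.pem")
        subject=$(cert_subject "$tmp/cert-$((i + 1)).pem")
        if [ "$issuer" != "$subject" ]; then
            echo "chain broken at position $i: issuer '$issuer' != next subject '$subject'"
            rm -rf "$tmp"; return 1
        fi
        i=$((i + 1))
    done

    # Trust: the leaf must verify against CA_BUNDLE; the remaining
    # certificates are offered only as untrusted intermediates, the same
    # role they play when the server sends them during the TLS handshake.
    if [ "$count" -gt 1 ]; then
        : > "$tmp/untrusted.pem"
        j=1
        while [ "$j" -lt "$count" ]; do
            cat "$tmp/cert-$j.pem" >> "$tmp/untrusted.pem"
            j=$((j + 1))
        done
        openssl verify -CAfile "$ca_bundle" -untrusted "$tmp/untrusted.pem" "$tmp/cert-0.pem" >/dev/null 2>&1; rc=$?
    else
        openssl verify -CAfile "$ca_bundle" "$tmp/cert-0.pem" >/dev/null 2>&1; rc=$?
    fi
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || echo "leaf certificate does not verify against $ca_bundle"
    return "$rc"
}

# Usage: sh check_chain.sh fullchain.pem /etc/ssl/certs/ca-certificates.crt
if [ "$#" -eq 2 ]; then
    check_chain "$1" "$2" && echo "chain OK"
fi
```

Run it against the file you intend to import (for Let's Encrypt that is the `fullchain.pem` written by the ACME client, with the OS trust store as the CA bundle). Not sending the root certificate is normal TLS behaviour: clients are expected to already hold the root in their trust store, so a server chain of leaf plus intermediate is the correct shape, and the check above rejects only a chain that is out of order or whose intermediate is missing, which are the two keystore mistakes that produce an "Unknown CA" style failure on the client even though `openssl s_client` with a full chain file looks fine.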


Re: Problems with certificates with RMTPS

2018-07-23 Thread Maxim Solodovnik
Ubuntu 16.04

All versions are latest with all updates
Chrome -> All green
FF -> Port fail
Chromium -> All green
Opera -> All green

will try to reproduce this configuration on my test server (hopefully
this week) ...

On Tue, Jul 24, 2018 at 1:23 PM Christian Wolf
 wrote:



-- 
WBR
Maxim aka solomax


Re: Problems with certificates with RMTPS

2018-07-24 Thread Maxim Solodovnik
Win 10
FF/Chrome/Edge -- All green

It might be the issue with TLS 1.2 support ... :(((
Not sure yet how to check/fix it :(((
On Tue, Jul 24, 2018 at 1:31 PM Maxim Solodovnik  wrote:


