connection establishment problem

tharunram

New Member
Hi Team,

As we are having security issues on flashphoner dashboard page we have created the loadbalancer in aws which redirects from 8444(default) to 443(https). We got the security issue resolved but in the dashboard player we are unable to establish the connection.

I am attaching the snippet, please check it.

Thanks,
 


Max

Administrator
Staff member
Good day.
Please reproduce the issue, then collect a report as described here using the report.sh script. Send the report archive using this form.
 

Max

Administrator
Staff member
Please check if you're opening 8444 port as HTTPS, not HTTP. Or set LB to redirect HTTP to the port 8081. See LB setup example here, p 2.3.
 

tharunram

New Member
Hi Max,

How can we encrypt the Flashphoner dashboard page? Because when we are integrating it in the application we are getting like it is not secure.
Suggest a solution
encrypt.PNG
 

tharunram

New Member
Hi Max,

In future if we go for autoscaling the flashphoner instances, should we take a certificate for each and every instance or is one SSL certificate valid?
Because all the instances run on different IPs. Please provide a solution

Thanks,
 

Max

Administrator
Staff member
1. Regarding ports.

8444 - dashboard panel HTTPS
8081 - dashboard panel HTTP

8443 - websocket WSS
8080 - websocket WS

So if you set AWS loadbalancer, it should forward ports, i.e.

8444 > 8081
8443 > 8080

or

8444 > 8444
8443 > 8443

In such a case you set SSL certificates on Load balancer only.

Make sure your load balancer supports receiving of HTTPS traffic and forwarding to HTTP.
Not sure if AWS load balancers support such forwarding.

See also auto-scaling article:

>We got the security issue resolved but in the dashboard player we are unable to establish the connection.
This is because player uses two different ports: 8444 (player page), 8443 (websocket connection for player)

2. Regarding SSL certs.

>In future if we go for autoscaling the flashphoner instances should we take certificate for each and every instance or one SSL certificate is valid.
The wildcard certificate can be applied for all instances.

For example, you have N instances:
1.company.com
2.company.com
...
etc

You import wildcard SSL certificate *.company.com into the first instance. Then you copy SSL config /usr/local/FlashphonerWebCallServer/conf/wss.jks across all instances or modify auto-scaling scripts to provision this file during auto-scale instance deployment.

3. It seems you are doing something wrong because you are trying to use WCS server as a web server in production. WCS is not tuned for serving and rendering web pages. Its primary purpose is handling 8443 websocket port and WebRTC streams.

This is the best practice:

1. Use your favorite web server like nginx.
2. Copy code of Player into your nginx-web dir, i.e:
These files are located in /usr/local/FlashphonerWebCallServer/client2/examples/demo/streaming/player
And dependencies. See Minimal Player embedding sample.
3. Open player.html page on your nginx server
4. Connect from your player page to your instance i.e. wss://1.company.com:8443
As you can see in such a case you are using just single port 8443 and don't need access to dashboard panel in production.
Player page and associated scripts are completely under your control and web server nginx. Just single port websocket connection is open to WCS server 8443 either via AWS LB or directly.
 

tharunram

New Member
Hi Max,

Can we have our own domain name replacing the IP of the flashphoner if we buy an SSL certificate? Will the connection be established in the player?

Eg: flashphoner.dev.com replacing with 123.14.152(ip)
 

Max

Administrator
Staff member
>Can we have our own domain name replacing the IP of the flashphoner if we buy an SSL certificate? Will the connection be established in the player?

>Eg: flashphoner.dev.com replacing with 123.14.152(ip)
If you've imported an SSL certificate for the domain, the IP address becomes insecure from the browser's point of view, even if this is the address bound to the domain name.
So no, you should not replace a valid domain name with IP address.
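
As an added illustration of the two certificate answers above (one wildcard certificate for N instances, and domain name versus IP address), not part of the original thread: a sketch of the name check a browser applies before it accepts the certificate on `wss://host:8443`. The function names and the address 203.0.113.10 are constructed for this example.

```python
import ipaddress

def is_ip(host):
    """True if host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(host, pattern):
    """RFC 6125-style match: '*' is accepted only as the whole left-most
    label and stands for exactly one label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False              # '*' never spans several labels
    if p[0] == "*":
        # Require at least two fixed labels, so '*.com' is refused.
        return len(p) > 2 and h[0] != "" and h[1:] == p[1:]
    return h == p

def cert_covers(host, dns_sans, ip_sans=()):
    """Would a certificate with these subjectAltName entries be valid for host?"""
    if is_ip(host):
        # An IP literal is compared only with iPAddress entries, never with
        # DNS names, even when that address is what the domain resolves to.
        addr = ipaddress.ip_address(host)
        return any(addr == ipaddress.ip_address(i) for i in ip_sans)
    return any(name_matches(host, s) for s in dns_sans)

# Constructed sample: the wildcard from the thread and a few ways of
# addressing the instances (203.0.113.10 is a documentation address).
WILDCARD_SANS = ["*.company.com"]
ENDPOINTS = ["1.company.com", "2.company.com", "company.com",
             "a.1.company.com", "203.0.113.10"]

def coverage(endpoints=ENDPOINTS, sans=WILDCARD_SANS):
    """Map each endpoint to whether the certificate covers it."""
    return {e: cert_covers(e, sans) for e in endpoints}

if __name__ == "__main__":
    for host, ok in coverage().items():
        verdict = "certificate valid" if ok else "name mismatch"
        print(f"wss://{host}:8443  {verdict}")
```

Only `1.company.com` and `2.company.com` pass: the bare domain, a deeper subdomain and the IP address all fail the name check, so auto-scaled instances need names directly under the wildcard's domain.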
 

Max

Administrator
Staff member
>What is the private key in SSL certificate uploading? Should we choose generate a key?
Every SSL certificate consists of domain certificate, authority center (CA) certificate and private key. You should get this from your certificate provider. Please read also this article.
 