
Installation behind proxy server w/o SSL #757

Open
keithkhl opened this issue Oct 24, 2024 · 3 comments

Comments

@keithkhl

I am trying to install the BBB v3.0 beta release on a hard machine / via Docker (v2.7.3 for this).

I have a proxy server that handles all SSL handshaking and passes the traffic to the backend.
Reading this doc (https://docs.bigbluebutton.org/administration/cluster-proxy/), I thought my setup is supported.

First, I tried to install BBB without SSL, so with the -d option.

Though it is recommended to use a different URL for each installation behind the proxy, I thought it was just for illustration purposes. I usually do this with a backend stream block in Nginx. For this one, please let me know if I really have to set different sub-domains for each BBB installation and keep the clean sub-domain at the proxy server.

Then, after the hard machine installation, I get a connection failure for HTTP/2 (so HTTPS). I changed all nginx configurations in /etc/nginx/sites-enabled/bigbluebutton, but it did not work.

So, I gave up and ran without -d and added back -e [email protected] in the installation command. It will do double SSL handshakes, so websites should be slower, but I can respect the BBB style.

Now, even after that, I still cannot see the website.

What other configuration setting modification(s) is/are needed?

I have

  • Cloudflare delivers SSL handshaked traffic
  • Router OS that cleans away all traffic but 80/443 TCP and 443 UDP, but essentially only 443 due to Cloudflare
  • Nginx proxy server doing the 2nd SSL handshake; it delivers all internal traffic on port 80, unless specified

For the other required UDP ports, 16384 - 32768, I also added them to Router OS, but they all go to the proxy server. Not sure what should be done. At least, I cannot load balance them in my Router OS. It has to be done at the Nginx proxy, but I have no clue how to do this.

In case relevant, I have two BBB servers at the backend, each with 30 cores 100 GB RAM, and I want them to share the traffic.

When it comes to video storage, I am going to use S3 compatible internal video/stream server.

I guess I just need to change a little bit of settings, but I can't figure it out from the docs.

@keithkhl
Author

Many great open source solutions lack support for custom installations, and I think BBB is no exception. The instruction given in the doc is awfully confusing. I was going to say it is wrong, but since I am not an expert, I will reserve that claim for now. Below are the proxy server installation instructions.

From the above link, I can feel that it is written by an extremely highly experienced Nginx dev or a complete novice.

For starters, you can't have another URL in proxy_pass without a defined server block, at least to the best of my knowledge. But in the code lines below for Nginx,

location /bbb-01/html5client/ {
    proxy_pass https://bbb-01.example.com/bbb-01/html5client/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
}

Either the author assumed that 'bbb-01.example.com' is pre-defined in the proxy server, or must have used it as an alias. I checked both cases.

Case 1: Predefined downstream-server-specific subdomain for BBB
If you assumed a predefined server block in the proxy server, what was bbb-01.example.com's forwarding port to the downstream servers? Is it port 80 and 443? In the hard machine installation of BBB, I can see port 80 is redirected to ports 81 and 82 in the Nginx server blocks, but it also mentions that HAProxy handles other ports. But whichever port I forward from the proxy to the downstream, I get a "no connection" error on 443. There must be 443 open, redirecting to port 81 or 82 on Nginx, but with the below, I could not make it work.

server {
    listen 80;
    server_name bbb-01.example.com;

    location / {
        proxy_pass http://192.168.1.1:80;
        include /etc/nginx/all_other_forward.conf;
    }
}

server {
    # "ssl" is required on the listener for nginx to terminate TLS here;
    # without it the certificate include below is never used
    listen 443 ssl;
    server_name bbb-01.example.com;

    include /etc/nginx/sss.conf; # For both privkey and cert
    location / {
        proxy_pass https://192.168.1.1:443;
        include /etc/nginx/all_other_forward.conf;
    }
}

Case 2: Alias
In this case, I just have to change the proxy_pass value to the backend server's internal IPs and ports.

server {
    listen 80;
    listen 443 ssl;
    server_name bbb-proxy.example.com;

    include /etc/nginx/sss.conf; # For both privkey and cert
    location / {
        proxy_pass http://192.168.1.1:80;
        include /etc/nginx/all_other_forward.conf;
    }
}

The problem in this case is that, in the backend, all traffic to port 80 is forwarded to the backend server's port 443 and later to 81 and 82, depending on the logic in 'HA proxy'. Here, since the SSL port (443) is also defined in the proxy server, backend port 80's forward to 443 brings the traffic back to the proxy server. Then the proxy brings the traffic to the backend, again and again. The redirection loop creates an error in the end.

Why don't I exclude 'listen 443 ssl' in the proxy? Then where should that traffic go? How should I respond to that traffic? I also set the proxy's 443 traffic to go directly to the backend's 81 and/or 82, but it also did not work.

Either way, the recommended code does not make sense, at least to the best of my knowledge.

I typically define upstream variables in the proxy server to point to the backend servers' internal IPs and ports. This way, I can make sure that Nginx does the load balancing properly.

upstream example_backend {
    ip_hash;
    server 192.168.1.1:80 max_fails=3 fail_timeout=30s;
    server 192.168.1.2:80 max_fails=3 fail_timeout=30s;
}

I am not saying that my version is right. It's just that the proposed version seems to be missing details while it does not take load balancing into consideration, in addition to the security issues that the author mentioned at the end of the document.

For services like this, you need a lot of ports. I get that. HAProxy, yes, I can understand that. But the proposed solution for the proxy server case does not make sense, or is at least highly confusing.

I can make it work with Docker installations, but I really want to try this 3.0-dev version on my existing server, not on a clean machine.
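Added example (not from the BigBlueButton docs or from anyone in this thread): a small Python checker for the two nginx pitfalls raised in the post above, a 443 listener that lacks the ssl flag while the server block carries a certificate, and a proxy_pass whose host is neither a declared upstream nor an IP literal (nginx resolves such a hostname through DNS when it starts; a server_name elsewhere in the same file does not make it resolvable). The embedded config is constructed from the Case 1 snippets plus the upstream block, with the ssl flag deliberately left off so the first finding fires; the parser is a simplified one that handles directives, nested blocks and comments but does not expand include files.

```python
"""Sanity-check a reverse-proxy nginx config for the pitfalls discussed in
the issue: a TLS listener without 'ssl', and proxy_pass hosts that are not
upstreams or IPs.  Added example; the sample config is constructed."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: Case 1 from the issue plus an upstream.  "listen 443;"
# is intentionally missing "ssl" so the checker has something to report.
SAMPLE_CONFIG = """
upstream example_backend {
    ip_hash;
    server 192.168.1.1:80 max_fails=3 fail_timeout=30s;
    server 192.168.1.2:80 max_fails=3 fail_timeout=30s;
}
server {
    listen 80;
    server_name bbb-01.example.com;
    location / {
        proxy_pass http://example_backend;   # upstream: fine
    }
}
server {
    listen 443;                              # missing "ssl"
    server_name bbb-01.example.com;
    ssl_certificate /etc/ssl/example.crt;    # placeholder paths
    ssl_certificate_key /etc/ssl/example.key;
    location /bbb-01/html5client/ {
        proxy_pass https://bbb-01.example.com/bbb-01/html5client/;
    }
}
"""


def parse(text):
    """Parse nginx-style text into nested (name, args, children) tuples.
    Comments are stripped; include directives are kept but not expanded."""
    text = re.sub(r"#[^\n]*", "", text)
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    root = ("root", [], [])
    stack = [root]
    buf = []
    for tok in tokens:
        if tok == "{":
            node = (buf[0], buf[1:], [])
            stack[-1][2].append(node)
            stack.append(node)
            buf = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1][2].append((buf[0], buf[1:], []))
            buf = []
        else:
            buf.append(tok)
    return root


def directives(node, name):
    """Yield the argument list of every directive called `name` under node."""
    for child in node[2]:
        if child[0] == name:
            yield child[1]
        yield from directives(child, name)


def check(text):
    """Return a list of human-readable findings for the config text."""
    tree = parse(text)
    upstreams = {n[1][0] for n in tree[2] if n[0] == "upstream"}
    findings = []
    for server in (n for n in tree[2] if n[0] == "server"):
        names = [a for args in directives(server, "server_name") for a in args]
        label = names[0] if names else "<unnamed>"
        listens = list(directives(server, "listen"))
        has_cert = any(True for _ in directives(server, "ssl_certificate"))
        for args in listens:
            port = args[0].rsplit(":", 1)[-1]        # handles "[::]:443" too
            if port == "443" and "ssl" not in args:
                findings.append(f"{label}: 'listen 443' without 'ssl'; TLS is "
                                "not terminated on this listener")
        if has_cert and not any("ssl" in a for a in listens):
            findings.append(f"{label}: ssl_certificate set but no "
                            "'listen ... ssl' in this server block")
        for args in directives(server, "proxy_pass"):
            host = urlparse(args[0]).hostname or ""
            if host in upstreams or host.startswith("$"):
                continue                               # upstream or variable
            try:
                ipaddress.ip_address(host)
                continue                               # literal IP
            except ValueError:
                pass
            findings.append(f"{label}: proxy_pass {args[0]}; '{host}' is neither "
                            "an upstream nor an IP, so nginx must resolve it via "
                            "DNS at startup (a server_name here does not count)")
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE_CONFIG):
        print("WARN", line)
```

Run it against a real proxy config with `check(open("/etc/nginx/sites-enabled/proxy").read())`; adding `ssl` to the 443 listener clears the first two findings, and the proxy_pass finding remains until the target is changed to an upstream name or backend IP.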

@srkn0

srkn0 commented Nov 7, 2024

@keithkhl

Thank you for sharing the details of your setup. I’m trying to configure BigBlueButton behind a Traefik reverse proxy using only HTTP, intending to handle SSL termination at the proxy level. However, I haven’t found documentation on setting it up without SSL. Has anyone managed to get a similar setup working, or are there any tips on how to approach this? Any insights would be very helpful.

Additionally, is the documentation you mentioned (https://docs.bigbluebutton.org/administration/cluster-proxy/) the one I should be looking at for this configuration?

@keithkhl
Author

keithkhl commented Nov 7, 2024

@srkn0 hey, I gave up installing the non-docker version on a private IP behind the firewall. The installer .sh's SSL setting is one thing and the coturn server was another.

The only setting that I was able to make work is to install coturn on a standalone server with a public IP and to install the Docker version of BBB on backend servers behind the proxy. I do the SSL handshake at the proxy server.

I wish I didn't have to rely on the docker version, but it was too much for me. Please share your findings if you find any better solution.
