Title: Let nginx do ssl and load balancing
Post by: Star5 on August 24, 2019, 05:02:19 PM

Let nginx do ssl and load balancing, we only deal with http, more stable, and no need to waste money for streamsec, SecureBlackbox.
Attach the nginx configuration case, the code is as follows:

# Precautions:
# webpascal configuration (SrvConfig.ini), Srv > SrvSSL=0 (disable ssl), Redirect entry disabled (set to blank)
# This example was tested under nginx-1.16.1 and nginx-1.17.3, demonstrating a single IP binding multi-domain multi-DVSSL certificate.

# The number of working processes, cpu core * 2 almost
worker_processes 4;

events {
    # Number of working connections
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # Sendfile is a higher performance system interface than read and write
    sendfile on;
    keepalive_timeout 65;

    # If there is only a static page, just open gzip here. If you use webpascal, because there will be an interface, don't open gzip here.
    #gzip on;

    server {
        listen 80;
        server_name www.zjoss.com zjoss.com;

        # The official said that rewrite is inefficient, so use 301
        # rewrite ^/(.*)$ https://www.zjoss.com:443/$1 permanent;
        if ($server_port = 80 ) {
            return 301 https://$server_name$request_uri;
        }
        if ($scheme = http ) {
            return 301 https://$server_name$request_uri;
        }
        error_page 497 https://$server_name$request_uri;
    }

    server {
        listen 443;
        server_name www.zjoss.com zjoss.com;

        ssl on;
        ssl_certificate zjoss.com.pem;
        ssl_certificate_key zjoss.com.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;

        location / {
            # Use the proxy to jump to webpascal based on the port. X-Real-IP and X-Forwarded-For will be read in webpascal 3.6 or later.
            proxy_pass http://localhost:8080;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Real-Port $remote_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    server {
        listen 80;
        server_name www.webpascal.com webpascal.com;

        # rewrite ^/(.*)$ https://www.webpascal.com:443/$1 permanent;
        if ($server_port = 80 ) {
            return 301 https://$server_name$request_uri;
        }
        if ($scheme = http ) {
            return 301 https://$server_name$request_uri;
        }
        error_page 497 https://$server_name$request_uri;
    }

    server {
        listen 443;
        server_name www.webpascal.com webpascal.com;

        ssl on;
        ssl_certificate webpascal.com.pem;
        ssl_certificate_key webpascal.com.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://localhost:8080;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Real-Port $remote_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

Title: Re: Let nginx do ssl and load balancing
Post by: Star5 on August 24, 2019, 05:13:07 PM

Although SecureBlackbox works well with RealThinClientSDK, it is expensive, and StreamSecII is not well used in projects.
I am completing more web development orders, using webpascal (rtcDP+rtcScript), I think this is a good development direction, RealThinClientSDK should not waste time on unfamiliar work such as ssl, these things let other mature tools go and do it.

Title: Re: Let nginx do ssl and load balancing
Post by: K. Okada (RTC) on September 27, 2019, 06:36:32 PM

StreamSec IV is the latest one, not StreamSec II.
If you want to add SSL support to your RTC based web application, there are some ways:

1. Use a general purpose web server as reverse proxy. The above post by Star5 describes an example of using nginx as a reverse proxy. You can also use Apache or any other product.
2. Build your RTC web server as an ISAPI dll, and use it from IIS, or Apache + mod_isapi. Maybe this is easier to deploy.
3. Build your RTC application server with StreamSec IV or SecureBlackBox. This would cost you more, but it gives you more control. We're actually using StreamSec IV and we've implemented Windows Integrated Authentication over SSL. It works on TCP connection keepalive and it doesn't work well with a proxy server.
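
The nginx configuration in the first post forwards X-Real-IP and X-Forwarded-For to the backend on localhost:8080. The following is an added example, not part of the thread and not webpascal or RTC code, showing in Python how a backend behind that proxy can decide which of those values to trust. It assumes nginx runs on the same host, so only loopback peers count as the proxy; `client_ip`, `TRUSTED_PROXIES` and the sample addresses are hypothetical.

```python
import ipaddress

# Assumption: nginx and the backend share a host, as in the posted config
# (proxy_pass http://localhost:8080), so only loopback peers are trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]


def _parse(text):
    """Return an ip_address object, or None if text is not an IP address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(ip):
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers):
    """peer_addr: TCP source address seen by the backend.
    headers: request headers as a dict with lower-case names."""
    # A peer that is not the proxy can send any header values it likes,
    # so ignore the headers and use the socket address.
    if not _is_trusted(_parse(peer_addr)):
        return peer_addr
    # nginx overwrites X-Real-IP with $remote_addr on every request.
    real_ip = _parse(headers.get("x-real-ip", ""))
    if real_ip is not None:
        return str(real_ip)
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever the client
    # sent, so walk from the right and stop at the first untrusted hop.
    for hop in reversed(headers.get("x-forwarded-for", "").split(",")):
        ip = _parse(hop)
        if ip is None:
            break
        if not _is_trusted(ip):
            return str(ip)
    return peer_addr


if __name__ == "__main__":
    # Constructed sample: the client pre-filled X-Forwarded-For with 10.0.0.1.
    sample = {"x-forwarded-for": "10.0.0.1, 198.51.100.7"}
    print(client_ip("127.0.0.1", sample))     # request relayed by nginx
    print(client_ip("203.0.113.9", sample))   # direct hit on port 8080
```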