RTC Forums
March 28, 2024, 10:28:45 PM *
Welcome, Guest. Please login or register.

Login with username, password and session length
 
   Home   Help Login Register  
Pages: [1]
  Print  
Author Topic: Let nginx do ssl and load balancing  (Read 3511 times)
Star5
RTC Expired
*
Posts: 27


« on: August 24, 2019, 05:02:19 PM »

Let nginx do ssl and load balancing, we only deal with http, more stable, and no need to waste money for streamsec, SecureBlackbox.

Attach the nginx configuration case, the code is as follows:


# Precautions:
# webpascal configuration (SrvConfig.ini), Srv > SrvSSL=0 (disable ssl), Redirect entry disabled (set to blank)
# This example was tested under nginx-1.16.1 and nginx-1.17.3, demonstrating a single IP binding multi-domain multi-DVSSL certificate.

# The number of working processes, cpu core * 2 almost
worker_processes  4;

events {
    # Number of working connections
    worker_connections  65535;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Sendfile is a higher performance system interface than read and write
    sendfile        on;

    keepalive_timeout  65;

    # If there is only a static page, just open gzip here. If you use webpascal, because there will be an interface, don't open gzip here.
    #gzip  on;

    server {
        listen       80;
        server_name  www.zjoss.com zjoss.com;
        # The official said that rewrite is inefficient, so use 301
        # rewrite ^/(.*)$ https://www.zjoss.com:443/$1 permanent;
        if ($server_port = 80 ) {
        return 301 https://$server_name$request_uri;
        }
        if ($scheme = http ) {
        return 301 https://$server_name$request_uri;
        }
        error_page 497 https://$server_name$request_uri;
    }
    server {
        listen       443;
        server_name  www.zjoss.com zjoss.com;

        ssl on;
        ssl_certificate      zjoss.com.pem;
        ssl_certificate_key  zjoss.com.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;

        location / {
            # Use the proxy to jump to webpascal based on the port. X-Real-IP and X-Forwarded-For will be read in webpascal 3.6 or later.
            proxy_pass http://localhost:8080;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Real-Port $remote_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    server {
        listen       80;
        server_name  www.webpascal.com webpascal.com;
        # rewrite ^/(.*)$ https://www.webpascal.com:443/$1 permanent;
        if ($server_port = 80 ) {
        return 301 https://$server_name$request_uri;
        }
        if ($scheme = http ) {
        return 301 https://$server_name$request_uri;
        }
        error_page 497 https://$server_name$request_uri;
    }
    server {
        listen       443;
        server_name  www.webpascal.com webpascal.com;

        ssl on;
        ssl_certificate      webpascal.com.pem;
        ssl_certificate_key  webpascal.com.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://localhost:8080;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Real-Port $remote_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

}
Logged
Star5
RTC Expired
*
Posts: 27


« Reply #1 on: August 24, 2019, 05:13:07 PM »

Although SecureBlackbox works well with RealThinClientSDK, it is expensive, and StreamSecII is not well used in projects.

I am completing more web development orders, using webpascal (rtcDP+rtcScript), I think this is a good development direction, RealThinClentSDK should not waste time on unfamiliar work such as ssl, these things let other mature tools Go and do it.
Logged
K. Okada (RTC)
Administrator
*****
Posts: 11


« Reply #2 on: September 27, 2019, 06:36:32 PM »

StreamSec IV is the latest one. not StreamSec II.

If you want to add SSL support to your RTC based web application,
there are some ways:

1. Use a general porpose web server as reverse proxy .
   The above post by Start5 describes an example of using nginx as a reverse proxy.
   You can also use Apache or any other product.

2. Build your RTC web server as an ISAPI dll, and use it from IIS, or Apache + mod_isapi.
  Maybe this is more easy to deploy.

3. Build your RTC application server with StreamSec IV or SecureBlackBox.
  This would cost you more, but it gives you more control .
  We're actually using StreamSec IV and we've implemented Windows Integrated Authentication
  over SSL . It works on TCP connection keepalive and it doesn't work well with a proxy server.





Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Valid XHTML 1.0! Valid CSS!
Page created in 0.025 seconds with 17 queries.