Detecting WebSockets with HAProxy in TCP mode - websocket

If I want to do SSL passthrough on HAProxy, I understand that I need to use tcp mode. If I also want to detect WebSockets (previously done with acl is_websocket hdr(Upgrade) -i WebSocket), is there a way to do this when HAProxy is in TCP mode? I've tried a few different things without any luck. Any suggestions welcomed!

When doing SSL passthrough it is impossible to analyze the transferred data because the traffic is encrypted. Since the information about the WebSocket upgrade is only in the encrypted HTTP header, detection is not possible.

Related

Does http3/quic fall back to tls 1.2 if the browser doesn't support quic?

Even after lots of googling, I'm pretty naive about quic.
I'm specifically looking into lucasclemente/go-quic.
Should quic servers use 443? If so, will it fall back to http2 & tls 1.2?
I'm speaking generally. Not for that specific go package. But if you have specifics for that go package, that would be great.
Yes, I realize quic is still young and not necessary yet. I'm simply curious and couldn't find that specific answer. Thanks!
Quic servers can use any port they want; 443 is often used, but this is not necessary at all. Note we're talking about UDP ports, not TCP ports.
A QUIC server cannot fall back to HTTP2 or TLS 1.2, because if the client sends a QUIC request, the server can only respond with a QUIC response. If the browser doesn't support QUIC, it will not send a QUIC request in the first place, so there is no issue at all.
I think you are assuming that a QUIC server runs (or can run) on the same port as HTTPS and therefore has to generate either a QUIC or an HTTPS response; this is not the case, as QUIC is running over UDP, not over TCP (like HTTP and HTTPS do). TCP ports and UDP ports are different address spaces, so one can run an HTTPS server on tcp port 443 and simultaneously run another QUIC server on udp port 443.

Relaying a HTTPS stream with Icecast2

I am trying to relay a stream that is being broadcast over HTTPS. Is there a way to do that? The documentation describes how to broadcast with https using listen-socket, which I think is not what I want. All help would be appreciated.
I tried relaying normal http streams and it works. But not with https
I tried doing it both with including https and without in the url
<relay>
<server>https://streamingurl.com</server>
<port>800</port>
<mount>/f</mount>
<local-mount>/f</local-mount>
<on-demand>0</on-demand>
<relay-shoutcast-metadata>0</relay-shoutcast-metadata>
</relay>
Unfortunately this is currently not possible.
A good workaround for this problem is to set up a reverse proxy using nginx. I did this to access a https stream over http and icecast2 is able to relay it without issues.
What is the origin server you are trying to relay? Another Icecast or something else?
The -kh fork of Icecast supports SSL and has a lot of extensions and may be able to relay a https stream. (Sorry I'm not more help with that) see https://karlheyes.github.io
You're not supposed to include http or https in the context, just the address.
<relay>
<server>sourceip</server>
<port>443</port>
<mount>/sourcemount</mount>
<local-mount>/localmount</local-mount>
<on-demand>0</on-demand>
<relay-shoutcast-metadata>1</relay-shoutcast-metadata>
</relay>
I just tested that with a -kh branch icecast server, and it worked, BUT I wasn't able to confirm it was actually making a SSL connection; but it is making a connection. The kh fork of Icecast will accept http or https over 80 or 443 (or any other port for that matter).

Shall I use WebSocket on ports other than 80?

Shall I use WebSocket on non-80 ports? Does it ruin the whole purpose of using existing web/HTTP infrastructures? And I think it no longer fits the name WebSocket on non-80 ports.
If I use WebSocket over other ports, why not just use TCP directly? Or is there any special benefits in the WebSocket protocol itself?
And since the current WebSocket handshake is in the form of an HTTP UPGRADE request, does it mean I have to enable the HTTP protocol on the port so that the WebSocket handshake can be accomplished?
Shall I use WebSocket on non-80 ports? Does it ruin the whole purpose of using existing web/HTTP infrastructures? And I think it no longer fits the name WebSocket on non-80 ports.
You can run a webSocket server on any port that your host OS allows and that your client will be allowed to connect to.
However, there are a number of advantages to running it on port 80 (or 443).
Networking infrastructure is generally already deployed and open on port 80 for outbound connections from the places that clients live (like desktop computers, mobile devices, etc...) to the places that servers live (like data centers). So, new holes in the firewall or router configurations, etc... are usually not required in order to deploy a webSocket app on port 80. Configuration changes may be required to run on different ports. For example, many large corporate networks are very picky about what ports outbound connections can be made on and are configured only for certain standard and expected behaviors. Picking a non-standard port for a webSocket connection may not be allowed from some corporate networks. This is the BIG reason to use port 80 (maximum interoperability from private networks that have locked down configurations).
Many webSocket apps running from the browser wish to leverage existing security/login/auth infrastructure already being used on port 80 for the host web page. Using that exact same infrastructure to check authentication of a webSocket connection may be simpler if everything is on the same port.
Some server infrastructures for webSockets (such as socket.io in node.js) use a combined server infrastructure (single process, one listener) to support both HTTP requests and webSockets. This is simpler if both are on the same port.
If I use WebSocket over other ports, why not just use TCP directly? Or is there any special benefits in the WebSocket protocol itself?
The webSocket protocol was originally defined to work from a browser to a server. There is no generic TCP access from a browser so if you want a persistent socket without custom browser add-ons, then a webSocket is what is offered. As compared to a plain TCP connection, the webSocket protocol offers the ability to leverage HTTP authentication and cookies, a standard way of doing app-level and end-to-end keep-alive ping/pong (TCP offers hop-level keep-alive, but not end-to-end), a built in framing protocol (you'd have to design your own packet formats in TCP) and a lot of libraries that support these higher level features. Basically, webSocket works at a higher level than TCP (using TCP under the covers) and offers more built-in features that most people find useful. For example, if using TCP, one of the first things you have to do is get or design a protocol (a means of expressing your data). This is already built-in with webSocket.
And since current WebSocket handshake is in the form of a HTTP UPGRADE request, does it mean I have to enable HTTP protocol on the port so that WebSocket handshake can be accomplished?
You MUST have an HTTP server running on the port that you wish to use webSocket on because all webSocket requests start with an HTTP request. It wouldn't have to be a heavily featured HTTP server, but it does have to handle the initial HTTP request.
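The HTTP request that every WebSocket connection starts with is the RFC 6455 opening handshake. The following is an added example, not code from any of the answers above: it parses a constructed upgrade request, applies the same test as the HAProxy ACL `hdr(Upgrade) -i websocket` from the first question, checks the handshake fields a minimal HTTP listener must handle, and builds the 101 reply. Function names are mine; the sample key is the one used in RFC 6455.

```python
# Added example (not from the original answers): the HTTP half of the
# WebSocket opening handshake (RFC 6455 section 4). Constructed input.
import base64
import binascii
import hashlib

GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def is_websocket_upgrade(headers) -> bool:
    """Same test as the HAProxy ACL 'hdr(Upgrade) -i websocket'."""
    return headers.get("upgrade", "").lower() == "websocket"

def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((client_key + GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def handshake_response(raw: bytes) -> bytes:
    """Return the 101 reply for a valid upgrade, otherwise a 4xx reply."""
    method, _target, h = parse_request(raw)
    if method != "GET" or not is_websocket_upgrade(h):
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if "upgrade" not in h.get("connection", "").lower():
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if h.get("sec-websocket-version") != "13":
        return b"HTTP/1.1 426 Upgrade Required\r\nSec-WebSocket-Version: 13\r\n\r\n"
    key = h.get("sec-websocket-key", "")
    try:  # the key must be base64 of exactly 16 random bytes
        if len(base64.b64decode(key, validate=True)) != 16:
            raise ValueError("bad key length")
    except (ValueError, binascii.Error):
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    return ("HTTP/1.1 101 Switching Protocols\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Accept: {accept_key(key)}\r\n\r\n").encode("ascii")

# Constructed sample request using the example key from RFC 6455.
SAMPLE = (b"GET /chat HTTP/1.1\r\nHost: server.example.com\r\n"
          b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
          b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
          b"Sec-WebSocket-Version: 13\r\n\r\n")
```

Everything the checks above look at lives in the HTTP headers, which is exactly what a TLS-passthrough proxy cannot see.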
Yes - Use 443 (ie, the HTTPS port) instead.
There's little reason these days to use port 80 (HTTP) for anything other than a redirection to port 443 (HTTPS), as certification (via services like LetsEncrypt) is easy and free to set up.
The only possible exceptions to this rule are local development, and non-internet facing services.
Should I use a non-standard port?
I suspect this is the intent of your question. To this, I'd argue that doing so adds an unnecessary layer of complication with no obvious benefits. It doesn't add security, and it doesn't make anything easier.
But it does mean that specific firewall exceptions need to be made to host and connect to your websocket server. This means that people accessing your services from a corporate/school/locked down environment are probably not going to be able to use it, unless they can somehow convince management that it is mandatory. I doubt there are many good reasons to exclude your userbase in this way.
But there's nothing stopping you from doing it either...
In my opinion, yes you can. 80 is the default port, but you can change it to any as you like.

Persistent connection between a WAN and a LAN server

We need to have a persistent connection between servers on WAN and LAN. Basically multiple LAN servers have to register with a server on the Internet and always keep an open connection, because we can not ask clients who own servers on the LAN to set up port forwarding, and because there might be firewall issues.
What are my options here? I am thinking, either Websockets, or servers on LAN long polling our server on the Internet. Is there a better solution?
Your options are - considering you want to avoid problems with proxies and firewalls - probably:
Use websockets, either port 80 or 443
Use long polling (that's not really persistent, if you need bidirectional communication!) port 80 or 443
Encapsulate whatever data into a http request, using port 80
Use port 443 with ssl encryption, and do whatever you want on the protocol level. Normally, you won't have any problems using even some strange custom protocol as long as you use this port with ssl encryption, as neither firewalls nor proxies normally (try to) inspect what you're doing when they sense what they think is https.
Everything else is probably out of scope for you as far as I get the scenario, but you should be able to do what you need using port 443 with some protocol made for persistent connections. (It's possible with websockets, but you'll run into other problems really fast (like missing ping/pong implementations) if you don't custom build your code, which would probably make it pointless to use websockets in the first place.)

free switch : what is tls_port?

I am a beginner to FreeSWITCH. I have gone through the configuration file vars.xml in FreeSWITCH.
In this I have seen the following configurations.
<X-PRE-PROCESS cmd="set" data="internal_auth_calls=true"/>
<X-PRE-PROCESS cmd="set" data="internal_sip_port=5070"/>
<X-PRE-PROCESS cmd="set" data="internal_tls_port=5071"/>
<X-PRE-PROCESS cmd="set" data="internal_ssl_enable=false"/>
<X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>
In the above I have a doubt about tls_port.
What is the use of tls_port? I have searched about this on the net and I have read that the TLS protocol is used for secure data transfer in a network.
So please explain to me about the communication in FreeSWITCH.
Thanks in advance.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are two cryptographic protocols which permit communicating safely and guarantee data integrity over TCP/IP networks, such as the Internet for example.
TLS and SSL encrypt communication end-to-end at the transport layer. Other well known protocols such as TCP and UDP enable communication at the same layer.
So as TCP uses port 80 by default for communication, you must set a port for your TLS protocol in FreeSWITCH. This is the meaning of the tls_port parameter above.
Please keep in mind that TLS is disabled by default, set internal_ssl_enable and/or external_ssl_enable to "true" to enable.
If you don't know what TLS is, you just don't need it in FreeSWITCH.
Freeswitch uses TLS to secure the SIP protocol, but SIP will usually work in clear without encryption and often it's also easier to debug SIP with tools such as wireshark without TLS.
Here you can find further information:
http://wiki.freeswitch.org/wiki/Tls#TLS.2C_SSL_and_SRTP_Encryption
In my view it's better if you don't bother with TLS and Secure RTP as long as you are just scratching the surface of FreeSWITCH; there are more interesting things to learn first in my view.
Otherwise if you are on a production environment with very strict security requirements you should study not only FreeSWITCH but the relevant RFCs too! ;-)
I have read that FreeSWITCH has some mailing capability and many mail servers like gmail or yahoo require the sending client to have a TLS connection with them.