
OvenMediaEngine behind loadbalancer/proxy signature problem

Open ditogam opened this issue 1 year ago • 1 comments

When running OvenMediaEngine behind a proxy, the system does not detect the origin address and verifies the signature against the local URL.

Docker run command:

docker run -e OME_VIDEO_BITRATE=2000000 -e OME_VIDEO_WIDTH=1280 -e OME_VIDEO_HEIGHT=720 -p 1935:1935 -p 3333:3333 -p 9999:9999/udp -p 8080:8080 -p 9000:9000/tcp -p 10000-10005:10000-10005/udp -p 8081:8081 -p 1111:80 -e OME_API_SECRET='test' -e OME_SIGNATURE='Lx9Mgz4f4W' test:1.1

Configuration Server.xml

Running an Apache server, configured to redirect traffic to OvenMediaEngine:

<Proxy balancer://ovswsbalancer>
    BalancerMember ws://localhost:3333 route=jvm1
    ProxySet lbmethod=byrequests stickysession=JSESSIONID
</Proxy>

ProxyPass /ovswss balancer://ovswsbalancer stickysession=JSESSIONID
ProxyPassReverse /ovswss balancer://ovswsbalancer stickysession=JSESSIONID

and was accessing the player using the URL wss://mydomain/ovswss/app/testStream?policy=xxx&signature=yyy

I saw error like this:

[2024-01-15 13:22:46.732] W [SPRtcSig-t3333:96] WebRTC Publisher | webrtc_publisher.cpp:244 | Signature value is invalid(expected : XXXXX | input : YYYYYYYYYY

I added additional logs in src/projects/modules/access_control/signed_policy/signed_policy.cpp

at the if(signature_base64 != signature_query_value) statement to see base_url:

SetError(ErrCode::INVALID_SIGNATURE, ov::String::FormatString("Signature value is invalid(expected : %s | input : %s base_url : %s)." , signature_base64.CStr(), signature_query_value.CStr(), base_url.CStr()));

and build with Dockerfile.local

the output was:

WebRTC Publisher | webrtc_publisher.cpp:244 | Signature value is invalid(expected : XXXX | input : TTTT base_url : ws://localhost:3333/app/testStream?policy=ZZZZ)

So, the origin URL is being ignored. After generating the signature using 'ws://localhost:3333/app/testStream?policy=ZZZZ', everything worked perfectly; even allow_ip with CIDR worked.

Can you help to resolve this issue?

Thanks

ditogam avatar Jan 15 '24 16:01 ditogam

It seems like you have resolved it the same way I did. I use an apache web server as the front-end to OME websocket traffic, but in calculating the signature value I use http://0.0.0.0:{OME_API_PORT}/app/testStream?policy=ZZZZ as the base url, regardless of what the origin URL is. Works like a charm 👍

bchah avatar Jan 15 '24 18:01 bchah
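The behaviour both comments describe, modelled as an added example (not code from the issue or from OvenMediaEngine itself): the signature is an HMAC over the URL as OME itself reconstructs it, so a URL signed against the public proxy address fails while one signed against OME's own listener URL verifies. It assumes OME's documented SignedPolicy scheme (base64url policy JSON, signature = base64url(HMAC-SHA1(secret, "<base_url>?policy=<policy>")) with padding stripped) and treats the OME_SIGNATURE value from the docker run line as that secret.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Values taken from the issue above. OME_SIGNATURE is assumed to be the
# SignedPolicy secret; INTERNAL_BASE is the base_url OME logged behind Apache.
SECRET_KEY = "Lx9Mgz4f4W"
INTERNAL_BASE = "ws://localhost:3333/app/testStream"  # what OME verifies against
PUBLIC_BASE = "wss://mydomain/ovswss/app/testStream"  # what the player opens


def b64url(raw: bytes) -> str:
    """base64url without '=' padding (assumed encoding for OME query values)."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def make_policy(url_expire_ms: int, allow_ip: str = "") -> str:
    """Build the base64url policy JSON; allow_ip may be a CIDR range."""
    policy = {"url_expire": url_expire_ms}
    if allow_ip:
        policy["allow_ip"] = allow_ip
    return b64url(json.dumps(policy, separators=(",", ":")).encode())


def sign(base_url: str, policy_b64: str, secret: str) -> str:
    """signature = base64url(HMAC-SHA1(secret, '<base_url>?policy=<policy>'))."""
    msg = f"{base_url}?policy={policy_b64}".encode()
    return b64url(hmac.new(secret.encode(), msg, hashlib.sha1).digest())


def signed_url(sign_base: str, publish_base: str, policy_b64: str, secret: str) -> str:
    """Sign against sign_base, but hand the player a URL on publish_base."""
    sig = sign(sign_base, policy_b64, secret)
    return f"{publish_base}?policy={policy_b64}&signature={sig}"


def ome_accepts(received_url: str, secret: str) -> bool:
    """Model of OME behind the proxy: it ignores the client-facing origin and
    rebuilds base_url from its own listener, so the HMAC is checked against
    INTERNAL_BASE whatever host or path prefix the player used."""
    qs = parse_qs(urlsplit(received_url).query)
    policy_b64 = qs.get("policy", [""])[0]
    received_sig = qs.get("signature", [""])[0]
    return hmac.compare_digest(sign(INTERNAL_BASE, policy_b64, secret), received_sig)


if __name__ == "__main__":
    pol = make_policy(url_expire_ms=1_800_000_000_000, allow_ip="10.0.0.0/8")
    naive = signed_url(PUBLIC_BASE, PUBLIC_BASE, pol, SECRET_KEY)    # signed on proxy URL
    fixed = signed_url(INTERNAL_BASE, PUBLIC_BASE, pol, SECRET_KEY)  # signed on OME's URL
    print("signed with public URL   ->", ome_accepts(naive, SECRET_KEY))  # False
    print("signed with internal URL ->", ome_accepts(fixed, SECRET_KEY))  # True
```

Because the HMAC binds the token to OME's internal listener URL rather than the public hostname, anyone able to reach port 3333 directly can replay the same policy/signature pair without going through the proxy, so the listener should stay reachable only from the reverse proxy.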

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Mar 15 '24 21:03 stale[bot]