amazon-chime-sdk-js
How can we proxy all Chime client communication through our servers?
What are you trying to do?
We'd like to route all web meeting networking between the browser SDK and Chime through a proxy. There are a handful of reasons one could want to do something like this, but in our case we are looking to limit the number of domains and IPs required by our application. Our users are often on sensitive networks that require an IT team to explicitly allow every outbound IP, hostname, and port. Chime requires over a hundred IP ranges to be opened, or opening the wildcard *.chime.aws (which is equally problematic in this case).
How can the documentation be improved to help your use case?
The documentation very briefly mentions proxying and suggests using URL rewriting to do it. As written, it says clearly that media can be proxied (over TCP), and implies that everything can be proxied. It's not clear to me if that's actually possible. Forwarding all of the necessary data is not trivial and there are no examples.
In our minimal case, which is to have a web conference and record it - without any filters or other magic - we would want the following to be proxied:
- TURN listeners, e.g. `turns:ice.m1.ue1.app.chime.aws?transport=tcp`. These URLs are passed to the pluggable `urlRewriter`, which implies this should be possible. We tried to proxy these a handful of different ways (generally inspired by work others have done proxying CoTURN, which I think is analogous) and were not able to get it working.
- Signaling endpoints, e.g. `signal.m1.ue1.app.chime.aws`. We were able to get this working using the `urlRewriter`, with an approach similar to the one here: https://github.com/aws/amazon-chime-sdk-js/issues/951
- Static assets at `https://static.sdkassets.chime.aws`. These URLs are not passed to the pluggable `urlRewriter`, so I don't see any obvious way to do this without editing source code.
- WebRTC media. I'm unclear if we need to do anything additional here. From testing, it appears the Chime peer is at a private `10.3.X.X` IP, which I assume is hole punching behavior that I don't completely understand. Maybe this works itself out if we proxy the TURN listener, I'm not sure.
More documentation on exactly what is possible with proxying, and more information on how to do it, would be very valuable.
Has anyone had success with any of the above?
What documentation have you looked at so far?
GitHub FAQs, API docs, and source code. See above.
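
A sketch of a rewriter function of the kind the issue describes, added here as an example and not code from the post or from the SDK. It covers only the URL-mapping half for the TURN and signaling URLs named above, rewriting nothing outside `*.chime.aws`. The proxy host `meet-proxy.example.com`, the `/chime/<original-host>` path layout and the `/control/...` path in the sample inputs are assumptions, and the proxy itself still has to forward the traffic.

```javascript
// Added example. Chime hostnames come from the post; PROXY_HOST and the
// "/chime/<original-host>" path layout are assumptions for illustration.
const PROXY_HOST = 'meet-proxy.example.com'; // hypothetical allowlisted host
const CHIME_SUFFIX = '.chime.aws';

// Exact-suffix match so look-alike hosts (e.g. "evilchime.aws") are not rewritten.
function isChimeHost(host) {
  const h = host.toLowerCase();
  return h.endsWith(CHIME_SUFFIX) && h.length > CHIME_SUFFIX.length;
}

// TURN URIs have no "//" authority, so the WHATWG URL parser reports an empty
// hostname for them; split scheme, host, optional port and query by hand.
function parseTurnUri(url) {
  const m = /^(turns?):([^:?\/]+)(?::(\d+))?(\?.*)?$/i.exec(url);
  return m && { scheme: m[1].toLowerCase(), host: m[2], port: m[3], query: m[4] || '' };
}

function rewriteChimeUrl(url) {
  const turn = parseTurnUri(url);
  if (turn) {
    if (!isChimeHost(turn.host)) return url;
    // A TURN URI cannot carry a path, so the proxy is assumed to forward this
    // listener to one statically configured upstream.
    const port = turn.port ? `:${turn.port}` : '';
    return `${turn.scheme}:${PROXY_HOST}${port}${turn.query}`;
  }
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return url; // not a URL we understand: leave untouched
  }
  if (!['https:', 'wss:'].includes(parsed.protocol) || !isChimeHost(parsed.hostname)) {
    return url;
  }
  // Keep the original host in the path so the proxy knows where to forward.
  return `${parsed.protocol}//${PROXY_HOST}/chime/${parsed.host}${parsed.pathname}${parsed.search}`;
}
```

A function with this shape (string in, string out) is what the pluggable `urlRewriter` mentioned in the issue expects; URLs that never reach that hook, such as the static assets, are not affected by it.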