Hubs-Foundation / hubs-cloud

Resources for self hosted Hubs Cloud instances
Mozilla Public License 2.0

Users can configure which port uses which services for Hubs Cloud boxes #90

Open robinkwilson opened 4 years ago

robinkwilson commented 4 years ago

Either via Cloudformation template, configuration file inside an app server box, or via admin panel (aws parameter store) users can configure which ports are using which services safely.

This would help our Enterprise customers who have specific requirements with security inside their organization.

From user: We realize there is traffic directly hitting app and streaming instances on port 80 and 443 coming from outside of our VPC without going through the load balancer. Is there a configuration file where we can specify what port we want to run services on? Looking at Greg’s response on discord, seems like both port 80 and 443 were by design opened with TLS enabled.

Arko7777 commented 4 years ago

How far is this issue and how may I help to solve this?

bemyevent commented 4 years ago

Hello, it will be a great feature for our professional customers because it is complicated to deploy Hubs for them because of port 80. We tried to change the security rules in EC2 and restrict access to Hubs to a range of IPs, but https and port 80 are a big problem and we can't deploy the solution for them.

Arko7777 commented 4 years ago

> Hello, it will be a great feature for our professional customers because it is complicated to deploy Hubs for them because of port 80. We tried to change the security rules in EC2 and restrict access to Hubs to a range of IPs, but https and port 80 are a big problem and we can't deploy the solution for them.

The question I have is mainly whether we can solve it from the AWS settings. I am facing the same issue on DigitalOcean. That's a huge issue and should be treated as a high priority. All the universities trying to access Mozilla Hubs can't, because all of them use private networks which are critical against :80 port on a secure server.

bemyevent commented 4 years ago

I hope it can be solved very quickly so we can deploy the solution for professional events. Https and port 80 are not secure for lots of company security systems.

Arko7777 commented 4 years ago

I am working on it and will give you an update as soon as I have solved it.

bemyevent commented 4 years ago

Keep me in touch if I can help and do some tests.

rawnsley commented 3 years ago

I'm pretty sure I'm seeing this problem with a customer. They can connect to Mozilla Hubs, but not to my Hubs Cloud. This pull request has more details.

@robinkwilson is it possible to temporarily switch my Hubs Cloud to use port 443 instead? Even if it wasn't a permanent part of the template it would at least help me confirm it as a fix.

Arko7777 commented 3 years ago

I think I found the issue.

The issue was on the client side (firewall). The firewall is blocking all unknown types of files, for example 3D models like glb or other files. We still haven't tested this; however, I'm pretty sure that's the only thing which may happen.

Utopiah commented 3 years ago

FWIW I modified the template via the designer to change the signal external port from 80 to 2080. I then updated the stack, which seemed to move the traffic to port 2080. Unfortunately I'm getting a CORS error via the console, then subsequent wss traffic failing.

Utopiah commented 3 years ago

For those trying to get behind corporate firewalls/proxies: I just tried a PeerJS WebSocket on http behind port 9000 and it went through, but behind port 80 it was blocked. For wss, 443 worked but 80 failed. Here is the basic server to test with: https://gist.github.com/Utopiah/34e6ce90cbeecb0bce1d89474d770d28 It could be used with a few more endpoints with multiple ports and errors in JSON, and could then lead to automated testing with e.g. https://github.com/mozilla/hubs/pull/4133, ideally generating the template itself.

PS: you'll probably get a PeerID being already used but, counterintuitively enough, that means it worked.

Dayk0 commented 3 years ago

Hello, can anyone find a solution to change the port on their cloud hubs? I've heard that some people have successfully hacked their AWS setup.

Thank you.

Utopiah commented 3 years ago

Load the CloudFormation template in AWS editor. Modify the port on the top of the ~44k lines template and try. Some modifications do work, others don't.

Dayk0 commented 3 years ago

> Load the CloudFormation template in AWS editor. Modify the port on the top of the ~44k lines template and try. Some modifications do work, others don't.

Indeed, I noticed that it was possible to modify the template, but I cannot find the line that you indicated, and when searching the whole template, ports 80 and 443 appear many times. Could you give me more details? Thank you.
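For the question of where ports 80 and 443 show up in a large template, and the original report of outside traffic reaching instances on those ports, here is an added example (not code from this thread or from the Hubs Cloud project) that lists every security-group ingress rule in a CloudFormation template exposing the chosen ports to the whole internet. It assumes a JSON-format template; the sample template and its resource names are constructed for illustration, and a YAML template using short-form intrinsics would need converting to JSON first.

```python
import json

# Constructed sample; resource names are hypothetical, not from the Hubs Cloud template.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "AppSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/16"},
            {"IpProtocol": "udp", "FromPort": 40000, "ToPort": 40100, "CidrIp": "0.0.0.0/0"},
        ]}},
    "StreamHttpsIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIpv6": "::/0"}},
    "LbToAppIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "SourceSecurityGroupId": {"Ref": "LbSecurityGroup"}}},
}})

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def world_open_rules(template_text, ports=(80, 443)):
    """Return sorted (resource, port, cidr) tuples for ingress rules that
    expose any of `ports` to the whole internet."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])   # inline rules
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]                                  # standalone rule
        else:
            continue
        for rule in (r for r in rules if isinstance(r, dict)):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if not isinstance(cidr, str) or cidr not in OPEN_CIDRS:
                continue  # source is a security group, a private range or a Ref
            if str(rule.get("IpProtocol")) == "-1":
                lo, hi = 0, 65535                            # all protocols, all ports
            else:
                try:
                    lo, hi = int(rule["FromPort"]), int(rule["ToPort"])
                except (KeyError, TypeError, ValueError):
                    continue  # port set by a parameter/Ref: check it by hand
            findings += [(name, p, cidr) for p in ports if lo <= p <= hi]
    return sorted(findings)


if __name__ == "__main__":
    for finding in world_open_rules(SAMPLE_TEMPLATE):
        print(finding)
```

Rules whose source is another security group (such as a load balancer's) are skipped, so what remains is the set of resources that accept the listed ports directly from outside.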