nginx receives wrong configuration for virtual background

[plorenz-etes]

Describe the bug We have published our self-developed OpenVidu app which now includes the OpenVidu virtual background feature. However, many customers reported that the virtual background wouldn't work. After some investigation, we could actually find out that OpenVidu rejects downloading the /openvidu/virtual-background/openvidu-virtual-background.js file with HTTP error 403 (forbidden).

Expected behavior When activating the virtual background, the mentioned JS file should be downloaded and the background should initialize.

Wrong current behavior Access to /openvidu/virtual-background/openvidu-virtual-background.js is blocked for most IPs. See below for a detailed investigation of the issue.

OpenVidu tutorial where to replicate the error

1. Set up an OpenVidu server using docker
2. Use one of the basic tutorials to create and join a session, but make sure that your IP address is not whitelisted for API access
3. Try applying the virtual background to your stream via dev tools
4. You should now receive a 403 error and the virtual background does not start showing

Important: This is not reproducible with demo.openvidu.io, although I'm not quite sure why (maybe this works without openvidu-proxy).

OpenVidu deployment info

• Docker container as explained in OpenVidu tutorials

Client device info (if applicable) This issue affects any client device.

Screenshots This is a screenshot of a customer who was affected by this issue. Please note: while our customer couldn't even open the shown URL manually in her browser, we could access it because our IPs are whitelisted for API access:

Additional context We found out that openvidu-proxy contains the nginx config default_nginx_conf/global/pro/new_api_pro.conf. There, the following location is defined:

    location /openvidu/virtual-background {
        {rules_acess_api}
        deny all;
        proxy_pass http://openviduserver;
    }

This basically means that only IP addresses with API access are allowed to receive content from /openvidu/virtual-background. In my opinion, this block should be replaced with:

    location /openvidu/virtual-background {
        allow all;
        proxy_pass http://openviduserver;
    }

[cruizba]

Hello @plorenz-etes , are you using this environment variable? ALLOWED_ACCESS_TO_RESTAPI

In that case you are correct and we should be less restrictive with that endpoint. I'll fix it and create a beta docker image for your deployment

[cruizba]

@plorenz-etes

Here is the commit: https://github.com/OpenVidu/openvidu/commit/94bb69c4185335b4da917dc3808e9562de4d071a And here is the docker image: openvidu/openvidu-proxy:2.27.0-beta1

Could you check it?

[plorenz-etes]

Hi @cruizba , thank you for providing a test image. I can confirm it's working great. We are indeed using ALLOWED_ACCESS_TO_RESTAPI.

[cruizba]

Nice!, next version will have this bug fixed. For now, use 2.27.0-beta1