WebRTC over HTTPS

[yne]

Context

I'm trying to use the WebRTC example over an HTTPS connection on a separate machine.

Issue

The secure demo page display correctly and the "start button" trigger the mic request but it stay stuck at the "connecting" stage even if the POST /offer reply is okay.

The same docker command on a my local machine (with custom certif) worked.

hypothesis

WebRTC need to open a dynamic for the voice streaming, which is not compatible with the docker static port configuration.

Steps to reproduce

• Start the official image : docker run -v $PWD/certif:/certif -it -p 443:443 alphacep/kaldi-en:latest /bin/bash
• Manually install aio : pip install aiohttp aiortc
• Run the sample in HTTPS mode VOSK_MODEL_PATH=/opt/vosk-model-en/model/ VOSK_SERVER_PORT=443 VOSK_CERT_FILE=/https/fullchain.pem VOSK_KEY_FILE=/https/privkey.pem /opt/vosk-server/webrtc/asr_server_webrtc.py
• Goes into the index.html page
• Click on the "Start" button
• Accept the Microphone request
• Observe in the debugger the following POST /offer reply

  v=0
  o=- 3872783668 3872783668 IN IP4 0.0.0.0
  s=-
  t=0 0
  a=group:BUNDLE 0 1
  a=msid-semantic:WMS *
  m=audio 36142 UDP/TLS/RTP/SAVPF 111 0 8
  c=IN IP4 172.17.0.2
  a=recvonly
  a=extmap:1 urn:ietf:params:rtp-hdrext:ssrc-audio-level
  a=extmap:4 urn:ietf:params:rtp-hdrext:sdes:mid
  a=mid:0
  a=msid:2087ff83-fd37-49d5-99d6-ea276b0e88b2 8324919e-e32a-4a30-85fa-d41af4335b2e
  a=rtcp:9 IN IP4 0.0.0.0
  a=rtcp-mux
  a=ssrc:667571976 cname:a8286fac-12c4-44f9-bdd3-c78dd573e7d2
  a=rtpmap:111 opus/48000/2
  a=rtpmap:0 PCMU/8000
  a=rtpmap:8 PCMA/8000
  a=candidate:9333c84bcc1b0bf56713df9036e6b4d9 1 udp 2130706431 172.17.0.2 36142 typ host
  a=candidate:c58f5770074e5a6227e87732712d9300 1 udp 1694498815 51.79.xxx.xxx 36142 typ srflx raddr 172.17.0.2 rport 36142
  a=end-of-candidates
  a=ice-ufrag:FR8f
  a=ice-pwd:QWZL98JdtQg41WcW0y73Bf
  a=fingerprint:sha-256 1B:F1:0F:03:6E:78:3D:22:8A:48:D7:6D:73:9A:13:59:3F:80:0B:CE:4D:7C:8F:51:98:F6:9A:22:42:99:B8:92
  a=setup:active
  m=application 36142 UDP/DTLS/SCTP webrtc-datachannel
  c=IN IP4 172.17.0.2
  a=mid:1
  a=sctp-port:5000
  a=max-message-size:65536
  a=candidate:9333c84bcc1b0bf56713df9036e6b4d9 1 udp 2130706431 172.17.0.2 36142 typ host
  a=candidate:c58f5770074e5a6227e87732712d9300 1 udp 1694498815 51.79.xxx.xxx 36142 typ srflx raddr 172.17.0.2 rport 36142
  a=end-of-candidates
  a=ice-ufrag:FR8f
  a=ice-pwd:QWZL98JdtQg41WcW0y73Bf
  a=fingerprint:sha-256 1B:F1:0F:03:6E:78:3D:22:8A:48:D7:6D:73:9A:13:59:3F:80:0B:CE:4D:7C:8F:51:98:F6:9A:22:42:99:B8:92
  a=setup:active

[nshmyrev]

Yes, you need to forward/open other webrtc ports on docker at least these:

30000:60000/udp ALLOW Anywhere
1544,5060,5090,8060/tcp ALLOW Anywhere
1544,5060,5090,8060/udp ALLOW Anywhere

It is probably easier to try without docker first and disable firewall

[yne]

Thanks for the confirmations,

Is there any shorter port range than 30000-60000 ?

Every docker port is handled by a docker-proxy process, so having a -p 30000-60000 in my docker run argument would spawn ~30.000 processes which my kernel don't seems to appreciate past 4900 PID

I tried with docker run -v $PWD/cert:/cert -it -p 30000:30000 -p 80:80 -p 443:443 -p 1544:1544 -p 5060:5060 -p 5090:5090 -p 8060:8060 alphacep/kaldi-en:latest /bin/bash without success tho

Anecdotally, I see those warning (but it's probably nothing important)

/usr/local/lib/python3.9/dist-packages/aiortc/rtcdtlstransport.py:211: CryptographyDeprecationWarning: This version of cryptography contains a temporary pyOpenSSL fallback path. Upgrade pyOpenSSL now.
  _openssl_assert(lib.SSL_CTX_use_certificate(ctx, self._cert._x509) == 1)  # type: ignore
/usr/local/lib/python3.9/dist-packages/aiortc/rtcdtlstransport.py:186: CryptographyDeprecationWarning: This version of cryptography contains a temporary pyOpenSSL fallback path. Upgrade pyOpenSSL now.
  value=certificate_digest(self._cert._x509),  # type: ignore

[nshmyrev]

yes, it is a common problem with rtp port ranges, see

https://www.engagespark.com/blog/rtp-port-ranges-for-freeswitch-in-docker

telephony guys don't like docker.

for ssl it is harmless, but we recommend to use nginx frontend for ssl actually and run the server without ssl

[yne]

Yes, the original setup use Nginx but to find the culprit I tried a more standalone approach.

In the end it was docker (and sadly --network=host did not worked for me).

Thanks for your lights

[nothingcomeseasy]

hey guys. i'm loving vosk-server!

Followed the instrunctions of WebRTC and vosk-server worked properly on localhost and in another machine on my LAN!

Now I'm wondering if is it possible to open it outside, for "the internet"? Could someone point me any direction?

Thanks!

[yne]

You'll need to configure your router to forward the ports listed here https://github.com/alphacep/vosk-server/issues/200#issuecomment-1254259061

[nothingcomeseasy]

@yne Yes. It's already working on my LAN environment, but let's say I already have a web host and a personal domain (.com).

I understand that apache and other "famous" servers have some kind of easy integration with SSL certificates.

I wonder if it the same applies to vosk-server? Can I run it under a real domain and make the microphone work? I'm having a hardtime to make it work on a digitalocean host. The pair domain/vosk-server runs good under the standard http 80 port (but in that case microphone isn't working) and I understand that it needs to run under https (443) to make the microphone work and will require a real SSL certificate.

[yne]

You can either use nginx as SSL proxy to your app (and keep the app in HTTP)

Or you simply use the app while providing the 2 needed env variables: https://github.com/alphacep/vosk-server/blob/master/webrtc/asr_server_webrtc.py#L22-L23

[nothingcomeseasy]

will try these!

thank you @yne :)

[yne]

no problem, I successfully switched a vosk project from webRTC to to webSocket. see: stt.js + nginx.conf

[nothingcomeseasy]

Could you elaborate? :)

What are the benefits of switching from webRTC to webSocket?

[yne]

In my case I needed an easy way to deploy and run my components (database, backend, speech-to-text, frontend ...). So I used a docker-compose which start my (postgress, postgrest, vosk, vue ...)

The issue is that webRTC use a wide range of ports, which is not compatible with my docker and VPS approach.

switching to websocket allowed me to keep a realtime approach (text appear as the user speak), while keeping the port range constrained (only 80+443 needed)

[nothingcomeseasy]

thanks for explaining @yne, sounds interesting! I'll read a little bit more about websockets, I'm not a dev, just an enthusiast prototyping a mvp with vosk-server.

I finally made webRTC to work with a real domain, following this thread, thanks for sharing your attemps, helped me a lot!

Do you think it's possible to make a scalable application using vosk-server through webRTC (aka handle multiple requests at the same time)?

[yne]

It would be an horrible design if vosk could only handle 1 request at a time