ant-media / Ant-Media-Server

Ant Media Server is a live streaming engine software that provides adaptive, ultra low latency streaming by using WebRTC technology with ~0.5 seconds latency. Ant Media Server is auto-scalable and it can run on-premise or on-cloud.
https://antmedia.io

HTTP 403 when deployed behind an Azure Application Gateway #6838

Open jantekb opened 4 days ago

jantekb commented 4 days ago

Short description

1) Ant Media Server 2.11.3 is deployed behind an Azure Application Gateway
2) User loads the "WebRTC Publish & WebRTC Play" through the gateway, the browser makes a request for /favicon.ico
3) This error gets logged and http 403 is returned

    2024-11-27 19:29:45,816 [http-nio2-0.0.0.0-5080-exec-4] ERROR io.antmedia.filter.AbstractFilter - error
    java.net.UnknownHostException: 162.243.205.137:45530: invalid IPv6 address literal
        at java.base/java.net.InetAddress.invalidIPv6LiteralException(InetAddress.java:1390)
        at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1360)
        at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1306)
        at java.base/java.net.InetAddress.getByName(InetAddress.java:1256)
        at io.antmedia.filter.AbstractFilter.checkCIDRList(AbstractFilter.java:67)
        at io.antmedia.filter.IPFilterDashboard.isAllowedDashboard(IPFilterDashboard.java:34)
        at io.antmedia.filter.IPFilterDashboard.doFilter(IPFilterDashboard.java:22)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.apache.catalina.filters.CorsFilter.handleNonCORS(CorsFilter.java:331)
        at org.apache.catalina.filters.CorsFilter.doFilter(CorsFilter.java:158)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
        at io.antmedia.valves.DataTransferValve.invoke(DataTransferValve.java:31)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:663)
        at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:731)

Environment

Steps to reproduce

See above

Expected behavior

No errors

Actual behavior

Weird error gets logged with misleading message

Root cause analysis

The Azure Application Gateway sends an X-Forwarded-For HTTP header that contains not only the IP of the client but the port as well. Tomcat's RemoteIpValve is not capable of recognizing this and ends up populating the HTTP Request object with a remoteAddr attribute that goes against the specification and contains "ip:port" instead of the IP only.

IPFilterDashboard in Ant Media Server can't handle this scenario and the code execution ends up in this branch of AbstractFilter:

    } catch (UnknownHostException e) {
      // This should be in the 'could never happen' category but handle it
      // to be safe.
      logger.error("error", e);
    }

While it can be worked around with advanced configuration options in Azure Application Gateway, I recommend handling this in Ant Media Server too, stripping off the port part in forwarded request scenarios.
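
One way to strip the port before the address reaches the CIDR check, as an added example that is not part of the original post or of the Ant Media Server code base. The class and method names (`ForwardedAddress`, `stripPort`) are hypothetical, and every sample value except the one taken from the log above is constructed.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

// Hypothetical helper, not Ant Media Server code.
public class ForwardedAddress {

    /**
     * Returns the host part of a forwarded client address, dropping an optional port.
     * Accepts "1.2.3.4", "1.2.3.4:5678", "2001:db8::1", "[2001:db8::1]" and
     * "[2001:db8::1]:5678". Returns null for anything else so the caller can deny.
     */
    static String stripPort(String remoteAddr) {
        if (remoteAddr == null) return null;
        String value = remoteAddr.trim();
        if (value.isEmpty()) return null;

        if (value.startsWith("[")) {                 // bracketed IPv6, optional ":port"
            int close = value.indexOf(']');
            if (close < 0) return null;
            String rest = value.substring(close + 1);
            if (!rest.isEmpty() && !rest.matches(":\\d{1,5}")) return null;
            return value.substring(1, close);
        }
        int first = value.indexOf(':');
        if (first >= 0 && first != value.lastIndexOf(':')) {
            return value;                            // several colons: bare IPv6, no port
        }
        String host = first < 0 ? value : value.substring(0, first);
        String port = first < 0 ? "" : value.substring(first + 1);
        // Only a dotted-quad literal is accepted here, so a host name in the header
        // can never reach InetAddress.getByName and trigger a DNS lookup.
        if (!host.matches("\\d{1,3}(\\.\\d{1,3}){3}")) return null;
        if (first >= 0 && !port.matches("\\d{1,5}")) return null;
        return host;
    }

    public static void main(String[] args) throws UnknownHostException {
        String[] samples = {
            "162.243.205.137:45530",                 // form seen in the stack trace above
            "162.243.205.137", "[2001:db8::1]:443", "2001:db8::1", "1.2.3.4:abc"
        };
        for (String s : samples) {
            String host = stripPort(s);
            String shown = host == null ? "rejected" : InetAddress.getByName(host).getHostAddress();
            System.out.println(s + " -> " + shown);
        }
    }
}
```

A bare IPv6 value is returned unchanged, so a malformed one still raises `UnknownHostException` in `InetAddress.getByName`, and the caller should treat that as a denial.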

muratugureminoglu commented 4 days ago

Hi @jantekb

Did you add the following lines to the Custom Data section?

Document Link: https://antmedia.io/docs/guides/clustering-and-scaling/azure/setup-ams-clustering-at-azure/

    #!/bin/bash
    sudo sed -i '/org.apache.catalina.valves.RemoteIpValve/d' /usr/local/antmedia/conf/jee-container.xml
    cd /usr/local/antmedia/
    ./change_server_mode.sh cluster your-mongodb-ip-address

jee-container.xml must have the following line.

    sudo sed -i '/org.apache.catalina.valves.RemoteIpValve/d' /usr/local/antmedia/conf/jee-container.xml

mekya commented 4 days ago

Hi guys, I've discussed this with @jantekb, and he said that he'll fix the bug in the code and also change the documentation: https://antmedia.io/docs/guides/clustering-and-scaling/azure/setup-ams-clustering-at-azure/

That was kind and proactive of him. Thank you @jantekb 👏 🚀

Cheers

burak-58 commented 1 day ago

Thanks @jantekb.