simplewebrtc / signalmaster

simple socket.io server for webrtc signaling

Load unsafe script - this page includes script from unauthenticated sources. #28

Closed shamun closed 9 years ago

shamun commented 10 years ago

My main link is HTTPS://WWW.Mydomain.com and I am running Signalmaster, which is HTTP; as a result I get the following:

[Screenshot: screen shot 2014-08-22 at 10 02 13]

How do I configure Signalmaster natively to run as HTTPS (not as HTTP as it is right now) with my wildcard certificates (CERT, KEY, CA files)? (Or should I depend on Apache proxypass/stunnel? Then it won't be so reliable.)

bear commented 10 years ago

We use haproxy as a proxy forward server to do that.

haproxy routes all port 80 and 443 traffic to the signalmaster instance; here is the config we use for that:

```
global
    log 127.0.0.1 local0 debug
    maxconn 8000
    user    haproxy
    group   haproxy
defaults
    log     global
    option  httplog
    option  dontlognull
    option  http-server-close
    option  redispatch
    retries 3
    mode    http
    maxconn         5000
    timeout connect  5s
    timeout client  30s
    timeout server  30s
    timeout tunnel  12h
frontend www
    bind     :80
    option   forwardfor
    redirect scheme https if !{ ssl_fc }
frontend lb
    bind   :443 ssl crt /etc/haproxy/sslkeys/cert.pem ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    default_backend  api
    acl is_websocket hdr(Upgrade)  -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws
    acl is_api       hdr_beg(Host) -i api
    use_backend ws  if is_websocket
    use_backend api if is_api
backend api
    balance roundrobin
    server  service 127.0.0.1:5001 weight 1 maxconn 2500 check
backend ws
    balance roundrobin
    server  service 127.0.0.1:5001 weight 1 maxconn 2500 check
```

bear commented 10 years ago

Note, you could also use nginx and/or apache for that - I prefer haproxy because it is a more flexible proxy/ssl termination tool and, IMO, a better fit for the task.
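
An added example, not part of the thread and not the project's own code: the `ciphers` list on the `bind :443` line above still offers RC4 suites, which RFC 7465 prohibits in TLS, and suites with static key exchange that give no forward secrecy. This Python sketch audits that line with a heuristic based on OpenSSL suite names and rebuilds the string without them; all function names are hypothetical.

```python
import re

# The `bind` line from the haproxy config posted above (copied verbatim).
BIND_LINE = (
    "bind   :443 ssl crt /etc/haproxy/sslkeys/cert.pem ciphers "
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:"
    "ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA"
)

def extract_ciphers(bind_line):
    """Return the suites named by the `ciphers` keyword of a bind line."""
    m = re.search(r"\bciphers\s+(\S+)", bind_line)
    return m.group(1).split(":") if m else []

def classify(suite):
    """Return the weaknesses of one OpenSSL-style (pre-TLS 1.3) suite name."""
    parts = suite.upper().split("-")
    issues = []
    if "RC4" in parts:
        issues.append("rc4")                 # prohibited in TLS by RFC 7465
    if parts[0] not in ("ECDHE", "DHE", "EDH"):
        issues.append("no-forward-secrecy")  # static ECDH or RSA key exchange
    if not {"RC4", "GCM", "CHACHA20", "CCM"} & set(parts):
        issues.append("cbc")                 # CBC mode, not an AEAD cipher
    return issues

def audit(bind_line):
    """Map each configured suite to its weaknesses (empty list: none found)."""
    return {s: classify(s) for s in extract_ciphers(bind_line)}

def hardened_cipher_string(bind_line, allow_cbc=True):
    """Rebuild the cipher string without RC4 and non-forward-secret suites."""
    blocked = {"rc4", "no-forward-secrecy"} | (set() if allow_cbc else {"cbc"})
    return ":".join(s for s, i in audit(bind_line).items()
                    if not blocked & set(i))

if __name__ == "__main__":
    for suite, issues in audit(BIND_LINE).items():
        print(f"{suite:32} {', '.join(issues) or 'ok'}")
    print("\nciphers", hardened_cipher_string(BIND_LINE))
```

Passing `allow_cbc=False` keeps only the four AES-GCM suites, which drops support for clients that cannot negotiate an AEAD cipher.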

shamun commented 10 years ago

@bear: Thank you very much, I tested with: stunnel, Apache proxypass, haproxy, nginx; all worked.