Set Up Stream Manager as SSL Proxy (for publishing/subscribing via WebRTC)

WebRTC publishing requires a valid SSL certificate. Because of the nature of autoscaling, it is impractical to install an SSL certificate on each origin server.

[Figure proxy01: the problem]

To address this, we have implemented the option of using the Stream Manager as an SSL proxy for WebRTC. The proxy communication layer allows for publishing and subscribing using secure WebSockets via the Stream Manager.

[Figure proxy02: the solution]

Overview

The Stream Manager uses Tyrus Client to establish a connection to the remote server internally. Once the user is connected to the Stream Manager WebSocket channel and the Tyrus Client is connected to the remote server, the proxy channel is said to be established.

All the data from the browser client is offloaded to the Tyrus Client, and the reverse is done for responses received from the host server.

The WebSocket layer is primarily used for relaying ICE Candidates, SDP, Status and Error messages between the browser client and the Red5 Pro node (edge/origin).


Prerequisites

You will need to register a domain and obtain an SSL certificate for your Stream Manager. Set up SSL on Red5 Pro per this document.

Set Up Stream Manager as Proxy

Set up the Stream Manager per the instructions for your specific cloud platform, AWS or Google Cloud. Note that in addition to removing {red5prohome}/conf/autoscale.xml and {red5prohome}/plugins/red5pro-autoscale-plugin-<version>.jar, you must also remove the {red5prohome}/plugins/red5pro-webrtc-plugin-<version>.jar file.

Proxy Configuration

Proxy configuration can be found in the {red5prohome}/webapps/streammanager/WEB-INF/red5-web.properties file. Set proxy.enabled to true (this is set to false by default).

## WebSocket PROXY SECTION
proxy.enabled=true
  • proxy.enabled : Enables / disables the WebSocket proxy service (Boolean)

Headers

The Red5 Pro Stream Manager passes information about the originating client in custom headers, which can be used to identify that client.

Headers Sent From Stream Manager Proxy to WebRTC Plugin on Red5 Pro

{Sec-WebSocket-Key=XsuhAp80WSWenevmuVlFeQ==, X-Forwarded-For-Meta-Port=52965, X-Forwarded-For-Meta-Type=WEB, User-Agent=Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0, Sec-WebSocket-Version=13, X-Forwarded-For=192.168.1.45, X-Forwarded-For-Meta-Secure=false, Sec-WebSocket-Protocol=json}

Custom Headers

  • X-Forwarded-For: Use if you want to know the IP address of the originating client.
  • X-Forwarded-For-Meta-Secure: Relays whether the client session is over a secure connection (or not). This information is obtained through the WebSocket connection object.
  • X-Forwarded-For-Meta-Port: Relays the originating client’s port.
  • X-Forwarded-For-Meta-Type: Provides information about the originating client’s connection type. This information is derived from the WebSocket connection class on streammanager. Connection type can be DIRECT or WEB.
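An added example (not Red5 Pro code) that reads the custom headers out of a logged dump in the format shown above and uses the forwarded values only when the connecting peer is a known Stream Manager. The function names, the `streamManagerAddresses` allow-list and the Chrome-style sample are assumptions made for illustration; the first sample is the dump from this page.

```javascript
// Added example, not Red5 Pro code. Parses a header dump in the "{k=v, k=v}"
// form shown above and applies the forwarded values only for a known proxy.

// Split only on ", " that is followed by "<Header-Name>=", so a comma inside a
// value ("KHTML, like Gecko" in a User-Agent) does not start a new header.
function parseHeaderDump(dump) {
  const body = dump.trim().replace(/^\{/, '').replace(/\}$/, '');
  const headers = Object.create(null);      // no inherited keys
  for (const pair of body.split(/, (?=[A-Za-z0-9-]+=)/)) {
    const eq = pair.indexOf('=');           // first "=" only: values may end in "=="
    if (eq > 0) headers[pair.slice(0, eq).toLowerCase()] = pair.slice(eq + 1);
  }
  return headers;
}

// Hypothetical helper. peerAddress is the address the node sees on the socket;
// streamManagerAddresses is the operator's list of Stream Manager IPs (assumed).
// Any client can send X-Forwarded-* itself, so the values are honoured only
// when the peer is one of those proxies.
function originatingClient(headers, peerAddress, streamManagerAddresses) {
  const viaProxy = streamManagerAddresses.includes(peerAddress);
  if (!viaProxy || !headers['x-forwarded-for']) {
    return { address: peerAddress, viaProxy: false };
  }
  const port = Number(headers['x-forwarded-for-meta-port']);
  const type = headers['x-forwarded-for-meta-type'];
  return {
    address: headers['x-forwarded-for'],
    port: Number.isInteger(port) && port > 0 && port < 65536 ? port : null,
    secure: headers['x-forwarded-for-meta-secure'] === 'true',
    type: type === 'DIRECT' || type === 'WEB' ? type : null,
    viaProxy: true,
  };
}

// Header dump copied from the page.
const PAGE_SAMPLE = '{Sec-WebSocket-Key=XsuhAp80WSWenevmuVlFeQ==, X-Forwarded-For-Meta-Port=52965, X-Forwarded-For-Meta-Type=WEB, User-Agent=Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0, Sec-WebSocket-Version=13, X-Forwarded-For=192.168.1.45, X-Forwarded-For-Meta-Secure=false, Sec-WebSocket-Protocol=json}';
// Constructed sample with a comma inside the User-Agent value.
const CHROME_SAMPLE = '{User-Agent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0 Safari/537.36, X-Forwarded-For=203.0.113.7, X-Forwarded-For-Meta-Port=40000, X-Forwarded-For-Meta-Type=WEB, X-Forwarded-For-Meta-Secure=true}';
```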

Client API for Usage

Broadcasters and subscribers need to use the Red5 Pro Stream Manager REST API to request an origin/edge for publish/subscribe operations. Once a server IP has been obtained, it can be used in conjunction with additional parameters to establish a connection with the remote Red5 Pro server node and begin stream operations. This is a two-step process, and the proxy operation is decoupled from Stream Manager internals. The publishing and subscribing is done using the Red5 Pro HTML5 Streaming SDK.

The base configuration object of the HTML5 client (on the Stream Manager instance) should look like this:

var baseConfiguration = {
    host: window.targetHost,
    app: 'streammanager',
    iceServers: iceServers,
    bandwidth: desiredBandwidth,
    connectionParams: {host: "<target-server-ip>", app: "<stream-scope>", context: "<optional-sub-scope>"}
};

Connection parameters are required for the HTML5 client to attempt a connection with the remote Red5 Pro server via the Stream Manager proxy.

connectionParams: Connection parameters must include the proxy target server host and target scope app for publish and subscribe operations. Any optional connection parameters should also be included, to be forwarded to the target server. Subscopes can be targeted using the context parameter.

host: The target host (window.targetHost above) must be a URL with a valid SSL certificate for the proxy.

app: The application parameter should point to streammanager scope since all traffic will be routed through it.

* `host` : <target-server-url>,
* `app` : <stream-scope>,
* `context` : <optional-sub-scope>

Publish/Subscribe Process Via Proxy

PUBLISHER:

SIMPLE REQUEST http://{host}:{port}/streammanager/api/2.0/event/{scopeName}/{streamName}?action=broadcast

OR

REGION PRIORITY REQUEST http://{host}:{port}/streammanager/api/2.0/event/{scopeName}/{streamName}?action=broadcast&region={region-code}

RESPONSE DATA :

{
  "name": "<stream-name>",
  "scope": "<stream-scope>",
  "serverAddress": "<origin-host-address>",
  "region": "<region-code>"
}

GENERIC RED5PRO HTML5 SDK PUBLISHER CONFIGURATION

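var baseConfiguration = {
    host: "<streammanager-host>",   // Stream Manager URL (holds the SSL certificate)
    app: 'streammanager',           // all traffic is routed through this scope
    iceServers: iceServers,
    bandwidth: desiredBandwidth,
    // serverAddress and scope from the RESPONSE DATA above
    connectionParams: {host: "<origin-host-address>", app: "<stream-scope>"}
};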

SUBSCRIBER:

SIMPLE REQUEST http://{host}:{port}/streammanager/api/2.0/event/{scopeName}/{streamName}?action=subscribe

OR

REGION PRIORITY REQUEST http://{host}:{port}/streammanager/api/1.0/event/{scopeName}/{streamName}?action=subscribe&region={region-code}

RESPONSE DATA :

{
  "name": "<stream-name>",
  "scope": "<stream-scope>",
  "serverAddress": "<edge-host-address>",
  "region": "<region-code>"
}

GENERIC RED5PRO HTML5 SDK SUBSCRIBER CONFIGURATION

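var baseConfiguration = {
    host: "<streammanager-host>",   // Stream Manager URL (holds the SSL certificate)
    app: 'streammanager',           // all traffic is routed through this scope
    iceServers: iceServers,
    bandwidth: desiredBandwidth,
    // serverAddress and scope from the RESPONSE DATA above
    connectionParams: {host: "<edge-host-address>", app: "<stream-scope>"}
};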
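The two-step process above as an added example (not part of the Red5 Pro SDK or its documentation): build the REST request, check the response, then derive the proxy configuration from it. The function names, the `sm.example.com` host and the rule that `serverAddress` must be a bare hostname or IPv4 address are assumptions of this example.

```javascript
// Added example, not Red5 Pro SDK code.
const API_PATH = '/streammanager/api/2.0/event';

// Step 1a: request URL in the SIMPLE / REGION PRIORITY form shown above.
// Assumes scopeName and streamName are single path segments.
function eventUrl(smOrigin, scopeName, streamName, action, region) {
  if (action !== 'broadcast' && action !== 'subscribe') {
    throw new Error('action must be "broadcast" or "subscribe"');
  }
  const path = [scopeName, streamName].map(encodeURIComponent).join('/');
  const url = new URL(`${API_PATH}/${path}`, smOrigin);
  url.searchParams.set('action', action);
  if (region) url.searchParams.set('region', region);
  return url.toString();
}

// Step 1b: ask the Stream Manager for an origin (broadcast) or edge (subscribe).
async function requestNode(smOrigin, scopeName, streamName, action, region) {
  const res = await fetch(eventUrl(smOrigin, scopeName, streamName, action, region));
  if (!res.ok) throw new Error(`Stream Manager returned HTTP ${res.status}`);
  return res.json();
}

// Step 2: turn the RESPONSE DATA into the SDK configuration. Only host
// characters are accepted in serverAddress (assumption: hostname or IPv4), so
// an unexpected response cannot place a URL, path, port or credentials into
// connectionParams.
const HOST_RE = /^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$/;

function proxyConfiguration(smHost, response, iceServers, bandwidth) {
  for (const key of ['name', 'scope', 'serverAddress']) {
    if (typeof response[key] !== 'string' || response[key] === '') {
      throw new Error(`response is missing "${key}"`);
    }
  }
  if (!HOST_RE.test(response.serverAddress)) {
    throw new Error('serverAddress is not a bare host');
  }
  return {
    host: smHost,             // Stream Manager, the host with the certificate
    app: 'streammanager',     // all traffic is routed through this scope
    iceServers,
    bandwidth,
    connectionParams: { host: response.serverAddress, app: response.scope },
  };
}
```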

SSL Proxy via Cloud Platform Load Balancer

If you want to load-balance multiple Stream Managers, you can also use an AWS or Google Cloud load balancer to proxy the SSL certificate. See the aforementioned docs for details.

Proxy Publish and Subscribe Streaming Examples

Publish - Stream Manager Proxy

Subscribe - Stream Manager Proxy

Note: the streaming-html5 examples testbed is included with the Red5 Pro server distribution, and can be accessed via your stream manager at https://your.server.url/webrtcexamples/.