/

Mixed Content Acessibility via NodeJS

One of our clients required calling the Red5 Pro server API from a client page. The API is exposed by Red5 Pro autoscale nodes and as such accessible only through HTTP. Therefore, it is not possible to call it from web pages served over HTTPS because of mixed content errors.

Our solution was to propose adding a proxy in their NodeJS backend server, which has an SSL certificate, to proxy the HTTPS calls to the Red5 Pro nodes over HTTP. Using this approach prevents the mixed content errors while also avoiding exposing the security token required for the Red5 Pro server API. Using the proxy solution, the client could make a call to the proxy endpoint, which would forward to the correct Red5 Pro node while also appending the security token. In this way, the security token is never exposed to front-end clients.

The NodeJS server can implement a general proxy endpoint which receives the details of the request to make, and proxy it to the destination server while returning back the response. The proxy endpoint can be as follows:

{
	“url”: ”<destination-url>”,
	“destination-node”: ”<IP:PORT-of-destination-node>”,
	“method”: “GET|POST|PUT|DELETE”,
	“body”: “<json-body>”
}

When a request is received, the proxy endpoint will use the url and destination-node to create the endpoint to call and append to it the access token as a query parameter, make a request to it using the specified method and optionally providing the specified body and return the response to the original caller.

Using the unpublish stream API as an example, the effective request to make to the server is:

Therefore, the proxy request would have format:

{
	“url”: ”/api/v1/applications/{appname}/streams/{streamname}/action/unpublish”,
	“destination-node”:127.0.0.1:5080,
	“method”: “GET”
}

Which would result in a GET call to: http://127.0.0.1:5080/api/v1/applications/{appname}/streams/{streamname}/action/unpublish?accessToken={security-token}