Crossbar REST forwarding and ip/header access


Yury Sobolev

Jan 6, 2015, 9:45:58 AM
to autob...@googlegroups.com
I would like to accomplish the following things:

1) I would like a REST server to run alongside crossbar. I noticed there was a forwarder in the documentation, however I am a little confused about its usage. Can it do per user authentication? I would like individual users to be able to HMAC sign their posts and submit them to the forwarder which would then run RPC on their behalf. The documentation seems to imply this only works for events, not RPC, and that I would need a config entry for each user. Do I need to write a separate forwarder myself?

2) I would like access to both the IP and "proxied for" IP. Some services such as CloudFlare offer WebSocket proxying. In order to know the originating IP, they set an "X-Forwarded-For" header in the request. I would like to a) log the IP and header, and b) whitelist/blacklist IPs based on username. How would I go about doing this?

Thanks.

-Yury

Tobias Oberstein

Jan 7, 2015, 11:11:41 AM
to autob...@googlegroups.com
Hi Yury,

On 06.01.2015 at 15:45, Yury Sobolev wrote:
> I would like to accomplish the following things:
>
> 1) I would like a REST server to run alongside crossbar. I noticed there
> was a forwarder in the documentation, however I am a little confused
> about its usage. Can it do per user authentication? I would like
> individual users to be able to HMAC sign their posts and submit them to
> the forwarder which would then run RPC on their behalf. The
> documentation seems to imply this only works for events, not RPC, and
> that I would need a config entry for each user. Do I need to write a
> separate forwarder myself?

Currently, the REST bridge in Crossbar.io only supports one of the 4
roles: publisher.

That is, you can publish via an HTTP/POST to the bridge endpoint which
will forward the event as a regular WAMP event.

The bridge supports signed HTTP/POSTs using a simple HMAC scheme (with
replay protection).

The signing key used for the HMAC is configured for the complete bridge
though.

We definitely want to support the other 3 roles in the bridge: caller,
callee and subscriber.

The bridge is designed for _backend_ integration of legacy systems, not
as a frontend entry point into Crossbar.io.

Then, a frontend entry point into Crossbar.io is already provided with
the WAMP-over-Longpoll support (already implemented). This also supports
all 4 roles.

>
> 2) I would like access to both the IP and "proxied for" IP. Some
> services such as CloudFlare offer WebSocket proxying. In order to know
> the originating IP, they set an "X-Forwarded-For" header in the request.
> I would like to a) log the IP and header, and b) whitelist/blacklist IPs
> based on username. How would I go about doing this?

Doing this with what? With Crossbar.io bridge, WAMP-over-longpoll, ..?

FWIW, the above HTTP header information is available in WAMP session
metaevents:

http://crossbar.io/docs/Session-Metaevents/

The information provided for the joining session in a metaevent includes
both WAMP level session info _and_ transport level info (which for
WebSocket based transports includes HTTP headers from the WebSocket
opening handshake).

Cheers,
/Tobias
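
Added example, not part of the original posts and not Crossbar.io's bridge signing format: a sketch of the per-user variant asked about above, where each signed POST is checked against that user's own key and replays are rejected with a timestamp window plus a nonce cache. The field layout, `USER_KEYS`, `MAX_SKEW` and the function names are all assumptions.

```python
import hashlib
import hmac
import time

# Constructed per-user secrets; a real deployment would load these from a secret store.
USER_KEYS = {"alice": b"alice-secret", "bob": b"bob-secret"}
MAX_SKEW = 300   # seconds a signed request stays valid
_seen = {}       # (user, nonce) -> expiry time; this is the replay cache


def sign(secret, user, timestamp, nonce, body):
    """Client side: HMAC-SHA256 over length-prefixed fields so they cannot be shifted."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for field in (user.encode(), str(timestamp).encode(), nonce.encode(), body):
        mac.update(len(field).to_bytes(4, "big") + field)
    return mac.hexdigest()


def verify(user, timestamp, nonce, body, signature, now=None):
    """Server side: return (ok, reason) for one signed POST."""
    now = time.time() if now is None else now
    secret = USER_KEYS.get(user)
    if secret is None:
        return False, "unknown user"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign(secret, user, timestamp, nonce, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    # Drop expired nonces, then reject any nonce already used inside the window.
    for key in [k for k, expiry in _seen.items() if expiry < now]:
        del _seen[key]
    if (user, nonce) in _seen:
        return False, "replayed nonce"
    _seen[(user, nonce)] = timestamp + MAX_SKEW
    return True, "ok"
```

The nonce is recorded only after the signature verifies, so unauthenticated requests cannot fill the replay cache.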


Tobias Oberstein

Jan 7, 2015, 11:13:22 AM
to autob...@googlegroups.com

Yury Sobolev

Jan 7, 2015, 11:20:44 AM
to autob...@googlegroups.com

Hi Tobias,

Great! This is what I was looking for.

I need IP information for the WebSocket connection. I was able to inspect the transport in my router quite easily. It was not clear that this was accessible in crossbar. I will play around with metaevents. Is it possible to force a disconnect in response to these events?

Thanks again.

-Yury



Tobias Oberstein

Jan 7, 2015, 11:50:09 AM
to autob...@googlegroups.com
On 07.01.2015 at 17:20, Yury Sobolev wrote:
> Hi Tobias,
>
> Great! This is what I was looking for.
>
> I need IP information for the WebSocket connection. I was able to
> inspect the transport in my router quite easily. It was not clear that

Actually, transport level information like this is available in 2 places:

1. metaevents (what I was talking about)
2. custom authenticators

The latter are just regular WAMP components configured in Crossbar.io to
authenticate _other_ sessions. There you can deny a session based on
transport level info today (already implemented).

> this was accessible in crossbar. I will play around with metaevents. Is
> it possible to force a disconnect in response to these events?

Not from subscribers to metaevents (today). You are the 2nd user asking
for this feature:

https://github.com/crossbario/crossbar/issues/197


Yury Sobolev

Jan 7, 2015, 12:08:02 PM
to autob...@googlegroups.com

I guess what I am really looking for is:

https://github.com/crossbario/crossbar/issues/102

Anyway, not a big deal. I can read the source and figure it out. Thanks.

-Yury

Tobias Oberstein

Jan 7, 2015, 12:13:56 PM
to autob...@googlegroups.com

Yury Sobolev

Jan 7, 2015, 12:30:30 PM
to autob...@googlegroups.com

Er... The dynamic examples specify an authenticate method:

def authenticate(realm, authid)

That does not get any transport level information as far as I can tell.

-Yury


Tobias Oberstein

Jan 7, 2015, 1:09:36 PM
to autob...@googlegroups.com
On 07.01.2015 at 18:30, Yury Sobolev wrote:
> Er... The dynamic examples specify an authenticate method:
>
> def authenticate(realm, authid)
>
> That does not get any transport level information as far as I can tell.

Oops. I thought I added that already. Ok, but that is easy .. will do
later this day:

https://github.com/crossbario/crossbar/issues/198

Sorry, I am doing too many things in parallel ..

/Tobias
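
Added example, not part of the original posts and not Crossbar.io code: a sketch of the per-user IP allow/deny check discussed in this thread, written as an `authenticate` function that also receives transport details. The third `details` argument, its `peer` and `http_headers` keys, and all addresses are assumptions (constructed values from documentation ranges). X-Forwarded-For is honoured only when the socket peer is a known proxy, since a directly connected client can set that header to anything.

```python
import ipaddress

# Constructed values: proxy ranges whose X-Forwarded-For we accept, and per-user rules.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
USER_ALLOW = {
    "alice": [ipaddress.ip_network("198.51.100.0/24")],
    "bob": [ipaddress.ip_network("0.0.0.0/0")],
}
USER_DENY = {"bob": [ipaddress.ip_network("192.0.2.66/32")]}


def in_any(ip, networks):
    return any(ip in net for net in networks)


def client_ip(peer, headers):
    """Return the address policy applies to, or None if it cannot be established."""
    ip = ipaddress.ip_address(peer)
    if not in_any(ip, TRUSTED_PROXIES):
        return ip  # direct connection: any X-Forwarded-For is client-supplied, ignore it
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    # Walk right to left: the rightmost hop not added by a trusted proxy is the client.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # missing or malformed entry behind a proxy: fail closed
        if not in_any(ip, TRUSTED_PROXIES):
            return ip
    return None


def authenticate(realm, authid, details):
    """Hypothetical authenticator: return (accepted, record_to_log)."""
    peer = details["peer"]
    headers = {k.lower(): v for k, v in details.get("http_headers", {}).items()}
    ip = client_ip(peer, headers)
    record = {"authid": authid, "peer": peer,
              "x_forwarded_for": headers.get("x-forwarded-for"),
              "client_ip": None if ip is None else str(ip)}
    accepted = (ip is not None
                and in_any(ip, USER_ALLOW.get(authid, []))
                and not in_any(ip, USER_DENY.get(authid, [])))
    return accepted, record
```

Users with no allow entry are denied by default, and the record keeps both the socket peer and the raw header so the two can be compared later.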