Best practice advice on how to set up and run Crossbar.io on a public Ubuntu server in production.


simon harrison

Jun 23, 2016, 8:39:52 AM
to Crossbar
Hi Crossbars

I've been playing with crossbar.io on my local machine for many months and would now like to use it for a feature on a live web app. My experiences so far with web apps have always been something trivial with Nginx proxying to some Python backend. For my next web app I'd like Python clients to be able to connect to a crossbar.io router on some domain or another and I'm not clear as to the stack I need or the security precautions I should take when exposing my router over the internet.

In brief, I would like to give users a hostname and a port so that they can connect their Caller or Callee (Python) WAMP clients to my crossbar instance.

I'm looking for a tutorial on setting up and securely running an instance of crossbar on some virtual private server provider (such as Linode) and exposing this over some domain or another.

If someone can advise, or point me at some existing advice, then that would be much appreciated.

Many thanks
Simon

Alexander Gödde

Jun 30, 2016, 6:06:07 AM
to Crossbar
Hi Simon!

There's a section about going to production in the documentation: http://crossbar.io/docs/Going-to-Production/
I hope this will get you started. We're here to help with anything not covered in this!

Regards,

Alex

simon harrison

Jul 4, 2016, 1:48:58 PM
to Crossbar
Hi Alex

Thanks for your reply. I had seen those pages but I think that they assume users have at least made the first leap of running and exposing Crossbar in production.

The questions that were going through my head were of the sort:

What can I rely on the builtin webserver for? Can it serve my webapp? Otherwise, what is its purpose?
Should I apt-get install Crossbar or install in a virtualenv?
When I already have Nginx serving multiple web apps over many domains on a VM, how can I restrict the port access to Crossbar to just one of these domains?
If I have a realm on a public internet domain do I need to take measures to protect from malicious attacks?
Can I limit the number of connections to Crossbar?

I have dived in and made a start, but all of the above questions still stand for me.

Thanks for your time.

Simon

David Ford

Jul 4, 2016, 7:18:38 PM
to cross...@googlegroups.com
i use nginx for numerous domains and several wamp apps. each gets their own upstream block that is indicated in the server stanza.

here's how i use it in nginx.

    # $connection_upgrade used below comes from a map in the http {} context;
    # nginx will not start without it (map block added here, not in the original post)
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Crossbar's WebSocket transport listens on loopback only; nginx is the
    # sole public entry point
    upstream butterfly_ws {
        server 127.0.0.1:8044;
    }

    server {
        ssl on;
        listen               443 ssl http2;
        server_name          head.org;

        ssl_certificate      /etc/letsencrypt/live/head.org/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/head.org/privkey.pem;

        # static web app served by nginx itself
        location / {
           root              sites/head.org/htdocs/;
           index             index.html;
        }

        # WebSocket endpoint: HTTP/1.1 plus the Upgrade/Connection headers
        # are required for the handshake to reach Crossbar intact
        location /ws {
            proxy_http_version 1.1;
            proxy_set_header Host $host:8044;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_pass https://butterfly_ws;
        }

        # Let's Encrypt HTTP-01 challenge files
        location /.well-known/acme-challenge {
           root /var/lib/letsencrypt;
           default_type "text/plain";
           try_files $uri =404;
        }
    }

i've marked in purple the relevant sections. set your upstream proxy (in violet) to use localhost as i have and use iptables to block eth0 connections to port 8044 or set iptables to only allow port 8044 connections by uid for nginx on localhost. of course 8044 will go in your crossbar conf too.




--
Gay/FireRescue/Geek in 33484, USA
It's the ideals of Linux and Open Source that are amazing, it embodies what WE want, not what is marketed
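The layout David describes (nginx terminates TLS, the WebSocket location proxies to a Crossbar port that only exists on loopback, iptables closes that port on the public interface) is easy to break by later edits to either config. The script below is an added example, not David's code and not part of Crossbar or nginx: it parses the upstream and location blocks of an nginx site, checks that every proxied upstream is on loopback and that the WebSocket location forwards the Upgrade header, and emits the iptables rules for the loopback-only policy. The sample config is constructed from David's snippet, and the nginx account name `www-data` is an assumption (Ubuntu's default).

```python
"""Audit an nginx site that fronts a Crossbar.io WebSocket transport.

Checks that every proxy_pass target is a named upstream living on loopback
(so the Crossbar port is not on the public interface) and that the WebSocket
location forwards the Upgrade header; also emits the iptables rules that
enforce the loopback-only policy.
"""
import re
from ipaddress import ip_address

# Constructed sample, modelled on the nginx snippet in David's reply.
SAMPLE_NGINX = """
upstream butterfly_ws {
    server 127.0.0.1:8044;
}
server {
    listen 443 ssl http2;
    server_name head.org;
    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_pass https://butterfly_ws;
    }
}
"""

UPSTREAM_RE = re.compile(r"upstream\s+(\S+)\s*\{([^}]*)\}")
SERVER_RE = re.compile(r"\bserver\s+([^\s;]+)\s*;")
LOCATION_RE = re.compile(r"location\s+(\S+)\s*\{([^}]*)\}")
PROXY_PASS_RE = re.compile(r"proxy_pass\s+(\w+)://([^\s;/]+)")


def parse_upstreams(conf):
    """Return {upstream_name: [(host, port), ...]} for every upstream block."""
    upstreams = {}
    for name, body in UPSTREAM_RE.findall(conf):
        servers = []
        for target in SERVER_RE.findall(body):
            host, _, port = target.rpartition(":")
            servers.append((host.strip("[]"), int(port)))  # strip IPv6 brackets
        upstreams[name] = servers
    return upstreams


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the literal name localhost."""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def audit(conf):
    """Return a list of findings; an empty list means the proxy layout is as intended."""
    findings = []
    upstreams = parse_upstreams(conf)
    for location, body in LOCATION_RE.findall(conf):
        match = PROXY_PASS_RE.search(body)
        if not match:
            continue  # static location, nothing proxied
        _scheme, target = match.groups()
        if target not in upstreams:
            findings.append(f"{location}: proxy_pass target {target!r} is not a named upstream")
            continue
        for host, port in upstreams[target]:
            if not is_loopback(host):
                findings.append(f"{location}: upstream {target} server {host}:{port} is not on "
                                "loopback, so Crossbar is reachable from the network unless firewalled")
        if "proxy_set_header Upgrade" not in body:
            findings.append(f"{location}: Upgrade header not forwarded, WebSocket handshakes will fail")
    return findings


def iptables_rules(port, iface="eth0", nginx_user="www-data"):
    """Rules keeping the Crossbar port reachable from loopback, and only by nginx.

    nginx_user is an assumption (Ubuntu's default nginx account). The owner
    match only exists on the OUTPUT chain, so the per-uid restriction is a
    loopback OUTPUT rule rather than an INPUT rule.
    """
    return [
        f"iptables -A INPUT -i lo -p tcp --dport {port} -j ACCEPT",
        f"iptables -A INPUT -i {iface} -p tcp --dport {port} -j DROP",
        f"iptables -A OUTPUT -o lo -p tcp --dport {port} -m owner ! --uid-owner {nginx_user} -j REJECT",
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_NGINX) or ["no findings"]:
        print(finding)
    for _host, port in parse_upstreams(SAMPLE_NGINX)["butterfly_ws"]:
        print("\n".join(iptables_rules(port)))
```

Run it against the real site file (`audit(open("/etc/nginx/sites-enabled/head.org").read())`) after any nginx change; the port in the emitted rules must match the one in Crossbar's transport endpoint, as David notes.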

simon harrison

Jul 12, 2016, 5:59:32 AM
to Crossbar
Hi David

Really useful, thanks for this.

I'm exploring the idea of letting WAMP clients connect to my router over a public hostname and port. It looks like in your examples that only your webapp can connect to Crossbar, and not a user of the webapp directly. Is this the case?

If you were to expose a bunch of microservices behind Crossbar that allowed WAMP clients to connect to over example.com:XXXX - but not over other domains served by the same Nginx server - how would you change your configs?

Thanks

David Ford

Jul 12, 2016, 1:09:21 PM
to cross...@googlegroups.com
well, what i do is a bit different as this application has a single purpose, but would i need external clients of my own to connect, i have a tinc vpn (tinc-pre) running and external clients could then connect to the tinc IP which is then REDIRECTed with iptables to the websocket port.

in another situation, i expose the wss websocket port to the world and rely on authentication to permit access.

i've seen some HTTP Origin work go into crossbar lately, that will help, but otherwise, i don't think there's much crossbar can do to auto-route or authenticate incoming connections based on the hostname
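For the second setup David mentions, a wss transport exposed to the world that relies on authentication (with the HTTP Origin allow-list that had just landed in Crossbar), the things worth checking live in Crossbar's own config rather than in nginx. The lint below is an added example, not Crossbar's tooling and not David's configuration: it walks a Crossbar version-2 config dict (the contents of `.crossbar/config.json`) and flags a public WebSocket listener without TLS, a missing or wildcard `allowed_origins`, a transport with no `auth` block, and an anonymous role whose permissions cover every URI. The hostname, certificate paths and static WAMP-CRA user in `EXPOSED_CONFIG` are placeholders; `weakened_config()` builds the deliberately bad version the lint should catch.

```python
"""Lint a Crossbar.io router config for a WebSocket transport exposed to the internet."""
import copy

# Constructed example in Crossbar's version-2 config layout; hostname, paths
# and the WAMP-CRA secret are placeholders, not values from a real deployment.
EXPOSED_CONFIG = {
    "version": 2,
    "workers": [{
        "type": "router",
        "realms": [{"name": "realm1", "roles": [{
            "name": "frontend",
            "permissions": [{
                "uri": "com.example.", "match": "prefix",
                "allow": {"call": True, "register": False, "publish": True, "subscribe": True},
                "disclose": {"caller": False, "publisher": False}, "cache": True}]}]}],
        "transports": [{
            "type": "websocket",
            "endpoint": {"type": "tcp", "port": 443,
                         "tls": {"key": "/etc/letsencrypt/live/example.com/privkey.pem",
                                 "certificate": "/etc/letsencrypt/live/example.com/fullchain.pem"}},
            "url": "wss://example.com/ws",
            "options": {"allowed_origins": ["https://example.com"]},
            "auth": {"wampcra": {"type": "static",
                                 "users": {"client1": {"secret": "REPLACE-ME", "role": "frontend"}}}}}]}]}


def _roles_by_name(worker):
    """Map role name -> role dict across all realms of a router worker."""
    return {role["name"]: role for realm in worker.get("realms", []) for role in realm.get("roles", [])}


def has_wildcard_permission(role):
    """True if the role grants any action on every URI (uri "" with prefix match)."""
    for perm in role.get("permissions", []):
        if perm.get("uri", "") == "" and perm.get("match") == "prefix":
            if any(perm.get("allow", {}).values()):
                return True
    return False


def lint_transport(transport, roles):
    """Findings for one transport; loopback-bound listeners are skipped (a local proxy fronts them)."""
    findings = []
    if transport.get("type") != "websocket":
        return findings
    endpoint = transport.get("endpoint", {})
    # Crossbar binds all interfaces unless 'interface' narrows it.
    if endpoint.get("interface") in ("127.0.0.1", "::1", "localhost"):
        return findings
    url = transport.get("url", "")
    if "tls" not in endpoint:
        findings.append("public listener has no 'tls' block: WAMP traffic and credentials travel in the clear")
    elif not url.startswith("wss://"):
        findings.append(f"url {url!r} should be wss:// when the endpoint has tls")
    origins = transport.get("options", {}).get("allowed_origins")
    if not origins or "*" in origins:
        findings.append("allowed_origins missing or wildcard: any web page can open a WebSocket to the router")
    auth = transport.get("auth")
    if not auth:
        findings.append("no 'auth' block: nothing on this transport authenticates peers")
    elif "anonymous" in auth:
        role = roles.get(auth["anonymous"].get("role", "anonymous"))
        if role is not None and has_wildcard_permission(role):
            findings.append(f"anonymous peers get role {role['name']!r}, which allows actions on every URI")
    return findings


def lint_config(config):
    """Return all findings across router workers, prefixed with the transport index."""
    findings = []
    for worker in config.get("workers", []):
        if worker.get("type") != "router":
            continue
        roles = _roles_by_name(worker)
        for i, transport in enumerate(worker.get("transports", [])):
            findings.extend(f"transport[{i}]: {f}" for f in lint_transport(transport, roles))
    return findings


def weakened_config():
    """Deliberately weakened copy of EXPOSED_CONFIG: no TLS, any origin, anonymous with full rights."""
    cfg = copy.deepcopy(EXPOSED_CONFIG)
    transport = cfg["workers"][0]["transports"][0]
    del transport["endpoint"]["tls"]
    transport["url"] = "ws://example.com/ws"
    transport["options"]["allowed_origins"] = ["*"]
    transport["auth"] = {"anonymous": {"type": "static", "role": "anonymous"}}
    cfg["workers"][0]["realms"][0]["roles"].append({
        "name": "anonymous",
        "permissions": [{"uri": "", "match": "prefix",
                         "allow": {"call": True, "register": True, "publish": True, "subscribe": True}}]})
    return cfg


if __name__ == "__main__":
    print("hardened:", lint_config(EXPOSED_CONFIG) or "no findings")
    print("weakened:", *lint_config(weakened_config()), sep="\n  ")
```

Load the real file with `json.load` and pass the dict to `lint_config` as part of the deploy step; the lint says nothing about the per-domain routing Simon asked for, which, as David says, is not something the router does beyond the Origin check.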

