SSL certificate and naming/placement

Michel Hageman

Feb 16, 2023, 6:58:28 AM
to Mistserver.org
Hello,

I've procured an SSL certificate through Nginx Proxy Manager and can reach Mistserver through port 4242 and HTTPS fine, but when loading a preview of a stream, I get a failure that https://mistserver.domainname.com/player.js is not available.

I also see that HTTPS-protocol is not available in the summary. 

I would like to place the certificate that I have in the appropriate directory, /etc/letsencrypt/live, so that Mistserver can use this certificate, but I don't know how to name the certs. E.g. cert.pem or cert.crt. Can you point me in the right direction?

I tried obtaining a certificate through Mistcertbot, but this fails. 

Thanks in advance!

Michel Hageman

Feb 16, 2023, 7:05:01 AM
to Mistserver.org
In the overview the following protocols are disabled: HTTPMinimalServer, HTTPS, TS

Port 8080 doesn't accept https-connections, so the player.js won't load...

Michel Hageman

Feb 16, 2023, 9:27:25 AM
to Mistserver.org
So, my real question is this one: how to embed a stream that's unencrypted, i.e. http-stream, in an HTTPS-website by means of an i-frame, when said website is encrypted with SSL and https? Because, when I use HTTP to access Mistserver, all functions are available and running really well. As soon as I use the reverse proxy, NPM in this case, and instate HTTPS protocol, the player.js stops functioning, because of port 8080 which can't be HTTPS. Also any call to Mistserver.com:8080/player.js fails because of having no SSL.

Also, I direct traffic from NPM (Nginx Proxy Manager) to Mistserver through port 4242, but the player.js and embedding expects to be called through port 8080. I can't make two references to Mistserver in NPM on one domain and use two ports. How to accomplish this?

As I see it now it is only possible to use HTTP with Mistserver and route traffic, people who want to watch the stream, to the Mistserver-domain, instead of embedding the stream in an i-frame in a HTTPS-secured website?

Balder Vietor

Feb 16, 2023, 11:20:38 AM
to mists...@googlegroups.com
Hey there,

You're on the right track. HTTP and HTTPS do not mix, at all. So the solution is indeed having everything HTTPS or HTTP depending on which is used. Since you're already using a proxy you'd probably just want to tell MistServer to use that fully. Now there's 2 ways to do this. 

Setting up Public Address

You can set up a Public Address setting in the HTTP protocol of MistServer.

This option is what you'd use if you're already reverse proxying addresses to MistServer's 8080 port. Within Nginx that would mean you've set up a "/location" towards port 8080.

Change example.com to your address.

Note: I would recommend using http://example.com/mist/ and not just doing the https one. That way you can use both http and https using the same syntax. Makes things a lot easier.

Setting up X-Mst-Path
MistServer is also automatically able to detect the reverse proxy address if the reverse proxy incorporates the X-Mst-Path header. Now we don't have a Nginx Proxy Manager example, but our Nginx one is:
    location /mistserver/ {
        proxy_pass http://localhost:8080/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_read_timeout 600s;
        proxy_set_header Host $host;
        proxy_set_header X-Mst-Path "$scheme://$host/mistserver";
    }
I'm expecting the advanced tab within Nginx Proxy Manager would just let you set these up. As far as I'm aware Nginx Proxy Manager is just a browser interface around Nginx.

Certbot
Certbot most likely failed because you were already using port 80. MistUtilCertbot will start a http connector on port 80 to use and if that port is already in use this will fail. 
A way to "fix" this would be de-activating NPM and then running it again, though I can't really recommend this as both the 80 port and the 443 port that will be set up by MistUtilCertbot will be conflicting with NPM and auto-renewal will definitely not work without access to the default http port.

If it was failing for a different reason I'd of course be interested in any info/error message you can share.

Testing it
The Public address solution should fix the links within the 4242 interface, but the X-Mst-Path would not. The "best" way to verify everything working is to visit a stream.html page:


If it doesn't work open the developer console (f12) and look at the network tab to see what addresses are used, or open the page source and look for the player.js path and the streamname.html path. Our embed code always needs those 2 addresses, so editing the embed code to use the correct forwarded locations might be needed if you copy it off the embed page.

With kind regards,

Balder Viëtor
Head of Testing
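
The check described under "Testing it" (finding the player.js and stream page addresses in the embed code) can be scripted. This is an added example, not part of the original post and not MistServer code; the sample embed markup, the hostnames and the name audit_embed are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample embed markup (NOT real MistServer output); hostnames are placeholders.
SAMPLE_EMBED = """
<div id="demo">
  <script src="http://mistserver.example.com:8080/player.js"></script>
  <iframe src="https://mistserver.example.com/mistserver/live.html"></iframe>
  <a href="http://mistserver.example.com:8080/live.html">direct link</a>
</div>
"""

# Active content: browsers block these outright when loaded over HTTP on an HTTPS page.
ACTIVE_TAGS = {"script": "src", "iframe": "src"}

class EmbedAudit(HTMLParser):
    """Flag script/iframe URLs that will not load from an HTTPS page behind the proxy."""
    def __init__(self, public_address):
        super().__init__()
        self.pub = urlsplit(public_address)
        self.prefix = self.pub.path.rstrip("/") + "/"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(ACTIVE_TAGS.get(tag, ""))
        if not url:
            return
        parts = urlsplit(url)
        if not parts.netloc:                  # relative URL: resolved against the embedding page
            return
        scheme = parts.scheme or "https"      # "//host/..." inherits the HTTPS page's scheme
        if scheme != "https":
            reason = "mixed-content"          # plain HTTP subresource on an HTTPS page
        elif parts.port == 8080:
            reason = "direct-8080"            # per the thread, port 8080 does not speak HTTPS
        elif parts.hostname != self.pub.hostname or not parts.path.startswith(self.prefix):
            reason = "outside-public-address" # bypasses the proxied location
        else:
            return
        self.findings.append((tag, url, reason))

def audit_embed(html, public_address):
    """Return (tag, url, reason) for every embed URL that needs fixing."""
    parser = EmbedAudit(public_address)
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for finding in audit_embed(SAMPLE_EMBED, "https://mistserver.example.com/mistserver"):
        print(finding)
```
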





Michel Hageman

Feb 18, 2023, 10:14:26 AM
to Mistserver.org
Thank you very much! Works like a charm. 

I made an entrance in NPM with a domain like mistserver.example.com to point to port 4242 and requested a certificate for this domain under the SSL-tab, to reach the management-end of Mistserver through HTTPS. Then I added the code you provided in the advanced tab in the NPM proxied domain mistserver.example.com, to let traffic pass to port 8080, both HTTPS and HTTP and let Nginx add the appropriate header. I then added the references to both the public addresses http://mistserver.example.com/mistserver and https://mistserver.example.com/mistserver under 'HTTP-protocol' edit-option in Mistserver itself and voila!

Thanks again!

Michel Hageman

Feb 18, 2023, 11:17:17 AM
to Mistserver.org
In addition to this I'd like to add that in my case it was necessary to forward port 1935 from the modem to the ip-address of the VM-instance where the Mistserver Docker container resides, as well as add 'Streams' in NPM proxy-manager to forward streams 1935 and 8080 to the before-mentioned VM-instance where the docker-container of Mistserver is running on. Furthermore add hostname to /etc/hosts file and name the host in /etc/hostname.

That should be it. Embedding with HTTPS works perfectly with the by Mistserver provided code-snippet under 'Embed'.
