<div dir="ltr"><div><div><div>Thank you for the suggestions.<br>What Tony suggests looks like what I was trying to do.<br><br><br></div>What I'm trying to do is proxy HTTPS and RTMP/S on the same port.<br></div><div>Corporate firewalls sometimes allow SSL or even normal HTTP or TCP to pass on port 443 because they assume it is secure.<br>
</div><div>I couldn't find a proxy server like SQUID or haproxy that can separate RTMP from HTTP, so I thought I'd use Erlang for that.<br></div><br></div><div>Currently I have nginx in front of cowboy, but if I put cowboy in the front I won't be able to use nginx for serving static files.<br>
</div><div>Is there a light proxy I can put in front of nginx to separate RTMP from HTTP so I'll be able to pass RTMP requests to the media server (oms) and the HTTP requests to nginx?<br></div><div>nginx will serve static files and cowboy the dynamic requests.<br>
<br>Thanks<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Apr 17, 2013 at 11:15 AM, Tony Rogvall <span dir="ltr"><<a href="mailto:tony@rogvall.se" target="_blank">tony@rogvall.se</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Hi!<div><br></div><div>In general it is not possible to detect and upgrade a socket to ssl, BUT if the client initiates with some </div>
<div>known message data that can be distinguished from the SSL hello message, like HTTP requests then </div><div>you can do something like (I have, and it works :-):</div><div><br></div><div>The socket should already be in {packet,0} packet mode, set {active,false}, {packet,0} in the options to listen.</div>
<div>Then either read in passive mode:</div><div><br></div><div><span style="white-space:pre-wrap"> </span>{ok,Header} = gen_tcp:recv(Socket, MinHeaderBlockSize),<span style="white-space:pre-wrap"> </span>%% say 8 bytes ?</div>
<div><br></div><div>Or something like this in active once mode</div><div><span style="white-space:pre-wrap"> </span>inet:setopts(Socket, [{active, once}]),<span style="white-space:pre-wrap"> </span>%% not easy to control the number of bytes received here yet (there is an EEP!)</div>
<div><span style="white-space:pre-wrap"> </span>Header = </div><div><span style="white-space:pre-wrap"> </span>receive</div><div><span style="white-space:pre-wrap"> </span>{tcp, Socket, Header} -> ok</div><div><span style="white-space:pre-wrap"> </span>end</div>
<div><span style="white-space:pre-wrap"> </span></div><div>Then do a match on the data that the client normally sends with some known SSL intro messages:</div><div><br></div><div><span style="white-space:pre-wrap"> </span>Type = detect(Header),</div>
<div><br></div><div><div>detect(<<"GET", _/binary>>) -> plain;</div><div>detect(<<"POST", _/binary>>) -> plain;</div><div>detect(<<"OPTIONS", _/binary>>) -> plain;</div>
<div>detect(<<"TRACE", _/binary>>) -> plain;</div><div>...</div><div>detect(<<1:1,_Len:15,1:8,_Version:16, _/binary>>) -> ssl;</div><div>detect(<<ContentType:8, _Version:16, _Length:16, _/binary>>) -></div>
<div> if ContentType == 22 -> %% HANDSHAKE</div><div> ssl;</div><div> true -></div><div> undefined</div><div> end;</div><div>detect(_) -></div><div> undefined.</div></div><div>
<br></div><div>Then switch to ssl if that was detected:</div><div><br></div><div><span style="white-space:pre-wrap"> </span>if Type =:= ssl -></div><div><span style="white-space:pre-wrap"> </span>%% Socket MUST be in passive mode at this point</div>
<div><span style="white-space:pre-wrap"> </span>gen_tcp:unrecv(Socket, Header),<span style="white-space:pre-wrap"> </span>%% push back SSL data </div><div><span style="white-space:pre-wrap"> </span>{ok, SSLSocket} = ssl:ssl_accept(Socket, SSLOptions, SSLAcceptTimeout),</div>
<div><span style="white-space:pre-wrap"> </span>do_ssl_request(SSLSocket);</div><div><span style="white-space:pre-wrap"> </span> true -></div><div><span style="white-space:pre-wrap"> </span>do_plain_request(Socket)</div>
<div><span style="white-space:pre-wrap"> </span>end</div><div><br></div><div>/Tony</div><div><br></div><div><div><div><div class="h5"><div>On 17 apr 2013, at 09:41, Ingela Andin <<a href="mailto:ingela.andin@gmail.com" target="_blank">ingela.andin@gmail.com</a>> wrote:</div>
<br></div></div><blockquote type="cite"><div><div class="h5"><div dir="ltr">Hi!<br><div><div class="gmail_extra"><br><div class="gmail_quote">2013/4/17 pablo platt <span dir="ltr"><<a href="mailto:pablo.platt@gmail.com" target="_blank">pablo.platt@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr"><div><div>Hi,<br><br></div>Is it possible to accept SSL connections and normal TCP connections on the same port?<br></div>Maybe accept normal TCP connections. If the connection is SSL connection pass it to the ssl module and if it is a normal TCP connection just handle the socket.<br>
</div></blockquote><div><br></div><div>It is possible to upgrade a tcp socket to an ssl socket.<br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr"><div></div><div>If it is possible, how can I distinguish SSL from non-SSL connections?<br></div></div></blockquote><div><br></div><div>That is the hard part. You must have some scheme to negotiate the upgrade with the client over plain tcp. (Like STARTTLS, HTTP Connect, etc.)<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div></div><div>How can I pass the socket to the ssl module?<br></div></div></blockquote>
<br><div>ssl:ssl_accept(TcpSocket, SslOptions) or ssl:connect(TcpSocket, SslOptions) <br></div><div>make sure the socket is passive ({active, false}) before you make the call.<br></div><div><br></div>Regards, Ingela, Erlang/OTP team, Ericsson AB<br>
</div></div></div></div></div></div><div class="im">
</div></blockquote></div><br><div>
</div>
<br></div></div></blockquote></div><br></div>
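<p>As an added example (not code from the thread or from OTP), here is the first-bytes demultiplexing Tony sketches, extended to the RTMP case Pablo asks about: a passive listener reads just enough bytes to classify the client as TLS, RTMP or plain HTTP, pushes them back with gen_tcp:unrecv/2 (exported but undocumented), and either completes the TLS handshake or hands the raw socket to a caller-supplied Handler. The module and function names, the Handler callback (which would forward to nginx or the media server), and the 5 s timeouts are assumptions.</p>

```erlang
-module(port_demux).
-export([classify/1, serve/3]).

%% TLS record header: ContentType 22 (handshake), major version 3.
classify(<<22, 3, _Minor, _Len:16, _/binary>>) -> tls;
%% RTMP C0 is the single version byte 0x03 (RTMPS is plain TLS, caught above).
classify(<<3, _/binary>>) -> rtmp;
classify(<<"GET ", _/binary>>) -> http;
classify(<<"POST ", _/binary>>) -> http;
%% Under 8 bytes with no match: read more; otherwise give up (bounds buffering).
classify(Bin) when byte_size(Bin) < 8 -> need_more;
classify(_) -> unknown.

%% Listener is binary, raw and passive so the first bytes can be inspected.
serve(Port, SslOpts, Handler) ->
    ok = ssl:start(),
    {ok, LSock} = gen_tcp:listen(Port, [binary, {packet, raw}, {active, false}]),
    accept_loop(LSock, SslOpts, Handler).

accept_loop(LSock, SslOpts, Handler) ->
    {ok, Sock} = gen_tcp:accept(LSock),
    Pid = spawn(fun() -> receive go -> dispatch(Sock, SslOpts, Handler) end end),
    ok = gen_tcp:controlling_process(Sock, Pid),
    Pid ! go,
    accept_loop(LSock, SslOpts, Handler).

%% Accumulate bytes until classify/1 can decide (assumed 5 s per recv).
read_head(Sock, Acc) ->
    case classify(Acc) of
        need_more ->
            case gen_tcp:recv(Sock, 0, 5000) of
                {ok, More} -> read_head(Sock, <<Acc/binary, More/binary>>);
                {error, Reason} -> {error, Reason}
            end;
        Type -> {ok, Type, Acc}
    end.

%% gen_tcp:unrecv/2 pushes the inspected bytes back (socket must still be
%% passive) so the TLS stack or the Handler sees the stream from byte one.
dispatch(Sock, SslOpts, Handler) ->
    case read_head(Sock, <<>>) of
        {ok, tls, Head} ->
            ok = gen_tcp:unrecv(Sock, Head),
            case ssl:handshake(Sock, SslOpts, 5000) of  % OTP 21+ ssl_accept/3
                {ok, TlsSock} -> Handler(tls, TlsSock);
                {error, _Reason} -> gen_tcp:close(Sock)
            end;
        {ok, Type, Head} when Type =:= http; Type =:= rtmp ->
            ok = gen_tcp:unrecv(Sock, Head),
            Handler(Type, Sock);
        _ -> gen_tcp:close(Sock)
    end.
```

<p>Anything the classifier cannot place within 8 bytes, or that stalls past the timeout, is closed rather than buffered, and the TLS branch only tells you the client spoke TLS; whether the decrypted stream is HTTPS or RTMPS has to be decided again on the ssl socket.</p>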