Best practice advice on how to set up and run Crossbar.io on a public Ubuntu server in production.

#1

Hi Crossbars

I’ve been playing with crossbar.io on my local machine for many months and would now like to use it for a feature on a live web app. My experiences so far with web apps have always been something trivial with Nginx proxying to some Python backend. For my next web app I’d like Python clients to be able to connect to a crossbar.io router on some domain or another and I’m not clear as to the stack I need or the security precautions I should take when exposing my router over the internet.

In brief, I would like to give users a hostname and a port so that they can connect their Caller or Callee (Python) WAMP clients to my crossbar instance.

I’m looking for a tutorial on setting up and securely running an instance of crossbar on some virtual private server provider (such as Linode) and exposing this over some domain or another.

If someone can advise, or point me at some existing advice, then that would be much appreciated.

Many thanks

Simon


#2

Hi Simon!

There’s a section about going to production in the documentation: http://crossbar.io/docs/Going-to-Production/

I hope this will get you started. We’re here to help with anything not covered in this!

Regards,

Alex


#3

Hi Alex

Thanks for your reply. I had seen those pages but I think that they assume users have at least made the first leap of running and exposing Crossbar in production.

The questions that were going through my head were of the sort:

What can I rely on the builtin webserver for? Can it serve my webapp? Otherwise, what is its purpose?

Should I apt-get install Crossbar or install in a virtualenv?

When I already have Nginx serving multiple web apps over many domains on a VM, how can I restrict the port access to Crossbar to just one of these domains?

If I have a realm on a public internet domain, do I need to take measures to protect from malicious attacks?

Can I limit the number of connections to Crossbar?

I have dived in and made a start, but all of the above questions still stand for me.

Thanks for your time.

Simon


#4

I use nginx for numerous domains and several wamp apps. Each gets its own upstream block that is indicated in the server stanza.

Here’s how I use it in nginx.

# Upstream: Crossbar's WebSocket transport, bound to localhost only.
upstream butterfly_ws {
    server 127.0.0.1:8044;
}

# $connection_upgrade is not a built-in nginx variable; this map must exist
# in the http{} context (add it here if it is not already defined elsewhere).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    ssl on;
    listen               443 ssl http2;
    server_name          head.org;
    ssl_certificate      /etc/letsencrypt/live/head.org/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/head.org/privkey.pem;

    # Static web app served by nginx itself, not by Crossbar's built-in web server.
    location / {
       root              sites/head.org/htdocs/;
       index             index.html;
    }

    # WebSocket endpoint forwarded to Crossbar. The Upgrade/Connection headers
    # must be passed through or the protocol switch never reaches the router.
    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Host $host:8044;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_pass https://butterfly_ws;
    }

    # Let's Encrypt HTTP-01 challenge files.
    location /.well-known/acme-challenge {
       root /var/lib/letsencrypt;
       default_type "text/plain";
       try_files $uri =404;
    }
}

I’ve marked in purple the relevant sections. Set your upstream proxy (in violet) to use localhost as I have, and use iptables to block eth0 connections to port 8044, or set iptables to only allow port 8044 connections by uid for nginx on localhost. Of course 8044 will go in your crossbar conf too.


Gay/FireRescue/Geek in 33484, USA
It’s the ideals of Linux and Open Source that are amazing, it embodies what WE want, not what is marketed


#5

Hi David

Really useful, thanks for this.

I’m exploring the idea of letting WAMP clients connect to my router over a public hostname and port. It looks, in your examples, like only your webapp can connect to Crossbar, and not a user of the webapp directly. Is this the case?

If you were to expose a bunch of microservices behind Crossbar that allowed WAMP clients to connect over example.com:XXXX - but not over other domains served by the same Nginx server - how would you change your configs?

Thanks


#6

Well, what I do is a bit different, as this application has a single purpose, but were I to need external clients of my own to connect, I have a tinc vpn (tinc-pre) running and external clients could then connect to the tinc IP, which is then REDIRECTed with iptables to the websocket port.

In another situation, I expose the wss websocket port to the world and rely on authentication to permit access.

I’ve seen some HTTP Origin work go into crossbar lately, which will help, but otherwise I don’t think there’s much crossbar can do to auto-route or authenticate incoming connections based on the hostname.


Gay/FireRescue/Geek in 33484, USA
It’s the ideals of Linux and Open Source that are amazing, it embodies what WE want, not what is marketed
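A way to check a Crossbar config.json against the two layouts David describes: the router bound to loopback behind nginx (post #4), or a public wss listener that relies on authentication and Origin checks (post #6). This is an added example, not code from the thread or from the Crossbar project; the config keys it reads (endpoint.interface, endpoint.tls, auth, options.allowed_origins) are assumed from Crossbar's config format, and the three sample configs are constructed.

```python
"""Audit a Crossbar config.json: is a transport reachable beyond loopback,
and if so does it have TLS, non-anonymous auth and an Origin allow-list?"""
import json

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def transport_findings(t: dict, idx: int) -> list[str]:
    """Findings for one router transport. Keys (endpoint.interface, endpoint.tls,
    auth, options.allowed_origins) are assumed from Crossbar's config format."""
    ep = t.get("endpoint", {})
    if ep.get("type") == "unix":           # filesystem socket: local only
        return []
    iface = ep.get("interface")            # absent means bind on every interface
    if iface in LOOPBACK:
        return []                          # only the local nginx proxy can reach it
    where = f"transport[{idx}] ({iface or 'all interfaces'}:{ep.get('port')})"
    findings = []
    if "tls" not in ep:
        findings.append(f"{where}: public listener without TLS (use wss, or bind "
                        "127.0.0.1 and terminate TLS in nginx)")
    auth = t.get("auth", {})
    if not auth or set(auth) == {"anonymous"}:
        findings.append(f"{where}: public listener with anonymous-only access")
    if not t.get("options", {}).get("allowed_origins"):
        findings.append(f"{where}: no allowed_origins; any Origin may open the socket")
    return findings


def audit(config: dict) -> list[str]:
    """Run transport_findings over every router worker in a parsed config."""
    out = []
    for w in config.get("workers", []):
        if w.get("type") == "router":
            for i, t in enumerate(w.get("transports", [])):
                out.extend(transport_findings(t, i))
    return out


def audit_file(path: str) -> list[str]:
    with open(path) as f:
        return audit(json.load(f))


# Constructed sample: Crossbar listening on every interface, no TLS, no auth.
EXPOSED = {"version": 2, "workers": [{"type": "router", "transports": [
    {"type": "websocket", "endpoint": {"type": "tcp", "port": 8044},
     "auth": {"anonymous": {"type": "static", "role": "anonymous"}}}]}]}

# Constructed sample: the thread's layout, loopback only behind nginx on 443.
BEHIND_NGINX = {"version": 2, "workers": [{"type": "router", "transports": [
    {"type": "websocket",
     "endpoint": {"type": "tcp", "port": 8044, "interface": "127.0.0.1"},
     "auth": {"anonymous": {"type": "static", "role": "anonymous"}}}]}]}

# Constructed sample: the wss-plus-authentication layout from post #6.
PUBLIC_WSS = {"version": 2, "workers": [{"type": "router", "transports": [
    {"type": "websocket", "endpoint": {"type": "tcp", "port": 443,
     "tls": {"key": "privkey.pem", "certificate": "fullchain.pem"}},
     "auth": {"wampcra": {"type": "static", "users": {
         "svc": {"secret": "CONSTRUCTED-SECRET", "role": "backend"}}}},
     "options": {"allowed_origins": ["https://head.org"]}}]}]}
```

Run `audit_file("config.json")` against a real node's config; an empty list means every transport is either loopback-only or TLS-protected, authenticated and Origin-restricted.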
