Crossbar REST forwarding and ip/header access

#1

I would like to accomplish the following things:

  1. I would like a REST server to run alongside crossbar. I noticed there was a forwarder in the documentation, however I am a little confused about its usage. Can it do per user authentication? I would like individual users to be able to HMAC sign their posts and submit them to the forwarder which would then run RPC on their behalf. The documentation seems to imply this only works for events, not RPC, and that I would need a config entry for each user. Do I need to write a separate forwarder myself?

  2. I would like access to both the IP and “proxied for” IP. Some services such as CloudFlare offer WebSocket proxying. In order to know the originating IP, they set an “X-Forwarded-For” header in the request. I would like to a) log the IP and header, and b) whitelist/blacklist IPs based on username. How would I go about doing this?

Thanks.

-Yury

0 Likes

#2

Hi Yury,

> I would like to accomplish the following things:
>
> 1) I would like a REST server to run alongside crossbar. I noticed there
> was a forwarder in the documentation, however I am a little confused
> about its usage. Can it do per user authentication? I would like
> individual users to be able to HMAC sign their posts and submit them to
> the forwarder which would then run RPC on their behalf. The
> documentation seems to imply this only works for events, not RPC, and
> that I would need a config entry for each user. Do I need to write a
> separate forwarder myself?

Currently, the REST bridge in Crossbar.io only supports one of the 4 roles: publisher.

That is, you can publish via a HTTP/POST to the bridge endpoint which will forward the event as a regular WAMP event.

The bridge supports signed HTTP/POSTs using a simple HMAC scheme (with replay protection).

The signing key used for the HMAC is configured for the complete bridge though.

We definitely want to support the other 3 roles in the bridge: caller, callee and subscriber.

The bridge is designed for _backend_ integration of legacy systems, not as a frontend entry point into Crossbar.io

Then, a frontend entry point into Crossbar.io is already provided with the WAMP-over-Longpoll support (already implemented). This also supports all 4 roles.

> 2) I would like access to both the IP and "proxied for" IP. Some
> services such as CloudFlare offer WebSocket proxying. In order to know
> the originating IP, they set an "X-Forwarded-For" header in the request.
> I would like to a) log the IP and header, and b) whitelist/blacklist IPs
> based on username. How would I go about doing this?

Doing this with what? With Crossbar.io bridge, WAMP-over-longpoll, ..?

FWIW, above HTTP headers information is available in WAMP session metaevents:

http://crossbar.io/docs/Session-Metaevents/

The information provided for the joining session in a metaevent includes both WAMP level session info _and_ transport level info (which for WebSocket based transports includes HTTP headers from the WebSocket opening handshake).

Cheers,
/Tobias

On 06.01.2015 at 15:45, Yury Sobolev wrote:

> Thanks.
>
> -Yury


0 Likes
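
The reply above notes that the bridge's signing key is configured for the bridge as a whole, while the question asks for per-user signing. As an added illustration (not Crossbar.io code and not its wire format), this is how a self-written forwarder could verify per-user HMAC-signed request bodies with timestamp and nonce replay protection; the field layout, `USER_KEYS`, `MAX_SKEW` and the function names are assumptions.

```python
import hashlib
import hmac
import time

# Constructed per-user secrets (hypothetical); load real ones from a secret store.
USER_KEYS = {"alice": b"alice-secret", "bob": b"bob-secret"}
MAX_SKEW = 300       # seconds a timestamp may differ from the server clock
SEEN_NONCES = {}     # (user, nonce) -> expiry time, for replay detection


def sign(user, secret, timestamp, nonce, body):
    """Client side: HMAC-SHA256 over every field the server acts on."""
    parts = [user.encode(), str(timestamp).encode(), nonce.encode(), body]
    # Length-prefix each field so field boundaries cannot be shifted.
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(user, timestamp, nonce, body, signature, now=None):
    """Server side: return (ok, reason); each (user, nonce) is accepted once."""
    now = time.time() if now is None else now
    secret = USER_KEYS.get(user)
    if secret is None:
        return False, "unknown user"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign(user, secret, timestamp, nonce, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    # Drop expired nonces, then refuse any nonce already used by this user.
    for key in [k for k, exp in SEEN_NONCES.items() if exp < now]:
        del SEEN_NONCES[key]
    if (user, nonce) in SEEN_NONCES:
        return False, "replay"
    SEEN_NONCES[(user, nonce)] = now + 2 * MAX_SKEW
    return True, "ok"
```

Nonces are kept for twice the allowed skew so that a captured request cannot be replayed at any point while its timestamp is still acceptable.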

#3

forgot the links into the docs:

http://crossbar.io/docs/HTTP-Pusher-Service/
http://crossbar.io/docs/WAMP-Long-Poll-Service/

0 Likes

#4

Hi Tobias,

Great! This is what I was looking for.

I need IP information for the WebSocket connection. I was able to inspect the transport in my router quite easily. It was not clear that this was accessible in crossbar. I will play around with metaevents. Is it possible to force a disconnect in response to these events?

Thanks again.

-Yury

On Jan 7, 2015 11:11 AM, “Tobias Oberstein” tobias.o...@gmail.com wrote:

> FWIW, above HTTP headers information is available in WAMP session metaevents:
>
> http://crossbar.io/docs/Session-Metaevents/
>
> The information provided for the joining session in a metaevent includes both WAMP level session info and transport level info (which for WebSocket based transports includes HTTP headers from the WebSocket opening handshake).

0 Likes

#5

> Hi Tobias,
>
> Great! This is what I was looking for.
>
> I need IP information for the WebSocket connection. I was able to
> inspect the transport in my router quite easily. It was not clear that

Actually, transport level information like this is available in 2 places:

1. metaevents (what I was talking about)
2. custom authenticators

The latter are just regular WAMP components configured in Crossbar.io to authenticate _other_ sessions. There you can deny a session based on transport level info today (already implemented).

> this was accessible in crossbar. I will play around with metaevents. Is
> it possible to force a disconnect in response to these events?

Not from subscribers to metaevents (today). You are the 2nd user asking for this feature:

https://github.com/crossbario/crossbar/issues/197

On 07.01.2015 at 17:20, Yury Sobolev wrote:

> Thanks again.
>
> -Yury

0 Likes

#6

I guess what I am really looking for is:

https://github.com/crossbario/crossbar/issues/102

Anyway, not a big deal. I can read the source and figure it out. Thanks.

-Yury

0 Likes

#7

https://github.com/crossbario/crossbarexamples/tree/master/authenticate

Look at the "dynamic" examples. E.g.

https://github.com/crossbario/crossbarexamples/tree/master/authenticate/wampcradynamic/python

On 07.01.2015 at 18:08, Yury Sobolev wrote:

> I guess what I am really looking for is:
>
> https://github.com/crossbario/crossbar/issues/102
>
> Anyway, not a big deal. I can read the source and figure it out. Thanks.

0 Likes

#8

Er… The dynamic examples specify an authenticate method:

def authenticate(realm, authid)

That does not get any transport level information as far as I can tell.

-Yury

On Jan 7, 2015 12:13 PM, “Tobias Oberstein” tobias.o...@gmail.com wrote:

> https://github.com/crossbario/crossbarexamples/tree/master/authenticate
>
> Look at the “dynamic” examples. E.g.
>
> https://github.com/crossbario/crossbarexamples/tree/master/authenticate/wampcradynamic/python

0 Likes

#9

Uups. I thought I added that already. Ok, but that is easy .. will do later this day:

https://github.com/crossbario/crossbar/issues/198

Sorry, I am doing too many things in parallel ..

/Tobias

On 07.01.2015 at 18:30, Yury Sobolev wrote:

> Er... The dynamic examples specify an authenticate method:
>
> def authenticate(realm, authid)
>
> That does not get any transport level information as far as I can tell.

0 Likes
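
The thread's second question, per-user IP allow/deny behind a proxy that sets "X-Forwarded-For", comes down to a decision function that an authenticator can call once it is handed transport-level information. The following is an added example, not Crossbar.io or crossbarexamples code; the `details` dict shape (`transport`, `peer_ip`, `http_headers`), the policy tables and all function names are assumptions.

```python
import ipaddress

# Constructed policy (hypothetical values): proxies whose X-Forwarded-For is
# believed, and per-user allow/deny networks.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
USER_ALLOW = {"alice": [ipaddress.ip_network("198.51.100.0/24")]}
USER_DENY = {"bob": [ipaddress.ip_network("192.0.2.66/32")]}


def in_nets(ip, nets):
    return any(ip in net for net in nets)


def client_ip(peer_ip, headers):
    """Pick the address that policy is applied to.

    Any client can send its own X-Forwarded-For, so the header is used only
    when the TCP peer is a trusted proxy. Hops are read right to left and the
    first one that is not a trusted proxy is taken as the client.
    """
    ip = ipaddress.ip_address(peer_ip)
    if not in_nets(ip, TRUSTED_PROXIES):
        return ip
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            return ip  # unparsable hop: keep the last address that validated
        if not in_nets(hop_ip, TRUSTED_PROXIES):
            return hop_ip
        ip = hop_ip
    return ip


def allow_session(authid, details):
    """Return (allowed, ip) for a joining session so both can be logged."""
    transport = details["transport"]  # assumed shape, see lead-in
    ip = client_ip(transport["peer_ip"], transport.get("http_headers", {}))
    if in_nets(ip, USER_DENY.get(authid, [])):
        return False, str(ip)
    allowed_nets = USER_ALLOW.get(authid)
    if allowed_nets is not None and not in_nets(ip, allowed_nets):
        return False, str(ip)
    return True, str(ip)
```

Logging both the TCP peer and the raw header alongside the resolved address keeps the record useful when the trusted-proxy list is later found to be wrong.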