rds-relay-server v2.2.1
Table of Contents generated with DocToc
rds-relay-server
WebSocket Relay Server for Remote Device Diagnosis
Rename from "wstty-server"
wstty-server was originally developed for embedded linux environment (running on the IoT gateway to manage many other IoT devices in the same subnet), so its codes are heavily dependent on yapps and produce single bundle js file for execution with browserify. However, yapps does not support cluster, which will be an obvious limitation to wstty-server at larger scale deployment. So, in the roadmap of wstty-server, we are planning to rewrite it from scratch by considering cloud native environment and scability since v2.0.
To align with v2.0 plan of wstty-server and our official service RDS (Remote Diagnosis Service) publish, we rename wstty-server
to rds-relay-server
and starts its first rollout version v2.0.0
.
Docker
Repository: https://hub.docker.com/r/tictactoe/rds-relay-server
Basic Usages
Running rds-relay-server
with Docker for one-time is quite simple:
$ docker run --rm -p 6030:6030 --name rds-relay-server tictactoe/rds-relay-server:latest
Or, maybe run rds-relay-server
as a background daemon:
$ docker run -d -p 6030:6030 --name rds-relay-server tictactoe/rds-relay-server:latest
Advanced Usages
The docker image supports to dump default YAML configuration, and run the daemon with the modified YAML configuration file. For example:
$ docker run --rm tictactoe/rds-relay-server:latest config > YOUR_PATH/rds.yml
$
$ docker run \
-d \
-v YOUR_PATH/rds.yml:/tic/config/default.yml \
-p 6030:6030 \
--name rds-relay-server \
tictactoe/rds-relay-server:latest
Advanced Installation
User Management
T.B.D.
Websocket over TLS
wstty-server doesn't support websocket over TLS as builtin feature, but we recommend to configure Nginx to support SSL/TLS Offloading to work with wstty-server. Here is sample nginx configuration:
server {
listen 443 ssl http2;
server_name wstty.example.com;
server_tokens off;
# Certificates
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
# SSL
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# modern configuration
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 2s;
# individual nginx logs for this redmine vhost
access_log /var/log/nginx/wstty-example-com.access.log;
error_log /var/log/nginx/wstty-example-com.error.log;
## If a file, which is not found in the root folder is requested,
## then the proxy pass the request to the upsteam (redmine unicorn).
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:6030;
}
error_page 500 /500.html;
}
server {
listen 80;
server_name wstty.example.com;
return 301 https://$server_name$request_uri;
}
Above configuration assumes:
- The site for wstty-server is https://wstty.example.com
- You've applied wildcard SSL certificate for
example.com
domain from Let's Encrypt, and put those certificates at/etc/letsencrypt/live/example.com
- wstty-server and nginx are running in the same machine, so
proxy_pass http://127.0.0.1:6030
Store above configuration file at /etc/nginx/conf.d/wstty-example-com.conf
, and force Nginx to reload settings. Then open browser to visit https://wstty.example.com/tty to enjoy Web TTY with default account test1
(password is the same).
Reference studies:
- SSL/TLS Offloading, Encryption, and Certificates with NGINX and NGINX Plus
- Generate Wildcard SSL certificate using Let’s Encrypt/Certbot
- Nginx Beginner’s Guide
TODO
Refer to TODO.md.