The TrueConf Server messenger provides chat and video communication within a corporate network. If the server needs to be accessible from outside the network (from the internet), web services are often placed behind a reverse proxy for security reasons. <\/p>\n
A reverse proxy<\/b> is a dedicated node (service) in the network infrastructure that is configured to forward traffic from client devices to the company’s web servers, hiding the real addresses of these servers from the external network. In our case, this means the TrueConf Server web service will be shielded from direct external access. We will use NGINX as the proxy.<\/p>\n \nTrueConf Technical Support does not recommend<\/b> routing media traffic through NGINX, even though it is technically possible. We cannot guarantee the stable operation of NGINX when handling large volumes of media traffic. All traffic on port 4307, which uses the proprietary TrueConf protocol, is encrypted with the AES-256 algorithm; therefore, using a firewall is considered sufficient for securing this connection.\n<\/p>\n<\/div>\n In our case the proxy machine will run Debian 11; the following software will be installed:<\/p>\n If you are running TrueConf Server on Windows, you can also install NGINX, in which case the general configuration logic remains the same.<\/p>\n We first have to configure NGINX as a proxy for the TrueConf Server web service. In our configuration, it will proxy the traffic coming to the standard HTTP and HTTPS ports: 80<\/b> and 443<\/b> respectively. If you are using different ports (check the server documentation<\/a> if you want to change them), you will need to specify them in the corresponding lines in the settings below.<\/p>\n To configure the proxy server, you will need to write directives in the configuration file. By default this file is called nginx.conf<\/b> and can be found in one of the following directories:<\/p>\n Directives should be placed within the server { \u2026 }<\/b> block. Please take these steps:<\/p>\n In the proxy_pass directive, specify the internal address of TrueConf Server in your local network. It will be available to the host from NGINX. This directive will make sure that the traffic coming to the ports specified previously will be routed to the selected address. In addition to proxying, this block will configure the transfer of HTTP headers and disable the verification of the SSL certificate.<\/li>\n At this point, the configuration of the Nginx proxy server is complete. To apply all the changes, you will need to restart the server. To do it, run the following command as the superuser:<\/p>\n In addition to the protocols discussed previously (HTTP, HTTPS, and WebSocket), other protocols that use different ports may be needed for the correct work of all features available in TrueConf video conferencing:<\/p>\n In this case, HTTP\/HTTPS traffic routing via the NGINX web server will not be enough. You can use a firewall to configure forwarding for other ports. For example, it is possible to use the firewalld<\/a> package.<\/p>\n Explanation of the parameters:<\/p>\n Explanation of the parameters:<\/p>\n Explanation of the parameters:<\/p>\n When the configuration is completed, restart firewalld to save changes:<\/p>\n Next, check if the settings have been applied. To do it, run the command identical to the one you used for port forwarding. You only have to replace If the word The TrueConf Server messenger provides chat and video communication within a corporate network. If the server needs to be accessible from outside the network (from the internet), web services are often placed behind a reverse proxy for security reasons. A reverse proxy is a dedicated node (service) in the network infrastructure that is configured to […]<\/p>\n","protected":false},"author":65,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[260],"tags":[186],"class_list":["post-22514","post","type-post","status-publish","format-standard","hentry","category-knowledge-base","tag-administration","wpautop"],"_links":{"self":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/22514","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/comments?post=22514"}],"version-history":[{"count":21,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/22514\/revisions"}],"predecessor-version":[{"id":44074,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/posts\/22514\/revisions\/44074"}],"wp:attachment":[{"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/media?parent=22514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/categories?post=22514"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trueconf.com/blog\/wp-json\/wp\/v2\/tags?post=22514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
Proxy server configuration<\/h2>\n
\n
\/etc\/nginx<\/code>;<\/li>\n\/usr\/local\/nginx\/conf<\/code>;<\/li>\n\/usr\/local\/etc\/nginx<\/code>.<\/li>\n<\/ul>\n\n
listen 80 default_server;\r\n listen [::]:80 default_server;\r\n\r\n listen 443 ssl default_server;\r\n listen [::]:443 ssl default_server;\r\n<\/pre>\n<\/li>\n
ssl_certificate \/etc\/example\/certificate.crt;\r\n ssl_certificate_key \/etc\/example\/cert-key.key;\r\n<\/pre>\n<\/li>\n
location \/ {\r\n proxy_pass https:\/\/192.168.10.1:443;\r\n proxy_ssl_verify off;\r\n proxy_set_header Host $host;\r\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\r\n proxy_set_header X-Real-IP $remote_addr;\r\n }\r\n<\/pre>\n location \/websocket\/ {\r\n proxy_pass http:\/\/192.168.10.1:4309\/websocket\/;\r\n proxy_http_version 1.1;\r\n proxy_set_header Upgrade $http_upgrade;\r\n proxy_set_header Connection \"Upgrade\";\r\n proxy_set_header Host $host;\r\n }\r\n<\/pre>\n sudo nginx -s reload\r\n<\/pre>\n<\/li>\n<\/ol>\n
Firewall configuration<\/h2>\n
\n
\n
sudo apt install firewalld\r\n<\/pre>\n<\/li>\n
sudo firewall-cmd --permanent --zone=\"public\" --add-service=http\r\n sudo firewall-cmd --permanent --zone=\"public\" --add-service=https\r\n<\/pre>\n
\n
--permanent<\/code> \u2013 enables to add the setting on a permanent basis<\/a> by saving it after the restart of the OS or firewall<\/li>\n--zone=\"public\"<\/code> \u2013 selects the zone<\/a> to which the configuration will apply<\/li>\n--add-service<\/code> \u2013 adds the service<\/a> to the specified zone.<\/li>\n<\/ul>\n<\/div>\n<\/li>\nsudo firewall-cmd --permanent --zone=\"public\" --add-forward-port=port=554:proto=tcp:toport=554:toaddr=192.168.10.1\r\nsudo firewall-cmd --permanent --zone=\"public\" --add-forward-port=port=50000-51999:proto=udp:toport=50000-51999:toaddr=192.168.10.1\r\n<\/pre>\n
\n
--add-forward-port<\/code> \u2014 enables to forward a port from one machine to another<\/li>\nport<\/code> \u2013 specifies the port or a range of ports that will be forwarded<\/li>\nproto<\/code> \u2013 specifies the protocol that will be used to transfer data via a port<\/li>\ntoport<\/code> \u2013 specifies the target port<\/li>\ntoaddr<\/code> \u2013 specifies the address of the machine to which the initial port will be forwarded.<\/li>\n<\/ul>\n<\/div>\n<\/li>\n sudo firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -p tcp -m multiport --dports 4307,554,1720,5060,52000:52499 -j SNAT --to-source 192.168.10.2\r\n sudo firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -p udp -m multiport --dports 5060,50000:51999 -j SNAT --to-source 192.168.10.2\r\n<\/pre>\n
\n
--direct<\/code> \u2013 enables direct interface<\/a> allowing fine tuning (this is the syntax of the iptables package)<\/li>\n--add-rule<\/code> \u2013 adds an iptables rule<\/li>\nipv4<\/code> \u2013 indicates<\/a> that the configuration is made for IPv4 traffic<\/li>\nnat<\/code> \u2013 enables the NAT table<\/a><\/li>\nPOSTROUTING<\/code> – enables the POSTROUTING<\/a> chain<\/a><\/li>\n0<\/code> \u2013 the priority of the specified rule (0 is the highest priority)<\/li>\n-p tcp<\/code> – selects<\/a> TCP network protocol<\/li>\n-p udp<\/code> \u2013 selects<\/a> UDP network protocol<\/li>\n-m multiport<\/code> \u2013 applies the rule to multiple ports<\/a><\/li>\n--dports<\/code> \u2013 the list of ports<\/a> to which the rule will apply<\/li>\n-j SNAT<\/code> – selects the action<\/a> that will be performed if the packet matches the specified rule<\/li>\n--to-source 192.168.10.2<\/code> \u2013 specifies<\/a> the IP address that will be used to replace the initial one (in our case, it is the proxy IP address)<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<\/ol>\nConfiguration test<\/h2>\n
sudo firewall-cmd --reload\r\n<\/pre>\n
--add-forward-port<\/code> with -\u2013query-forward-port<\/code>. For example, to check if the 554<\/b> port has been forwarded, run this command:<\/p>\n sudo firewall-cmd --permanent --zone=\"public\" --query-forward-port=port=554:proto=udp:toport=554:toaddr=192.168.10.1\r\n<\/pre>\n
no<\/code> is displayed in the console, the port has not been forwarded. This problem may occur because you did not include the --permanent<\/code> key in the corresponding command. Re-run this command and make sure that this key is included.
\nIf the word yes<\/code> is displayed in the console, the port has been successfully forwarded to the machine with TrueConf Server.<\/p>\n","protected":false},"excerpt":{"rendered":"