# HTTPS component

# Component description

After the component is installed, the corresponding service will be automatically added on the OS:

On Windows, it will be named TrueConf Border Controller htpps and will have the id tc_bchttps, the path to the executable file will be C:\Program Files\TrueConf\Border Controller\tc_bchttps.exe.
On Linux, it will be identified as trueconf-bchttps, the path to the executable file will be /opt/trueconf/border-controller/bin/tc_bchttps.

The parameters for working with the HTTPS protocol are specified in the webproxy.toml configuration file as shown below.

It is possible to work with multiple instances of TrueConf Server (web traffic proxying) behind a single TrueConf Border Controller. To achieve this, you need to configure the mapping of network interfaces and targets as demonstrated below.

The launch of this component is configured similarly to the component for handling the TrueConf traffic. However, there are certain differences:

You need to configure the certificate in advance.
The parameters are specified in the webproxy.toml configuration file.
The component uses the logging parameters set in the tc_bc.cfg file which is created when configuring the component for the TrueConf protocol.

# Configuration of certificates

Step 1

If a self-signed certificate is configured on TrueConf Server, download it via the link Download ca.crt in the Self-signed certificate section and add it to the trusted root certificates on the machine with TrueConf Border Controller. Check the documentation for your OS to learn how it can be done.

You can also just set the parameter skip_verify = true (see below), but we recommend doing it only for temporary testing purposes.

For example, on Debian:

Copy the certificate file to the certificate storage in the directory usr/local/share/ca-certificates/:

sudo cp ca.crt /usr/local/share/ca-certificates/

Update the certificate storage with this command:

sudo update-ca-certificates -v

If you receive an error message indicating that the command is not found, install the package from the repository with this command:

sudo apt install -y ca-certificates

To check if your OS trusts the certificate, run this command:

openssl verify /usr/local/share/ca-certificates/ca.crt

Step 2

On Linux, after copying the certificate files, make sure that their owner is set to trueconf-border-controller. Otherwise, the TrueConf Border Controller service will not start correctly. To verify the ownership status, run the following command:

ls -l /usr/local/share/ca-certificates/ca.crt

The terminal should display trueconf-border-controller trueconf-border-controller in columns 2 and 3. If this is not the case, execute this command:

sudo chown trueconf-border-controller:trueconf-border-controller /usr/local/share/ca-certificates/ca.crt

Step 3

In the TrueConf Server control panel, go to the section Web → Settings and enter the address of the machine, where TrueConf Border Controller is installed, in the field External address of TrueConf Server web.

Step 4

Create a certificate for the machine with TrueConf Border Controller. If a commercial certificate is not available, you can create a self-signed certificate as shown in our knowledge base.

Step 5

Copy the certificate and key obtained at Step 3 to the directory <path_to_border_controller>\etc\crt\ where <path_to_border_controller> is the path to the executable file of the component on your OS.

Step 6

Generate a 128-bit GUID identifier, for example, using the online service UUID Generator (opens new window).

Rename the certificate and key files in this way <guid>.crt and <guid>.key, where <guid> is the GUID received during the previous step.

# Configuration file settings

The configuration file webproxy.toml will be created during component installation:

on Windows: C:\Program Files\TrueConf\Border Controller\etc\webproxy.toml
on Linux: /opt/trueconf/border-controller/etc/webproxy.toml

By default, the configuration file contains the following lines:

## [certificate]
## cert_extension = '.crt'
## key_extension = '.key'

[dir]
executable_relative = false
installation = '/opt/trueconf/border-controller'
logs = '/opt/trueconf/border-controller/var/log'

[file]
configname = 'webproxy'

[interfaces]
[interfaces.list]
[interfaces.list.0]
Address = 'localhost:443'
EnableTLS = false
ReadTimeout = 0
## HostWhitelist = []
## HostHeaders = ['Host']
## TLSConfigID = ''
## TargetID = '2f0dbf86-8378-41fc-9c5a-89a43728a0b7'

## [interfaces.list.1]
## Address = '[::]:443'
## EnableTLS = true
## ReadTimeout = 0
## HostWhitelist = []
## HostHeaders = ['Host']
## TLSConfigID = 'd25ceb20-f473-41dc-8db9-37f4dec1a3d1'
## TargetID = 'a824b5cb-c92d-4a52-a5cc-434fecaba6a8'

[proxy]
trust_client_headers = false

## [targets]
## [targets.list]
## [targets.list.2f0dbf86-8378-41fc-9c5a-89a43728a0b7]
## address = 'example.org:80'
## is_secure = false

## [targets.list.a824b5cb-c92d-4a52-a5cc-434fecaba6a8]
## address = 'example.org:443'
## is_secure = true
## skip_verify = true

## [tls]
## [tls.list]
## [tls.list.d25ceb20-f473-41dc-8db9-37f4dec1a3d1]
## CertificateID = 'd25ceb20-f473-41dc-8db9-37f4dec1a3d1'
## CertificateType = 'user-provided'
## DisplayName = 'My TLS configuration'
## ID = 'd25ceb20-f473-41dc-8db9-37f4dec1a3d1'

Specify the following values to configure the component for the HTTPS protocol:

in the [dir] section:
- installation — the path to the executable file of the component

The blocks in the [interfaces] section describe external network interfaces that receive new connections. They have to include a unique number (0, 1, etc.) in the line [interfaces.list.NUMBER], for example, [interfaces.list.0]. The parameters that can be included in each block are as follows:
- Address is the address and port for each interface in the format address:port. If no address is specified, all interfaces will listen on the given port (the port is required). There is no need to specify the prefix (scheme), such as https:// or http://, in the address.
- TLSConfigID — the name of the certificate and key files received at step 5
- TargetID — GUID for identifying a block of HTTPS settings from the [targets] section
- EnableTLS — indicates if it is necessary to use TLS for incoming connections. If the port is 443, set this parameter to true.
- HostHeaders are the HTTP headers read by TrueConf Border Controller to identify the address to which a connection is being made. The default value is Host. If the list is empty, Host will still be used. You can add other environment-specific headers, such as X-Forwarded-Host or X-Forwarded-Server. If multiple headers are specified, TrueConf Border Controller will search for each one in the incoming HTTP request from the first one to the last. The first found header will be used. The host/port is trimmed from the value, and the resulting string is searched in the HostWhitelist list.
- HostWhitelist is the list of trusted addresses for TrueConf Border Controller. Only requests to these addresses will be processed, while requests to other addresses will be immediately discarded. For example, if you specify some.example.com, any other addresses entered in the browser will not pass through TrueConf Border Controller. If the list is empty, packet forwarding is allowed for all web addresses.

[interfaces.list.1] and [interfaces.list.0] can be swapped; their order does not matter. The key point is that if there is only one web port, only one block [interfaces.list.0] or [interfaces.list.1] has to be specified, otherwise, two blocks with different numbers need to be used.

In the [proxy] section, general proxy settings are specified:
- trust_client_headers determines whether incoming headers can be trusted. You should set this parameter to false, if you need to configure the forwarding of real addresses through TrueConf Border Controller towards TrueConf Server.
- X-Forwarded-For — if this parameter is set to false, the value X-Forwarded-For in the headers of received HTTP packets will be ignored. The chain of preceding proxy servers will be lost.

for each [targets.list.<guid>] blocks in the [targets] section:
- generate unique GUIDs and add them instead of <guid> in the names (these GUIDs will be used to link each [targets.list.<guid>] block with the corresponding parameters from [interfaces.list.0])
- address — IP address or FQDN of TrueConf Server and the port for the transfer of traffic from the component
- is_secure — the value is true, if an HTTPS port is specified for the address parameter of the current [targets.list.<guid>] block,; otherwise, this parameter is set to false
- skip_verify — specifies whether it is possible to continue working with untrusted certificates (TLS) when HTTPS is configured
- allow_access_by_host — if you need to redirect traffic to the video conferencing server by FQDN instead of IP, set the value to true. If traffic will be redirected by IP, set this parameter to false.
- host — if the value allow_access_by_host = true is specified, here, you need to enter the domain name for redirection, this name will be resolved to the required IP according to network settings
in the [tls] section:
- for the [tls.list.<guid>] block name, replace <guid> with the TLSConfigID value (it is also the name of the certificate file from step 5)
- CertificateID and ID — value of TLSConfigID.

7. Save the file webproxy.toml and run the component.

# Forwarding of real addresses

Generally, when web traffic passes through TrueConf Border Controller, the X-Forwarded-For headers are rewritten on its side for security reasons. As a result, the video conferencing server does not know the real address of the request sender. This may create certain inconveniences, if some settings are based on the address, such as access to the control panel or user authentication methods in client applications.

In such cases, you can disable header overwrite:

On the machine with TrueConf Server, open the file:
on Linux: /opt/trueconf/server/etc/webmanager/extra/httpd-remoteip.conf
on Windows: C:\Program Files\TrueConf Server\httpconf\conf\extra\httpd-remoteip.conf

2. Add the string RemoteIPTrustedProxy with the address of the machine where TrueConf Border Controller is installed.

3. Set the parameter value trust_client_headers = false in the webproxy.toml file on the side of TrueConf Border Controller.

If there are additional proxies before TrueConf Border Controller, they should be made responsible for removing the client header, and trust_client_headers should be enabled on TrueConf Border Controller.

# Launching the component on Windows

Similarly to the component for the TrueConf protocol, the service on Windows can be started from the services.msc tool or from the terminal with the help of the sc.exe utility. For example:

sc start tc_bchttps

The component can be added to the automatic startup in a similar way, for example:

sc config tc_bchttps start=auto

# Launching the component on Linux

To control the component, use the utility systemctl as it was described for trueconf-bc. For example, to start the component, run this command:

sudo systemctl start trueconf-bchttps

← The component for the TrueConf protocol