OpenVidu 2.15 on-premise deployment security concern

Dear All,
I have deployed OpenVidu 2.15 using Docker with our app. My concern is how I can prevent a malicious user from trying to open bogus websocket connections to OpenVidu-server. I mean anybody can keep on trying to open wss connections using fake tokens. I know that without a valid token he cannot join, but it will still consume some resources of the server and may be a possible DoS threat? Am I right to assume that wss connections to OpenVidu-server are also going through the nginx proxy? If so, how do I secure the wss connection at the proxy level itself? I also want to limit API calls to localhost only, where my app is deployed. Is there any configuration to do so? Am I correct that it can be done via the nginx proxy?

Hi,

Any connection made to an OpenVidu deployment will be routed through the nginx proxy. So yes, your assumption that websocket connections need to get through nginx is right.

That being said, nginx does not incorporate by default a security option for limiting clients' websocket connections, simply because that's not the most common use case. Generally speaking, an application should allow client connections from any address.

But it is possible to limit the origins allowed to consume the REST API. Check out the ALLOWED_ACCESS_TO_RESTAPI configuration parameter.

Thanks @pabloFuente for your reply. I will test it. Can I use the nginx auth_request feature to check if the token is valid at the time of websocket connection initiation?