
    How to geo balance company internal WebRTC users based on client IP subnet

    Follow this guide if you would like to ensure that users from certain subnets are connected to particular conferencing nodes, while other users are routed to other conferencing nodes, based on the IP address/subnet the client is coming from.
     
    This is very useful if you are using WebRTC internally and have conference nodes in different regions, to ensure the users in a certain region hits their local nodes.
     
    All users connect to the same reverse proxy (RP), but the RP forwards each request to the conferencing nodes as configured in this example.
     
    For each of the example locations in this case, we will have two conferencing nodes as destinations for signaling. When signaling arrives at the conferencing nodes, they will assign media to the node that has most available capacity in this location, so it is not required to put all conf nodes in the list.
     
    For each location you will also see that we nominate two nodes as backup nodes, to be used if the primary nodes are not available.
     
     
    In this example, Norway is the default location (10.47.x.x), and the UK and US are regional locations with their own Pexip installations.
     
    UK has one subnet 10.44.0.0/16 
    US has two subnets, 10.1.0.0/16 and 10.101.0.0/16
    Everything else should go to Oslo (so this is the default)
    (/etc/nginx/sites-enabled/pexapp) 
     
    # Signalling targets for Oslo, the default location. The name suffix ("osl")
    # must match a value produced by the geo block, because the location uses
    # "proxy_pass https://webrtc.$geo".
    upstream webrtc.osl {
        # max_fails=2 fail_timeout=30s: after 2 failed attempts within 30s the
        # server is treated as unavailable for the following 30s.
        server 10.47.0.43:443 weight=1 max_fails=2 fail_timeout=30s;
        server 10.47.0.46:443 weight=1 max_fails=2 fail_timeout=30s;
        # UK is backup for Oslo
        # "backup" servers only receive requests when the primary servers are unavailable.
        server 10.44.13.2:443 weight=1 max_fails=2 fail_timeout=30s backup;
        server 10.44.13.3:443 weight=1 max_fails=2 fail_timeout=30s backup;
        }
     
    # Signalling targets for clients in the UK subnet (geo value "uk").
    upstream webrtc.uk {
        # Primary UK nodes; marked unavailable for 30s after 2 failures within 30s.
        server 10.44.13.2:443 weight=1 max_fails=2 fail_timeout=30s;
        server 10.44.13.3:443 weight=1 max_fails=2 fail_timeout=30s;
        # Oslo is backup for UK
        # Used only while both UK primaries are unavailable, so UK traffic then
        # crosses to the Oslo nodes.
        server 10.47.0.43:443 weight=1 max_fails=2 fail_timeout=30s backup;
        server 10.47.0.46:443 weight=1 max_fails=2 fail_timeout=30s backup;
        }
     
     
    # Signalling targets for clients in either US subnet (geo value "us").
    upstream webrtc.us {
        # Primary US nodes; marked unavailable for 30s after 2 failures within 30s.
        server 10.1.0.11:443 weight=1 max_fails=2 fail_timeout=30s;
        server 10.1.0.12:443 weight=1 max_fails=2 fail_timeout=30s;
        # Oslo is backup for US as well
        # Used only while both US primaries are unavailable.
        server 10.47.0.43:443 weight=1 max_fails=2 fail_timeout=30s backup;
        server 10.47.0.46:443 weight=1 max_fails=2 fail_timeout=30s backup;
        }
     
    # Maps the client address to the suffix of an upstream group name
    # (webrtc.osl / webrtc.uk / webrtc.us).
    # geo matches on $remote_addr by default, i.e. the peer address of the TCP
    # connection as seen by this RP. If a load balancer or NAT device sits in
    # front of the RP, every client appears to come from that device and falls
    # into a single location. In that case list only the trusted front-end
    # addresses with the geo "proxy" directive; do not derive the location from a
    # client-supplied X-Forwarded-For header.
    # Every value here must have a matching upstream block; an unmatched name in a
    # variable proxy_pass is treated as a hostname and needs a resolver.
    geo $geo {
        # Anything not listed below is sent to Oslo.
        default osl;
        10.44.0.0/16 uk;
        10.1.0.0/16 us;
        10.101.0.0/16 us;
    }
     
     
    Now to the location block: it uses the $geo variable, and if no specific subnet is matched, the default value is used (in this case osl, for the Oslo location).
     
        # Proxies every request to the upstream group selected by the client's subnet.
        location / {
            # $geo expands to osl/uk/us, selecting the upstream group of that name.
            # NOTE(review): nginx does not verify the upstream certificate unless
            # proxy_ssl_verify is enabled with a trusted CA; nothing here enables
            # it, so the RP-to-node hop is encrypted but not authenticated.
            proxy_pass https://webrtc.$geo;
            # HTTP/1.1 with an empty Connection header allows upstream connections
            # to be reused instead of sending "Connection: close".
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            # Pass the Host header value requested by the client to the node.
            proxy_set_header Host $host;
            proxy_redirect off;
            # Fail fast so an unreachable node is skipped quickly.
            proxy_connect_timeout 3s;
            # X-Real-IP is overwritten with the address this RP saw.
            proxy_set_header X-Real-IP $remote_addr;
            # X-Forwarded-For keeps whatever the client sent and appends
            # $remote_addr; only the last entry is vouched for by this RP.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # An empty value means the client's Authorization header is not
            # forwarded to the conferencing nodes.
            proxy_set_header Authorization "";
            # Responses are passed to the client as they arrive rather than buffered.
            proxy_buffering off;
        }
     
     
    Another example:
     
    In the below example, customer.com has a reverse proxy that needs to service internal and external clients and browsers.
     
     

    # Upstream servers
    #### External (DMZ) node(s)
    # Group used by "location /api" for clients that match no internal subnet.
    # "keepalive 1024" caches up to 1024 idle upstream connections per worker process.
    upstream pexip.ext {
    server 10.30.4.42:443 weight=1 max_fails=2 fail_timeout=30s;
    keepalive 1024;
    }
    # Group used by the /webapp, /webrtc and /static/webrtc locations.
    # ip_hash keeps a given client on the same server; for IPv4 the hash key is
    # the first three octets of the client address, so all clients in one /24
    # land on the same node.
    upstream pexip-webrtc.ext {
    ip_hash;
    server 10.30.4.42:443 weight=1 max_fails=2 fail_timeout=30s;
    }

    #### Internal east coast nodes
    # API group for clients in the east coast subnet (geo value "east").
    # No backup servers are defined, so there is no cross-site failover here.
    upstream pexip.east {
    server 10.30.4.41:443 weight=1 max_fails=2 fail_timeout=30s;
    server 10.30.4.40:443 weight=1 max_fails=2 fail_timeout=30s;
    keepalive 1024;
    }
    # WebRTC group for east coast clients; ip_hash pins each client (keyed on
    # the first three octets of its IPv4 address) to one of the two nodes.
    upstream pexip-webrtc.east {
    ip_hash;
    server 10.30.4.41:443 weight=1 max_fails=2 fail_timeout=30s;
    server 10.30.4.40:443 weight=1 max_fails=2 fail_timeout=30s;
    }

    #### Internal west coast nodes
    # API group for clients in the west coast subnet (geo value "west").
    # No backup servers are defined, so there is no cross-site failover here.
    upstream pexip.west {
    server 10.40.4.41:443 weight=1 max_fails=2 fail_timeout=30s;
    server 10.40.4.40:443 weight=1 max_fails=2 fail_timeout=30s;
    keepalive 1024;
    }
    # WebRTC group for west coast clients; ip_hash pins each client (keyed on
    # the first three octets of its IPv4 address) to one of the two nodes.
    upstream pexip-webrtc.west {
    ip_hash;
    server 10.40.4.41:443 weight=1 max_fails=2 fail_timeout=30s;
    server 10.40.4.40:443 weight=1 max_fails=2 fail_timeout=30s;
    }

    # Chooses between the external (DMZ) node and the internal node groups by
    # client address. This is a routing decision only, not an access control:
    # it does not stop a client from reaching the RP, and it is only as accurate
    # as the address nginx sees. geo uses $remote_addr by default; if internal
    # clients reach this RP through NAT or a load balancer whose address is not
    # in the ranges below, they are routed to the external node. If a trusted
    # front end is in use, declare it with the geo "proxy" directive; do not
    # take the address from an unauthenticated X-Forwarded-For header.
    geo $geo {
    default ext; #default to the external conference node(s)
    10.30.0.0/16 east; # Presumes that 10.30.0.0 is the internal east coast subnet
    10.40.0.0/16 west; # Presumes that 10.40.0.0 is the internal west coast subnet
    }

    # Redirect HTTP to HTTPS
    # Plain-HTTP listener whose only job is to send clients to HTTPS.
    server {
    listen 80;
    server_name connect.customer.com 10.30.4.45;
    # $host is taken from the request (the Host header when present), so the
    # redirect target mirrors whatever name the client used, including the IP
    # literal listed above.
    # NOTE(review): the certificate presumably covers connect.customer.com and
    # not the IP address; confirm whether redirecting to the canonical name
    # would be preferable.
    return 301 https://$host$request_uri;
    }

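    # HTTPS front end for connect.customer.com. Requests are proxied to the
    # upstream group chosen by $geo (ext / east / west).
    server {
        listen 443 ssl;
        server_name connect.customer.com;

        # Contents of these includes are not shown on this page.
        include /etc/nginx/includes/pex-rewrites.conf;
        include /etc/nginx/includes/pex-ldap.conf;

        # Certificate and private key are read from the same PEM file, so that
        # file contains the private key: keep it readable by root only.
        ssl_certificate ssl/pexip.pem;
        ssl_certificate_key ssl/pexip.pem;
        ssl_session_timeout 5m;

        # TLSv1 and TLSv1.1 are deprecated and have been dropped. Add TLSv1.3
        # where the installed nginx and OpenSSL builds support it.
        ssl_protocols TLSv1.2;
        # RC4 is broken and has been removed from the list (and explicitly
        # excluded, together with 3DES); AEAD suites are preferred first.
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:HIGH:!RC4:!3DES:!MD5:!aNULL:!DH:!EDH;
        ssl_prefer_server_ciphers on;

        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;

        # Redirect from web root to /webapp
        location / {
            return 301 /webapp;
        }


        # Client API calls. Uses the pexip.* groups (keepalive, no ip_hash).
        location /api {
            # Retry the next server in the group on these upstream results.
            proxy_next_upstream http_404 http_500 http_502 http_503 http_504 error timeout;
            # NOTE(review): nginx does not verify the upstream certificate
            # unless proxy_ssl_verify is enabled with a trusted CA; the same
            # applies to every proxy_pass in this server block.
            proxy_pass https://pexip.$geo;
            proxy_redirect off;
            # NOTE(review): unlike the other locations, no
            # "proxy_set_header Host $host" is set here, so the node receives
            # the upstream group name as Host. Confirm this is intended.
            # X-Real-IP is overwritten by the RP; X-Forwarded-For keeps any
            # client-supplied value and appends $remote_addr, so only its last
            # entry is vouched for by this RP.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # HTTP/1.1 with an empty Connection header is required for the
            # upstream "keepalive" connection cache to be used.
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_connect_timeout 2s;
            # "pexapplog" is a log_format defined outside this snippet.
            access_log /var/log/nginx/pexapp.access.log pexapplog;
            error_log /var/log/nginx/pexapp.error.log;
            include /etc/nginx/includes/pex-ldap-api.conf;
        }

        # Web app; uses the ip_hash groups so a client stays on one node.
        location /webapp {
            proxy_pass https://pexip-webrtc.$geo;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_redirect off;
            proxy_connect_timeout 3s;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log /var/log/nginx/webapp.access.log;
            error_log /var/log/nginx/webapp.error.log;
        }

        location /webrtc {
            proxy_pass https://pexip-webrtc.$geo;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_redirect off;
            proxy_connect_timeout 3s;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log /var/log/nginx/webrtc.access.log;
            error_log /var/log/nginx/webrtc.error.log;
        }

        location /static/webrtc {
            proxy_pass https://pexip-webrtc.$geo;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_redirect off;
            proxy_connect_timeout 3s;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log /var/log/nginx/webrtc.access.log;
            error_log /var/log/nginx/webrtc.error.log;
        }

        # Locally served stats pages, restricted by source address.
        location /stats {
            root /var/www;
            # NOTE(review): the original listed this same range twice. The
            # duplicate has been dropped; if a second internal range was meant
            # (for example the other site), add it as its own line:
            #   allow <second-internal-range>;
            allow 10.30.0.0/21;
            deny all;
            access_log /var/log/nginx/stats.access.log;
            error_log /var/log/nginx/stats.error.log;
        }

        location /404.html {
            root /var/www;
        }

        location /50x.html {
            root /var/www;
        }
    }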

     