    Potential issues with your Reverse Proxy integration post Pexip v18+ upgrade.

    *** NOTE ***

    The OS that was used for the v5 Reverse Proxy/TURN server build (Ubuntu LTS 14.04) is End of Life in April 2019, so you will no longer receive OS security fixes from this date. You should actively upgrade your Reverse Proxy (if still required) to our latest documented release (see https://docs.pexip.com/rp_turn/rpturn_intro.htm#new). 


    As noted in our change in functionality notes for v18 (https://docs.pexip.com/admin/previous_releases.htm#v18, "Security improvements: only TLS1.2 is enabled by default for inbound HTTPS connections and ability to enable HTTP Content Security Policy on Conferencing Nodes"), Pexip v18 and later disables TLS 1.0 and 1.1 for inbound HTTPS connections. If you are running a very old version of the Pexip-supplied Reverse Proxy/TURN server image (v3), the TLS connection will break. You may then see the following error when navigating to the Reverse Proxy landing page:

    An error occurred. Sorry, the page you are looking for is currently unavailable. Please try again later.

    You have several options to get things working again, listed below in preferential order:

    1. The most sensible course of action is to deploy and re-configure a new Reverse Proxy based on our latest version (currently v6.07 at the time of writing; the latest information can be found at https://docs.pexip.com/admin/integrate_rpturn.htm). You will need to stand up this Reverse Proxy and configure it as per our documentation on the above pages.
    2. Remove the Reverse Proxy entirely. One of the biggest reasons for a reverse proxy is to provide multiple web app brandings for multiple customers if you are a service provider. If you only require a single brand, you may not need a reverse proxy at all, and with the introduction of our Proxying Edge node in v15, the need for the reverse proxy is reducing. Instead of pointing the 'A' record at the Reverse Proxy, you could instead use multiple round-robin 'A' records and target the DMZ nodes directly (assuming that you have the correct SAN entries on the DMZ node certificates, and firewall rules in place to allow direct HTTPS access to the nodes). A caveat here is that if a node is in maintenance mode, HTTP requests will not be redirected to another node.
    3. Upgrade the OS of the RP, as per the instructions in the release notes at https://docs.pexip.com/admin/previous_releases.htm#changes_v18 ("Security improvements: only TLS1.2 is enabled by default for inbound HTTPS connections and ability to enable HTTP Content Security Policy on Conferencing Nodes"), ensuring you have taken a VM snapshot before proceeding, and understanding that this may break other functionality, such as TURN, as we do not test this upgrade path. I am deliberately not outlining the instructions required to achieve this here, as one of the previously mentioned steps would be a better choice.
    4. Regress the security level on Pexip to enable TLS v1.0 and v1.1, although I would strongly advise against this course of action (I merely list it here as an extreme possibility).
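    Before choosing one of the options above, it helps to confirm which TLS versions a Conferencing Node actually accepts, and whether the host you run this from (for example the Reverse Proxy itself) can still complete a TLS 1.2 handshake to it. The script below is an added example, not Pexip code; the hostname is a placeholder and it requires Python 3.7+.

```python
import socket
import ssl

# Placeholder target: replace with your Conferencing Node / Proxying Edge node.
PEXIP_NODE = "conf-node.example.com"
PORT = 443

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_tls_version(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to exactly `version`.

    Certificate validation is disabled on purpose: this checks protocol support,
    not identity. A False result for TLS 1.0/1.1 may also mean that the local
    OpenSSL refuses to offer them, which is harmless for this check.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def diagnose(results):
    """Interpret a {version_name: accepted} map against the v18+ expectation."""
    if not results.get("TLS 1.2"):
        return "fail: no TLS 1.2 handshake; the client or node needs upgrading"
    legacy = [name for name in ("TLS 1.0", "TLS 1.1") if results.get(name)]
    if legacy:
        return "warn: legacy " + ", ".join(legacy) + " still accepted"
    return "ok: TLS 1.2 only"


if __name__ == "__main__":
    found = {name: probe_tls_version(PEXIP_NODE, PORT, ver) for name, ver in VERSIONS.items()}
    for name, accepted in found.items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
    print(diagnose(found))
```

    Run it from the Reverse Proxy host: a "fail" result there with an "ok" result from a modern workstation points at the proxy's TLS client being too old, which is the situation this article describes.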
