Ant Media Server with Apache Reverse Proxy

I’ve been using the Community Edition of Ant Media Server for quite a while. The server is normally addressed via HTTP on port 5080. In principle, HTTPS with Let’s Encrypt is also possible, but only if no web server is already active on port 80, which is not practical for my application. Instead, I configured a reverse proxy in Apache.

However, after one of the last updates there was an unexpected problem: the live stream was still working, but trying to log in to the dashboard was answered with HTTP 403. The solution is to add the option ProxyAddHeaders off to the proxy configuration. Apparently Ant Media denies access to the dashboard when a proxy is used. The new configuration now looks like this:

RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:5080/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://localhost:5080/$1 [P,L]
ProxyAddHeaders off
ProxyPass / http://localhost:5080/
ProxyPassReverse / http://localhost:5080/

In this way, both the dashboard and live streams can be used. Just be aware that Ant Media now also treats every incoming request as if it came from 127.0.0.1 and not from the IP address of the client.

Update 2022-08-29

The reason for this behavior is now also clear:

Ant Media doesn’t support IPv6 – at least the community version I’m currently using. This can easily be checked by setting up an FQDN for the machine running Ant Media that only has an AAAA record and then trying to contact Ant Media using that name and port 5080. In this case no connection is possible, since Ant Media has no IPv6 listener, only an IPv4 one.

When using a proxy, connection requests via IPv6 are handled by the proxy and then forwarded to Ant Media via IPv4. However, these requests contain the IPv6 address as the source in the headers, which Ant Media cannot interpret as an allowed IPv4 address, and it therefore rejects the request.

The addition ProxyAddHeaders off prevents the IPv6 source address from being passed on in the headers, so that for Ant Media all requests come as IPv4 from the address 127.0.0.1, which is accepted.
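
The behaviour described in this update can be modelled in a few lines of Python. This is an added example, not Ant Media's code: the CIDR allow-lists, the sample addresses (documentation ranges) and the function names are assumptions made for illustration, as is the rule that the forwarded header is only honoured when the request arrives from the local proxy.

```python
import ipaddress

PROXY = "127.0.0.1"  # Apache runs on the same host, as in the setup above
# Constructed allow-lists; the real filter settings are not shown on this page.
IPV4_ONLY = ["127.0.0.1/32", "192.0.2.0/24"]
DUAL_STACK = IPV4_ONLY + ["::1/128", "2001:db8::/32"]

def effective_client(peer_ip, headers):
    """Address the backend evaluates for access control.

    X-Forwarded-For is honoured only when the TCP peer is the proxy;
    otherwise the header is ignored and the peer address is used.
    """
    xff = headers.get("X-Forwarded-For")
    if xff and peer_ip == PROXY:
        return xff.split(",")[0].strip()
    return peer_ip

def allowed(addr, cidrs):
    """True if addr lies in one of the CIDRs; the other IP family never matches."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # an unparsable value is rejected
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return any(ip.version == n.version and ip in n for n in nets)

def status(peer_ip, headers, cidrs):
    """HTTP status the modelled dashboard returns for one request."""
    return 200 if allowed(effective_client(peer_ip, headers), cidrs) else 403

if __name__ == "__main__":
    v6 = {"X-Forwarded-For": "2001:db8::10"}  # header added by the proxy
    print("IPv6 client, headers forwarded, IPv4-only list:", status(PROXY, v6, IPV4_ONLY))
    print("same client, ProxyAddHeaders off:", status(PROXY, {}, IPV4_ONLY))
    print("same client, dual-stack list:", status(PROXY, v6, DUAL_STACK))
```

The second case succeeds only because the client address is no longer visible to the backend, which is the trade-off noted above; the third case keeps the client address and still passes.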

Update 2022-09-10

The problem can be fixed by adjusting the configuration, which will probably be included in one of the next updates of Ant Media – also see Use Ant Media with IPv6.
