Pexip Geo Policy Server

Pexip Geo Location Policy server for WebRTC

This blog illustrates how to build a simple policy server for the Pexip platform. The end result provides the means to nominate a Pexip Location based on the country the user is connecting from. This is particularly useful for Pexip installations that span multiple AWS regions while incoming HTTPS requests arrive in a single region via a reverse proxy.

This blog will step you through how to:

  • Deploy an Ubuntu instance in AWS
  • Install NGINX reverse proxy
  • Create a virtual python environment
  • Install a policy server from git
  • Install the Maxmind DB
  • Configure NGINX to serve the policy server
  • Start the policy server

Install an Ubuntu AMI

Install an Amazon Ubuntu AMI, ssh into the instance, then configure as follows:

sudo apt-get update
sudo apt-get install python-pip python-dev nginx
sudo pip install virtualenv
git clone https://github.com/lorist/pexgeo.git
cd pexgeo
virtualenv policyvenv
source policyvenv/bin/activate
pip install -r requirements.txt
sudo add-apt-repository ppa:maxmind/ppa
sudo aptitude update
sudo aptitude install libmaxminddb0 libmaxminddb-dev mmdb-bin

Test that the web server runs:

uwsgi --socket 0.0.0.0:8000 --protocol=http -w wsgi

Now download the GeoIP database:

python policy.py -o

Success looks like this:

2016-03-24 11:18:32,180: downloading fresh database from: http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz
2016-03-24 11:18:32,189: Starting new HTTP connection (1): geolite.maxmind.com
2016-03-24 11:18:32,312: decompressing database file...

Copy the config file to install the policy as a service:

sudo cp policy.conf /etc/init/

Configure NGINX

sudo nano /etc/nginx/sites-enabled/default

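Add the desired configuration to the file. The file listed below is essentially the default out-of-the-box NGINX config, except for the section between Policy server START and Policy server END. In that section the two auth_basic lines are commented out, so the policy endpoint on port 8081 is served over plain HTTP without authentication unless you enable them.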

server {
listen 80 default_server;
listen [::]:80 default_server;

# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;

root /var/www/html;

# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;

server_name _;

location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
# fastcgi_pass unix:/var/run/php5-fpm.sock;
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

################## Policy server START ###############################
server {
listen 8081 default_server;

error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location / {
#auth_basic "Restricted";
#auth_basic_user_file /etc/nginx/.htpasswd;
include uwsgi_params;
uwsgi_pass unix:/home/ubuntu/pexgeo/policy.sock;
}
}
#################Policy server END #########################################

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}

Restart nginx:

sudo service nginx restart

Start the policy server:

sudo start policy

Tail /var/log/syslog to see the logs.

Test in a browser:

http://your-elastic-ip:8081/policy/v1/participant/location?remote_address=8.8.8.8

Result:

{
    "credit": "AWS regional Policy",
    "result": {
        "location": "AWS-US-East",
        "primary_overflow_location": "AWS-Ireland"
    },
    "status": "success"
}
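The lookup behind this response, as an added Python 3 example that is not the pexgeo project's own code: it validates the remote_address query parameter before any database query and falls back to a default location for unroutable, malformed or unmapped addresses. The country table, the fallback, the function names and the country_lookup callable are assumptions; only the two location names and the response fields come from the sample above.

```python
import ipaddress

# Constructed table: ISO country code -> (location, primary_overflow_location).
# The two location names come from the sample response; the mapping is assumed.
COUNTRY_LOCATIONS = {
    "US": ("AWS-US-East", "AWS-Ireland"),
    "IE": ("AWS-Ireland", "AWS-US-East"),
}
DEFAULT_LOCATIONS = ("AWS-US-East", "AWS-Ireland")  # assumed fallback


def parse_public_ip(remote_address):
    """Return an ip_address object for a globally routable address, else None."""
    try:
        ip = ipaddress.ip_address((remote_address or "").strip())
    except ValueError:
        return None
    return ip if ip.is_global else None


def participant_location(remote_address, country_lookup):
    """Build the policy response body for one remote_address value.

    country_lookup is a hypothetical callable (str -> ISO code or None)
    standing in for the GeoLite2 country database query.
    """
    location, overflow = DEFAULT_LOCATIONS
    ip = parse_public_ip(remote_address)
    if ip is not None:
        try:
            country = country_lookup(str(ip))
        except Exception:
            country = None  # database missing or address not in it
        location, overflow = COUNTRY_LOCATIONS.get(country, DEFAULT_LOCATIONS)
    return {
        "status": "success",
        "result": {
            "location": location,
            "primary_overflow_location": overflow,
        },
    }


# Constructed stand-in for the database so the example runs offline.
FAKE_DB = {"8.8.8.8": "US", "2001:4860:4860::8888": "US", "1.1.1.1": "AU"}

if __name__ == "__main__":
    for addr in ("8.8.8.8", "10.0.0.5", "not-an-ip", "1.1.1.1"):
        print(addr, participant_location(addr, FAKE_DB.get)["result"])
```

Private addresses such as 10.0.0.5 never reach the lookup, so a request forwarded with an internal proxy address gets the default location rather than an error.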

To make this policy server Highly Available, refer to this post
More info about uWSGI: https://www.digitalocean.com/community/tutorials/how-to-serve-flask-applications-with-uwsgi-and-nginx-on-ubuntu-14-04#
