I’m encountering an issue with the Anbox Streaming SDK (JavaScript) after updating to version 1.23. Specifically, when the SDK attempts to execute the following HTTP request (after calling AnboxStream.connect):
https://<host>/1.0/sessions/<id>/join
It receives a “405: Method Not Allowed” error. Despite this, streaming from the dashboard works correctly. However, I noticed that the dashboard makes different calls compared to the SDK. In particular, it uses the following endpoint:
https://<host>/api/sessions/<id>/join
Could you provide some clarification on this discrepancy? I’m having trouble understanding where the problem might lie.
This is correct but not yet very well documented. Starting with 1.23.0 we’re enforcing strict limits on what APIs we expose through the reverse proxy the appliance configures to listen on port 443/tcp. We always did this for production deployments we were working on with users through the user of cloud firewalls etc and now enforce for the reverse proxy implementation in the appliance too.
The back story for this is the following: Most of the API the Anbox Stream Gateway provides is not meant to be used on public exposed endpoints. The API is typically meant to be used in service to service communication, one of the reasons why we only support API token based authentication. If you want to make use of the API from a client application you will need to proxy it through a frontend service which faces the user with an authentication method specific to your service (e.g. via OpenID Connect) and then does the request to the gateway API in the background once the user is authenticated and authorized. The gateway API is accessible on the local listen address of the appliance on port 9031/tcp.
The dashboard implements the same construct here and has a flask based service component which talks to both AMS and the Anbox Stream Gateway service in the background, this is what you see with it making requests to https://<host>/api/sessions/<id>/join.
The binding part between the JS SDK and your backend service in is a connector component, see here for the one for the stream gateway. The connection is set on the AnboxStream API object (see here) and then implements the actual steps on how to connect to the backend service. Altneratively your backend service could also work directly with AMS to create an instance via --enable-streaming and then you only return the session ID to the user it then connects to.
One missing part of this, which is also holding the tutorial back, is support for CORS on the reverse proxy in the appliance. This is going to be in the 1.23/beta channel soon and will be release to stable with the 1.23.1 release this month.
I hope that helps to answer your questions, if not, let us know
Thank you very much for the clarifications. I fully agree with the restrictions applied to the reverse proxy, and I understand the importance of securing these communications.
I just have one question: Can you confirm that, at the moment, to get instance streaming to work, we need to write a proxy service that communicates with the streaming gateway and then point the connector to our service? However, this service would need to implement the requests made by the SDK, as they are hardcoded in the code, correct? Or can we/should we create a custom connector that allows us to communicate with the proxy service in a way that suits us, without having to implement the requests made by the default connector?
Also, is the code for the Flask server and/or the dashboard available for reference?
Correct, for a proper implementation you need your own service and connector. Alternatively you could access the gateway directly on port 9031 and expose that.
Thank you for the continued assistance. I now fully understand how to manage the communication between the client and the gateway.
Please extend my thanks to you and the entire Anbox Cloud team for all the hard work you’re putting into the project. I really appreciate the support and guidance!