Can the Microsoft Speech SDK be configured to use plain HTTP WebSocket (ws) connections, allowing a proxy to upgrade to wss? #2680

Open
kpramesh2212 opened this issue Nov 28, 2024 · 5 comments
Labels
update needed For items that are in progress but have not been updated

Comments

@kpramesh2212

Description:

We are using the Microsoft Speech SDK to connect to the Microsoft Speech Service via WebSocket calls. Our architecture relies on an Envoy outbound proxy configured for TLS termination.

Key setup details:

  1. The instance is restricted to HTTP traffic only, with iptables redirecting this traffic to Envoy for TLS upgrades (HTTP → HTTPS, ws → wss).

  2. CONNECT requests are not allowed through the proxy, as TLS termination is exclusively handled by Envoy.

  3. This setup works for an internal service where WebSocket connections (ws) are successfully upgraded to wss by Envoy.

However, when using the Microsoft Speech SDK, the WebSocket upgrade (ws → wss) via Envoy does not work. It seems the SDK attempts to initiate wss connections directly, bypassing the proxy's TLS termination process.

Question:

Is it possible to configure the Microsoft Speech SDK to initiate plain HTTP WebSocket (ws) connections, enabling our proxy to upgrade these to wss?

Is there anything I am missing?


This item has been open without activity for 19 days. Provide a comment on status and remove "update needed" label.

@github-actions github-actions bot added the update needed For items that are in progress but have not been updated label Dec 18, 2024
@kpramesh2212
Author

Any help would be much appreciated.

We found that the SDK is setting the host header along with the port:

eastus.stt.speech.microsoft.com:80

The above is causing Envoy to make a TLS call on port 80.

We tried modifying the Envoy configuration to strip the port from the host header. Once we made this change, Envoy is successfully establishing the connection to the server. However, the server responds back with:

HTTP 403 Forbidden or HTTP 401 Unauthorized. Connection requests without a valid Ocp-Apim-Subscription-Key or Authorization header are rejected with a status of 403 or 401.

We are including the correct subscription key.
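
The proxy arrangement described in the comment above, sketched as an Envoy configuration. This is an added example, not the poster's configuration or anything from the SDK project; the listener port, cluster name and CA bundle path are assumptions. It covers only the Host-port stripping and upstream TLS origination, not the 401/403 response.

```yaml
# Added illustration; listener port, names and CA path are assumptions.
static_resources:
  listeners:
  - name: egress_plain_http            # iptables redirects outbound port 80 here
    address:
      socket_address: { address: 127.0.0.1, port_value: 15001 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: egress_plain_http
          # "host:80" becomes "host" before routing and before forwarding upstream.
          strip_any_host_port: true
          upgrade_configs:
          - upgrade_type: websocket    # pass the ws Upgrade handshake through
          route_config:
            virtual_hosts:
            - name: speech
              domains: ["eastus.stt.speech.microsoft.com"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: speech_tls }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: speech_tls
    type: LOGICAL_DNS
    connect_timeout: 5s
    load_assignment:
      cluster_name: speech_tls
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:          # upstream port is fixed at 443, independent of the Host header
              socket_address: { address: eastus.stt.speech.microsoft.com, port_value: 443 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: eastus.stt.speech.microsoft.com
        common_tls_context:
          validation_context:   # verifies the certificate chain against this CA bundle
            trusted_ca: { filename: /etc/ssl/certs/ca-certificates.crt }
```

`trusted_ca` on its own validates the chain but not the hostname; add `match_typed_subject_alt_names` for the name the service certificate actually presents so the proxy does not accept any certificate issued by a trusted CA.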

@kpramesh2212
Author

We suspect that this could be because of HMAC:

https://learn.microsoft.com/en-us/azure/azure-app-configuration/rest-api-authentication-hmac

As we are stripping the port from the host header, this could cause the HMAC signature to be invalid.

Could anyone please help us here?

@github-actions github-actions bot removed the update needed For items that are in progress but have not been updated label Jan 7, 2025
@kokovoj

kokovoj commented Jan 9, 2025

Any update on this? This is a serious blocker for us as well.


This item has been open without activity for 19 days. Provide a comment on status and remove "update needed" label.

@github-actions github-actions bot added the update needed For items that are in progress but have not been updated label Jan 29, 2025
2 participants