Nginx reverse proxy wss with ssl

Overview

WebSockets allow a two-way, persistent communication channel between a client and a server. Like any other HTTP requests, WebSockets can be either secure (WSS) or insecure (WS). In This tutorial, you will be shown how to configure NGINX to proxy WSS connections.

Getting Started

If you are not a developer or have not developed a WebSocket application, you may find demo applications in Github. Each one was written for tutorials like this.

  • NodeJS Express
  • Python

Source: https://www.serverlab.ca/tutorials/linux/web-servers-linux/how-to-proxy-wss-websockets-with-nginx/

Configuring Secure WebSocket Proxy

In order for WWS requests to be proxied to a backend WSS service, NGINX must be configured to listen over a secure port. Just as you would configure SSL when using NGINX to server web application, a ssl certificate and certificate key must be configured.

The following example nginx.conf adds uses a certificate file named cert.pem and a key file named key.pem. The acceptabed protocols are explicitly set using the ssl_protocols directive, and the allowed ciphers are set with the ssl_ciphers directive.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
server {
listen 443 ssl;

server_name xxx.xx.io

ssl on;
ssl_certificate /etc/asterisk/certs/xxx.io.pem;
ssl_certificate_key /etc/asterisk/certs/xxx.io.key;

ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

#prevent 502 bad gateway
#large_client_header_buffers 8 32;

location / {

# prevents 502 bad gateway error
proxy_buffers 8 32k;
proxy_buffer_size 64k;

# redirect all HTTP traffic to localhost:8088;
proxy_pass http://0.0.0.0:8088/ws;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-NginX-Proxy true;

# enables WS support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

proxy_read_timeout 999999999;

}
}

Source: https://gist.github.com/steve-ng/ed6de1fa702ef70bd6ce

Comments

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×