How can I use Nginx to do Secure Web Socket Connections?

1
votes

I can directly connect a web socket to my PHP daemon server via JavaScript: var websocket = new WebSocket("ws://IP:PORT"); This will get the handshake correctly, but when I try the nginx proxy http://IP it fails to receive the header value for Sec-WebSocket-Key and the handshake fails.

-- Recent Update : JavaScript does not connect at all due to: SyntaxError: An invalid or illegal string was specified! 

nginx config file:

    upstream chatwebsocket {
        server 127.0.0.1:9090;
    }
    server {
       # ...
       listen 80 default_server;
       location / {
          proxy_pass http://chatwebsocket;
          ...
          proxy_set_header Sec-WebSocket-Key      $http_sec_websocket_key;
       }

The variable: $http_sec_websocket_key is not set...why? What variable should I be using for this? My PHP Chat server does not get the web socket header "Value" called: Sec-Websocket-Key. I can set it manually to some dummy value with: proxy_set_header Sec-WebSocket-Key 13; and my PHP log file will show it got 13 for the key.

Also, when I go to http://IP I can inspect the response headers in my browser console window. HTTP/1.1 400 Bad Key Request which is my error I created in PHP when: Note - that $headers is converted to lower case and trimmed... and works fine...

$headers[strtolower(trim($matches[1]))] = trim($matches[2]);

    if (! isset($headers['sec-websocket-key'])) { 
       return "HTTP/1.1 400 Bad Key Request"; //...

Why?, I want to do this is once HTTP works I want to use HTTPS to securely use WebSockets in encrypted form, also to keep my web page traffic secure.

I've looked at these pages: https://github.com/die-net/nginx-config-example/blob/master/include/proxy-headers and http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header . Not sure why $http_sec_websocket_key is not getting a value set...or what variable to use in its place?

Seems to be a JavaScript issue: var websocket = new WebSocket('http://IP'); SyntaxError: An invalid or illegal string was specified

How can I connect JavaScript Page to a Nginx web page proxy, is it possible? Or how do I setup a server to do wss://IP

OR any small simple code in PHP to do wss sockets?

Ha, I got it now, here is the Nginx config:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

upstream chatwebsocket {
    server 127.0.0.1:9090;
}

server {
    listen 8020;
    location / {
        proxy_pass http://chatwebsocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

I was missing the proxy_set_header **

Upgrade

** $http_upgrade;

1
javascriptphpwebsocketnginx-reverse-proxy
I think I'll give this a shot: stackoverflow.com/questions/10610661/…Robert Strutts
I'd like to keep my web socket code in PHP the same as it is simple & clean, while still using Nginx to do SSL for me. I'm confused on how to do this, any ideas?Robert Strutts
Okay, I think I got it now: nginx.com/blog/websocket-nginxRobert Strutts
Just added SSL support via nginx to listen on 443 and installed certs. Now, I can connect via JavaScript wss://myDomain:443 URL for web socket. Doing a Connection Upgrade was the Ticket to getting everything working in Nginx. I did not need to set Sec-WebSocket-Key headers (in nginx)!Robert Strutts

1 Answers

1
votes

In JavaScript do: var websocket = new WebSocket('wss://DomainName:443');

In Nginx do:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

upstream appwebsocket {
    server 127.0.0.1:9090;
}

server {
    listen   443;
    server_name YOUR_Domain_Name_HERE;

    ssl  on;
    ssl_certificate  /etc/nginx/ssl/ssl.crt;
    ssl_certificate_key  /etc/nginx/ssl/ssl.key;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers   on;

    location / {
        proxy_pass http://appwebsocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

Doing a Connection Upgrade was the Ticket to getting everything working in Nginx. I did not need to set Sec-WebSocket-Key headers (in nginx)! Also, I did not need to re-write my PHP application!

Keep in mind you can add a path to the nginx Location Path, so you can keep your web page online and route the web sockets to that Path!!