This repository has been archived by the owner on Oct 8, 2021. It is now read-only.

SSL #20

Open
tjscience opened this issue Apr 14, 2018 · 9 comments

Comments

@tjscience

The website that I am using to connect to the socket server uses SSL. How can I do this?

@mgravell
Contributor

mgravell commented Apr 14, 2018 via email

@tjscience
Author

Ah, ok. I am on windows server so that may be a bit hard. Thanks for the info though.

@mgravell
Contributor

mgravell commented Apr 15, 2018 via email

@mgravell
Contributor

mgravell commented Apr 15, 2018 via email

@tjscience
Author

It would be great to understand how you did that! Btw, thanks for this library and so many others that you have open sourced. I am a huge user/proponent of dapper and stackexchange.redis :)

@devMidgard

Hey @mgravell I've successfully set up haproxy to terminate SSL before the websocket server, but I have this problem where now my websocket server logs the IP Address the proxy is bound to.

I've read that HAProxy can send a header to the websocket server containing the original, remote IP that made the request. But is there any way of reading the request headers with NetGain?

Do you log remote IP Addresses on your websocket servers? How do you do so?

@NickCraver
Contributor

@devMidgard Unfortunately we don’t have this case - the volume of websocket traffic in play is too large to log reasonably, so it’s just not a case we hit. In our case, sockets are also secondary and admittedly not as critical to page function as other places.

@yhydra

yhydra commented Oct 9, 2018

Good question. It isn't a design feature right now. We use haproxy to terminate SSL before the web-socket server. We are interested in playing with the TLS work that @Drawaes has done for "pipelines", but that would be a radically different architecture, think "son of NetGain". So for now, your best bet AFAIK is: terminate ahead of the server.

On Sat, 14 Apr 2018, 21:24 Terry Phillips, @.***> wrote: The website that I am using to connect to the socket server uses SSL. How can I do this?

Do you have a working example of how I can use HAProxy to terminate SSL and then forward to netgains via websocket?

@scotkershaw

Good question. It isn't a design feature right now. We use haproxy to terminate SSL before the web-socket server. We are interested in playing with the TLS work that @Drawaes has done for "pipelines", but that would be a radically different architecture, think "son of NetGain". So for now, your best bet AFAIK is: terminate ahead of the server.

On Sat, 14 Apr 2018, 21:24 Terry Phillips, @.***> wrote: The website that I am using to connect to the socket server uses SSL. How can I do this?

Do you have a working example of how I can use HAProxy to terminate SSL and then forward to netgains via websocket?

Here's the frontend/backend snippets for our HAProxy config to terminate SSL for our NetGain WSS connections. The backend port should match your NetGain WS port, whereas the frontend port can be anything you like (that's what the clients would connect to):

frontend websockets-ssl-in
	mode http
	log global
	# TLS terminates here; clients connect to this port with wss://
	bind *:{{ PORT }} ssl crt /etc/ssl/mycert.pem alpn h2,http/1.1

	default_backend websocket_backend

backend websocket_backend
	mode http

	# fetch websocket headers
	acl hdr_connection_upgrade hdr(Connection)                 -i upgrade
	acl hdr_upgrade_websocket  hdr(Upgrade)                    -i websocket
	acl hdr_websocket_key      hdr_cnt(Sec-WebSocket-Key)      eq 1
	acl hdr_websocket_version  hdr_cnt(Sec-WebSocket-Version)  eq 1

	# deny the request if any websocket header check fails
	# (ACLs listed side by side are ANDed, so the negated checks are joined with ||)
	http-request deny if ! hdr_connection_upgrade || ! hdr_upgrade_websocket || ! hdr_websocket_key || ! hdr_websocket_version

	# plain (non-TLS) hop to the NetGain WS port
	server my_ws_server {{ IP }}:{{ PORT }} weight 1 maxconn 30000 check inter 30s # health check every 30s
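
The four header checks from the backend above, modelled in Python so they can be run against sample handshakes (an added example, not part of the thread or of NetGain; the host name and the sample requests are constructed). HAProxy ANDs ACLs that are listed side by side, so the script evaluates the deny rule both ways: negated checks joined with `||`, and negated checks simply listed one after another.

```python
# Added example: models the four backend ACL checks on constructed requests.
from collections import defaultdict

def parse_headers(raw: bytes) -> dict:
    """Return {lowercased name: [values]} from a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = defaultdict(list)
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers

def values(headers, name):
    """Comma-separated header values count individually, as in hdr()/hdr_cnt()."""
    return [v.strip().lower() for raw in headers[name] for v in raw.split(",") if v.strip()]

def acl_results(raw: bytes) -> dict:
    h = parse_headers(raw)
    return {
        "hdr_connection_upgrade": "upgrade" in values(h, "connection"),
        "hdr_upgrade_websocket": "websocket" in values(h, "upgrade"),
        "hdr_websocket_key": len(values(h, "sec-websocket-key")) == 1,
        "hdr_websocket_version": len(values(h, "sec-websocket-version")) == 1,
    }

def deny_if_any_fails(raw: bytes) -> bool:  # ! a || ! b || ! c || ! d
    return not all(acl_results(raw).values())

def deny_if_all_fail(raw: bytes) -> bool:   # ! a ! b ! c ! d (implicit AND)
    return not any(acl_results(raw).values())

def request(*header_lines: str) -> bytes:
    """Build a constructed handshake request for a hypothetical host."""
    lines = ["GET /ws HTTP/1.1", "Host: ws.example.test", *header_lines, "", ""]
    return "\r\n".join(lines).encode("latin-1")

# Constructed samples; the key is the sample nonce from RFC 6455.
VALID = request("Connection: keep-alive, Upgrade", "Upgrade: websocket",
                "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==", "Sec-WebSocket-Version: 13")
NO_KEY = request("Connection: Upgrade", "Upgrade: websocket", "Sec-WebSocket-Version: 13")
PLAIN_GET = request("Accept: text/html")

if __name__ == "__main__":
    for name, req in [("VALID", VALID), ("NO_KEY", NO_KEY), ("PLAIN_GET", PLAIN_GET)]:
        print(f"{name:9} any-fails deny={deny_if_any_fails(req)!s:5} "
              f"all-fail deny={deny_if_all_fail(req)}")
```

The `NO_KEY` request is the case that separates the two forms: it is denied only when the negated checks are joined with `||`.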
