request help: Apache APISIX with Secured Websockets

[BoazDr]

Issue description

I am trying to add an API Gateway to a client-server system, which communicates through secured WebSockets.

The Server is an audio recognition engine that sits in a remote machine, and clients are connecting to it through WebSockets ('wss://...'), sending audio files and receiving their text translate representation. My main goal is to add a free open-source API Gateway in the middle in order to authenticate\authorize\rate limit\etc...
After searching the web, I focused on Apache APISIX gateway. As a test, I managed to connect the APISIX to a client-server which communicates by http/https and it worked fine.
Moreover, I managed to connect the client with the server on regular websocket connection (ws://) and the data transactions were successful, but no matter what I do i cant connect to the secured connection. Are there any special configurations I should edit in the dashboard?

I'm wondering if anyone knows from experience if it's possible to use SecuresWebSockets with Apache APISIX and if yes, how exactly it should be done (a little example would go a long way).

Environment

• apisix version (cmd: apisix version): Installed the whole project through docker-compose, all versions are the most recent from official apache APISIX docs.
• OS (cmd: uname -a): Linux Centos 7
• OpenResty / Nginx version (cmd: nginx -V or openresty -V):
• etcd version, if have (cmd: run curl http://127.0.0.1:9090/v1/server_info to get the info from server-info API):
• apisix-dashboard version, if have:
• the plugin runner version, if the issue is about a plugin runner (cmd: depended on the kind of runner):
• luarocks version, if the issue is about installation (cmd: luarocks --version):

The only Web socket reference there is in the dashboard:

[spacewander]

Would you try to set up some configurations ike this two tests:

apisix/t/node/upstream-websocket.t

Line 226 in baf216d

=== TEST 8: set wss

You can set up the same configuration via Admin API or dashboard (a route with enable_websocket = true, an SSL that provides the certificate to the client, an upstream with https scheme).

[BoazDr]

Would you try to set up some configurations ike this two tests:

apisix/t/node/upstream-websocket.t

Line 226 in baf216d

=== TEST 8: set wss

You can set up the same configuration via Admin API or dashboard (a route with enable_websocket = true, an SSL that provides the certificate to the client, an upstream with https scheme).

I tried with enable_websocket to true and my upstream is with https scheme.
However I have no experience with ssl certificates, I'm asked to insert a certificate and a private key (clients certificates and keys? or the engine computer certificate?) - my client is running from some linux remote machine ip (in the format of '111.222.333.444') and the engine on the webserver is running on different linux remote machine ('555.666.777.888')

[tzssangglass]

'm asked to insert a certificate and a private key (clients certificates and keys? or the engine computer certificate?)

see: https://github.com/apache/apisix/blob/master/docs/en/latest/admin-api.md#ssl, you can submit certs by APISIX Dashboard, sidebar with SSL configuration.

[tzssangglass]

my client is running from some linux remote machine ip (in the format of '111.222.333.444') and the engine on the webserver is running on different linux remote machine ('555.666.777.888')

I didn't understand what you mean……

[shuaijinchao]

If it is just for testing, you can sign the CA certificate yourself, refer to: https://www.openssl.org/docs/man1.1.1/man1/, or check relevant information through the Internet.

[BoazDr]

Would you try to set up some configurations ike this two tests:

apisix/t/node/upstream-websocket.t

Line 226 in baf216d

=== TEST 8: set wss

You can set up the same configuration via Admin API or dashboard (a route with enable_websocket = true, an SSL that provides the certificate to the client, an upstream with https scheme).

SSL which provides certificate to the client? Not the engine (service) itself?
I created an SSL for my service (in a linux machine) but I cant find a way to connect my route to this SNI, any special instructions?

'm asked to insert a certificate and a private key (clients certificates and keys? or the engine computer certificate?)

see: https://github.com/apache/apisix/blob/master/docs/en/latest/admin-api.md#ssl, you can submit certs by APISIX Dashboard, sidebar with SSL configuration.

I submitted a new SSL with Certificate and private key of the machine the server runs on, but now I cant figure how to connect the route to it.

If it is just for testing, you can sign the CA certificate yourself, refer to: https://www.openssl.org/docs/man1.1.1/man1/, or check relevant information through the Internet.

Have done it, created certificate and private key from openssl, inserted them into APISIx dashboard but now i can't connec tthe route to the SSL.

[tzssangglass]

I created an SSL for my service (in a linux machine) but I cant find a way to connect my route to this SNI, any special instructions?

here:https://github.com/apache/apisix/blob/master/docs/en/latest/certificate.md#single-sni

[BoazDr]

I created an SSL for my service (in a linux machine) but I cant find a way to connect my route to this SNI, any special instructions?

here:https://github.com/apache/apisix/blob/master/docs/en/latest/certificate.md#single-sni

I tried this out already, but it's not working.
I wish to work with the dashboard atm, so I added a certificate and key for my linux machine (which runs the recognition engine) and now I have a SSL and a working route to websocket, how can I connect them through the dashboard itself?
And what should be the settings in the route exactly? scheme - https, websocket enable, anything else?

[tzssangglass]

I have a SSL and a working route to websocket, how can I connect them through the dashboard itself?

You need to send a request to APISIX using a tool like curl to match the route

And what should be the settings in the route exactly

Look at the documentation and decide according to your needs.

BTW, from your description above, I think you need to do it step by step, from client to APISIX and from APISIX to upstream, and don't rely entirely on dashboard, sometimes you need to use admin-api.

[tzssangglass]

You could give some replication steps and points of blocking, such as adding a route and setting an SSL certificate, sending a request that hits the route, but doesn't hit it. Something like this would allow us to reproduce the problem.

[BoazDr]

You could give some replication steps and points of blocking, such as adding a route and setting an SSL certificate, sending a request that hits the route, but doesn't hit it. Something like this would allow us to reproduce the problem.

First of all, thank you for the fast and informative replies, much appreciated.
I can't realy reproduce it because it is a sensitive project at work, but I will try explaining it in high level it might help:
We have a web written in javascript, which inside connects through websocket to a remote recognition engine. I changed the websocket connection url in the JS code to point to APISIX host and from there it should redirect to the actual websocket.
While doing it with normal websockets (ws://) everything works fine, but when trying to change the url to secured websockets I'm getting '400 Bad Request'.
The changes I've done are: changed the port to 443 in upstream host, scheme to https without tcp, created new SSL with certificate and key of the linux engine machine. But still getting the same error everythime - the websocket connection cant be established.

Can't figure out what am I doing wrong, downloaded WireShark and TShark for network observation and tried comparing both networks transactions while on ws and wss, no real value yet. The thing I realy need is a good and working example of simple cmd commands to run some secured ws, all the docs are not that informative imo.

[tzssangglass]

got, I will take the time to try this example in the next few days.

[tzssangglass]

@BoazDr, here's my demo

1. The mock upstream websocket server is an openresty, configured as below:

master_process on;

worker_processes 2;

error_log logs/error.log warn;
pid logs/nginx.pid;

worker_rlimit_nofile 20480;

events {
    accept_mutex off;
    worker_connections 10620;
}

worker_shutdown_timeout 3;

http {
    server {
        listen 1983 ssl;
        ssl_certificate             /usr/local/Cellar/apisix/t/certs/apisix.crt;
        ssl_certificate_key         /usr/local/Cellar/apisix/t/certs/apisix.key;
        lua_ssl_trusted_certificate /usr/local/Cellar/apisix/t/certs/apisix.crt;
        server_tokens off;

        ssl_certificate_by_lua_block {
            local ngx_ssl = require "ngx.ssl"
            ngx.log(ngx.WARN, "Receive SNI: ", ngx_ssl.server_name())
        }

        location /websocket_handshake {
            content_by_lua_block {
                local websocket = require "resty.websocket.server"
                local wb, err = websocket:new()
                if not wb then
                    ngx.log(ngx.ERR, "failed to new websocket: ", err)
                    return ngx.exit(400)
                end

                local bytes, err = wb:send_text("hello")
                if not bytes then
                    ngx.log(ngx.ERR, "failed to send text: ", err)
                    return ngx.exit(444)
                end
            }

            more_clear_headers Date;
        }
    }
}

use websocat test this websocket server:

websocat -t --ws-c-uri=wss://127.0.0.1:1983/websocket_handshake - ws-c:cmd:'socat - ssl:127.0.0.1:1983,verify=0,cafile=/usr/local/Cellar/apisix/t/certs/apisix.crt'
hello

2. start APISIX, and add route

curl --location --request PUT 'http://127.0.0.1:9080/apisix/admin/routes/1' \
--header 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
--header 'Content-Type: application/json' \
--data-raw '{
    "upstream": {
        "scheme": "https",
        "nodes": {
            "127.0.0.1:1983": 1
        },
        "type": "roundrobin"
    },
    "enable_websocket": true,
    "uri": "/websocket_handshake"
}'

3. add ssl

curl --location --request PUT 'http://127.0.0.1:9080/apisix/admin/ssl/1' \
--header 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
--header 'Content-Type: application/json' \
--data-raw '{
    "cert": "-----BEGIN CERTIFICATE-----
MIIEojCCAwqgAwIBAgIJAK253pMhgCkxMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
BAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxDzANBgNVBAcMBlpodUhhaTEPMA0G
A1UECgwGaXJlc3R5MREwDwYDVQQDDAh0ZXN0LmNvbTAgFw0xOTA2MjQyMjE4MDVa
GA8yMTE5MDUzMTIyMTgwNVowVjELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5n
RG9uZzEPMA0GA1UEBwwGWmh1SGFpMQ8wDQYDVQQKDAZpcmVzdHkxETAPBgNVBAMM
CHRlc3QuY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAyCM0rqJe
cvgnCfOw4fATotPwk5Ba0gC2YvIrO+gSbQkyxXF5jhZB3W6BkWUWR4oNFLLSqcVb
VDPitz/Mt46Mo8amuS6zTbQetGnBARzPLtmVhJfoeLj0efMiOepOSZflj9Ob4yKR
2bGdEFOdHPjm+4ggXU9jMKeLqdVvxll/JiVFBW5smPtW1Oc/BV5terhscJdOgmRr
abf9xiIis9/qVYfyGn52u9452V0owUuwP7nZ01jt6iMWEGeQU6mwPENgvj1olji2
WjdG2UwpUVp3jp3l7j1ekQ6mI0F7yI+LeHzfUwiyVt1TmtMWn1ztk6FfLRqwJWR/
Evm95vnfS3Le4S2ky3XAgn2UnCMyej3wDN6qHR1onpRVeXhrBajbCRDRBMwaNw/1
/3Uvza8QKK10PzQR6OcQ0xo9psMkd9j9ts/dTuo2fzaqpIfyUbPST4GdqNG9NyIh
/B9g26/0EWcjyO7mYVkaycrtLMaXm1u9jyRmcQQI1cGrGwyXbrieNp63AgMBAAGj
cTBvMB0GA1UdDgQWBBSZtSvV8mBwl0bpkvFtgyiOUUcbszAfBgNVHSMEGDAWgBSZ
tSvV8mBwl0bpkvFtgyiOUUcbszAMBgNVHRMEBTADAQH/MB8GA1UdEQQYMBaCCHRl
c3QuY29tggoqLnRlc3QuY29tMA0GCSqGSIb3DQEBCwUAA4IBgQAHGEul/x7ViVgC
tC8CbXEslYEkj1XVr2Y4hXZXAXKd3W7V3TC8rqWWBbr6L/tsSVFt126V5WyRmOaY
1A5pju8VhnkhYxYfZALQxJN2tZPFVeME9iGJ9BE1wPtpMgITX8Rt9kbNlENfAgOl
PYzrUZN1YUQjX+X8t8/1VkSmyZysr6ngJ46/M8F16gfYXc9zFj846Z9VST0zCKob
rJs3GtHOkS9zGGldqKKCj+Awl0jvTstI4qtS1ED92tcnJh5j/SSXCAB5FgnpKZWy
hme45nBQj86rJ8FhN+/aQ9H9/2Ib6Q4wbpaIvf4lQdLUEcWAeZGW6Rk0JURwEog1
7/mMgkapDglgeFx9f/XztSTrkHTaX4Obr+nYrZ2V4KOB4llZnK5GeNjDrOOJDk2y
IJFgBOZJWyS93dQfuKEj42hA79MuX64lMSCVQSjX+ipR289GQZqFrIhiJxLyA+Ve
U/OOcSRr39Kuis/JJ+DkgHYa/PWHZhnJQBxcqXXk1bJGw9BNbhM=
-----END CERTIFICATE-----",
    "key": "-----BEGIN RSA PRIVATE KEY-----
MIIG5AIBAAKCAYEAyCM0rqJecvgnCfOw4fATotPwk5Ba0gC2YvIrO+gSbQkyxXF5
jhZB3W6BkWUWR4oNFLLSqcVbVDPitz/Mt46Mo8amuS6zTbQetGnBARzPLtmVhJfo
eLj0efMiOepOSZflj9Ob4yKR2bGdEFOdHPjm+4ggXU9jMKeLqdVvxll/JiVFBW5s
mPtW1Oc/BV5terhscJdOgmRrabf9xiIis9/qVYfyGn52u9452V0owUuwP7nZ01jt
6iMWEGeQU6mwPENgvj1olji2WjdG2UwpUVp3jp3l7j1ekQ6mI0F7yI+LeHzfUwiy
Vt1TmtMWn1ztk6FfLRqwJWR/Evm95vnfS3Le4S2ky3XAgn2UnCMyej3wDN6qHR1o
npRVeXhrBajbCRDRBMwaNw/1/3Uvza8QKK10PzQR6OcQ0xo9psMkd9j9ts/dTuo2
fzaqpIfyUbPST4GdqNG9NyIh/B9g26/0EWcjyO7mYVkaycrtLMaXm1u9jyRmcQQI
1cGrGwyXbrieNp63AgMBAAECggGBAJM8g0duoHmIYoAJzbmKe4ew0C5fZtFUQNmu
O2xJITUiLT3ga4LCkRYsdBnY+nkK8PCnViAb10KtIT+bKipoLsNWI9Xcq4Cg4G3t
11XQMgPPgxYXA6m8t+73ldhxrcKqgvI6xVZmWlKDPn+CY/Wqj5PA476B5wEmYbNC
GIcd1FLl3E9Qm4g4b/sVXOHARF6iSvTR+6ol4nfWKlaXSlx2gNkHuG8RVpyDsp9c
z9zUqAdZ3QyFQhKcWWEcL6u9DLBpB/gUjyB3qWhDMe7jcCBZR1ALyRyEjmDwZzv2
jlv8qlLFfn9R29UI0pbuL1eRAz97scFOFme1s9oSU9a12YHfEd2wJOM9bqiKju8y
DZzePhEYuTZ8qxwiPJGy7XvRYTGHAs8+iDlG4vVpA0qD++1FTpv06cg/fOdnwshE
OJlEC0ozMvnM2rZ2oYejdG3aAnUHmSNa5tkJwXnmj/EMw1TEXf+H6+xknAkw05nh
zsxXrbuFUe7VRfgB5ElMA/V4NsScgQKBwQDmMRtnS32UZjw4A8DsHOKFzugfWzJ8
Gc+3sTgs+4dNIAvo0sjibQ3xl01h0BB2Pr1KtkgBYB8LJW/FuYdCRS/KlXH7PHgX
84gYWImhNhcNOL3coO8NXvd6+m+a/Z7xghbQtaraui6cDWPiCNd/sdLMZQ/7LopM
RbM32nrgBKMOJpMok1Z6zsPzT83SjkcSxjVzgULNYEp03uf1PWmHuvjO1yELwX9/
goACViF+jst12RUEiEQIYwr4y637GQBy+9cCgcEA3pN9W5OjSPDVsTcVERig8++O
BFURiUa7nXRHzKp2wT6jlMVcu8Pb2fjclxRyaMGYKZBRuXDlc/RNO3uTytGYNdC2
IptU5N4M7iZHXj190xtDxRnYQWWo/PR6EcJj3f/tc3Itm1rX0JfuI3JzJQgDb9Z2
s/9/ub8RRvmQV9LM/utgyOwNdf5dyVoPcTY2739X4ZzXNH+CybfNa+LWpiJIVEs2
txXbgZrhmlaWzwA525nZ0UlKdfktdcXeqke9eBghAoHARVTHFy6CjV7ZhlmDEtqE
U58FBOS36O7xRDdpXwsHLnCXhbFu9du41mom0W4UdzjgVI9gUqG71+SXrKr7lTc3
dMHcSbplxXkBJawND/Q1rzLG5JvIRHO1AGJLmRgIdl8jNgtxgV2QSkoyKlNVbM2H
Wy6ZSKM03lIj74+rcKuU3N87dX4jDuwV0sPXjzJxL7NpR/fHwgndgyPcI14y2cGz
zMC44EyQdTw+B/YfMnoZx83xaaMNMqV6GYNnTHi0TO2TAoHBAKmdrh9WkE2qsr59
IoHHygh7Wzez+Ewr6hfgoEK4+QzlBlX+XV/9rxIaE0jS3Sk1txadk5oFDebimuSk
lQkv1pXUOqh+xSAwk5v88dBAfh2dnnSa8HFN3oz+ZfQYtnBcc4DR1y2X+fVNgr3i
nxruU2gsAIPFRnmvwKPc1YIH9A6kIzqaoNt1f9VM243D6fNzkO4uztWEApBkkJgR
4s/yOjp6ovS9JG1NMXWjXQPcwTq3sQVLnAHxZRJmOvx69UmK4QKBwFYXXjeXiU3d
bcrPfe6qNGjfzK+BkhWznuFUMbuxyZWDYQD5yb6ukUosrj7pmZv3BxKcKCvmONU+
CHgIXB+hG+R9S2mCcH1qBQoP/RSm+TUzS/Bl2UeuhnFZh2jSZQy3OwryUi6nhF0u
LDzMI/6aO1ggsI23Ri0Y9ZtqVKczTkxzdQKR9xvoNBUufjimRlS80sJCEB3Qm20S
wzarryret/7GFW1/3cz+hTj9/d45i25zArr3Pocfpur5mfz3fJO8jg==
-----END RSA PRIVATE KEY-----",
    "sni": "127.0.0.1"
}'

Note:

• the functions of the sni are explained below
• the cert is content of: https://github.com/apache/apisix/blob/master/t/certs/apisix.crt, the key is content of: https://github.com/apache/apisix/blob/master/t/certs/apisix.key

3. use websocat test this websocket server:

websocat -t --tls-domain="127.0.0.1" --ws-c-uri=wss://127.0.0.1:9443/websocket_handshake - ws-c:cmd:'socat - ssl:127.0.0.1:9443,verify=0,cafile=/usr/local/Cellar/apisix/t/certs/apisix.crt'
hello

--tls-domain="127.0.0.1" specify domain for SNI when client do tlshandshake with APISIX,

Wireshake captures the following packet:

Handshake Protocol: Client Hello
    Handshake Type: Client Hello (1)
    Length: 415
    Version: TLS 1.2 (0x0303)
    Random: 31959c15cb141a3b6493f35ec3fe97b26c7824aa9f2703aada7712d20229b5a2
    Session ID Length: 32
    Session ID: 30d9629faee10e4e4dc7b6feccaac46e64e7a9fccf1de32e8fd4d3dd1c09f804
    Cipher Suites Length: 150
    Cipher Suites (75 suites)
    Compression Methods Length: 1
    Compression Methods (1 method)
    Extensions Length: 192
    Extension: server_name (len=14)
        Type: server_name (0)
        Length: 14
        Server Name Indication extension
            Server Name list length: 12
            Server Name Type: host_name (0)
            Server Name length: 9
            Server Name: 127.0.0.1
    Extension: ec_point_formats (len=4)
    Extension: supported_groups (len=4)
    Extension: session_ticket (len=0)
    Extension: encrypt_then_mac (len=0)
    Extension: extended_master_secret (len=0)
    Extension: signature_algorithms (len=48)
    Extension: supported_versions (len=9)
    Extension: psk_key_exchange_modes (len=2)
    Extension: key_share (len=71)
****

you can see that the Server Name Indication extension passes 127.0.0.1, APISIX will look up the corresponding cert and key based on this SNI, then find the cert and key uploaded in step 2.

finally, the wss protocol is completed from the client -> APISIX -> upstream

[tzssangglass]

and my sni is in the format of: "170.10.100.102"

When I run this command it succeds

look like that you do it success?

while if I create the ssl through the dashboard itself with the same cert and key, it accepts it but with a wrong sni, with no connection to '170.10.100.102'

I don't know, maybe it's a dashboard issue and you need to go there and raise an issue.

[BoazDr]

succeeds = creates the SSL.
a response is sent back and a SSL is created.
But when trying to connect with the wss://, there is still the same connection problem, and when looking into it in the dashboard I see under 'Expiretion Time - "Invalid date".

What do you mean by dashboard issue?

[tzssangglass]

can you use curl or postman to create SSL? my curl coommond is generated by postman.

[BoazDr]

As I said, I used curl command to create the SSL, and the result is 'Expiration Time': 'Invalid date'.
I tried creating it by regular curl, by .sh script and even with python.
All the methods created the same SSL with the same problem.

[tzssangglass]

I can't reproduce the error, I can't help