
Is it possible to relay a WebSocket through NGINX over TLS?

Can this:

  • A Node.js server acting as WebSocket client

  • NGINX handling the WebSocket traffic

  • JVM Socket Server

work over TLS?

Sure, I can imagine two ways to set this up:

  1. Adding TLS to the Nginx
  2. Adding TLS to the origin Websocket server (JVM in your case)

The second approach has more advantages because it secures the connection between Nginx and Websocket as well (imagine you want to host them in two different containers / machines).

Imagine a diagram like this for the first approach:

Nodejs Socket Client <--Secure--> Nginx <--NOT Secure--> JVM

and something like this for the second approach:

Nodejs Socket Client <--Secure--> Nginx <--Secure--> JVM

I have created a public repository here which demonstrates how you can set up the first approach: https://github.com/afshinm/websocket_tls_docker

Setup TLS on the server-side

If you want to take the second approach, it varies from framework to framework. You'd need to read the documentation. But bear in mind, Nginx can decrypt and encrypt your traffic, so all you need to do in this case is change the value of proxy_pass to use the https://... prefix so Nginx knows to decrypt the traffic first.

But for the first approach, just add the following settings to your server configuration to enable TLS:

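listen 443 ssl;  # replaces "ssl on;", which is deprecated and rejected by current Nginx
ssl_certificate /path/ssl-bundle.crt;
ssl_certificate_key /path/myserver.key;
ssl_protocols TLSv1.2 TLSv1.3;  # TLSv1 and TLSv1.1 are deprecated (RFC 8996)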

And don't forget to add these to your server or location block (according to your config):

proxy_pass http://your_jvm_backend_host;
proxy_http_version 1.1;
proxy_set_header Connection "upgrade";
proxy_set_header Upgrade $http_upgrade;
proxy_read_timeout 86400;

Now, your connection from Nginx to your clients is secure ( wss://... ).

Setup client

Assuming that you are using the ws package, you can connect to the secure Websocket connection like this:

const WebSocket = require('ws');

const ws = new WebSocket('wss://your_backend');

ws.on('open', function open() {
  ws.send('Hola!');
});

That's it.
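
An Nginx configuration for the second approach described in the answer above (TLS on both hops), as an added example that is not part of the original answer or its repository. The server name, backend port and the backend CA file path are placeholders chosen for illustration; the point to note is that Nginx does not verify the upstream certificate unless proxy_ssl_verify is switched on.

```nginx
# Added example. Host names, port 8443 and /path/backend-ca.crt are
# placeholders (assumptions), not values from the original answer.
# Place inside the http {} context.

# Send "Connection: upgrade" only when the client actually requested one.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name ws.example.test;                      # placeholder

    # Client <-> Nginx hop (wss://)
    ssl_certificate     /path/ssl-bundle.crt;
    ssl_certificate_key /path/myserver.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Nginx <-> JVM hop: the https:// scheme makes Nginx open a
        # TLS connection to the backend instead of a plain one.
        proxy_pass https://your_jvm_backend_host:8443;

        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_read_timeout 86400;

        # proxy_ssl_verify defaults to off, so without these lines the
        # backend hop is encrypted but the backend is not authenticated.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /path/backend-ca.crt;
        proxy_ssl_server_name         on;   # send SNI to the backend
        proxy_ssl_name                your_jvm_backend_host;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    }
}
```

Running nginx -t after editing checks the syntax and confirms that the certificate files can be read before the configuration is reloaded.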
