Configuring virtualhost for secure websocket using ratchet websocket library on an apache webserver

I have implemented/tried to implement a websocket for communication between users on an EC2 instance running Linux with an Apache webserver. I had it working when I first configured it where my Ratchet websocket pointed to port 8081 without any TLS. With this configuration I was able to upgrade to a websocket and send/receive data - through a non-secure websocket. This was only possible through the IP address though and not through the actual URL. I am running the websocket at a subdomain.

    <VirtualHost *:443>
        DocumentRoot "/var/www/html/video"
        ServerName video.domain.com

        SSLEngine on
        SSLCertificateFile ./certs/server.crt
        SSLCertificateKeyFile ./certs/server.key

    #   ProxyPass /ratchet/ ws://video.domain.com:8081/

        <Directory "/var/www/html/video">
                AllowOverride All
                Require all granted
        </Directory>
    </VirtualHost>

The above solution works when I use the IP-based websocket connection to connect to the websocket through the JS WebSocket API.

I have tried both WSS, WS, with and without ports etc. for the WebSocket API, but still the code written beneath is the only one I can get to work.

    let socket = new WebSocket("ws://server_ip:8081");

I have read a lot of Stack Overflow questions regarding adding a ProxyPass to the VH, but it doesn't upgrade the request. Furthermore, I have tried to create its own virtualhost and that doesn't work either.

I think it's worth mentioning I have a Cloudflare CDN the requests are proxied through. Hope to get some fresh eyes. Been stuck for a while.

I do not have enough rep for a comment, so answer it is.

It has been a while since I have dabbled in this stuff, and my first thought was that you indeed need a ProxyPass, but when I looked at my config this is not the case.

I'm going out on a limb and guess that your VH is the issue here: you are explicitly listening on port 443 (https), but I believe wss has another port it listens on, so maybe you could try another port. Other than that you could also try to do `new WebSocket('https://video.domain.com')` and enable the proxy in the VH; this way the secure connection is handled by the HTTP layer. But since the browser will then try to upgrade the request to a socket, I doubt this will work.

I should mention that in my case I used websockets to open an MQTT connection; since browsers don't implement MQTT this is done via wss.

If none of this works I could try to dive deeper into the inner workings of the MQTT lib I use in order to dissect how the connection is set up.

I hope any of this helps :D

Edit

Since there was not enough space in the comments I'll place it here:

Not related to sockets but to Apache and proxies: the ProxyPass directive has a counterpart, ProxyPassReverse, for that very goal.

    <virtualhost IPv4:443 [IPv6]:443>
            Servername knowledge.domain.com:443
            ServerAlias knowledge.domain.com
            ServerAdmin webmaster@domain.com

            DocumentRoot /path/to/documentRoot

            <Directory /path/to/documentRoot>
                    Options -Indexes -FollowSymLinks -SymLinksIfOwnerMatch
            </Directory>

            SSLEngine On
            SSLCertificateFile /path/to/ssl.crt
            SSLCertificateKeyFile /path/to/ssll.key
            SSLCACertificateFile /path/to/ssll.cer

            Header always set Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
            Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"

            ProxyRequests Off
            ProxyPreserveHost On
            ProxyVia Full
            <Proxy *>
                    Require all granted
            </Proxy>

            <Location />
                    ProxyPass http://127.0.0.1:3000/
                    ProxyPassReverse http://127.0.0.1:3000/
            </Location>

            <Directory />
                    Options -FollowSymLinks -Indexes -SymLinksIfOwnerMatch
            </Directory>

            CustomLog "/path/to/logs/access.log" combined
            ErrorLog "/path/to/logs/error.log"
            LogLevel warn
    </virtualhost>

This is an example of my proxy conf for a Node.js app.
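As an added example, not part of the question or the answer above: a virtual host that terminates TLS for video.domain.com and hands the WebSocket upgrade to Ratchet through mod_proxy_wstunnel, so the browser connects to wss://video.domain.com/ratchet/ on 443 instead of to port 8081. Cloudflare's proxy only forwards a fixed set of ports and 8081 is not one of them, which is consistent with ws://<ip>:8081 working while the hostname does not. The /ratchet/ path and the certificate paths are taken from the question's commented-out ProxyPass; the loopback bind 127.0.0.1:8081 and the log paths are assumptions.

```apache
# Modules needed (Debian/Ubuntu): a2enmod ssl proxy proxy_http proxy_wstunnel headers
<VirtualHost *:443>
    ServerName video.domain.com
    DocumentRoot "/var/www/html/video"

    SSLEngine on
    SSLCertificateFile ./certs/server.crt
    SSLCertificateKeyFile ./certs/server.key

    # Only ever return HTTPS to the browser once it has been here.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Never act as an open forward proxy; only the explicit ProxyPass below is allowed.
    ProxyRequests Off
    # Keep the original Host header so Ratchet sees video.domain.com, not 127.0.0.1.
    ProxyPreserveHost On

    # The browser connects to wss://video.domain.com/ratchet/ on 443, the port the
    # certificate and the Cloudflare proxy cover. mod_proxy_wstunnel performs the
    # HTTP/1.1 Upgrade and tunnels frames to Ratchet, which should listen on loopback
    # only (assumed here) so the plaintext ws:// port is not reachable from outside.
    ProxyPass        /ratchet/ ws://127.0.0.1:8081/
    ProxyPassReverse /ratchet/ ws://127.0.0.1:8081/

    <Directory "/var/www/html/video">
        AllowOverride All
        Require all granted
    </Directory>

    CustomLog "/var/log/apache2/video-access.log" combined
    ErrorLog  "/var/log/apache2/video-error.log"
    # While a failing upgrade is being debugged, "LogLevel warn proxy:trace2" shows
    # whether the request was handed to the wstunnel worker at all.
    LogLevel warn
</VirtualHost>
```

The zone's WebSockets setting in the Cloudflare dashboard must be on, and `apachectl configtest` validates the file before a reload. On the client side this pairs with `new WebSocket("wss://video.domain.com/ratchet/")`.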
