StackExchange/NetGain

SSL

Opened this issue · 9 comments

The website that I am using to connect to the socket server uses SSL. How can I do this?

Ah, ok. I am on Windows Server so that may be a bit hard. Thanks for the info though.

It would be great to understand how you did that! Btw, thanks for this library and so many others that you have open sourced. I am a huge user/proponent of dapper and stackexchange.redis :)

Hey @mgravell, I've successfully set up haproxy to terminate SSL before the websocket server, but I have this problem where now my websocket server logs the IP address the proxy is bound to.

I've read that HAProxy can send a header to the websocket server containing the original, remote IP that made the request. But is there any way of reading the request headers with NetGain?

Do you log remote IP addresses on your websocket servers? How do you do so?

@devMidgard Unfortunately we don’t have this case - the volume of websocket traffic in play is too large to log reasonably, so it’s just not a case we hit. In our case, sockets are also secondary and admittedly not as critical to page function as other places.

Good question. It isn't a design feature right now. We use haproxy to terminate SSL before the web-socket server. We are interested in playing with the TLS work that @Drawaes has done for "pipelines", but that would be a radically different architecture, think "son of NetGain". So for now, your best bet AFAIK is: terminate ahead of the server.

On Sat, 14 Apr 2018, 21:24 Terry Phillips, @.***> wrote: The website that I am using to connect to the socket server uses SSL. How can I do this?

Do you have a working example of how I can use HAProxy to terminate SSL and then forward to NetGain via websocket?

Here's the frontend/backend snippets for our HAProxy config to terminate SSL for our NetGain WSS connections. The backend port should match your NetGain WS port, whereas the frontend port can be anything you like (that's what the clients would connect to):

frontend websockets-ssl-in
	mode http
	log global
	# TLS is terminated here; this is the port the clients connect to
	bind *:{{ PORT }} ssl crt /etc/ssl/mycert.pem alpn h2,http/1.1

	default_backend websocket_backend

backend websocket_backend
	mode http

	# fetch websocket headers
	acl hdr_connection_upgrade hdr(Connection)                 -i upgrade
	acl hdr_upgrade_websocket  hdr(Upgrade)                    -i websocket
	acl hdr_websocket_key      hdr_cnt(Sec-WebSocket-Key)      eq 1
	acl hdr_websocket_version  hdr_cnt(Sec-WebSocket-Version)  eq 1

	# deny request for invalid websocket headers
	# (conditions written side by side are ANDed, so they are joined with || to deny when any one check fails)
	http-request deny if ! hdr_connection_upgrade || ! hdr_upgrade_websocket || ! hdr_websocket_key || ! hdr_websocket_version

	# unencrypted hop to the NetGain WS port
	server my_ws_server {{ IP }}:{{ PORT }} weight 1 maxconn 30000 check inter 30s # health check every 30s
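
On the remote-IP question earlier in the thread: adding `option forwardfor` to the backend posted above makes HAProxy append an X-Forwarded-For header with the client address to the handshake it forwards. The following is an added example, not code from NetGain or from any commenter, of choosing the address to log on the backend side. It assumes the server code can see the raw handshake request and the TCP peer address; `TRUSTED_PROXIES`, `parse_headers`, `client_ip` and all addresses are made up for illustration.

```python
import ipaddress

# Assumption: the address(es) HAProxy connects from (constructed value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

def parse_headers(raw: bytes):
    """Return the header lines of an HTTP/1.1 request as (name, value) pairs, in order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def client_ip(peer: str, raw_handshake: bytes) -> str:
    """Address to log for a connection whose TCP peer is `peer`."""
    peer_addr = ipaddress.ip_address(peer)
    if peer_addr not in TRUSTED_PROXIES:
        # Not from the proxy: any X-Forwarded-For here was written by the client.
        return str(peer_addr)
    xff = [v for n, v in parse_headers(raw_handshake) if n == "x-forwarded-for"]
    if not xff:
        return str(peer_addr)
    # HAProxy appends its header after existing ones, so only the last
    # occurrence (and its last comma-separated element) came from the proxy.
    candidate = xff[-1].split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer_addr)

# Constructed handshake: the first X-Forwarded-For was supplied by the client,
# the second was appended by the proxy.
SAMPLE = (
    b"GET /ws HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"X-Forwarded-For: 127.0.0.1\r\n"
    b"X-Forwarded-For: 203.0.113.7\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(client_ip("10.0.0.5", SAMPLE))       # connection arrived via the proxy
    print(client_ip("198.51.100.9", SAMPLE))   # direct connection, header ignored
```

The header is only meaningful if the NetGain port is reachable solely from the proxy; otherwise the peer check is the only thing keeping client-written values out of the log.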