WebSockets
WebSEAL can proxy WebSocket connections between clients and junctioned web servers. In the WebSEAL default configuration, all WebSocket requests are rejected.
To enable WebSocket proxy support, update the WebSEAL configuration file and set the [websocket] max-worker-threads entry to a value larger than zero.
Each WebSocket created between the client and the junctioned server requires two WebSocket worker threads. The max-worker-threads setting must be configured to allow for this thread usage.
If the max-worker-threads limit is reached, any additional requests to proxy a WebSocket connection are rejected and a warning message is logged.
WebSocket connections can have a non-trivial lifespan as a client can keep the connection open for extended periods of time with data traveling in both directions asynchronously. The max-worker-threads entry decides how many concurrent clients can be handled by WebSEAL. To help reduce the number of idle or blocked WebSocket connections, WebSEAL provides the following timeout settings:
- [websocket] jct-read-inactive-timeout
- [websocket] jct-write-blocked-timeout
- [websocket] clt-write-blocked-timeout
- [websocket] clt-read-inactive-timeout
The settings that begin with jct impact the connection between WebSEAL and the junctioned server. The settings that begin with clt impact the connection between WebSEAL and the client or browser. Carefully evaluate the WebSocket data transmission behavior before you set these timeouts.
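The following is an added example, not part of the WebSEAL product or its documentation: a small audit of the [websocket] stanza that derives how many WebSockets can be proxied at once (two worker threads each) and reports which of the four timeouts are absent from the file. The sample configuration and all its values are constructed, and treating a missing max-worker-threads entry as zero is an assumption.

```python
# Added example: audit the [websocket] stanza of a WebSEAL configuration file.
TIMEOUTS = ("jct-read-inactive-timeout", "jct-write-blocked-timeout",
            "clt-write-blocked-timeout", "clt-read-inactive-timeout")

# Constructed sample configuration; values are illustrative, not recommendations.
SAMPLE_CONF = """\
[server]
worker-threads = 300

[websocket]
# two worker threads are consumed per proxied WebSocket
max-worker-threads = 51
jct-read-inactive-timeout = 120
clt-read-inactive-timeout = 120
clt-write-blocked-timeout = 20
"""


def read_stanza(text, stanza):
    """Return the key/value entries of one [stanza] from stanza-style config text."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == stanza and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def audit_websocket(text):
    """Summarize WebSocket proxy capacity and list findings for review."""
    ws = read_stanza(text, "websocket")
    # Assumption: an absent entry is treated as 0 (WebSocket proxying disabled).
    threads = int(ws.get("max-worker-threads", "0"))
    findings = []
    if threads <= 0:
        findings.append("max-worker-threads is not above zero: all WebSocket requests are rejected")
    elif threads % 2:
        findings.append("max-worker-threads is odd: one thread can never be paired")
    for name in TIMEOUTS:
        if name not in ws:
            findings.append(f"{name} is not set in this file")
    return {"enabled": threads > 0, "max_concurrent": max(threads, 0) // 2, "findings": findings}
```

Calling `audit_websocket(SAMPLE_CONF)` reports a capacity of 25 concurrent WebSockets and two findings: the odd thread count and the missing junction write-blocked timeout.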
WebSEAL's pdweb.snoop trace also applies to WebSocket data. Enabling pdweb.snoop trace allows tracing of the raw WebSocket data that is sent and received on each WebSocket connection. The pdweb.snoop trace can be enabled for the client traffic, the junction traffic, or both, by using pdweb.snoop.client and pdweb.snoop.jct trace elements.
Statistics can be gathered on WebSockets by enabling the pdweb.websocket stats component. The provided statistics are shown in the following table.
| Statistic label | Description |
|---|---|
| requests | Total WebSocket proxy requests received while statistics gathering is enabled. |
| rejected | Total WebSocket proxy requests rejected while statistics gathering is enabled. The rejection is typically due to an insufficient number of available worker threads. |
| timeout | The number of timeouts that have occurred when reading or writing through a proxied WebSocket connection while statistics gathering is enabled. |
| active | The current number of WebSocket connections that are proxied. |
| client bytes | The number of bytes read from the client side. |
| junction bytes | The number of bytes read from the junction side. |