WebSocket over a Reverse Proxy

WebSocket communication can take place over any reverse proxy which is configured to perform forwarding at the transport layer. Some proxies are able to handle WebSocket communication from certain clients at the application layer. This page details example configurations for the open source proxy and load balancing software HAProxy.

Application Layer (HTTP) Proxy

Clients using versions of the WebSocket protocol later than version 8 are able to traverse some reverse proxies which use application layer forwarding. HAProxy is one such proxy able to handle WebSocket communication in this manner.

An example configuration file for HAProxy is as follows:


# Example HAProxy Configuration file

# Here we forward all requests on port 443 to our nirvana server 
# listening on port 9443

# backend defines the nirvana server to forward to. We declare 
# two backends, one for serving the http page and another for
# websocket communication. Note that these could be two different
# ports (80 for serving the web content and 9443 for the secure
# nirvana websocket connection)
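backend nirvana_www
    # option forwardfor requires HTTP mode (HAProxy defaults to tcp)
    mode http
    balance roundrobin
    option forwardfor
    timeout connect 10s
    timeout server 30s
    server nirvana1 nirvanahost:9443 weight 1 maxconn 1024 check

backend nirvana_socket
    mode http
    balance roundrobin
    option forwardfor
    timeout connect 10s
    timeout server 30s
    server nirvana1 nirvanahost:9443 weight 1 maxconn 1024 check

frontend https_proxy
    # The header-based ACLs below require HTTP mode. The proxy can only
    # inspect headers of decrypted traffic, so TLS from secure clients
    # must be terminated at or before this frontend.
    mode http
    bind *:443
    timeout client 30s
    default_backend nirvana_www

    # ACLs sharing a name are ORed: a request is treated as WebSocket if
    # its Upgrade header is "WebSocket" or its Host header begins with "ws"
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws

    use_backend nirvana_socket if is_websocket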

Transport Layer (TCP) Proxy

As forwarding occurs at the transport layer, it can only be performed based on the port of the received packet. To perform forwarding based on URL, we would need access to the HTTP object at the application layer.

The configuration file for HAProxy is as follows:


# Example HAProxy Configuration file

# Here we forward all incoming requests on port 443 to our nirvana 
# server which has an nhps interface listening on port 9443

# backend defines the nirvana server to forward to
backend nirvana
    mode tcp
    timeout connect 10s
    timeout server 30s
    balance roundrobin
    server nirvana1 nirvanahost:9443 weight 1 maxconn 1024
# nirvanahost translates to an ip address

# frontend defines the interfaces for the reverse proxy to listen on
frontend https_proxy
    bind *:443
    mode tcp
    timeout client 30s
    default_backend nirvana

Configuring the Client

The client JavaScript session should be configured as follows:


NirvanaSession.start({
    ...
    webSocket : true,
    webSocketPort : 443,
    secure : true
});

The client can then connect by visiting the page https://proxyhost:443

It is possible to communicate using WebSockets over a reverse proxy without using a secure connection. To do so, follow the example above, but change the proxy port to a non-secure port, set the session options to use this port, and set the secure flag to false. However, to maximise the chance of successfully establishing a WebSocket connection, it is recommended that a secure communication method is chosen.
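
To confirm that a proxy configured as above passes the WebSocket opening handshake through intact, the response to the upgrade request can be checked against RFC 6455. The following Node.js code is an added example, not part of the original page or of the Nirvana client API; the function names and both sample responses are constructed for illustration.

```javascript
// Added example: offline validation of a WebSocket opening handshake (RFC 6455).
const { createHash } = require('crypto');

const WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'; // constant fixed by RFC 6455

// Sec-WebSocket-Accept value the server must return for a given client key.
function expectedAccept(key) {
  return createHash('sha1').update(key + WS_GUID).digest('base64');
}

// Parse a raw HTTP response head into { status, headers } (header names lower-cased).
function parseResponseHead(raw) {
  const lines = raw.split('\r\n\r\n')[0].split('\r\n');
  const status = parseInt(lines[0].split(' ')[1], 10);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status, headers };
}

// Return the reasons a handshake response is invalid; an empty list means it is valid.
function handshakeProblems(clientKey, rawResponse) {
  const { status, headers } = parseResponseHead(rawResponse);
  const problems = [];
  if (status !== 101) problems.push(`status ${status}, expected 101`);
  if ((headers['upgrade'] || '').toLowerCase() !== 'websocket')
    problems.push('Upgrade header missing or not "websocket"');
  const connTokens = (headers['connection'] || '').toLowerCase().split(',').map(t => t.trim());
  if (!connTokens.includes('upgrade')) problems.push('Connection header lacks "upgrade" token');
  if (headers['sec-websocket-accept'] !== expectedAccept(clientKey))
    problems.push('Sec-WebSocket-Accept does not match the client key');
  return problems;
}

// Constructed samples; the key/accept pair is the one used as the example in RFC 6455.
const SAMPLE_KEY = 'dGhlIHNhbXBsZSBub25jZQ==';
const GOOD_RESPONSE = 'HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n' +
  'Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n';
// Constructed: what a client sees when the request was answered as plain HTTP.
const STRIPPED_RESPONSE = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>';

console.log(handshakeProblems(SAMPLE_KEY, GOOD_RESPONSE));
console.log(handshakeProblems(SAMPLE_KEY, STRIPPED_RESPONSE));
```

A non-empty result for a request that was sent with valid upgrade headers indicates that the handshake was not completed end to end, which is the case the transport layer configuration avoids by not interpreting HTTP at all.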