Reputation: 3063
I have the following setup:
+----------------------------+          +-----------------------------+
|                            |          |                             |
|                            |          |                             |
|                            |          |                             |
| +--------+      +--------+ |          | +--------+        +-------+ |
| |        |      |        | |          | |        |        |       | |
| | client |      | nginx  | |          | | nginx  |        | server| |
| |        |      |        | |          | |        |        |       | |
| |   ws   +----->|  wss   +------------->|  wss   +------->|  ws   | |
| |        |      |        | |          | |        |        |       | |
| |        |      |        | |          | |        |        |       | |
| +--------+      +--------+ |          | +--------+        +-------+ |
|                            |          |                             |
|                            |          |                             |
+----------------------------+          +-----------------------------+
I want to connect a client with a server via a secure websocket. But not directly. The client and the server don't know about the security.
So the client connects to: ws://localhost:6277/wstest
The client-side nginx is listening on port 6277. I want the Nginx to forward the connection securely to ws.example.com/wstest.
The config of the Nginx is:
server {
    server_name localhost;
    listen 6277;
    location /wstest {
        proxy_ssl_certificate /etc/nginx/ssl/client.crt;
        proxy_ssl_certificate_key /etc/nginx/ssl/client.key;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;
        proxy_ssl_session_reuse on;
        resolver 127.0.0.1;
        proxy_pass https://ws.example.com/wstest;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
The client-side setup doesn't work. The client gives me the following error: The HTTP response from the server [500] did not permit the HTTP upgrade to WebSocket. And Nginx gives me: "GET /ocpp/cp-1/ws HTTP/1.1" 500 193 "-" "-".
When I bypass the client-side Nginx, so that the client can connect directly (wss://ws.example.com/wstest) to the server only through the server-side Nginx, everything works fine.
The Nginx on server-side converts wss to ws and forwards the connection to the server.
Is there something wrong with the client-side Nginx configuration? Transforming wss to ws with Nginx is no problem. But is it even possible to transform ws to wss with Nginx?
Upvotes: 2
Views: 5431
Reputation: 3063
Everything worked like I expected. I just had to set a different resolver. For example:
resolver 8.8.8.8;
Upvotes: 1
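A hardened variant of the client-side configuration from this thread, as an added example that is not part of the original question or answer. It keeps the ws to wss bridging and adds upstream certificate verification, a loopback-only listener and a TLS floor of 1.2. The CA bundle path is an assumption, and the `map` block is shown because the question uses `$connection_upgrade` without showing where it is defined.

```nginx
# Added example, not the poster's configuration. Lives in the http {} context.

# $connection_upgrade is not built in; it has to be defined with a map.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    server_name localhost;
    # The client leg is plaintext ws://, so accept it on loopback only.
    listen 127.0.0.1:6277;

    # Resolver from the answer; prefer a resolver you control if one exists.
    resolver 8.8.8.8;

    location /wstest {
        # Client certificate presented to the server-side nginx (paths from the question).
        proxy_ssl_certificate     /etc/nginx/ssl/client.crt;
        proxy_ssl_certificate_key /etc/nginx/ssl/client.key;

        # Authenticate the upstream: nginx does not verify it by default.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/upstream-ca.crt;  # assumed path
        # Send SNI and check the certificate against this name.
        proxy_ssl_server_name on;
        proxy_ssl_name        ws.example.com;

        # Drop TLSv1 and TLSv1.1 (TLSv1.3 requires nginx 1.13.0 or later).
        proxy_ssl_protocols     TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers       HIGH:!aNULL:!MD5;
        proxy_ssl_session_reuse on;

        proxy_pass         https://ws.example.com/wstest;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
    }
}
```

Run `nginx -t` before reloading; a handshake failure after enabling `proxy_ssl_verify` usually means the CA bundle does not contain the issuer of the server-side certificate.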