WebSocket over TLS: Golang / Gorilla

Question

I have been trying to set up a WebSocket connection over TLS (so with encryption). I use Golang with Gorilla. A WebSocket connection is implemented as an initial HTTP connection that gets upgraded to the WebSocket protocol connection. The code is like this:

func wsEndpoint(w http.ResponseWriter, r *http.Request) {
    // upgrade
    ws, err := upgrader.Upgrade(w, r, nil)
    if err != nil {
        //...
    }

    log.Println("Client Connected")
    err = ws.WriteMessage(1, []byte("Hi Client!"))
    if err != nil {
        //...
    }
    // listen indefinitely for new messages coming 
}

Then we set up the routing:

func main() {
    //...
    setupRoutes()
    log.Fatal(http.ListenAndServe(":8080", nil))
}

Does it suffice to change the last line to:

...http.ListenAndServeTLS(...)

so in other words to use TLS to establish the first connection? Does this approach suffice to secure the entire communication over WebSocket from start till the end? Should I be certain that all packet transmission within the connection duration is also protected by TLS? If not, how to set it up in Golang / Gorilla framework?

Answer 1

Use http.ListenAndServeTLS to encrypt the underlying network connections used for the HTTP protocol and the WebSocket protocol.

The approach secures the entire communication on the underlying network connection including all WebSocket traffic.

The Gorilla server code uses the network connection provided by the net/http server. The Gorilla server code does create new network connections.

http.ListenAndServeTLS is a helper function that calls lower-level functions and methods. It also works to call those lower-level functions and methods directly.

Answer 2

One approach to this problem would be to set up a reverse proxy like nginx with certbot to generate certificates.

Here's how it would work

[ Client ] ----------> [ nginx ] --------------> [ golang server ]
            Encrypted             Not encrypted