WebSocket Servers and Firewall

I have two WebSocket servers running on ports other than 80 and 443. These two servers work behind a firewall that only opens ports 80 and 443.

    WebSocket Server A:800 |
                           |-----|FireWall:80 & 443|-----> INTERNET
    WebSocket Server B:801 |

What I'm looking for is a way for my clients to connect to the WebSocket servers without knowing their ports and without me opening the firewall for any ports other than 80 and 443.

So, I thought, maybe an intermediate server (or proxy server) between my firewall and the WebSocket servers can be configured so that when clients request www.mywebsite.com/a on port 80 or 443 (to pass the firewall), the intermediate server connects the client to the WebSocket A server. And when the client requests www.mywebsite.com/b on port 80 or 443, the intermediate server connects it to the WebSocket B server. Is this possible? And if so, is there any server you know of that implements this function?

On another note (maybe not quite related at all), what would be the differences between TCP hole punching and the approach described above?

+4
3 answers

This is called a WebSockets reverse proxy. You will need another logical or physical node between your firewall and the WebSocket servers. Perhaps you are using all three nodes on the same system, so I mention "logical".

This space is changing rapidly, and the solutions are quite immature. Probably the best option for your case is to use HAProxy as the WebSocket reverse proxy. Search for “WebSocket reverse proxy” for more information. This article is a bit outdated, but should give you a reasonable overview of the options.

Update: it looks like WebSocket proxy support landed in Nginx yesterday: press release, with an example

+2

I was able to configure HAProxy to redirect my requests based on the URI, thanks to the link @kanaka provided in his answer. So here is what I did:

Once you make HAProxy, you can find haproxy under usr/local/sbin. The script works with the -f flag for the configuration file. Take a look at /etc/ and, if you don't have haproxy.cfg, just mkdir -p /etc/haproxy and then vi /etc/haproxy.cfg and paste in your configuration. The configuration file for version 1.5 is described here with all the parameters that can be used in it. This is what my haproxy.cfg file looks like:

    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        maxconn 4096
        uid 99
        gid 99
        daemon

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        retries 3
        option redispatch
        option http-server-close
        maxconn 2000
        contimeout 5000
        clitimeout 50000
        srvtimeout 50000

    frontend public
        bind *:80
        acl is_websocket1 path_beg -i /a    # if the path starts with /a
        acl is_websocket2 path_beg -i /b    # if the path starts with /b
        use_backend ws1 if is_websocket1
        use_backend ws2 if is_websocket2
        default_backend www

    backend www
        timeout server 30s
        server www1 127.0.0.1:8001    # the port we have our webserver running on

    backend ws1
        timeout server 600s
        server ws1 127.0.0.1:800    # the port we have our websocket server 1 running on

    backend ws2
        timeout server 600s
        server ws2 127.0.0.1:801    # the port we have our websocket server 2 running on
+1
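Added example (not part of the answer above and not HAProxy code): a small Python model of how the `path_beg -i /a` and `path_beg -i /b` ACLs in that frontend choose a backend. It shows that any path beginning with those letters, such as /about, is also sent to a WebSocket backend, and compares this with an assumed variant that uses exact `path` matching. The parser is a simplification that handles only `path`/`path_beg` ACLs and AND-ed `use_backend ... if` conditions; the sample URLs are constructed.

```python
# Frontend rules copied from the haproxy.cfg above (inline comments dropped).
PAGE_FRONTEND = """
frontend public
    bind *:80
    acl is_websocket1 path_beg -i /a
    acl is_websocket2 path_beg -i /b
    use_backend ws1 if is_websocket1
    use_backend ws2 if is_websocket2
    default_backend www
"""
# Assumed variant (not from the page): exact-match "path" instead of "path_beg".
EXACT_FRONTEND = PAGE_FRONTEND.replace("path_beg", "path")

def parse_frontend(text):
    """Collect path/path_beg ACLs, ordered use_backend rules and the default."""
    acls, rules, default = {}, [], None
    for line in text.splitlines():
        w = line.split("#", 1)[0].split()       # drop inline comments
        if len(w) >= 4 and w[0] == "acl" and w[2] in ("path", "path_beg"):
            patterns = [p for p in w[3:] if p != "-i"]
            acls[w[1]] = (w[2], patterns, "-i" in w[3:])
        elif len(w) >= 4 and w[0] == "use_backend" and w[2] == "if":
            rules.append((w[1], w[3:]))         # several ACL names mean AND
        elif len(w) == 2 and w[0] == "default_backend":
            default = w[1]
    return acls, rules, default

def acl_matches(acl, path):
    kind, patterns, ignore_case = acl
    if ignore_case:
        path, patterns = path.lower(), [p.lower() for p in patterns]
    if kind == "path_beg":
        return any(path.startswith(p) for p in patterns)
    return path in patterns                     # "path" is an exact match

def route(config, url):
    """Backend chosen for a URL: first use_backend whose ACLs all match."""
    acls, rules, default = parse_frontend(config)
    path = url.split("?", 1)[0]                 # ACLs see the path without the query
    for backend, names in rules:
        if all(acl_matches(acls[n], path) for n in names):
            return backend
    return default

if __name__ == "__main__":
    for url in ("/a", "/b?room=1", "/about", "/Blog/2013", "/index.html"):
        print(f"{url:12} page={route(PAGE_FRONTEND, url):4} "
              f"exact={route(EXACT_FRONTEND, url)}")
```
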

Hackercombat MYDLP SUITE Firewall gives you something extra. Like any good firewall software, it protects you from known, unknown threats and protects all ports and protocols. It also offers many other security features, with centralized management for downloads.

-3
