
#1 2018-11-09 07:11:27

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,167

Doing a reverse proxy with websockify over https port 443

I can get this javascript web application to work in a few web browsers feeding itself via websockify.  However, websockify needs my certs, and the source and destination ports of the websock. I'd like to run them over https/443, so that it would most likely work in a firewalled location such as a coffee shop (or maybe even a corporate office).  If I try to use 443 websockify fails and states that the webserver is already using it.  Right now all I'm able to do is run it on some port that most likely won't work in most firewalled environments to the destination port which also might suffer the same fate.  It runs however, if there is no firewall out to the internet just fine, just not on https/443.  Somehow this is possible with the reverse proxy of apache and/or nginx.

The project itself uses nginx to do this, but I'm not able to duplicate the results.  I'd like to use apache, but apparently there isn't an idea how to make it work there.  It can be configured to listen through apache, or nginx listening on the https/443, but not sure how to get the feeding to continue to go through 443 for the client end.

Options for websockify:

websockify --cert=mycert.crt --key=mykey.key --ssl-only --ssl-target --web=path/to/dist 443 server:port
websockify --ssl-target websockifyport server:port

Nginx:

server {
        listen 443 ssl;
        server_name some.server.com;
        ssl_certificate /etc/letsencrypt/live/some.server.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/some.server.com/privkey.pem;

        location / {
                root /path/to/dist;
        }
        location /demo {
                proxy_pass http://websockify:port;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
        }
}

map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
}

Apache:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName some.server.com
        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass /.well-known !
        ProxyVia On
        RewriteEngine On
        RewriteCond %{HTTP:Connection} Upgrade [NC]
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        # change the port to your websockify port
        RewriteRule / ws://127.0.0.1:websockifyport [P,L]

        # change the ports below to your host or serve it directly
        ProxyPass / http://127.0.0.1:targetport/
        ProxyPassReverse / http://127.0.0.1:targetport

        # …
</VirtualHost>
</IfModule>

Apparently, apache needs

 mod_proxy_wstunnel, mod_proxy, mod_proxy_http, and mod_rewrite

And websockify is available in the unofficial repo.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#2 2018-11-09 11:43:40

flortsch
Member
From: Linz, Austria
Registered: 2015-07-21
Posts: 33
Website

Re: Doing a reverse proxy with websockify over https port 443

So what is exactly your problem?
If I understand you correctly, you want to host a web application behind a local websockify instance with public nginx or apache as a reverse proxy.
You can achieve this by letting nginx / apache do the HTTPS serving over port 443 (as in your posted configuration), whereas websockify runs locally on a different port in non-ssl mode.
So all you have to do is set up websockify locally on a different port in non-ssl mode and let nginx / apache do the SSL termination when forwarding websocket requests to websockify.
In this case, only nginx / apache does the HTTPS serving and you don't have to specify certificates / ssl configuration for websockify.

Like this:

Client Browser (https) --> nginx / apache (SSL termination) --> websockify --> your web application

Last edited by flortsch (2018-11-09 11:48:21)

Offline

#3 2018-11-09 16:24:28

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,167

Re: Doing a reverse proxy with websockify over https port 443

flortsch wrote:

So what is exactly your problem?
If I understand you correctly, you want to host a web application behind a local websockify instance with public nginx or apache as a reverse proxy.
You can achieve this by letting nginx / apache do the HTTPS serving over port 443 (as in your posted configuration), whereas websockify runs locally on a different port in non-ssl mode.
So all you have to do is set up websockify locally on a different port in non-ssl mode and let nginx / apache do the SSL termination when forwarding websocket requests to websockify.
In this case, only nginx / apache does the HTTPS serving and you don't have to specify certificates / ssl configuration for websockify.

Like this:

Client Browser (https) --> nginx / apache (SSL termination) --> websockify --> your web application

When I watch etherape, it isn't tunnelling through https/443, it appears to be going through my destination port or the websockify port which is supposed to be on the reverse proxy side, not on the client side.  Etherape won't give me information about what the port is, it just calls it unknown.  I can't figure out what I'm doing wrong. 

I'm trying to do this under a subdirectory instead of a subdomain, I think my proxypass should just point to http://127.0.0.1:targetport/subdir:, but websockify also takes a webroot, so I don't know if they have to match or what, because I get 500 Internal error and 502 Bad Gateway.  If I don't pass a key to websockify, it runs without TLS/SSL support, but it is passing onto a TLS/SSL target port/application, so it has to have TLS/SSL enabled otherwise the web application fails to connect between websockify and the end point application.  The end point application doesn't natively have websockets, so that's why it has to use websockify.

Last edited by nomorewindows (2018-11-09 16:36:55)



Offline

#4 2018-11-09 17:10:27

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,167

Re: Doing a reverse proxy with websockify over https port 443

According to tcpdump the traffic is going through the websockify port, not the target port or https/443.



Offline

#5 2018-11-09 21:36:21

flortsch
Member
From: Linz, Austria
Registered: 2015-07-21
Posts: 33
Website

Re: Doing a reverse proxy with websockify over https port 443

Which web application are you trying to get to run?
Is it something I could look up somewhere?

If your client tries to access the address/port of websockify or your target application directly, i.e., without going through port 443 of nginx, then your website / target application must be telling the browser to access the wrong URL.
According to these two links (especially the first one), nginx should be able to do WebSocket proxying in a way that the client only faces nginx's public address / port:

https://www.nginx.com/blog/websocket-nginx/
https://nginx.org/en/docs/http/websocket.html

Regarding your proxy_pass directive and subdirectory hosting:
I think you can leave the URL part of the proxy_pass directive empty when you specify your application in a subdirectory location.
Because nginx then simply forwards the request URL as is to your web application.
However, you have to manage that websockify / your web application handles the requests accordingly by setting up a web root or application URL.
Some applications also respect the x-script-name header which can be set by nginx.

Last edited by flortsch (2018-11-09 21:39:31)

Offline

#6 2018-11-10 15:15:14

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,167

Re: Doing a reverse proxy with websockify over https port 443

flortsch wrote:

Which web application are you trying to get to run?
Is it something I could look up somewhere?

If your client tries to access the address/port of websockify or your target application directly, i.e., without going through port 443 of nginx, then your website / target application must be telling the browser to access the wrong URL.
According to these two links (especially the first one), nginx should be able to do WebSocket proxying in a way that the client only faces nginx's public address / port:

https://www.nginx.com/blog/websocket-nginx/
https://nginx.org/en/docs/http/websocket.html

Regarding your proxy_pass directive and subdirectory hosting:
I think you can leave the URL part of the proxy_pass directive empty when you specify your application in a subdirectory location.
Because nginx then simply forwards the request URL as is to your web application.
However, you have to manage that websockify / your web application handles the requests accordingly by setting up a web root or application URL.
Some applications also respect the x-script-name header which can be set by nginx.

The project's developer is familiar with nginx, which I'm still trying to figure out.   Anyhow, he's able to run websockify inbound on https/443 without interfering with nginx listening in on 443, which then forwards onto the end point server.  The web client defaults to 443 on the connection dialog, but can be changed to any port.  I think your links above may be the same ones the developer is using to craft his nginx configuration.

I'm trying to do mumble-web on the same machine running murmur (with apache).  I'll maybe have to consider using nginx if I can't get it to work on apache. I think I've tried the developer's configuration with nginx, and websockify was complaining about 443 being already in use even with nginx.  Most likely they're using Ubuntu or something and it works for them, but may not work for other distros. 

Hmm...something I'm doing is causing websockify to show that I'm attempting a connection from 127.0.0.1 as a non-SSL connection that is being refused.  But it also keeps my homepage from loading...probably the --ssl-target or --ssl-only options.



Offline

#7 2018-11-12 06:45:44

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,167

Re: Doing a reverse proxy with websockify over https port 443

It doesn't appear as if this is possible with a web server running already.



Offline

#8 2018-11-12 10:08:38

flortsch
Member
From: Linz, Austria
Registered: 2015-07-21
Posts: 33
Website

Re: Doing a reverse proxy with websockify over https port 443

I assume this is the project you are talking about?
https://github.com/Johni0702/mumble-web

If you have troubles setting up the application with an additional web server as reverse proxy, start simple.
Stop your web server (nginx, apache) and do the setup only with websockify listening on the default http ports (80, 443), i.e., with SSL enabled and a corresponding certificate.
Configure websockify to forward the requests to your mumble server.
This is the standalone configuration which is described at the beginning of the project's readme.

Then see if it works by testing it with your web browser.
If it works, continue with the more advanced setup and add an additional webserver which does the reverse proxying.
Do it with nginx first, because it seems to support web socket proxying well and the developer of mumble-web also gives configuration instructions for it.
If this works, you can try and play around with apache, replacing your nginx front-end webserver.
Of course, if nginx or apache is your new front-end webserver running on the default http ports (80, 443), you have to set up websockify to listen on a local address with a port different than 80 or 443.
Otherwise, you will have a port conflict and one of the two applications (websockify or nginx/apache) won't start.

Note:
It seems that Mumble or Murmur (your backend application to which you want to connect via websockify) only accepts SSL connections.
If this is the case, you must specify the --ssl-target option for websockify to make the connection to your backend application work.
However, if you use an additional front-end webserver like nginx which handles SSL, you at least can do SSL termination between nginx and websockify and disable SSL at websockify.
But the --ssl-target option would still be necessary.

Last edited by flortsch (2018-11-12 10:15:47)

Offline

#9 2018-11-12 17:45:36

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,167

Re: Doing a reverse proxy with websockify over https port 443

With

 ProxyPass /mumble-web /mumble-web 

apache complains that URL must be absolute. 
I think apache must be trying to reverse proxy a page coming from the websockify port into http as an html page.  But the websockify port would be the port that mumble-web is using to forward socket from the end point server.



Offline

#10 2018-11-12 18:05:55

flortsch
Member
From: Linz, Austria
Registered: 2015-07-21
Posts: 33
Website

Re: Doing a reverse proxy with websockify over https port 443

As I said, try a standalone setup first (only websockify, no nginx/apache), then look at my hints and the given nginx instructions of the project's readme to get a running setup with a front-end proxy.
If this does not work, then please report exactly which steps you did and what the actual error is.
If it works, you can still exchange nginx with any front-end server that you like and that supports websocket proxying.
But you won't be successful if you start with the most-complex setup first and try arbitrary configuration directives without understanding them (as it seems to me).

Last edited by flortsch (2018-11-12 18:13:39)

Offline

#11 2018-11-13 07:23:33

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,167

Re: Doing a reverse proxy with websockify over https port 443

flortsch wrote:

As I said, try a standalone setup first (only websockify, no nginx/apache), then look at my hints and the given nginx instructions of the project's readme to get a running setup with a front-end proxy.
If this does not work, then please report exactly which steps you did and what the actual error is.
If it works, you can still exchange nginx with any front-end server that you like and that supports websocket proxying.
But you won't be successful if you start with the most-complex setup first and try arbitrary configuration directives without understanding them (as it seems to me).

Ok so this line

websockify --cert=mycert.crt --key=mykey.key --ssl-only --ssl-target --web=path/to/dist 443 server:port

is the important line to do that.  Now that would satisfy doing all transactions on the website through https, which is fine.  However, there is no interpreter for php for wordpress doing it this way.  Even the webservers (apache or nginx have to have the php included in order for it to process those pages).  So now I need to figure out how to make this work so that the php pages will work and mumble-web will also work through 443.  So websockify was using the same port for webpages as the websocket...neat!
But since websockify could serve both pages I would have to make a proxypass for both and disable apache's ssl to do that?  Websockify would be serving the ssl/tls/certs instead of apache.   (Same outcome by commenting out httpd-ssl.conf in apache, and allowing websockify to take over 443, websockify takes over the serving of pages and apache does nothing in this configuration, not even php).

Last edited by nomorewindows (2018-11-13 14:34:56)



Offline

#12 2018-11-13 13:36:01

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,167

Re: Doing a reverse proxy with websockify over https port 443

I wonder if this provides websockify in nginx without using python-websockify:
https://github.com/tg123/websockify-nginx-module



Offline

#13 2018-11-13 21:18:49

flortsch
Member
From: Linz, Austria
Registered: 2015-07-21
Posts: 33
Website

Re: Doing a reverse proxy with websockify over https port 443

nomorewindows wrote:

Now that would satisfy doing all transactions on the website through https, which is fine.  However, there is no interpreter for php for wordpress doing it this way.  Even the webservers (apache or nginx have to have the php included in order for it to process those pages).  So now I need to figure out how to make this work so that the php pages will work and mumble-web will also work through 443.

Exactly, so now you have to set up nginx or apache as webserver in front of websockify.
So the web server runs on the default http ports (80 / 443), and whenever it gets a PHP request, it forwards the request to a corresponding PHP handler (e.g. php-fpm), or when it gets requests for mumble-web, it forwards the requests to websockify.

nomorewindows wrote:

So websockify was using the same port for webpages as the websocket...neat!

Right, so websockify was listening on port 443, and your nginx / apache web server also did.
This is a port conflict, two applications can not listen at the same port on the same network device.

nomorewindows wrote:

But since websockify could serve both pages I would have to make a proxypass for both and disable apache's ssl to do that?  Websockify would be serving the ssl/tls/certs instead of apache.   (Same outcome by commenting out httpd-ssl.conf in apache, and allowing websockify to take over 443, websockify takes over the serving of pages and apache does nothing in this configuration, not even php).

Maybe, in theory. But websockify was not made for this purpose. Its main purpose is to proxy websocket requests to tcp/ip.
That's why nginx / apache should be used at the front-end.
Which means, nginx / apache runs on port 80 / 443 and proxies requests for your mumble-web application to websockify, which runs on a port different than 80 / 443.
In this scenario, nginx / apache can also handle PHP or other type of requests and process or proxy them accordingly.

Offline

#14 2018-11-13 21:21:55

flortsch
Member
From: Linz, Austria
Registered: 2015-07-21
Posts: 33
Website

Re: Doing a reverse proxy with websockify over https port 443

nomorewindows wrote:

I wonder if this provides websockify in nginx without using python-websockify:
https://github.com/tg123/websockify-nginx-module

Don't use that. It seems old and outdated. Recent nginx versions support websocket proxying out of the box. So you just have to run websockify beside nginx and do regular reverse proxying.

Offline

#15 2018-11-13 21:56:22

flortsch
Member
From: Linz, Austria
Registered: 2015-07-21
Posts: 33
Website

Re: Doing a reverse proxy with websockify over https port 443

So you could start websockify by running the following command:

websockify --ssl-target 127.0.0.1:30300 127.0.0.1:64738

This starts websockify locally on port 30300, proxying requests to the mumble server, which also listens locally on default port 64738.
The --ssl-target option seems to be needed here.
As I read it in some issues of mumble-web, the mumble server or murmur seems to be running only in ssl mode.
So with this option, you specify that websockify opens an ssl connection when it forwards requests to your mumble server.

Now, websockify is ready and you can now set up a front-end web server which does the reverse proxying.
Note that websockify does not need SSL certificates here.
The front-end web server will handle this, and it will terminate SSL when it forwards the requests to websockify.
The web server setup now depends on which web server you like (apache seems to need the mod_proxy_wstunnel enabled), and on which URLs you want to make the application available.

Offline
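
Added example, not part of the post above or of the mumble-web project: a check that the layout described in #8 and #15 is actually in place, i.e. a front-end listener on 443 and websockify bound to loopback only, so a browser can only reach it through the reverse proxy. The function name `audit_listeners` is hypothetical, the `ss -H -ltn` sample lines are constructed, and ports 30300 and 64738 are the ones used in #15.

```shell
#!/bin/sh
# Added example (not from the thread): audit listening sockets for the layout
# discussed here. Reads `ss -H -ltn` lines on stdin; $1 is the websockify port.
audit_listeners() {
    awk -v ws="$1" '
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)       # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
            if (port == "443") front = 1
            if (port == ws) {
                seen = 1
                # Anything other than 127.x.x.x or [::1] is reachable off-host.
                if (host !~ /^127\./ && host != "[::1]") {
                    print "EXPOSED websockify listener on " addr
                    bad = 1
                }
            }
        }
        END {
            if (ws == "443") { print "CONFLICT websockify must not take 443"; bad = 1 }
            if (!front)      { print "MISSING no front-end listener on 443"; bad = 1 }
            if (!seen)       { print "MISSING no listener on port " ws; bad = 1 }
            if (!bad)        print "OK front end on 443, websockify on loopback only"
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: web server on 443, websockify on 127.0.0.1:30300,
# murmur on its default port 64738.
GOOD_LAYOUT='LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      100        127.0.0.1:30300      0.0.0.0:*
LISTEN 0      128          0.0.0.0:64738      0.0.0.0:*'

# Constructed sample: same host, but websockify is bound to every interface,
# so clients can bypass 443 and talk to it without TLS.
BAD_LAYOUT='LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      100          0.0.0.0:30300      0.0.0.0:*
LISTEN 0      128          0.0.0.0:64738      0.0.0.0:*'

printf '%s\n' "$GOOD_LAYOUT" | audit_listeners 30300
printf '%s\n' "$BAD_LAYOUT"  | audit_listeners 30300 || true

# On a live host: ss -H -ltn | audit_listeners 30300
```

If the audit passes and tcpdump still shows client traffic on the websockify port, the capture is most likely seeing the proxy-to-websockify hop on the loopback interface rather than the client connection.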

#16 2018-11-14 06:51:06

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,167

Re: Doing a reverse proxy with websockify over https port 443

I had my apache already set up to run php and wordpress, along with mariadb, so I had that set up some time ago.  And apache was serving up the mumble-web page along with everything else. 
And I had websockify set up on one port for the end port and to do that part wouldn't require the reverse proxy.  Of course the mumble server would be available directly through its standard port using well known mumble applications.

I think I had to do --cert and --key on websockify because mumble-web would give a failed connection, error: object event. (Seems to not have a verbiage for the actual error just that something should be printed there.)  That would most likely be mumble-web and not websockify.

It looks like the guy running mumble-web on http://mumble,madirc.net can do that on 443, because that's probably all that's on there. So he could practically run it on websockify, but it appears he has it running through apache.

I thought that I had read that apache was capable of running multiple servers from multiple places through <VirtualServer> and I probably assumed it would just serve it back through the listening port just like websockify is able to do (except I think websockify only does it on 80/443 and not any other port).  Websockify probably adds another link in the chain and it more or less goes through the websockify port instead of through 443.  The only thing is if I were to try it from a coffee shop, the only available ports to try to get through would be 80/443 and maybe 8080, 8448, or something similar, but that would vary based on coffee shop/firewall.



Offline

#17 Yesterday 06:16:40

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,167

Re: Doing a reverse proxy with websockify over https port 443

Might be useful, but possibly too old to be...
https://stackoverflow.com/questions/114 … ith-apache
HAProxy may also be a possibility.

Last edited by nomorewindows (Yesterday 06:39:02)



Offline

#18 Yesterday 14:22:43

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,167

Re: Doing a reverse proxy with websockify over https port 443



Offline

#19 Today 04:56:44

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,167

Re: Doing a reverse proxy with websockify over https port 443

Even if I hand my wordpress page off through a reverse proxy back to apache, some parts of the page end up missing.
https://blog.virtualzone.de/2016/08/how … httpd.html
test.php consisting of:

<?php phpinfo(); ?>

works, so it is handing off to apache for it to process the php.

Last edited by nomorewindows (Today 04:59:58)



Offline
