StackExchange / NetGain

A high performance websocket server library powering Stack Overflow.
MIT License

SSL #20

Open tjscience opened 6 years ago

tjscience commented 6 years ago

The website that I am using to connect to the socket server uses SSL. How can I do this?

mgravell commented 6 years ago

Good question. It isn't a design feature right now. We use haproxy to terminate SSL before the web-socket server. We are interested in playing with the TLS work that @drawaes has done for "pipelines", but that would be a radically different architecture, think "son of NetGain". So for now, your best bet AFAIK is: terminate ahead of the server.


tjscience commented 6 years ago

Ah, ok. I am on windows server so that may be a bit hard. Thanks for the info though.

mgravell commented 6 years ago

So are we :)


mgravell commented 6 years ago

Or rather, we use both.


tjscience commented 6 years ago

It would be great to understand how you did that! Btw, thanks for this library and so many others that you have open sourced. I am a huge user/proponent of Dapper and StackExchange.Redis :)

devMidgard commented 6 years ago

Hey @mgravell I've successfully set up haproxy to terminate SSL before the websocket server, but I have this problem where now my websocket server logs the IP address the proxy is bound to.

I've read that HAProxy can send a header to the websocket server containing the original, remote IP that made the request. But is there any way of reading the request headers with NetGain?

Do you log remote IP addresses on your websocket servers? How do you do so?

NickCraver commented 6 years ago

@devMidgard Unfortunately we don’t have this case - the volume of websocket traffic in play is too large to log reasonably, so it’s just not a case we hit. In our case, sockets are also secondary and admittedly not as critical to page function as other places.

yhydra commented 6 years ago

> Good question. It isn't a design feature right now. We use haproxy to terminate SSL before the web-socket server. We are interested in playing with the TLS work that @Drawaes has done for "pipelines", but that would be a radically different architecture, think "son of NetGain". So for now, your best bet AFAIK is: terminate ahead of the server.

Do you have a working example of how I can use HAProxy to terminate SSL and then forward to NetGain via websocket?

scotkershaw commented 6 years ago

> Good question. It isn't a design feature right now. We use haproxy to terminate SSL before the web-socket server. We are interested in playing with the TLS work that @Drawaes has done for "pipelines", but that would be a radically different architecture, think "son of NetGain". So for now, your best bet AFAIK is: terminate ahead of the server.

> Do you have a working example of how I can use HAProxy to terminate SSL and then forward to NetGain via websocket?

Here's the frontend/backend snippets for our HAProxy config to terminate SSL for our NetGain WSS connections. The backend port should match your NetGain WS port, whereas the frontend port can be anything you like (that's what the clients would connect to):

frontend websockets-ssl-in
    mode http
    log global
    # TLS is terminated here; clients connect to this port with wss://
    bind *:{{ PORT }} ssl crt /etc/ssl/mycert.pem alpn h2,http/1.1

    default_backend websocket_backend

backend websocket_backend
    mode http

    # fetch websocket headers
    acl hdr_connection_upgrade hdr(Connection)                 -i upgrade
    acl hdr_upgrade_websocket  hdr(Upgrade)                    -i websocket
    acl hdr_websocket_key      hdr_cnt(Sec-WebSocket-Key)      eq 1
    acl hdr_websocket_version  hdr_cnt(Sec-WebSocket-Version)  eq 1

    # deny the request if any websocket header is missing or invalid
    # (space-separated ACLs are AND-ed, so '||' is needed to reject when any single check fails)
    http-request deny if ! hdr_connection_upgrade || ! hdr_upgrade_websocket || ! hdr_websocket_key || ! hdr_websocket_version

    # plain (non-TLS) NetGain WS port; health check every 30s
    server my_ws_server {{ IP }}:{{ PORT }} weight 1 maxconn 30000 check inter 30s
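As an added example (not code from NetGain or from anyone in this thread), a Python model of the four ACL checks in the config above: it shows why the deny rule needs `||` between the negated ACLs, and also reads the original client address that HAProxy's `option forwardfor` places in X-Forwarded-For, which is the kind of information devMidgard asked about. The sample requests are constructed, and `option forwardfor` is assumed to be enabled on the backend.

```python
from typing import Dict, List, Optional
# Constructed sample handshakes (not captured traffic); X-Forwarded-For is what 'option forwardfor' adds.
VALID_UPGRADE = (
    "GET /socket HTTP/1.1\r\nHost: ws.example.test\r\n"
    "Connection: keep-alive, Upgrade\r\nUpgrade: websocket\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n\r\n"
)
# Same request with the key header dropped: not a valid handshake.
PARTIAL_UPGRADE = VALID_UPGRADE.replace("Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n", "")

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Lower-cased names, one list entry per occurrence (so hdr_cnt() can be mirrored)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def _hdr_has(headers: Dict[str, List[str]], name: str, token: str) -> bool:
    """hdr(<name>) -i <token>: case-insensitive match on each comma-separated value."""
    return any(v.strip().lower() == token for occ in headers.get(name, []) for v in occ.split(","))

def missing_websocket_headers(headers: Dict[str, List[str]]) -> List[str]:
    """The four ACLs from the HAProxy snippet; returns the names of those that fail."""
    checks = {
        "hdr_connection_upgrade": _hdr_has(headers, "connection", "upgrade"),
        "hdr_upgrade_websocket": _hdr_has(headers, "upgrade", "websocket"),
        "hdr_websocket_key": len(headers.get("sec-websocket-key", [])) == 1,
        "hdr_websocket_version": len(headers.get("sec-websocket-version", [])) == 1,
    }
    return [acl for acl, ok in checks.items() if not ok]

def deny_if_any_missing(headers: Dict[str, List[str]]) -> bool:
    """'deny if !a || !b || !c || !d': reject when any single check fails (the intended rule)."""
    return bool(missing_websocket_headers(headers))

def deny_if_all_missing(headers: Dict[str, List[str]]) -> bool:
    """'deny if !a !b !c !d' (space means AND): rejects only when every check fails."""
    return len(missing_websocket_headers(headers)) == 4

def client_ip(headers: Dict[str, List[str]], peer_is_trusted_proxy: bool) -> Optional[str]:
    """Original client address: the rightmost value of the last X-Forwarded-For occurrence
    is the one written by the nearest proxy, so use it only when the TCP peer is that proxy."""
    xff = headers.get("x-forwarded-for")
    if not peer_is_trusted_proxy or not xff:
        return None
    return xff[-1].split(",")[-1].strip()
```

Run the two deny functions over `PARTIAL_UPGRADE` to see the difference: the AND reading lets a request with no Sec-WebSocket-Key through, the OR reading rejects it.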