chobits / ngx_http_proxy_connect_module

A forward proxy module for CONNECT request handling
BSD 2-Clause "Simplified" License

Does it support wss proxy? #267

Closed weiwuduzui closed 11 months ago

weiwuduzui commented 1 year ago

May I ask whether the forward proxy of websocket is currently supported, and if so, how to configure it?

chobits commented 1 year ago

May I ask whether the forward proxy of websocket is currently supported, and if so, how to configure it?

The configuration for the proxy_connect module is the same for both HTTPS and WebSockets. It does not parse the data flow over the CONNECT tunnel, so the protocol used does not matter. However, you must ensure that your client can establish a CONNECT tunnel and then send WebSocket data through that tunnel.

weiwuduzui commented 1 year ago

I am using openresty 1.24.1 with proxy_connect_rewrite_102101.patch

When I access the wss service, the following error occurs

wscat -c wss://stream.binance.com:9443/ws --proxy https://xxx.xxx.com:443 error: write EPROTO 140704539743040:error:14094460:SSL routines:ssl3_read_bytes:reason(1120):ssl/record/rec_layer_s3.c:1563:SSL alert number 120

My openresty configuration is as follows:

    server {
        listen         443 ssl;

        # self signed certificate generated via openssl command
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate_key            /opt/server.key;
        ssl_certificate                /opt/server.crt;
        ssl_session_cache              shared:SSL:1m;

        # dns resolver used by forward proxying
        resolver                       8.8.8.8;

        # forward proxy for CONNECT request
        proxy_connect;
        proxy_connect_allow            443 563;
        proxy_connect_connect_timeout  10s;
        proxy_connect_data_timeout     100000s;

        # forward proxy for non-CONNECT request
        location / {
            proxy_pass http://$host;
            proxy_set_header Host $host;
        }
    }

chobits commented 1 year ago

hi, after some tests of wscat.

1. websocket + CONNECT tunnel without SSL

    resolver 223.5.5.5;

    server {
        listen 8888;

        proxy_connect;
        proxy_connect_allow all;
        proxy_connect_connect_timeout 10s;
        proxy_connect_data_timeout 100000s;

        location / {
            proxy_pass http://$host;
            proxy_set_header Host $host;
        }

    }

$ wscat -c ws://websocket-echo.com --proxy http://localhost:8888 -n
Connected (press CTRL+C to quit)
> hello 
< hello
> world
< world


2. websocket + CONNECT tunnel under SSL

  1. It cannot make the wscat client work under a CONNECT tunnel over HTTPS; I suspect there is a problem with wscat's ALPN implementation. However, I successfully established a WebSocket connection using the openssl client. nginx config:

    server {
        listen 8443 ssl;
        error_log logs/8443.log debug;
        ssl_certificate_key     /opt/nginx/server.key;
        ssl_certificate         /opt/nginx/server.crt;
        ssl_session_cache       shared:SSL:1m;

        ssl_protocols SSLv2 SSLv3 TLSv1.1 TLSv1.2;

        proxy_connect;
        proxy_connect_allow all;
        proxy_connect_connect_timeout 10s;
        proxy_connect_data_timeout 100000s;

        location / {
            proxy_pass http://$host;
            proxy_set_header Host $host;
        }
    }

$ wscat -c ws://websocket-echo.com --proxy https://localhost:8443 -n
error: write EPROTO 139656494663488:error:14094460:SSL routines:ssl3_read_bytes:reason(1120):../ssl/record/rec_layer_s3.c:1543:SSL alert number 120

nginx error log:
2023/06/04 15:44:10 [info] 6011#0: *13 SSL_do_handshake() failed (SSL: error:142320EB:SSL routines:tls_handle_alpn:no application protocol) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:8443

openssl s_client output:
$ openssl s_client -connect localhost:8443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
---
Certificate chain
 0 s:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
   i:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd

issuer=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1430 bytes and written 376 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: B5C90301DE84FF967783B61C1060087D254A365708F07606FA12422455E92D37
    Session-ID-ctx:
    Master-Key: 9BAF6BB6B2D7DAD6C8C07F926AC685B30EC455BC5BD26F96F78FE9FB1105E31CD485F88BE67A2B18CBDB2E174AFC899E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 17 6c 26 54 9d 64 b3 61-28 05 f8 12 ad c6 dd a1   .l&T.d.a(.......
    0010 - cd 99 c4 72 3b 07 94 26-7f 4b 7a 02 59 fd 71 62   ...r;..&.Kz.Y.qb
    0020 - 7e 3d 41 e5 1a e5 43 ed-06 35 4b 7c 14 69 50 22   ~=A...C..5K|.iP"
    0030 - d1 3d 2b 25 c3 0e ef 7c-46 8a a7 b3 18 18 2b e9   .=+%...|F.....+.
    0040 - b6 65 a9 51 59 fb cb c7-93 b3 be 0c 4f 0d 1f 3b   .e.QY.......O..;
    0050 - b6 ba a5 aa 45 9e c9 a3-65 1a 19 08 38 fa 5d fb   ....E...e...8.].
    0060 - 5b 38 19 7d bc f9 83 55-e3 99 24 3b bb 8d cb ed   [8.}...U..$;....
    0070 - 44 29 c4 53 1e 9c 9b 84-c9 de c8 68 da e7 89 f1   D).S.......h....
    0080 - 7e 3c 2c a0 b9 36 f8 78-d6 28 ef bb 6e 72 e8 9f   ~<,..6.x.(..nr..
    0090 - 99 d8 62 09 0e 18 a7 22-ff 99 6b b6 dd a3 d0 86   ..b...."..k.....
    00a0 - 77 9b dd e0 b8 45 1b 4d-de ed 4e 05 5b c4 e6 6b   w....E.M..N.[..k

    Start Time: 1685864736
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
CONNECT websocket-echo.com:80 HTTP/1.1
Host: websocket-echo.com
Connection: close

HTTP/1.1 200 Connection Established
Proxy-agent: nginx

GET / HTTP/1.1
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: UWMvGS6cb+71E0wkkeWbNw==
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Host: websocket-echo.com

HTTP/1.1 101 Switching Protocols
Server: nginx
Date: Sun, 04 Jun 2023 07:39:33 GMT
Connection: upgrade
Upgrade: websocket
Sec-WebSocket-Accept: wy5BrygNs8D8jvfriorgah2hgFg=

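The two-step flow chobits describes (open a CONNECT tunnel to the proxy, then run the WebSocket handshake through it) is exactly what the manual openssl s_client session above shows. Below is an added example, not code from this thread or from the module, that does the same thing programmatically and also checks the origin's Sec-WebSocket-Accept against the RFC 6455 derivation (SHA-1 of key + GUID, base64-encoded). The helper names (build_connect_request, upgrade_ok, websocket_over_tls_proxy, etc.) are my own; the sample responses embedded in it are copied from the exchange captured above and are used only as offline test input.

```python
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed handshake GUID from RFC 6455

# Constructed samples: the responses captured in the openssl s_client session above.
SAMPLE_CONNECT_OK = b"HTTP/1.1 200 Connection Established\r\nProxy-agent: nginx\r\n\r\n"
SAMPLE_KEY = "UWMvGS6cb+71E0wkkeWbNw=="
SAMPLE_UPGRADE_OK = (
    b"HTTP/1.1 101 Switching Protocols\r\nServer: nginx\r\n"
    b"Date: Sun, 04 Jun 2023 07:39:33 GMT\r\nConnection: upgrade\r\nUpgrade: websocket\r\n"
    b"Sec-WebSocket-Accept: wy5BrygNs8D8jvfriorgah2hgFg=\r\n\r\n"
)


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request sent to the forward proxy to open a raw tunnel to host:port."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def build_ws_upgrade(host: str, path: str, key: str) -> bytes:
    """HTTP/1.1 Upgrade request sent *inside* the tunnel; the proxy never parses it."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: Upgrade\r\n"
        "Upgrade: websocket\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        f"Sec-WebSocket-Key: {key}\r\n\r\n"
    ).encode("ascii")


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept the origin must return for this key (RFC 6455, section 4.2.2)."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_http_head(raw: bytes):
    """Split a response head into (status_code, {lower-cased header name: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def tunnel_established(raw: bytes) -> bool:
    """True only for a 2xx reply to CONNECT; e.g. 403 from a disallowed port is a failure."""
    status, _ = parse_http_head(raw)
    return 200 <= status < 300


def upgrade_ok(raw: bytes, key: str) -> bool:
    """Validate the 101 response: Upgrade/Connection headers and the derived Accept value."""
    status, h = parse_http_head(raw)
    return (
        status == 101
        and h.get("upgrade", "").lower() == "websocket"
        and "upgrade" in h.get("connection", "").lower()
        and h.get("sec-websocket-accept") == expected_accept(key)
    )


def read_head(sock) -> bytes:
    """Read until the blank line that ends an HTTP response head."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def websocket_over_tls_proxy(proxy_host, proxy_port, target_host, target_port,
                             path="/", cafile=None, alpn=None):
    """TLS to the proxy, CONNECT through it, then the WebSocket handshake with the origin.
    Returns the established socket; raises on either step failing. (Live network call.)"""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: the proxy's (self-signed) cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if alpn:
        # Offering only protocols the proxy will not accept reproduces the
        # "no application protocol" alert seen in the nginx log above.
        ctx.set_alpn_protocols(alpn)
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    sock = ctx.wrap_socket(socket.create_connection((proxy_host, proxy_port)),
                           server_hostname=proxy_host)
    sock.sendall(build_connect_request(target_host, target_port))
    if not tunnel_established(read_head(sock)):
        raise ConnectionError("proxy refused CONNECT tunnel")
    sock.sendall(build_ws_upgrade(target_host, path, key))
    if not upgrade_ok(read_head(sock), key):
        raise ConnectionError("origin did not complete WebSocket upgrade")
    return sock
```

Two caveats when reading the configs in this thread against this client: the first config's `proxy_connect_allow 443 563` would make the proxy refuse a CONNECT to stream.binance.com:9443 even after the TLS handshake with the proxy succeeds (the port is not in the allow list), which `tunnel_established` reports as a failure rather than silently continuing; and both configs enable legacy protocol versions and, in the first, RC4/3DES ciphers, which a forward proxy exposed to clients should not offer, so the example pins the client to TLS 1.2 or newer.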