WSS and EXPRESS can share HTTP Port

[dsriseah]

As I look into supporting https on remote servers like Digital Ocean, I think the architecture looks like this:

• the node app can continue to just work as a localhost development environment for both websockets and appserving via express
• nginx can be configured to handle both https redirection of an http connection and secure websocket connection upgrading
• Websockets can also use the same port as another http server, so long as it has access to its instance and doesn't try to create its own. The standard is written to use the http protocol to initiate the connection, and then negotiate a different protocol other than http for efficiency if I am understanding this correctly.
• Lastly, multiple instances of our webapps can be handled by using nginx wildcard location definitions, though this creates some complexity in renewing our Lets Encrypt certificates. See wiki entry [[

Proof of Concept Steps

• [X] Get this single port thing to work
• [X] confirm it runs on Digital Ocean as regular http
• [X] add the websocket https upgrade code to express?
• [X] add the addition nginx location and relevant websocket upgrade to https headers
• [X] see if it works

Tests Passed

• [X] on local mac, ur net start (set to just run http) and just browse to localhost:8080 and see if the console shows messages working
• [X] on digital ocean remote ur net start after nginx proxying is set up...works
• [X] check that works on localhost

Bugs Fixed

• [X] Chrome client does not send "closing" websocket frame, which caused server not to remove clients from its message list by address. This required adding an beforeunload window event handler to call EP.disconnectAsClient() and also extend the NetSocket wrapper to accept a close() function.
• [X] This also was the cause of "messages not working when client reloads its page"
• [X] The netCall and netSend calls would reflect message invocation to itself, when this should only happen for netPing and netSignal.

Enhancements

• [X] a proof-of-concept utility to detect the locations in the nginx proxy location declarations to help the server show a list available locations.

[dsriseah]

TESTING on DIGITAL OCEAN

1. pull branch on digital ocean (DO) server
2. confirm that nginx is configured using an appropriate proxy definition file (see below)
3. open a terminal window on DO, browse to repo directory
4. npm ci
5. cd _ur
6. ur net start
7. on browser machines, open three different windows (use chrome, firefox) and open javascript consoles
8. browse to https://do-server/location (e.g. ursys.sri.xyz/app)...note this is https
9. In browser windows, reload each one in a row.
10. Check console for message CLIENT TEST UR_001 resolved with []. First window will return empty array, second window will return with {uaddr}, and third window will return with [ {uaddr}, {uaddr} ]
11. Try reloading one of the windows, which should work as an array with two elements
12. Also check the server's terminal output to detect that client connect/disconnect is working

NGINX EXAMPLE CONFIG

Described in Guide: Securing URSYS.

server {

    root /var/www/ursys_dsri_xyz/html;
    index index.html index.htm index.nginx-debian.html;

    server_name ursys.dsri.xyz ;

    location /app/ {
      proxy_pass http://127.0.0.1:8080/;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $server_name;
      proxy_read_timeout 7200;  # 2 hours
    }

    location / {
      try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/dsri.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/dsri.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {

    if ($host ~ ^[^.]+\.dsri\.xyz$) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = ursys.dsri.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name ursys.dsri.xyz ;
    return 404; # managed by Certbot

}

[dsriseah]

TESTING ON LOCAL DEV

The usual instructions apply:

1. pull branch locally
2. npm ci && cd _ur
3. ur net start
4. Follow steps 7 onward from TESTING ON DIGITAL OCEAN, substituting http://127.0.0.1:8080