jo-carter
commented
1 month ago @dsl400 The same behavior can be seen when using return directive and add_header in nginx, so this behavior isn't specific to njs.
Nginx only supports the proxying of websocket connections with proxy module, and not acting as a websocket server via other content handlers (such as js_content).
the goal is to accept the connection and send a known close status that can be received on the client and used as an indicator that the authentication failed.
Likely the best way to achieve this is is within the nginx configuration itself, without njs; simply proxy_pass to a different endpoint (an actual websocket server) if authentication fails - that endpoint should just complete websocket opening handshake and then send the closing frame.
You could of course fulfill the last part by writing a fake websocket server with stream js_filter if you aren't able to use anything other than nginx in your set up.
The TLDR is ... for some unknow reason my websocket client was receiving the full 400 html response and I could not do anything about it.
While I do understand that this is a very wild experiment I thought "y'all" should know
the following is my attempt at sending a "known close status" to a websocket request that was not accompanied by the correct authentication headers
how I ended up in this mess ? well, according to this post a websocket client does not have access to the underlying http connection and can not read the status.
the goal is to accept the connection and send a known close status that can be received on the client and used as an indicator that the authentication failed.
`function websocket_reject(r) { var key = r.headersIn['Sec-WebSocket-Key']; r.log('Received WebSocket key: ' + key);
}
export default { websocket_reject };`