ryanb / private_pub

Handle pub/sub messaging through private channels in Rails using Faye.
MIT License
864 stars 228 forks

Behind a proxy #58

Open janhuehne opened 12 years ago

janhuehne commented 12 years ago

Hi Ryan, I am using PrivatePub in one of my projects.

Here is my setup: Production server:

Here is a snippet of my apache vhost file:

<VirtualHost *:443>
  ServerName ***

  SSLEngine on
  SSLCertificateKeyFile /etc/apache2/ssl-certs/***.key
  SSLCertificateFile /etc/apache2/ssl-certs/***/certnew_base64.cer

  DocumentRoot /var/webapps/***/public

  ProxyPreserveHost On
  ProxyPass /faye http://127.0.0.1:9292
  ProxyPassReverse /faye http://127.0.0.1:9292

  RailsEnv production

  <Directory /var/webapps/***/current/public>
    AllowOverride all
    Options -MultiViews
  </Directory>

  ErrorLog /var/log/apache2/www.***-error.log
</VirtualHost>

It is possible to connect to the faye server over the browser (https://_/faye and https://_/faye/faye.js).

But I cannot publish anything to the faye server from my rails app. How is it possible for the rails app to connect to the faye server directly (not over the proxy)? There are no port restrictions in the internal network (in this example: localhost).

Summary: All traffic from a browser should be routed to the proxy server to faye and all application stuff should call faye directly.

antek-drzewiecki commented 12 years ago

Hey mate,

I doubt you want to use Apache and Passenger for faye requests. First, because Apache doesn't really support web-sockets, so this proxy solution won't really work. I think you really would like the following solution:

1) Add an extra IP to your machine.
2) Set up a DNS record, for example http://faye.example.com, with your new IP.
3) Run Faye with the thin server under port 9292.
4) Forward your iptables (new ip):80 or (new ip):443 to 127.0.0.1:9292
5) faye should be accessible through http://faye.example.com/faye.js or something....

Tell me how it went :)

jpawlowski commented 11 years ago

Is this still valid? I would have the same situation and would like to avoid using an additional port (which is also not encrypted by default).

jpawlowski commented 11 years ago

Would this be an option? https://github.com/disconnect/apache-websocket

jpawlowski commented 11 years ago

I am using Pound as a reverse proxy middleware now.