NGINX to reverse proxy websockets AND enable SSL wss

Question

I m so lost and new to building NGINX on my own but I want to be able to enable secure websockets without having an additional layer   I don t want to enable SSL on the websocket server itself but instead I want to use NGINX to add an SSL layer to the whole thing    Every web page out there says I can t do it  but I know I can  Thanks to whoever  myself  can show me how

User · Answer

If you want to add SSL in your test environment, then you can use mkcert. Below I mentioned the GitHub URL.
https://github.com/FiloSottile/mkcert
And also below I mentioned sample nginx configuration for reverse proxy.

server {
        listen 80;
        server_name test.local;
        return 301 https://test.local$request_uri;
}
server {
  listen 443 ssl;
  server_name test.local;
  ssl_certificate /etc/nginx/ssl/test.local.pem;
  ssl_certificate_key /etc/nginx/ssl/test.local-key.pem;

   location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Client-Verify SUCCESS;
      proxy_set_header Host $http_host;
      proxy_set_header X-NginX-Proxy true;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_pass http://localhost:3000;
      proxy_redirect off;
      proxy_buffering off;
    }
}

User · Answer

A good  concise article by Pankaj Malhotra discusses how to do this with NGINX and is available here   The basic NGINX configuration is reproduced below   map  http upgrade  connection upgrade       default upgrade         close     upstream appserver       server 192 168 100 10 9222    appserver ip ws port    server       listen 8888     client wss port      ssl on      ssl certificate  path to crt      ssl certificate key  path to key        location             proxy pass http   appserver          proxy http version 1 1          proxy set header Upgrade  http upgrade          proxy set header Connection  connection upgrade

User · Answer

Have no fear  because a brave group of Ops Programmers have solved the situation with a brand spanking new nginx tcp proxy module Written in August 2012  so if you are from the future you should do your homework  Prerequisites Assumes you are using CentOS   Remove current instance of NGINX  suggest using dev server for this  If possible  save your old NGINX config files so you can re-use them  that includes your init d nginx script  yum install pcre pcre-devel openssl openssl-devel and any other necessary libs for building NGINX Get the nginx tcp proxy module from GitHub here https   github com yaoweibin nginx tcp proxy module and remember the folder where you placed it  make sure it is not zipped   Build Your New NGINX Again  assumes CentOS   cd  usr local  wget  http   nginx org download nginx-1 2 1 tar gz  tar -xzvf nginx-1 2 1 tar gz cd nginx-1 2 1  patch -p1  lt   path to nginx tcp proxy module tcp patch   configure --add-module  path to nginx tcp proxy module --with-http ssl module  you can add more modules if you need them  make make install  Optional   sudo  sbin chkconfig nginx on  Set Up Nginx Remember to copy over your old configuration files first if you want to re-use them  Important  you will need to create a tcp    directive at the highest level in your conf  Make sure it is not inside your http    directive  The example config below shows a single upstream websocket server  and two proxies for both SSL and Non-SSL  tcp       upstream websockets              webbit websocket server in background         server 127 0 0 1 5501                      server 127 0 0 1 5502     add another server if you like           check interval 3000 rise 2 fall 5 timeout 1000                server           server name            listen 7070           timeout 43200000          websocket connect timeout 43200000          proxy connect timeout 43200000           so keepalive on          tcp nodelay on           websocket pass websockets          websocket buffer 1k             server           server name            listen 7080           ssl on          ssl certificate       path to cert pem          ssl certificate key   path to key key           timeout 43200000          websocket connect timeout 43200000          proxy connect timeout 43200000           so keepalive on          tcp nodelay on           websocket pass websockets          websocket buffer 1k

User · Answer

For me  it came down to the proxy pass location setting  I needed to change over to using the HTTPS protocol  and have a valid SSL certificate set up on the node server side of things  That way when I introduce an external node server  I only have to change the IP and everything else remains the same config   I hope this helps someone along the way    I was staring at the problem the whole time    sigh     map  http upgrade  connection upgrade       default upgrade              close    upstream nodeserver           server 127 0 0 1 8080    server           listen 443 default server ssl http2          listen      443 default server ssl http2 ipv6only on          server name mysite com          ssl certificate ssl site crt          ssl certificate key ssl site key          location  websocket    replace  websocket with the path required by your application                 proxy pass https   nodeserver                  proxy set header Upgrade  http upgrade                  proxy set header Connection  connection upgrade                  proxy http version 1 1                  proxy set header X-Forwarded-For  proxy add x forwarded for                  proxy set header Host  http host                  proxy intercept errors on                  proxy redirect off                  proxy cache bypass  http upgrade                  proxy set header X-Real-IP  remote addr                  proxy set header X-NginX-Proxy true                  proxy ssl session reuse off

User · Answer

Using nginx 1 14 0 i have a websocket-server running on port 8097 and users connect from to wss on port 8098  nginx just decrypts the content and forwards it to the websocket server So i have this config file  in my case  etc nginx conf d default conf  server       listen   8098          ssl on          ssl certificate       etc ssl certs domain crt          ssl certificate key   root domain key      location              proxy pass http   hostname 8097          proxy http version 1 1          proxy set header Upgrade  http upgrade          proxy set header Connection  quot upgrade quot           proxy read timeout 86400

User · Answer

Just to note that nginx has now support for Websockets on the release 1 3 13  Example of use   location  websocket         proxy pass  http   backend host      proxy http version 1 1      proxy set header Upgrade  http upgrade      proxy set header Connection  upgrade       proxy read timeout 86400       You can also check the nginx changelog and the WebSocket proxying documentation

User · Answer

for  net core 2 0 Nginx with SSL  location           redirect all HTTP traffic to localhost 8080     proxy pass http   localhost 8080      proxy set header X-Real-IP  remote addr      proxy set header Host  host      proxy set header X-Forwarded-For  proxy add x forwarded for         WebSocket support     proxy http version 1 1      proxy set header Upgrade  http upgrade      proxy set header Connection  http connection      This worked for me

User · Answer

This worked for me   location           redirect all HTTP traffic to localhost 8080     proxy pass http   localhost 8080      proxy set header X-Real-IP  remote addr      proxy set header Host  host      proxy set header X-Forwarded-For  proxy add x forwarded for         WebSocket support     proxy http version 1 1      proxy set header Upgrade  http upgrade      proxy set header Connection  upgrade       -- borrowed from  https   github com nicokaiser nginx-websocket-proxy blob df67cd92f71bfcb513b343beaa89cb33ab09fb05 simple-wss conf

[ssl] NGINX to reverse proxy websockets AND enable SSL (wss://)?

Examples related to ssl

Examples related to tcp

Examples related to proxy

Examples related to nginx

Examples related to mod-proxy