使用 Apache 反向代理通过 SSL 的 WebSocket
WebSocket through SSL with Apache reverse proxy
在客户端,我正在尝试建立 wss 连接:
var ws = new WebSocket("wss://wsserver.com/test")
它 returns 一个错误:
WebSocket connection to 'wss://wsserver.com/test' failed: Error during WebSocket handshake: Unexpected response code: 400
完整的 headers 是:
请求Headers
GET wss://wsserver.com/test HTTP/1.1
Host: wsserver.com
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Origin: https://website.net
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Sec-WebSocket-Key: Tj9AJ5TKglNf5LoHsQTpvQ==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
回复Headers
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:https://website.net
Connection:close
Content-Length:18
Content-Type:text/plain; charset=utf-8
Date:Fri, 21 Apr 2017 21:03:45 GMT
Server:Apache/2.4.18 (Ubuntu)
Vary:Origin
X-Content-Type-Options:nosniff
服务器端 运行 在 Apache 反向代理后面的端口 8888 上运行。这是 Apache 配置:
<VirtualHost *:443>
ServerName website.com
ProxyPreserveHost On
ProxyRequests Off
ProxyPass "/" "wss://localhost:8888/"
mod_proxy 和 mod_proxy_wstunnel 已安装。
这里是不是少了什么?看起来请求通过了,但没有建立连接。
我最终通过对虚拟主机使用此配置解决了这个问题,它使用 HTTP headers:
过滤请求
<VirtualHost *:443>
ServerName website.com
RewriteEngine On
# When Upgrade:websocket header is present, redirect to ws
# Using NC flag (case-insensitive) as some browsers will pass Websocket
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule ^/ws/(.*) wss://localhost:8888/ws/ [P,L]
# All other requests go to http
ProxyPass "/" "http://localhost:8888/"
我将此作为参考,以防对其他人有帮助
@pimgeek 的评论:
我认为不是
RewriteRule ^/nodered/comms wss://localhost:1880/nodered/comms [P,L]
您本可以按以下方式使用 1 美元:
RewriteRule ^/nodered/comms$ wss://localhost:1880/ [P,L]
此外,这也应该有效:
RewriteRule ^/nodered/comms$ wss://localhost:1880 [P,L]
注意端口后面不需要的 /,因为 $1 开头已经包含一个 /
在我的情况下,我需要激活 "SSLProxyEngine on" 才能使整个事情正常进行...
我最终在 Debian / Apache 2.4 上得到了这 2 行解决方案(使用的端口是 4321)
SSLProxyEngine on
ProxyPass /wss wss://127.0.0.1:4321/
这是我的虚拟主机设置,对我有用,我在 docker 上安装了 .netcore 应用程序,并将 SignalR 作为 websocket 服务。
在 5000 我的 .netcore 应用是 运行,在 /chatHub 我的 signalR 监听。
对以后遇到同样问题的人有帮助。
<IfModule mod_ssl.c>
<VirtualHost *:443>
RewriteEngine On
ProxyPreserveHost On
ProxyRequests Off
# allow for upgrading to websockets
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:5000/ [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://localhost:5000/ [P,L]
ProxyPass "/" "http://localhost:5000/"
ProxyPassReverse "/" "http://localhost:5000/"
ProxyPass "/chatHub" "ws://localhost:5000/chatHub"
ProxyPassReverse "/chatHub" "ws://localhost:5000/chatHub"
ServerName site.com
SSLCertificateFile /etc/letsencrypt/live/site.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
来源:http://shyammakwana.me/server/websockets-with-apache-reverse-proxy-with-ssl.html
为了在不安全的 websocket 服务器前面放置一个安全的反向代理服务器,您可以这样做:
<VirtualHost *:443>
SSLEngine on
SSLProxyEngine on
SSLProtocol -all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:aNULL:eNULL:EXPORT:DES:RC4:!MD5:!PSK:!SRP:!CAMELLIA
SSLCertificateFile /path/to/cert
SSLCertificateKeyFile /path/to/key
SSLCertificateChainFile /path/to/chain
ServerName website.com
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:8888/ [P,L]
</VirtualHost>
这将接受 wss://website.com:443 的入站请求,并将其反向代理到 ws://localhost: 8888.
如果 websocket 服务器也是安全的,你可以简单地改变
ws://localhost:8888 到
wss://website.com:8888
在客户端,我正在尝试建立 wss 连接:
var ws = new WebSocket("wss://wsserver.com/test")
它 returns 一个错误:
WebSocket connection to 'wss://wsserver.com/test' failed: Error during WebSocket handshake: Unexpected response code: 400
完整的 headers 是:
请求Headers
GET wss://wsserver.com/test HTTP/1.1
Host: wsserver.com
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Origin: https://website.net
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Sec-WebSocket-Key: Tj9AJ5TKglNf5LoHsQTpvQ==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
回复Headers
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:https://website.net
Connection:close
Content-Length:18
Content-Type:text/plain; charset=utf-8
Date:Fri, 21 Apr 2017 21:03:45 GMT
Server:Apache/2.4.18 (Ubuntu)
Vary:Origin
X-Content-Type-Options:nosniff
服务器端 运行 在 Apache 反向代理后面的端口 8888 上运行。这是 Apache 配置:
<VirtualHost *:443>
ServerName website.com
ProxyPreserveHost On
ProxyRequests Off
ProxyPass "/" "wss://localhost:8888/"
mod_proxy 和 mod_proxy_wstunnel 已安装。
这里是不是少了什么?看起来请求通过了,但没有建立连接。
我最终通过对虚拟主机使用此配置解决了这个问题,它使用 HTTP headers:
过滤请求<VirtualHost *:443>
ServerName website.com
RewriteEngine On
# When Upgrade:websocket header is present, redirect to ws
# Using NC flag (case-insensitive) as some browsers will pass Websocket
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule ^/ws/(.*) wss://localhost:8888/ws/ [P,L]
# All other requests go to http
ProxyPass "/" "http://localhost:8888/"
我将此作为参考,以防对其他人有帮助
@pimgeek 的评论:
我认为不是
RewriteRule ^/nodered/comms wss://localhost:1880/nodered/comms [P,L]
您本可以按以下方式使用 1 美元:
RewriteRule ^/nodered/comms$ wss://localhost:1880/ [P,L]
此外,这也应该有效:
RewriteRule ^/nodered/comms$ wss://localhost:1880 [P,L]
注意端口后面不需要的 /,因为 $1 开头已经包含一个 /
在我的情况下,我需要激活 "SSLProxyEngine on" 才能使整个事情正常进行...
我最终在 Debian / Apache 2.4 上得到了这 2 行解决方案(使用的端口是 4321)
SSLProxyEngine on
ProxyPass /wss wss://127.0.0.1:4321/
这是我的虚拟主机设置,对我有用,我在 docker 上安装了 .netcore 应用程序,并将 SignalR 作为 websocket 服务。
在 5000 我的 .netcore 应用是 运行,在 /chatHub 我的 signalR 监听。
对以后遇到同样问题的人有帮助。
<IfModule mod_ssl.c>
<VirtualHost *:443>
RewriteEngine On
ProxyPreserveHost On
ProxyRequests Off
# allow for upgrading to websockets
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:5000/ [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://localhost:5000/ [P,L]
ProxyPass "/" "http://localhost:5000/"
ProxyPassReverse "/" "http://localhost:5000/"
ProxyPass "/chatHub" "ws://localhost:5000/chatHub"
ProxyPassReverse "/chatHub" "ws://localhost:5000/chatHub"
ServerName site.com
SSLCertificateFile /etc/letsencrypt/live/site.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
来源:http://shyammakwana.me/server/websockets-with-apache-reverse-proxy-with-ssl.html
为了在不安全的 websocket 服务器前面放置一个安全的反向代理服务器,您可以这样做:
<VirtualHost *:443>
SSLEngine on
SSLProxyEngine on
SSLProtocol -all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:aNULL:eNULL:EXPORT:DES:RC4:!MD5:!PSK:!SRP:!CAMELLIA
SSLCertificateFile /path/to/cert
SSLCertificateKeyFile /path/to/key
SSLCertificateChainFile /path/to/chain
ServerName website.com
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:8888/ [P,L]
</VirtualHost>
这将接受 wss://website.com:443 的入站请求,并将其反向代理到 ws://localhost: 8888.
如果 websocket 服务器也是安全的,你可以简单地改变 ws://localhost:8888 到 wss://website.com:8888