2

I am using Ratchet to implement a WebSockets-based application in PHP, and I am successful in doing that if I am in http mode (ws).

I am not able to do the same if I switch to https. It shows connection timed out, and I even tried in telnet and I don't see any response on the server terminal side (showing client connected).

1) I am using wss instead of ws

var conn = new WebSocket('wss://www.mysite.com:8080/wss2');

where I have set wss2 according to this answer: php ratchet websocket SSL connect? (I have added the ProxyPass line to my Apache config file)

2) I loaded all necessary apache modules

[0] => core
[1] => mod_so
[2] => mod_watchdog
[3] => http_core
[4] => mod_log_config
[5] => mod_logio
[6] => mod_version
[7] => mod_unixd
[8] => mod_access_compat
[9] => mod_alias
[10] => mod_auth_basic
[11] => mod_authn_core
[12] => mod_authn_file
[13] => mod_authz_core
[14] => mod_authz_host
[15] => mod_authz_user
[16] => mod_autoindex
[17] => mod_deflate
[18] => mod_dir
[19] => mod_env
[20] => mod_filter
[21] => mod_headers
[22] => mod_mime
[23] => prefork
[24] => mod_negotiation
[25] => mod_php5
[26] => mod_proxy
[27] => mod_proxy_ajp
[28] => mod_proxy_balancer
[29] => mod_proxy_connect
[30] => mod_proxy_html
[31] => mod_proxy_http
[32] => mod_proxy_wstunnel
[33] => mod_rewrite
[34] => mod_setenvif
[35] => mod_slotmem_shm
[36] => mod_socache_shmcb
[37] => mod_ssl
[38] => mod_status

3) I did restart the apache server

4) My server does not work if I add this to the config:

Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine On

# Set the path to SSL certificate
# Usage: SSLCertificateFile /path/to/cert.pem
SSLCertificateFile /etc/apache2/ssl/file.pem


# Servers to proxy the connection, or;
# List of application servers:
# Usage:
# ProxyPass / http://[IP Addr.]:[port]/
# ProxyPassReverse / http://[IP Addr.]:[port]/
# Example: 
ProxyPass / http://0.0.0.0:8080/
ProxyPassReverse / http://0.0.0.0:8080/

# Or, balance the load:
# ProxyPass / balancer://balancer_cluster_name

The error I have in my logs if I add this:

[Sat Dec 26 02:14:11.534788 2015] [core:info] [pid 5728] AH00096: removed PID file /var/run/apache2/apache2.pid (pid=5728)
[Sat Dec 26 02:14:11.534857 2015] [mpm_prefork:notice] [pid 5728] AH00169: caught SIGTERM, shutting down
[Sat Dec 26 02:14:12.630024 2015] [ssl:info] [pid 6194] AH01887: Init: Initializing (virtual) servers for SSL
[Sat Dec 26 02:14:12.630047 2015] [ssl:info] [pid 6194] AH01914: Configuring server 127.0.1.1:443 for SSL protocol
[Sat Dec 26 02:14:12.630352 2015] [ssl:warn] [pid 6194] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name

Source: https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension

I did specify the source of the certificate file (cert.pem) which I got from letsencrypt

Source: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

Note: HTTPS works in my server

What should I do now? I just want websockets to work over HTTPS.

I am using Ubuntu 14.10, Apache 2.4.1 installed

My current config file:

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com


    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ProxyPass /wss2/ ws://www.mysite.com:8080/  #Removed this line now
    ProxyPass /wss2/ wss://www.mysite.com:8080/

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Thanks in advance.

Vignesh T.V.

2 Answers

5

I figured it out after a long struggle myself.

In the file "/etc/apache2/mods-enabled/proxy_wstunnel.load" add this line (with your own name and port). 8000 is the port on which my websocket server is running.

ProxyPass "/websocket"  "ws://localhost:8000/"

Restart apache server.

Then during connection use the URL like this:

socket = new WebSocket("wss://www.xyz.com/websocket"); 

where xyz.com points to your localhost.

That's it. If you want to enable the respective modules, use Apache's a2enmod.

Vignesh T.V.
  • This holds true. Thanks for sharing. – norrin Sep 11 '17 at 08:17
  • For me, it was important NOT to have a trailing `/` on the route for `ProxyPass`, and also to specify `ProxyPassReverse` to the same location. Also I did this without quotes and inside the vhost instead of the `.load` file. Otherwise thanks for the answer! – frumbert Oct 22 '17 at 23:14
1

You need an additional ProxyPass line where the 2nd argument is a wss:// URL, as in the basic example for mod_proxy_wstunnel:

https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html

covener
  • Thanks for the reply. I added that too now but still it does not work. I updated my question now with the current config file I have. Any ideas what I may be doing wrong? – Vignesh T.V. Dec 25 '15 at 21:20
  • your added lines -- they both go to the same port. That port is likely http. You need to decide if you want ws or wss between apache and the backend, and make sure the protocol matches the port. Either way, you don't want two entries. If it continues to fail, you'll need trace8 logging for e.g. mod_proxy and mod_proxy_wstunnel to debug it. – covener Dec 25 '15 at 21:22
  • Sorry for bothering you again. I removed the ws line from the config since I am going to be forcing only HTTPS and restarted the server but still the same thing. I am not sure how to trace the logs by mod_proxy and mod_proxy_wstunnel. I will have to research on that. Anything else I can do? – Vignesh T.V. Dec 25 '15 at 21:28
  • I doubt your backend speaks SSL on port 8080, why wss:// and port 8080 together? – covener Dec 25 '15 at 21:31
  • Your webserver has an error_log or error.log. In your vhost, add `LogLevel debug proxy_module:trace8 proxy_wstunnel_module:trace8` and recreate the issue, then check your error_log. – covener Dec 25 '15 at 21:32
  • I have configured SSL on port 443, so should I be using `ProxyPass /wss2/ wss://www.mysite.com:443`? I used 8080 just because I am running the websocket server on port 8080 (not SSL). And regarding the logs, I will check (I am still figuring it out). Thanks – Vignesh T.V. Dec 25 '15 at 21:37
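
The arrangement both answers point to, written out as an added example (not code from the question or from either answer): Apache terminates TLS on 443 and tunnels to a backend that speaks plain ws, with the scheme/port mismatch from the question kept as a commented-out line for comparison. The hostname, certificate paths and the loopback bind of the backend are assumptions.

```apache
# Added example. www.example.com, the certificate paths and the backend
# address are placeholders/assumptions, not values from the thread.
# Requires mod_ssl, mod_proxy and mod_proxy_wstunnel (enable with a2enmod).

<VirtualHost *:443>
    ServerName www.example.com

    # TLS ends at Apache. Browsers connect on the normal HTTPS port:
    #   new WebSocket("wss://www.example.com/wss2/")
    # not wss://host:8080, which would bypass Apache and hit the
    # plaintext backend directly.
    SSLEngine on
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Mismatch from the question: wss:// makes Apache attempt a TLS
    # handshake with a backend port that only speaks plain ws.
    # ProxyPass /wss2/ wss://www.mysite.com:8080/

    # Scheme matches what the backend actually speaks. The rule lives in
    # the :443 vhost because that is where wss:// requests arrive; a rule
    # in the :80 vhost never sees them.
    # Assumption: the WebSocket server is bound to 127.0.0.1:8080, so the
    # unencrypted hop stays on the loopback interface.
    ProxyPass /wss2/ ws://127.0.0.1:8080/

    # Per-module tracing as suggested in the comments above. Very verbose;
    # drop back to the default level once the tunnel works.
    LogLevel debug proxy_module:trace8 proxy_wstunnel_module:trace8

    ErrorLog  ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

Run `apachectl configtest` before restarting; if port 8080 is also reachable from outside, firewall it or rebind the backend so clients can only reach it through the TLS vhost.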