WebSocket through SSL with Apache reverse proxy

In order to place a secure reverse proxy server in front of an insecure websocket server, you could do this:

<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    SSLProtocol -all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
    SSLCipherSuite HIGH:aNULL:eNULL:EXPORT:DES:RC4:!MD5:!PSK:!SRP:!CAMELLIA
    SSLCertificateFile /path/to/cert
    SSLCertificateKeyFile /path/to/key
    SSLCertificateChainFile /path/to/chain
    ServerName website.com
    
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)    ws://localhost:8888/$1 [P,L]
</VirtualHost>

This will take a request inbound for wss://website.com:443, and reverse proxy it to ws://localhost:8888.

If the websocket server is also secure, you can simply change ws://localhost:8888 to wss://website.com:8888


This is my setup of virtualhost that worked for me, I have .netcore app on docker with SignalR as a websocket service.

On 5000 my .netcore app is running, and on /chatHub my signalR listens.

Will be helpful for future comers with same problem.

<IfModule mod_ssl.c>
<VirtualHost *:443>
  RewriteEngine On
  ProxyPreserveHost On
  ProxyRequests Off

  # allow for upgrading to websockets
  RewriteEngine On
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /(.*)           ws://localhost:5000/$1 [P,L]
  RewriteCond %{HTTP:Upgrade} !=websocket [NC]
  RewriteRule /(.*)           http://localhost:5000/$1 [P,L]


  ProxyPass "/" "http://localhost:5000/"
  ProxyPassReverse "/" "http://localhost:5000/"

  ProxyPass "/chatHub" "ws://localhost:5000/chatHub"
  ProxyPassReverse "/chatHub" "ws://localhost:5000/chatHub"

  ServerName site.com
  
SSLCertificateFile /etc/letsencrypt/live/site.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Source: http://shyammakwana.me/server/websockets-with-apache-reverse-proxy-with-ssl.html


I ended up solving this problem by using this configuration for the virtual host, which filters requests using the HTTP headers:

<VirtualHost *:443>
    ServerName website.com

    RewriteEngine On

    # When Upgrade:websocket header is present, redirect to ws
    # Using NC flag (case-insensitive) as some browsers will pass Websocket
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/ws/(.*)    wss://localhost:8888/ws/$1 [P,L]

    # All other requests go to http
    ProxyPass "/" "http://localhost:8888/"

I'm leaving this as a reference in case it helps others

Tags:

Apache

Proxy

Ssl

Reverse Proxy

Websocket

Recent Posts