WebSocket通过SSL与Apache反向代理

Question

在客户端,我正在尝试建立wss连接:

var ws = new WebSocket("wss://wsserver.com/test")

它会返回一个错误:

WebSocket connection to 'wss://wsserver.com/test' failed: Error during WebSocket handshake: Unexpected response code: 400

完整的标题是:

请求标题

GET wss://wsserver.com/test HTTP/1.1
Host: wsserver.com
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Origin: https://website.net
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Sec-WebSocket-Key: Tj9AJ5TKglNf5LoHsQTpvQ==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits

响应标题

Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:https://website.net
Connection:close
Content-Length:18
Content-Type:text/plain; charset=utf-8
Date:Fri, 21 Apr 2017 21:03:45 GMT
Server:Apache/2.4.18 (Ubuntu)
Vary:Origin
X-Content-Type-Options:nosniff

服务器端在Apache反向代理后面的端口8888上运行.这是Apache配置:

<VirtualHost *:443>
        ServerName website.com

        ProxyPreserveHost On
        ProxyRequests Off
        ProxyPass "/" "wss://localhost:8888/"

安装了mod_proxy和mod_proxy_wstunnel.

这里有什么东西不见了吗？似乎请求通过但没有建立连接.

Answer 1

我最终通过对虚拟主机使用此配置来解决此问题,虚拟主机使用HTTP标头过滤请求:

<VirtualHost *:443>
    ServerName website.com

    RewriteEngine On

    # When Upgrade:websocket header is present, redirect to ws
    # Using NC flag (case-insensitive) as some browsers will pass Websocket
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/ws/(.*)    wss://localhost:8888/ws/$1 [P,L]

    # All other requests go to http
    ProxyPass "/" "http://localhost:8888/"

我将此作为参考,以防其他人帮助

Answer 2

为了在不安全的 websocket 服务器前面放置一个安全的反向代理服务器，您可以这样做：

<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    SSLProtocol -all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
    SSLCipherSuite HIGH:aNULL:eNULL:EXPORT:DES:RC4:!MD5:!PSK:!SRP:!CAMELLIA
    SSLCertificateFile /path/to/cert
    SSLCertificateKeyFile /path/to/key
    SSLCertificateChainFile /path/to/chain
    ServerName website.com
    
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)    ws://localhost:8888/$1 [P,L]
</VirtualHost>

这将接受wss://website.com:443 的入站请求，并将其反向代理到ws://localhost:8888。

如果 websocket 服务器也是安全的，您只需将 ws://localhost:8888更改为 wss://website.com:8888