NGINX to reverse proxy websockets AND enable SSL (wss://)?
Just to note that nginx has now support for Websockets on the release 1.3.13. Example of use:
location /websocket/ { proxy_pass ​http://backend_host; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_read_timeout 86400;}
You can also check the nginx changelog and the WebSocket proxying documentation.
Have no fear, because a brave group of Ops Programmers have solved the situation with a brand spanking new nginx_tcp_proxy_module
Written in August 2012, so if you are from the future you should do your homework.
Prerequisites
Assumes you are using CentOS:
- Remove current instance of NGINX (suggest using dev server for this)
- If possible, save your old NGINX config files so you can re-use them (that includes your
init.d/nginx
script) yum install pcre pcre-devel openssl openssl-devel
and any other necessary libs for building NGINX- Get the nginx_tcp_proxy_module from GitHub here https://github.com/yaoweibin/nginx_tcp_proxy_module and remember the folder where you placed it (make sure it is not zipped)
Build Your New NGINX
Again, assumes CentOS:
cd /usr/local/
wget 'http://nginx.org/download/nginx-1.2.1.tar.gz'
tar -xzvf nginx-1.2.1.tar.gz
cd nginx-1.2.1/
patch -p1 < /path/to/nginx_tcp_proxy_module/tcp.patch
./configure --add-module=/path/to/nginx_tcp_proxy_module --with-http_ssl_module
(you can add more modules if you need them)make
make install
Optional:
sudo /sbin/chkconfig nginx on
Set Up Nginx
Remember to copy over your old configuration files first if you want to re-use them.
Important: you will need to create a tcp {}
directive at the highest level in your conf. Make sure it is not inside your http {}
directive.
The example config below shows a single upstream websocket server, and two proxies for both SSL and Non-SSL.
tcp { upstream websockets { ## webbit websocket server in background server 127.0.0.1:5501; ## server 127.0.0.1:5502; ## add another server if you like! check interval=3000 rise=2 fall=5 timeout=1000; } server { server_name _; listen 7070; timeout 43200000; websocket_connect_timeout 43200000; proxy_connect_timeout 43200000; so_keepalive on; tcp_nodelay on; websocket_pass websockets; websocket_buffer 1k; } server { server_name _; listen 7080; ssl on; ssl_certificate /path/to/cert.pem; ssl_certificate_key /path/to/key.key; timeout 43200000; websocket_connect_timeout 43200000; proxy_connect_timeout 43200000; so_keepalive on; tcp_nodelay on; websocket_pass websockets; websocket_buffer 1k; }}
This worked for me:
location / { # redirect all HTTP traffic to localhost:8080 proxy_pass http://localhost:8080; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # WebSocket support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";}
-- borrowed from: https://github.com/nicokaiser/nginx-websocket-proxy/blob/df67cd92f71bfcb513b343beaa89cb33ab09fb05/simple-wss.conf