I'm trying to make a secure websocket.
When i try with ws:// it's working fine but not with wss://
I've enabled mod_proxy and mod_proxy_wstunnel.
Added those line to Apache httpd.conf
ProxyPass /wss ws://127.0.0.1:8090
ProxyPassReverse /wss ws://127.0.0.1:8090
But still not working.
The website is using https, so FireFox won't allow a connexion to ws on https (for security reasons).
I'm not very use with wss and i wonder what should i do next ?
SSL Certificate is not auto-signed, but made with Let's Encrypt.
I'm managing socket with PHP and Javascript.
Looking for hours to a solution... can't find yet... still trying...
Thanks in advance for your help...
Fey
EDIT :
I'm now using WebSocketD : http://websocketd.com/ as a service. I installed it and configured it with systemCTL (so it starts with the server).
Very easy to use and reliable, works perfectly for wss :) .
Related
I have a java client and I need to rewrite it in (client-side) javascript.
I open the java Socket like this:
Socket socket = new Socket("127.0.0.1", 5015);
So I tried to use websocket in javascript:
let socket = new WebSocket("http://127.0.0.1:5015");
but here I have a js error:
Uncaught DOMException: Failed to construct 'WebSocket':
The URL's scheme must be either 'ws' or 'wss'. 'http' is not allowed.
I tried also to use the 'ws' or 'wss' protocol but the server didn't want to handshake with such protocols.
Is there a way to make such socket connection in client-side javascript or it's definitely prohibited?
The answer is a little more complicated than "no you can't do it".
Javascript in a regular web page running in a web browser cannot open a plain socket. The fundamental reason is that it is a security risk for the user. So it is intentionally not allowed.
WebSockets are the secure way to do this. In conjunction with other browser security mechanisms, they limit what a web page is permitted to connect to.
However, that is not the end of the story. It is possible (at least in theory) for trusted code to send and receive TCP and UDP traffic. The problem is that the APIs for doing this are non-standard (e.g. browser specific). In some cases are themselves implemented as 3rd-party browser extensions.
So if you really wanted to pursue this for you application, you are going to have to distribute your code as a trusted browser plugin / extension AND deal with a range of browser portability issues.
It is worth noting that there was a W3C Working Group that was trying to standardize raw socket APIs, but they have officially abandoned their efforts. Their last working draft can be found at:
https://www.w3.org/TR/tcp-udp-sockets/
Finally, there is the problem that a trusted browser extension / plugin requires the user's consent to install. Getting informed consent for something like this is difficult, given the deep and subtle security issues associated with embedding this kind of functionality in the user's browser.
No, you can't make an arbitrary TCP connection from a web page in any browser.
Web Sockets are fundamentally different than TCP sockets... they're essentially unrelated. They're a thin layer on top of HTTP along with a client API which allows bidirectional communication between a Web Socket client and a server supporting Web Sockets.
There are proxy servers you can run that allow connecting through them to make TCP connections, but this of course is a server feature and not something you can do in-browser alone.
The opening handshake is intended to be compatible with HTTP-based
server-side software and intermediaries, so that a single port can be
used by both HTTP clients talking to that server and WebSocket
clients talking to that server. To this end, the WebSocket client's
handshake is an HTTP Upgrade request:
GET /chat HTTP/1.1
Host: server.example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: http://example.com
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
https://www.rfc-editor.org/rfc/rfc6455
WebSockets server must be able to handle HTTP requests!
This is less of a "what is wrong with my code" and more of a "is this possible or even required". I've been working on this CLI chat using socket.io and socket.io, and then I thought "what if this was a production server exposed to the internet - does this need security?"
I've seen a lot of stuff online about using nginx or express (or both) to achieve this - but no mention of any type of encryption if you were trying to do this via CLI (eg, "node file.js" for this to emit traffic to the webserver but securely). I've tried a few examples (as they were provided) and then adapted my existing code to incorporate the same config, but now I'm starting to think that perhaps it isn't possible because they are already secure? (In my understanding the server listening port is just for the server to bind client to another port to send data)
I can't seem to find a cut and dry answer (past forum posts seem to contradict each other on this) from what I've found.
I tried running my server and connecting up via 2 clients (one localhost on the same as the server and one on another IP on my LAN) and ran wireshark to see if I could see my other host (which I couldn't) but I could see unencrypted traffic being sent... So while this isn't broadcast traffic to all, how easy would this be to snoop on if you knew the exact port server & client were using to communicate?
Hope someone can help explain these nuances
The long answer is complex. The short one is:
Anything you send through a Wire is easy to spoof. This is why TCP over TLS exists. Any communication through a TLS secured channel would assure your data between client & server will be secret (as long as you trust the server you are good-to-go).
Socket.io uses WebSocket under the hood, (same as there is HTTPS for HTTP over TLS) there is WSS for WS over TLS. So if you set up your server to accept WSS (maybe only WSS to be sure there is no unencrypted connection going on) and you make sure to connect the client to a wss://.... endpoint, you have achieved client-server security. It's that simple.
If you can not trust the server, and what you are doing is essentially a message broker, you can go further and experiment with end-to-end encryption (https://en.wikipedia.org/wiki/End-to-end_encryption).
I have a project runs on intranet, so I didn't buy any SSL certificate or domain name. Instead, I created self-signed certificate. I have two layer one of which is web service/websocket and the other is view. Everything is OK for all https connections, hence all pages, but browser could not make connection with ws or wss links(was tried ports 8443,443,8080). If I write link with localhost instead of my ip, it works perfectly, but then I cannot use it from another device. I created certificete as RSA/2048. My project runs on Ubuntu 18.04. Serverside was written in Java-Spring Boot.
If someone else need an answer, I got it from here. As summary, the problem is about Firefox, not about other browsers. Main reason is that Firefox do not accept certificate of wss link, in fact it is also the same certificate for the first connection link start with https. Solution is to go to the link started with wss by chancing wss to https and accept privilege of that link, and everthing works fine :)
I am using ssl communication with websocket.
so I added the secure communication in my javascript code like this "wss://myip"
when lunch a websocket communication from my page with https://myip
i get the following error.
failed: Error in connection establishment: net::ERR_SSL_PROTOCOL_ERROR
I am using lighttpd server and chrome navigator on a linux machine.
could any one help me?thanks in advance
At present, this does not appear to be supported by lighttpd. The following link suggests using HAProxy as frontend to proxy the traffic to the websockets application:
Redirecting websocket traffic on port 80 with lighttpd
(actually without lighttpd)
I am trying to develop a client/server app with AngluarJS & PHP (which is probably AJAX as it just handles HTTP GET and never actually displays a page in a browser).
I use XAMPP Apache for my localhost and develop the client in the Brackets IDE. Brackets runs a "live preview" on local host port 49883.
[Update] It chooses a new port after each reboot, so if I want to align my Apache with that, then i have manually edit the config after each reboot (ick).
When I try to $http.get('http://127.0.0.1/my_script.php?action=overview_map&date=2014-04-12&user=abc')
the debug console shows.
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:49833' is therefore not allowed access.
How can I get around this?
I put this line in my Windows hosts file 127.0.0.1 test_site and this in my PHP
header('Access-Control-Allow-Origin: test_site' but I still get The 'Access-Control-Allow-Origin' header contains the invalid value 'test_site'.
Perhaps there is some way to get Brackets to start Chrome with the --disable-web-security option, so as to have no CORS problems at all?
Or another (free) IDE which handles this?
This is all new to me, but there must be many, many, many others out there developing with client & server (preferably with JS & PHP) on localhost. How do you do it?
Thanks in advance for your help.
You're using different port. It is subject to CORS.