Y-Websocket SSL Config

During the development process, on my localhost I used the ws:/ip:1234 and everything worked properly.

    this.provider = new WebsocketProvider(
        'ws:/xx.xxx.xxx.xxx:1234/',
        'document.' + this.hash,
        this.ydoc,
    )

However, once I changed it to ws:/domain.com:1234, the connection refused to be established. Same with wss:/domain.com:1234. The reason ws:/ip:1234 is not applicable for me is that my website is running on HTTPS and cannot establish ws:/ connections. This should be the case for many users.

I googled and came upon a solution that involved nginx configuration; however, I still was not able to implement it, due to my lack of knowledge in this field.

Posting it here, so that once the solution is found - everyone can benefit from it.

@canadaduane please take a look. Thanks in advance!

Hey @Vagif07 welcome!

Have you tried wss://domain.com:1234 (note the two //)?

Do you have TLS set up on your domain (e.g. via certbot with the nginx addon)?

Did you set up nginx to use a reverse proxy to your (non-TLS) websocket?

If any of the above questions don’t make sense or you need more explanation, let me know. Hopefully it can be a good starting place for you.

Yes, I have tried, still no luck there.

I have obtained an SSL certificate and configured my nginx in the following way:

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/socket.wetype.net/before/*;

server {
    listen 80 ;
    # listen [::]:80 ipv6only=on;

    root /home/forge/socket.wetype.net/public;
    index index.php index.html index.htm;

    server_name socket.wetype.net;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://localhost:1234;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;

        client_max_body_size 10m;
    }

    error_page 413 @filetoobig;
    error_page 404 /index.php;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location @filetoobig {
        add_header Access-Control-Allow-Origin * always;
    }

    listen 443 ssl; # managed by Certbot
    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/socket.wetype.net/1191830/server.crt;
    ssl_certificate_key /etc/nginx/ssl/socket.wetype.net/1191830/server.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_dhparam /etc/nginx/dhparams.pem;
    
    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/socket.wetype.net/server/*;
}

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/socket.wetype.net/after/*;


Ok, interesting. The nginx config looks good. What I would test next is that

(a) you can reach the site via regular HTTPS, and
(b) you can reach your websocket on the machine at http://localhost:1234.

For (b) you could try a basic connection using telnet (e.g. telnet localhost 1234 should say “Connected to localhost”, then press ctrl-C to leave). Or you could try a more sophisticated tool such as https://github.com/hashrocket/ws or https://github.com/vi/websocat.

It’s also possible there is some kind of firewall activity preventing nginx from talking to localhost:1234 (ufw?).

Okay, seems like we are getting somewhere.

(a) Site is reachable via https
(b) However, this is what I got, when I called telnet:

telnet: could not resolve http://localhost:1234/telnet: Name or service not known

Telnet is old software and doesn’t usually understand URIs. Try this instead:

telnet localhost 1234

telnet localhost 1234
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

So, this was my output. Seems like we found the core of the problem

Excellent! It sounds like it’s a straightforward case of starting the process, or otherwise figuring out why you can’t connect locally. I hope you post back here to let us know if you figure it out :slightly_smiling_face:

telnet localhost 1234
Trying 127.0.0.1...
Connected to localhost.

So I ended up fixing it; however, the WebSocket connection still cannot be established. At this point I have no idea what can be the reason for such behavior.

What server are you running on port 1234? Is it the default y-websocket server (e.g. HOST=localhost PORT=1234 npx y-websocket-server)?

I have tried running both
HOST=socket.wetype.net PORT=1234 npx y-websocket-server
and
HOST=localhost PORT=1234 npx y-websocket-server
In the first case, I am able to create ws://ip:1234 (but not a domain itself or wss)
In the second one nothing works

Hmm, this is strange. I would expect the following:

  1. If you run HOST=socket.wetype.net PORT=1234 npx y-websocket-server you should be able to access it externally, via ws://socket.wetype.net:1234. Something doesn’t add up here. Maybe try HOST=0.0.0.0 PORT=1234 npx y-websocket-server and see if that allows you to access it at ws://socket.wetype.net:1234? I feel like there could be a clue waiting for us here.
  2. If you run HOST=localhost PORT=1234 npx y-websocket-server you should NOT be able to access it externally, via ws://ip:1234 nor via ws://socket.wetype.net:1234. It sounds like that is the case? If so, when you say “nothing works” do you mean that telnet localhost 1234 ALSO does not work? Because I would expect telnet on localhost to work.

  1. telnet localhost 1234 doesn’t work in case I only do HOST=socket.wetype.net PORT=1234 npx y-websocket-server. In this case only ws:/ip:1234 works
  2. When I run HOST=localhost PORT=1234 npx y-websocket-server nothing works except for telnet localhost 1234

When I ran HOST=0.0.0.0 PORT=1234 npx y-websocket-server both ws://ip:1234 and telnet localhost 1234 worked. However wss://socket.wetype.net:1234 and ws://socket.wetype.net:1234 still didn’t work.

Finally got a wss connection!
I ended up doing wss://socket.wetype.net without port. Running on host = 0.0.0.0 and it all worked!

Oh good!! I’m glad it finally worked for you. So to be clear, when you say “I ended up doing wss://socket.wetype.net without port” is this on the javascript side, when configuring your connection in the browser? e.g.

    this.provider = new WebsocketProvider(
      "wss://socket.wetype.net",
      "room01",
      ydoc
    );

Yeap! That was the case for me.
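
The URL mistakes this thread worked through (single slash after the scheme, ws:// from an HTTPS page, and pointing wss:// at the plaintext backend port instead of the nginx TLS listener) can be caught before the provider is created. The following is an added example, not code from the thread or from y-websocket; `checkProviderUrl`, its problem codes and its return shape are hypothetical, and `backendPort` is assumed to be the port nginx proxies to (1234 here).

```javascript
// Added example: lint the server URL passed to WebsocketProvider.
// rawUrl       - the string given as the provider's first argument
// pageProtocol - window.location.protocol of the page ('https:' or 'http:')
// backendPort  - plaintext port of the y-websocket server behind nginx
function checkProviderUrl(rawUrl, pageProtocol, backendPort) {
  // Capture the scheme, however many slashes follow it, and the rest.
  const m = /^(wss?):(\/*)([^/].*)$/i.exec(rawUrl.trim());
  let url = null;
  try {
    if (m) url = new URL(`${m[1].toLowerCase()}://${m[3]}`);
  } catch (_) {
    // Unparsable host or port: reported as not-websocket below.
  }
  if (!url) return { problems: ['not-websocket'], suggested: null };

  const secure = pageProtocol === 'https:';
  const problems = [];

  // The scheme should be written with two slashes: ws:// or wss://.
  if (m[2].length !== 2) problems.push('slashes');

  // A page served over HTTPS cannot open a plaintext ws:// socket.
  if (secure && url.protocol === 'ws:') problems.push('mixed-content');

  // The backend port speaks plaintext WebSocket. TLS is terminated by nginx
  // on 443, so a secure page has to connect to the proxy, not to this port.
  const hitsBackend = secure && url.port === String(backendPort);
  if (hitsBackend) problems.push('backend-port');

  // Suggested form: same host, wss:// when the page is secure, and no
  // explicit port when the configured one was the backend port.
  const scheme = secure ? 'wss:' : url.protocol;
  const port = hitsBackend || !url.port ? '' : `:${url.port}`;
  const path = url.pathname === '/' ? '' : url.pathname;
  return { problems, suggested: `${scheme}//${url.hostname}${port}${path}` };
}

// Constructed sample inputs mirroring the URLs tried in the thread.
for (const u of ['ws:/socket.wetype.net:1234', 'wss://socket.wetype.net:1234',
                 'wss://socket.wetype.net']) {
  console.log(u, checkProviderUrl(u, 'https:', 1234));
}
```

With the server started on HOST=0.0.0.0, ws://ip:1234 remains reachable without TLS, as the thread observed, so blocking port 1234 at the firewall leaves the nginx listener as the only external entry point.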