Apache Config Websockets Proxy WSS request to WS backend

WebSockets is a powerful protocol providing full-duplex communication channels over a single long-lived TCP connection. It is extensively used in real-time data transfer scenarios such as chat applications, financial tickers, game servers, and more. Apache HTTP Server, being one of the most robust and widely used web servers, provides mechanisms through which WebSocket connections can be proxied to a WebSocket server that may only support the basic WebSocket protocol (ws://).

Configuring Apache to Proxy WebSocket requests

Setting up Apache as a WebSocket proxy, particularly one that accepts WSS (WebSocket Secure, that is, WebSocket over TLS/SSL) from clients and forwards to an unsecured WS backend, relies on the mod_proxy_wstunnel module. This module is specifically designed to handle WebSocket upgrade requests and tunnel them through Apache to the backend WebSocket server.

Apache Module: mod_proxy_wstunnel

mod_proxy_wstunnel is an essential module in the Apache server allowing forwarding of WebSocket connections to another server. This module must be enabled to proxy WebSocket connections.

Steps to Enable and Configure

  1. Enable mod_proxy_wstunnel
     Depending on your Apache configuration and operating system, you generally enable modules using the a2enmod command or by editing your Apache configuration files directly.

     ```bash
     sudo a2enmod proxy_wstunnel
     ```

  2. Configure your VirtualHost or server block
     Here is a basic configuration snippet for setting up a WebSocket proxy inside a VirtualHost block in Apache:

     ```apache
     <VirtualHost *:443>
         ServerName example.com
         SSLEngine on
         SSLCertificateFile /path/to/cert.pem
         SSLCertificateKeyFile /path/to/key.pem

         # Reverse proxy for WebSocket traffic
         ProxyPass "/wsapp/"  "ws://backendserver.com:8080/"
         ProxyPassReverse "/wsapp/"  "ws://backendserver.com:8080/"
     </VirtualHost>
     ```

In the above configuration, all traffic to wss://example.com/wsapp/ will be proxied to ws://backendserver.com:8080/.

Considerations for SSL/TLS

The ProxyPass directive above handles the upgrade from HTTP/HTTPS to WebSocket. Apache terminates TLS on the client-facing wss:// connection and relays the WebSocket traffic to the backend in plaintext, so the backend does not need to handle decryption. The backend WebSocket server will still see this as a typical ws:// request.

This matters most when the backend service is on an internal network with controlled security measures: centralizing SSL/TLS on the Apache proxy simplifies its management.

Detailed Example

Below is a more detailed example which also includes logging specific to the WebSocket proxy:

```apache
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile "/etc/ssl/certs/example.pem"
    SSLCertificateKeyFile "/etc/ssl/private/example.key"

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # WebSocket reverse proxy
    ProxyPass "/ws/" "ws://192.168.1.50:3000/"
    ProxyPassReverse "/ws/" "ws://192.168.1.50:3000/"

    LogLevel info
    # Reverse proxy only: do not act as a forward proxy
    ProxyRequests Off
    # Add a Via header to proxied requests
    ProxyVia On

    # Allow all clients to use the proxied paths
    <Proxy *>
        Require all granted
    </Proxy>
</VirtualHost>
```

This configuration sets explicit error and access logs and LogLevel info, which helps when troubleshooting the proxy.

Summary Table

Here’s a table summarizing the key components discussed:

| Component | Description |
|---|---|
| mod_proxy_wstunnel | Module required for handling WebSocket connections in Apache. |
| wss:// to ws:// | Proxying from secured WebSocket connection to unsecured. |
| ProxyPass | Directive to map a local URI to a backend WebSocket server. |
| ProxyPassReverse | Directive to manage response headers for proxied requests. |

Security and Performance

When proxying from WSS to WS, the main security consideration is that Apache's internet-facing side is configured securely. Apache serves as the SSL endpoint, thereby offloading this task from the backend. However, the internal traffic from Apache to the backend server is unencrypted (ws://), which might be acceptable within a secure, controlled network.
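To check where that unencrypted hop actually goes, the following added example (not part of the original article or of Apache) audits the ProxyPass lines of a configuration and classifies each WebSocket backend. It assumes "internal" means RFC 1918 or IPv6 unique-local addresses; the function names, verdict labels and sample lines beyond the two backends shown on this page are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# ProxyPass <path> <ws/wss backend>, quotes optional; ProxyPassReverse never matches.
PROXYPASS = re.compile(r'^\s*ProxyPass\s+"?(\S+?)"?\s+"?(wss?://[^\s"]+)"?', re.I)
# Assumption: "internal" means RFC 1918 or IPv6 unique-local space.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def classify_backend(url):
    """Return (verdict, reason) for one WebSocket backend URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "wss":
        return "ok", "backend hop is TLS-protected"
    host = parts.hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "review", f"ws:// to hostname {host}: confirm it resolves inside the trusted network"
    if addr.is_loopback:
        return "ok", "plaintext never leaves the proxy host"
    if any(addr in net for net in INTERNAL):
        return "internal", f"ws:// to {addr}: acceptable only if that segment is controlled"
    return "fail", f"ws:// to non-internal address {addr}: traffic crosses the network unencrypted"

def audit(config_text):
    """Return [(line_no, path, backend, verdict, reason)] for each WebSocket ProxyPass."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = PROXYPASS.match(line)
        if match:
            path, backend = match.groups()
            findings.append((line_no, path, backend, *classify_backend(backend)))
    return findings

# Constructed sample: the two backends from this page plus assumed variants.
SAMPLE = """\
ProxyPass "/wsapp/"  "ws://backendserver.com:8080/"
ProxyPassReverse "/wsapp/"  "ws://backendserver.com:8080/"
ProxyPass "/ws/" "ws://192.168.1.50:3000/"
ProxyPass /local/ ws://127.0.0.1:9000/
ProxyPass "/tls/" "wss://backendserver.com:8443/"
ProxyPass "/ext/" "ws://203.0.113.7:9000/"
"""

if __name__ == "__main__":
    for line_no, path, backend, verdict, reason in audit(SAMPLE):
        print(f"line {line_no}: {path} -> {backend}: {verdict.upper()} ({reason})")
```

A hostname backend is reported as "review" rather than resolved, because the audit runs offline and DNS decides where the plaintext ends up.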

Performance-wise, using Apache as a WebSocket proxy should be tested under load conditions. While Apache is quite capable of handling numerous connections, the specific use-case, traffic load, and WebSocket message size should be monitored.

This setup allows leveraging Apache's robustness and feature-rich configurations, like authentication and logging, while using WebSocket services, providing a powerful setup for real-time web applications.

