Question

I cannot find authoritative information about how WSS interacts with HTTPS proxies and load balancers.

I have a load balancer that handles the SSL (SSL off-loading), and two web servers that contain my web applications and handle the requests in plain HTTP. Therefore, the customers issue HTTPS requests, but my web servers get HTTP requests, since the load balancer takes care of the SSL certificate handling.

I am now developing an application that will expose WebSockets, and SSL is required. But I have no clear idea about what will happen when the load balancer gets a secure HTTPS handshake for WSS.

Will it just relay the request as a normal handshake to the web server? WebSockets use an "Upgrade: WebSocket" HTTP header that is only valid for the first hop (as there is also "Connection: Upgrade"). Will this be a problem?

Cheers.

Solution

Load balancers can normally deal with WebSockets, and including SSL offloading shouldn't be an issue either. BUT you have to configure the LB to take care of HTTP, and not only to balance the traffic based on Layer 3 information. Therefore, you have to ensure that the LB takes care of the session state.

I don't know what LB you are using, but e.g. with F5 LBs you just have to assign an HTTP profile to load-balance WebSocket-based apps. If you want to do SSL offloading additionally, just assign an SSL client profile to your virtual server. http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14754.html

OTHER TIPS

I would have thought SSL-terminating LBs handle WebSockets as well, but I had to realize I was mistaken, once I tried. So the answer for F5 LBs, as of January 2013, is: It won't work. The gist of the answer I was given over at serverfault:

As of December of 2012, BIG-IP doesn't support SSL offload of WebSocket traffic.

Licensed under: CC-BY-SA with attribution