Secure WebSockets #467

Closed
distributorofpain opened this issue Jun 18, 2016 · 10 comments

@distributorofpain

Does traefik support WSS? If so, how are they set up on the front end (I can't find any documents that cover even web sockets, but I see mentions of ws use on the web)? I saw something about a rule, but I am not sure how that is pointed at a marathon app.

Also, I plan to run the app in marathon; do I just use traefik.frontend.entryPoints=ws (or wss?) to stipulate it's wss only?

Lastly, does traefik support end-to-end wss? For example, for end-to-end https, you just add a tag in marathon (traefik.protocol=https). Is that then traefik.protocol=wss?

Thanks!! 😄

@samber
Contributor

samber commented Jun 21, 2016

Hi @distributorofpain

1- Traefik does support wss as it supports https. Consider using the same frontend/entrypoint configuration for http/ws and https/wss.

2- traefik.frontend.entryPoints has to be set to an entrypoint name. For example in the following entrypoint:

[entryPoints]
  [entryPoints.foobar]
    address = ":80"

The name is "foobar".

In your case, just create an entrypoint like the following:

[entryPoints]
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
        CertFile = "integration/fixtures/https/snitest.com.cert"
        KeyFile = "integration/fixtures/https/snitest.com.key"
      [[entryPoints.https.tls.certificates]]
        CertFile = "integration/fixtures/https/snitest.org.cert"
        KeyFile = "integration/fixtures/https/snitest.org.key"

Then attach this entrypoint to the frontend with traefik.frontend.entryPoints=https

3- And finally: yes, you can set traefik.protocol to wss.

TIPS- To test a simple end-to-end websocket client/server, use the following configuration:

[entryPoints]
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
        CertFile = "integration/fixtures/https/snitest.com.cert"
        KeyFile = "integration/fixtures/https/snitest.com.key"
      [[entryPoints.https.tls.certificates]]
        CertFile = "integration/fixtures/https/snitest.org.cert"
        KeyFile = "integration/fixtures/https/snitest.org.key"

[file]
[backends]
  [backends.backend1]
    [backends.backend1.servers.server1]
      url = "wss://echo.websocket.org"
[frontends]
  [frontends.frontend1]
    backend = "backend1"
    rule = "Path:/"

Then run wscat -c wss://localhost:443/ --host echo.websocket.org (wscat is also available from the docker image joshgubler/wscat)

@illotum

illotum commented Jun 22, 2016

To follow up on the existing discussion, how would one configure WSS with Kubernetes Ingress[1]? I assume with an annotation akin to traefik.backend.srv1.url, but it would be nice to define schema for the whole backend at once, considering how servers are populated and updated dynamically.

[1] Currently Ingress supports only HTTP rules.

@distributorofpain
Author

@samber Thank you for replying with very useful information! I have tested the setup and I can see the wss showing up in the traefik status page. I am still having a problem getting websockets to work, but it might be something on the container side at this point. Knowing that what is needed is in place cuts down the troubleshooting time!

@SvenAbels

SvenAbels commented Oct 14, 2016

Hi guys..

I tried using wss but the logs of traefik say:

time="2016-10-14T21:29:09Z" level=warning msg="Error forwarding to wss://server:8080, err: unsupported protocol scheme \"wss\""

Did anyone have success with wss?

@emilevauge
Member

@ascora I just tested successfully wss:

wscat -n -c wss://docker.localhost:4443/echo
connected (press CTRL+C to quit)
> test
< test
> test
< test
> q⏎

Closing this issue for now.

@SvenAbels

@emilevauge Thanks a lot, but maybe you can share the rules.toml that you've used for it? Because as soon as I use a backend URL that starts with wss://..., I get the message that wss is not a supported protocol scheme...

@emilevauge
Member

@ascora sorry, I misread your issue... Could you try using https instead of wss ?

@SvenAbels

Yes, that works fine.
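
The warning quoted above carries the same text that Go's net/http transport returns for any scheme other than http or https, and the fix reached in the thread is to give the backend an https:// URL. An added example, not part of the thread or of traefik's code, reproduces that rejection offline and shows the scheme mapping; `roundTripError` and `backendURL` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// roundTripError sends rawURL through Go's default HTTP transport and returns
// the error text. A wss:// URL is rejected on its scheme before any dial.
func roundTripError(rawURL string) string {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return err.Error()
	}
	resp, err := http.DefaultTransport.RoundTrip(req)
	if err != nil {
		return err.Error()
	}
	resp.Body.Close()
	return ""
}

// backendURL (hypothetical helper) maps a WebSocket scheme to the HTTP scheme
// the upgrade handshake uses and reports whether the backend hop is over TLS.
func backendURL(raw string) (rewritten string, encrypted bool, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false, err
	}
	if u.Host == "" {
		return "", false, fmt.Errorf("backend URL %q has no host", raw)
	}
	switch u.Scheme {
	case "ws":
		u.Scheme = "http"
	case "wss":
		u.Scheme = "https"
	case "http", "https":
	default:
		return "", false, fmt.Errorf("unsupported backend scheme %q", u.Scheme)
	}
	return u.String(), u.Scheme == "https", nil
}

func main() {
	// Constructed inputs: the backend URLs quoted in the thread.
	fmt.Println(roundTripError("wss://server:8080"))
	fmt.Println(backendURL("wss://echo.websocket.org"))
}
```

A `ws://` backend maps to `http://`, so `encrypted` comes back false and the hop between the proxy and the backend is plaintext even when clients connect over wss.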

@mwaaas

mwaaas commented Oct 22, 2016

@emilevauge how does one set web sockets using the docker backend?

@mwaaas

mwaaas commented Nov 12, 2016

Using docker-backend, how will one take advantage of using web sockets?
