Recently we built a new Rails webapp that uses the Pusher protocol with Slanger as the websocket server.
The site needed to support both plain http and encrypted https, so I decided to start Slanger in standard mode (no SSL) and put an SSL-terminating proxy in front of it to handle the wss:// URIs.
There were rumors that pound was capable of proxying TCP requests. I have worked with pound for quite a long time and did not manage to get it working. However, stunnel offered a fast and solid solution:
The code snippets apply to Ubuntu 10.04, but this should work on other environments, too.
I installed stunnel with
# aptitude install stunnel4
and ended up with this configuration:
; Certificate/key is needed in server mode and optional in client mode

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
; no, we don't want SSLv2

; Some extra strong ciphers

; Some security enhancements for UNIX systems - comment them out on Win32
; PID is created inside the chroot jail

; Some performance tunings

[https]
accept = <your public IP>:8443
; slanger server listens on port 8080
connect = <public or local IP>:8080
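For reference, here is a complete stunnel.conf that fills in each of the commented sections above with a concrete directive. This is an added example written for this page, not the configuration file from the original post: the certificate path, the cipher list and the loopback backend address are assumptions (marked as such in the comments), and the chroot and user settings are the defaults shipped by the Debian/Ubuntu stunnel4 package.

```ini
; Added example: a complete stunnel.conf covering the sections of the post.
; Paths and addresses are placeholders (assumptions); adjust them to your setup.

; Certificate/key is needed in server mode and optional in client mode
; (assumed path; one PEM file holding both the certificate and the private key)
cert = /etc/stunnel/<your-cert-and-key>.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
; no, we don't want SSLv2 (SSLv3 is just as broken today, so drop it too)
options = NO_SSLv2
options = NO_SSLv3

; Some extra strong ciphers
; (assumed list; a conservative string that the OpenSSL 0.9.8 of Ubuntu 10.04 understands)
ciphers = HIGH:!aNULL:!MD5

; Some security enhancements for UNIX systems - comment them out on Win32
; (values are the Debian/Ubuntu stunnel4 package defaults)
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[https]
accept = <your public IP>:8443
; slanger server listens on port 8080; binding it to loopback keeps the
; plaintext websocket port unreachable from outside (assumption about your layout)
connect = 127.0.0.1:8080
```

Two things to keep in mind with this layout: on Debian-derived systems of that era the init script refuses to start until ENABLED=1 is set in /etc/default/stunnel4, and because stunnel runs inside the chroot after startup, the connect target should be an IP address rather than a hostname, since name resolution inside the jail will generally fail. After starting, `openssl s_client -connect <your public IP>:8443` should complete a handshake and print the certificate chain.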
If you can spare an extra server or an additional IP Address for your websocket server, it may be better to use the standard ports 80 and 443.
Possible pitfall: make sure the hostname (don't use an IP address!) your pusher clients connect to matches the common name of the certificate provided to stunnel. Otherwise some browsers (Chrome at least) will fail silently when connecting to secure websocket URIs (wss://example.com/).
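A quick way to catch that mismatch before clients do is to check the certificate against the hostname with the openssl CLI, both on the PEM file you hand to stunnel and on the certificate a running stunnel actually presents. The script below is an added example written for this page, not something from the original post; it assumes an openssl binary of version 1.0.2 or newer (for `-checkhost`) and that the PEM path and hostname are supplied on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the certificate
# stunnel serves covers the hostname the pusher clients will use for wss://.
# Assumes the openssl CLI (1.0.2 or newer, for -checkhost) is installed.

# cert_matches_host CERT_PEM HOSTNAME
# Returns 0 if HOSTNAME is covered by the certificate's subjectAltName DNS
# entries (or, for certificates without a SAN, by its Common Name), else 1.
cert_matches_host() {
    cert="$1"
    host="$2"
    # openssl prints "Hostname X does match certificate" or "... does NOT match";
    # its exit status is not reliable across versions, so parse the message.
    result=$(openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null) || return 1
    case "$result" in
        *"does match"*) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_hostnames CERT_PEM
# Prints the names a client may use: subjectAltName DNS entries, then the CN.
cert_hostnames() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -o 'DNS:[^,]*' | sed 's/DNS://'
    openssl x509 -in "$1" -noout -subject 2>/dev/null \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# live_cert_matches_host HOSTNAME [PORT]
# Fetches the certificate a running stunnel presents (with SNI, as browsers do)
# and checks it against HOSTNAME, which is what the browser does before it
# lets the wss:// connection through. Needs network access to HOSTNAME:PORT.
live_cert_matches_host() {
    host="$1"
    port="${2:-443}"
    tmp=$(mktemp) || return 1
    openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
    if cert_matches_host "$tmp" "$host"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Usage: sh check_cert.sh /etc/stunnel/<your-cert-and-key>.pem example.com
if [ "$#" -eq 2 ] && [ -f "$1" ]; then
    if cert_matches_host "$1" "$2"; then
        echo "OK: $2 is covered by $1 (names: $(cert_hostnames "$1" | tr '\n' ' '))"
    else
        echo "MISMATCH: $2 is not in $1; browsers will fail silently on wss://$2/" >&2
        exit 1
    fi
fi
```

Run it against the PEM file before restarting stunnel, and run `live_cert_matches_host example.com 8443` from outside once stunnel is up, so you are checking what clients really receive rather than what you think you configured. Note that current browsers (Chrome since version 58) ignore the Common Name entirely and require the hostname to appear in subjectAltName, so a certificate that only carries the name in its CN will pass the CN check above yet still be rejected by them.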