David Heidt's Blog

linux and webserver stuff

Ssl Websocket Proxy With Stunnel Howto

Recently we built a new Rails web app that uses the Pusher protocol, with Slanger as the websocket server.

The site needed to support both plain HTTP and encrypted HTTPS, so I decided to start Slanger in standard mode (no SSL) and put an SSL-terminating proxy in front of it to handle the wss:// URIs.

There were rumors that pound was capable of proxying raw TCP connections. I have worked with pound for quite a long time but did not manage to get it working. However, stunnel offered a fast and solid solution:

The code snippets apply to Ubuntu 10.04, but this should work in other environments, too. I installed stunnel with

# aptitude install stunnel4

and ended up with this configuration:

/etc/stunnel/stunnel.conf

; Certificate/key is needed in server mode and optional in client mode
cert = /path/to/cert-or-cert-chain.pem
key = /path/to/private.key

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
; no, we don't want SSLv2
options = NO_SSLv2
; Cipher list. Caveat: this list still offers RC4 (now considered broken) and
; excludes AES-GCM; on a current OpenSSL drop RC4 and the !AESGCM exclusion
ciphers = ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib


[https]
accept  = <your public IP>:8443

; slanger server listens on port 8080
connect = <public or local IP>:8080
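The configuration above reflects the OpenSSL of its day. As an added example (my own, not the post author's configuration and not shipped by stunnel or Slanger), here is the same service with the two weak settings shown next to what a current deployment should use instead. The certificate paths, the 203.0.113.10 address and the 8443/8080 ports are assumptions.

```ini
; Added example, not the original post's stunnel.conf. Paths, the public
; address 203.0.113.10 and the ports are assumptions.
cert = /etc/stunnel/fullchain.pem
key  = /etc/stunnel/private.key

; Weak (as in the original):  sslVersion = all  +  options = NO_SSLv2
; still leaves SSLv3, TLS 1.0 and TLS 1.1 enabled. Turn them off explicitly;
; several 'options' lines accumulate.
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1_1
; (newer stunnel releases can express the same with  sslVersionMin = TLSv1.2)

; Weak (as in the original):  ...:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
; offers RC4 and forbids AES-GCM. Prefer forward-secret AEAD suites and let
; the server, not the client, pick the suite.
options = CIPHER_SERVER_PREFERENCE
ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!RC4
; (recent stunnel versions take TLS 1.3 suites on a separate 'ciphersuites' line)

chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[https]
; Only the TLS side is bound to the public address. The plaintext backend
; stays on loopback so decrypted websocket traffic never leaves the host
; and port 8080 is not reachable from outside.
accept  = 203.0.113.10:8443
connect = 127.0.0.1:8080
```

After editing, `stunnel /etc/stunnel/stunnel.conf` (or the init script) reports any option it does not understand, so an older stunnel that lacks one of the `NO_TLSv1_1` style flags fails at startup rather than silently accepting the old protocol. Because websocket connections are long-lived, leave stunnel's idle timeout at its default unless you know the client pings more often than the value you set.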

If you can spare an extra server or an additional IP address for your websocket server, it may be better to use the standard ports 80 and 443. Whichever ports you pick, the plaintext port 8080 should be reachable only by stunnel (bind Slanger to 127.0.0.1 or firewall the port), since everything that bypasses the proxy travels unencrypted.

Possible pitfall: make sure the hostname (not an IP address!) that your pusher clients connect to matches the name in the certificate handed to stunnel. Otherwise some browsers (Chrome at least) fail silently when connecting to secure websocket URIs (wss://example.com/). Note that current browsers check the subjectAltName extension rather than the common name (Chrome has ignored the CN since version 58), so the certificate must list the hostname as a DNS SAN entry.
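Because the browser gives no useful error, it helps to reproduce the same checks from the command line. The following is an added example of mine, not code from the post, Slanger or stunnel: it implements the hostname-matching rules a browser applies to the certificate (SAN before CN, wildcard only in the left-most label, an IP literal only matches an IP SAN), then performs a TLS connection to the proxy and an RFC 6455 upgrade request through it, reporting a readable reason on failure. The `/app/<key>` path, the port 8443 and the sample certificates are assumptions; the certificate dicts are constructed in the shape `ssl.getpeercert()` returns.

```python
"""Client-side checks for a wss:// endpoint behind an SSL-terminating proxy.

Added example (not code from the original post, Slanger or stunnel).
Assumptions: the proxy listens on HOST:PORT, Slanger serves Pusher's
WebSocket path /app/<key>, and the certificate is an ordinary server
certificate with a subjectAltName extension.
"""
import base64
import hashlib
import ipaddress
import os
import socket
import ssl
import sys

# Constructed sample certificates, in the dict shape ssl.getpeercert() returns.
SAN_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "example.com"),),)}


def _name_matches(pattern: str, name: str) -> bool:
    """One certificate name against one hostname (RFC 6125 rules):
    a single '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == n
    return len(p) == len(n) and len(p) >= 3 and p[0] == "*" and p[1:] == n[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Is this certificate valid for the host part of the wss:// URL?

    An IP literal only matches an 'IP Address' SAN entry, a DNS name only
    'DNS' SAN entries; the subject CN counts only when there is no SAN at
    all (Chrome since 58 does not consult the CN at all)."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        return any(_name_matches(d, hostname) for d in dns_names)
    return any(k == "commonName" and _name_matches(v, hostname)
               for rdn in cert.get("subject", ()) for k, v in rdn)


def build_upgrade_request(host: str, path: str, key_b64: str) -> bytes:
    """RFC 6455 client handshake; Host carries the name the cert was issued for."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Key: {key_b64}\r\n"
            "Sec-WebSocket-Version: 13\r\n\r\n").encode("ascii")


def expected_accept(key_b64: str) -> str:
    """Sec-WebSocket-Accept value the server must send back for key_b64."""
    magic = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
    return base64.b64encode(hashlib.sha1((key_b64 + magic).encode()).digest()).decode()


def parse_upgrade_response(raw: bytes, key_b64: str) -> tuple:
    """(ok, reason): ok only for a 101 carrying the right Sec-WebSocket-Accept."""
    lines = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 101"):
        return False, "no 101 Switching Protocols, got: " + (lines[0] or "<empty>")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "missing 'Upgrade: websocket'"
    if headers.get("sec-websocket-accept") != expected_accept(key_b64):
        return False, "wrong Sec-WebSocket-Accept"
    return True, "websocket handshake completed"


def check_wss_endpoint(host: str, port: int = 8443, path: str = "/app/demo-key") -> tuple:
    """Live check (needs network): TLS to the proxy with chain verification,
    then hostname_matches() so a name mismatch yields a readable reason
    instead of the browser's silent failure, then the websocket upgrade."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED against the system CAs
    ctx.check_hostname = False           # the name check is reported by us below
    key_b64 = base64.b64encode(os.urandom(16)).decode()
    try:
        with socket.create_connection((host, port), timeout=5) as sock, \
                ctx.wrap_socket(sock, server_hostname=host) as tls:
            if not hostname_matches(tls.getpeercert(), host):
                return False, f"certificate is not valid for {host!r}"
            tls.sendall(build_upgrade_request(host, path, key_b64))
            return parse_upgrade_response(tls.recv(4096), key_b64)
    except ssl.SSLError as e:        # must precede OSError (it is a subclass)
        return False, f"TLS failed: {e}"
    except OSError as e:
        return False, f"connection failed: {e}"


if __name__ == "__main__":
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    ok, reason = check_wss_endpoint(sys.argv[1], port)
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_wss.py example.com 8443` with the exact hostname you put into the wss:// URL; running it against the bare IP address reproduces the pitfall, because an IP literal is only accepted when the certificate carries it as an IP SAN entry.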