WebSockets and SSL

Some time ago one of our clients requested SSL support in an application. This would be nothing special, but part of the application uses WebSockets (Socket.IO, to be precise). Because Nginx doesn’t support WebSockets in a standard installation, we had to find another way to proxy SSL requests.

There were three main proposals:

  • Patch and compile Nginx with tcp module
  • Add STunnel to the configuration
  • Use Development version of HAProxy with SSL

The first two solutions would have made our infrastructure more complex:

The first required maintaining a new package and made the HAProxy configuration obsolete, which we didn’t want to get rid of due to high availability (and yes, we’re aware of Nginx’s HTTP proxy capabilities).

The second added another layer to the infrastructure, which is one more thing to debug in case of problems.

The third one, using HAProxy, was simple and clean:

# port 443 is assumed; "ssl crt" requires an HAProxy build with SSL support
bind :443 ssl crt /path/to/ssl.pem
acl is_websocket path_reg ^/socket\.io/.*$
use_backend nginx if !is_websocket
use_backend socket_io if is_websocket
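
A fuller configuration around the routing rule above, as an added example rather than the author's own file. The backend names come from the post; the ports, server addresses, timeouts and frontend names are assumptions, and the directives need HAProxy 1.5 or later built with SSL support.

```haproxy
# Added example. Backend names nginx / socket_io come from the post;
# addresses, ports, timeouts and frontend names are assumptions.
global
    # Refuse SSLv3 on every TLS listener.
    ssl-default-bind-options no-sslv3

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Applies once a connection has been upgraded to WebSocket, so
    # long-lived Socket.IO connections outlive the 30s timeouts above.
    timeout tunnel  1h

frontend http_in
    bind :80
    # Never serve the application in clear text.
    redirect scheme https code 301 if !{ ssl_fc }

frontend https_in
    # TLS terminates here. The PEM holds the certificate chain and the
    # private key, so keep it readable by the HAProxy user only.
    bind :443 ssl crt /path/to/ssl.pem
    option forwardfor
    # Overwrite any client-supplied value so backends can trust it.
    http-request set-header X-Forwarded-Proto https

    acl is_websocket path_beg /socket.io/
    use_backend socket_io if is_websocket
    default_backend nginx

backend nginx
    # Assumed address of the Nginx instance serving regular HTTP.
    server web1 127.0.0.1:8080 check

backend socket_io
    # Assumed address of the Socket.IO application server.
    server sio1 127.0.0.1:3000 check
```

Traffic between HAProxy and both backends is plain HTTP in this layout, so the backends should listen only on loopback or a trusted network segment.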

UPDATE (2013.03.01): There’s a 4th option available, as NGINX supports WebSockets natively from version 1.3.13.