An article to show you how to use Nginx as a proxy for WebSocket

Hello everyone, I am Xiao Jiang.

The previous article talked about what the WebSocket protocol is. Here we will review it and talk about how to use nginx to proxy WebSocket.

WebSocket is a new protocol under HTML5. It realizes full-duplex communication between browser and server, which can better save server resources and bandwidth and achieve the purpose of real-time communication. It transmits data through an established TCP connection like HTTP, but the biggest difference between it and HTTP is:

  • WebSocket is a two-way communication protocol. After the connection is established, both the WebSocket server and the client can actively send or receive data to each other, just like Socket.
  • WebSocket needs to establish a connection like TCP, and only after the connection is successful can they communicate with each other.

Compared with HTTP protocol, WebSocket protocol can communicate multiple times after successful handshake until the connection is closed. However, the handshake in WebSocket is compatible with the handshake in HTTP. It uses the Upgrade protocol header in HTTP to upgrade the connection from HTTP to WebSocket. This makes it easier for WebSocket programs to use existing infrastructure. Most current browsers support WebSocket.

In an actual production environment, multiple WebSocket servers are required to have high performance and high availability, so the WebSocket protocol requires a load balancing layer. Nginx supports WebSocket since version 1.3. It can act as a reverse proxy and do load balancing for WebSocket programs.

The WebSocket protocol is different from the HTTP protocol, but the WebSocket handshake is compatible with HTTP, using the HTTP Upgrade mechanism to upgrade the connection from HTTP to WebSocket. This allows WebSocket applications to fit more easily into existing infrastructure. For example, WebSocket applications can use the standard HTTP ports 80 and 443, allowing existing firewall rules to be used.

WebSocket applications can maintain long-running connections between the client and the server, thereby facilitating the development of real-time applications. The HTTP Upgrade mechanism for upgrading connections from HTTP to WebSocket uses the Upgrade and Connection headers. Reverse proxy servers face some challenges in supporting WebSocket. One is that WebSocket is a hop-by-hop protocol, so when the proxy server intercepts the client's upgrade request, it needs to send its own upgrade request to the backend server, including the appropriate headers. In addition, because WebSocket connections are long-lived, as opposed to the typical short-lived connections used by HTTP, reverse proxies need to allow these connections to remain open, rather than closing them because they appear to be idle.

To allow tunneling between the client and the backend server, Nginx supports WebSocket. For NGINX to send the upgrade request from the client to the backend server, the Upgrade and Connection headers must be set explicitly.

The configuration method for Nginx to enable WebSocket proxy is as follows:

(1) Edit nginx.conf and add the following configuration in the http area:

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

「Explain the role of the map instruction:」 The map directive creates a new variable, $connection_upgrade, whose value depends on the value of $http_upgrade in the client request; the rules are the entries inside {}. If $http_upgrade is an empty string, $connection_upgrade is set to close. If no rule matches, the default is used, so $connection_upgrade is set to upgrade.

(2) Edit the configuration file of the virtual host under vhosts and add the following content to the location matching configuration:

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "$connection_upgrade";
    # proxy_set_header Connection "Upgrade";   # hard-coding Upgrade is also OK

(3) A complete example is as follows:

    # Requires the map block from step (1) in the http context;
    # without it, $connection_upgrade is undefined.
    upstream sre_backend {
        hash $remote_addr consistent;
        server sre1.ayunw.cn:8080;
        server sre2.ayunw.cn:8080;
        server sre3.ayunw.cn:8080;
    }
    server {
        listen 443 ssl;
        server_name sre.ayunw.cn;
        access_log /usr/local/nginx/logs/sre.ayunw.cn.access.log main;
        error_log /usr/local/nginx/logs/sre.ayunw.cn.error.log error;

        ssl_certificate /data/certs/nginx/sre.ayunw.cn.crt;
        ssl_certificate_key /data/certs/nginx/sre.ayunw.cn.key;
        ssl_session_timeout 5m;
        # SSLv3, TLSv1 and TLSv1.1 are deprecated and insecure, so they are not enabled.
        # Add TLSv1.3 where the nginx and OpenSSL build supports it.
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass http://sre_backend;
            proxy_ssl_server_name on;
            include proxy.conf;
            # WebSocket: HTTP/1.1 to the backend plus explicit Upgrade/Connection headers
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "$connection_upgrade";
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

The above configuration proxies WebSocket through nginx using one-way TLS authentication.

「Warm reminder:」 By default, if the proxied server does not transmit any data within 60 seconds, the connection will be closed. This timeout can be increased using the proxy_read_timeout directive.

In summary:

「WebSocket and Http similarities」:

  • They are all based on TCP and are both reliable transmission protocols.
  • They are all application layer protocols.

「Differences between WebSocket and Http」:

  • WebSocket is a two-way communication protocol that simulates the Socket protocol and can send or receive information in both directions. HTTP is one-way.
  • WebSocket requires a handshake between the browser and the server to establish a connection. However, HTTP is a connection initiated by the browser to the server, and the server does not know about this connection in advance.

「WebSocket and Http connection」:

When WebSocket establishes a handshake, data is transmitted via HTTP. However, after the establishment, the HTTP protocol is not required for actual transmission.

In WebSocket, the server and browser only need to perform a handshake via the HTTP protocol, and then establish a separate TCP communication channel for data transmission. The process of WebSocket connection is:

(1) The client initiates an HTTP request once the TCP connection has been established by the three-way handshake; the HTTP request contains information such as the version number supported by WebSocket, in headers such as Upgrade, Connection, WebSocket-Version, etc.;

(2) After the server receives the handshake request from the client, it also uses the HTTP protocol to send back its response;

(3) After the client receives the message that the connection succeeded, it starts full-duplex communication over the TCP transmission channel.

How to solve the frequent interruption of Nginx proxy WebSocket (i.e. how to maintain a long connection)

The problem lies in the configuration of nginx, and several timeout settings need to be configured. As follows:

    http {
        server {
            location / {
                root html;
                index index.html index.htm;
                proxy_pass http://sre_backend;
                proxy_http_version 1.1;
                proxy_connect_timeout 5s;
                proxy_read_timeout 60s;
                proxy_send_timeout 30s;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "$connection_upgrade";
            }
        }
    }

「Explain the above timeout configuration」

The default value of the proxy_read_timeout parameter is 60 seconds. This directive sets the timeout for reading from the proxied server, that is, how long nginx will wait for a response to the request. It is not the time allowed for the entire response, but the time between two successive read operations. In other words, it is the maximum time nginx will wait, which means that when you use nginx to forward WebSocket, the connection will still be closed if there is no communication within 60 seconds, so set it according to your needs. For example, if I set it to 5 minutes, then the connection is maintained as long as there is communication, or a heartbeat, within 5 minutes. So adjust this time according to your business needs.

The default value of the proxy_send_timeout parameter is 60s, which sets the timeout for sending requests to the upstream server. The timeout is not set for the entire sending period, but for the period between two write operations. If the upstream does not receive new data after the timeout, nginx will close the connection.
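One way to check a location block against the points made in this article (HTTP/1.1 to the backend, the Upgrade and Connection headers, and a heartbeat shorter than proxy_read_timeout), as an added example that is not the author's code. The function names, the heartbeat_s parameter and the simplified directive parsing are assumptions for illustration; the first sample is the location body from the configuration above and the second is constructed.

```python
import re

UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}

def nginx_seconds(value):
    """Convert an nginx time value ('60s', '5m', '1h 30m', bare '60') to seconds."""
    return sum(int(n) * UNITS[u or "s"]
               for n, u in re.findall(r"(\d+)(ms|[smhd])?", value))

def audit_location(body, heartbeat_s):
    """Check one flat location body; heartbeat_s is the application's ping interval."""
    text = re.sub(r"#[^\n]*", "", body)  # drop comments (simplified: no '#' in values)
    seen = {}
    for stmt in text.split(";"):
        words = stmt.replace('"', "").split()
        if len(words) >= 3 and words[0] == "proxy_set_header":
            seen["header:" + words[1].lower()] = " ".join(words[2:])
        elif len(words) >= 2:
            seen[words[0]] = " ".join(words[1:])
    findings = []
    if seen.get("proxy_http_version") != "1.1":
        findings.append("proxy_http_version is not 1.1")
    if seen.get("header:upgrade") != "$http_upgrade":
        findings.append("Upgrade header is not forwarded to the backend")
    if seen.get("header:connection") not in ("$connection_upgrade", "Upgrade", "upgrade"):
        findings.append("Connection header is not set for the upgrade")
    # The default of 60s applies when the directive is absent.
    read_timeout = nginx_seconds(seen.get("proxy_read_timeout", "60s"))
    if heartbeat_s >= read_timeout:
        findings.append(f"heartbeat {heartbeat_s}s >= proxy_read_timeout {read_timeout}s")
    return findings

# Location body from the article's timeout example.
PAGE_LOCATION = """
    root html;
    index index.html index.htm;
    proxy_pass http://sre_backend;
    proxy_http_version 1.1;
    proxy_connect_timeout 5s;
    proxy_read_timeout 60s;
    proxy_send_timeout 30s;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "$connection_upgrade";
"""
# Constructed sample: a plain HTTP proxy location with no WebSocket settings.
BARE_LOCATION = "proxy_pass http://sre_backend;"

if __name__ == "__main__":
    print(audit_location(PAGE_LOCATION, heartbeat_s=30))
    print(audit_location(PAGE_LOCATION, heartbeat_s=300))
    print(audit_location(BARE_LOCATION, heartbeat_s=30))
```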

「The relationship between WebSocket and Socket:」

Socket is not actually a protocol, but an abstraction layer that makes TCP or UDP convenient to use: a set of interfaces between the application layer and the transport layer. When two hosts communicate, they connect through a Socket, which uses the TCP/IP protocol to establish the TCP connection. The TCP connection in turn depends on the underlying IP protocol, and IP depends on lower layers such as the link layer.

WebSocket, like HTTP, is a typical application layer protocol.
