Socket SSL #134

Open
ericbarch opened this issue Jul 3, 2012 · 8 comments

@ericbarch
Collaborator

Add configuration options for SSL cert or generate a self-signed cert for securing the connection. Some cellular networks and proxies break non-secure websockets, so this could help improve performance in those situations.

@cpdean

cpdean commented Jun 1, 2013

+1

@maikelwever
Contributor

You can achieve this by setting the client_port to 443 in your settings, and putting an Nginx instance in front of node.js. Since Nginx 1.3.1 (I believe), it is capable of proxying websockets (wss too). This is my current setup, and it works fine.
EDIT: 1.3.13 it is

@fculpo
Contributor

fculpo commented Jun 14, 2013

Could you describe your nginx conf and end-to-end setup plz?
I'm currently trying to implement this feature on my subway

@maikelwever
Contributor

You need NginX 1.3.13 to proxy websockets. I use Ubuntu 12.04 LTS, and got the latest version from the NginX PPAs.

NginX config:

```nginx
upstream subway {
        server localhost:3000;
}

server {
        listen 443 ssl;
        server_name irc.reallysecretdomain.nl;

        ssl_certificate cert.crt;
        ssl_certificate_key cert.key;

        ssl_session_timeout 5m;
        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
        ssl_prefer_server_ciphers on;

        location / {
                proxy_pass http://subway;

                # These three seem to be specific to proxying websockets.
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";

                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $proxy_host;
                proxy_set_header X-NginX-Proxy true;
        }

        location /assets {  # Serving your statics with NginX is good practice
                alias /path/to/subway/assets/;
        }
}
```

Subway's config.js

```js
  dev: {
    port: process.env.PORT || 3000,
    // This is to make sure the client does not try to connect to port 3000
    client_port: process.env.CLIENT_PORT || process.env.PORT || 443
  },
  prod: {
    port: process.env.PORT || 3000,
    // And again
    client_port: 443
  },
```
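
A hardened variant of the TLS settings in the reverse-proxy config above, added here as an example and not part of the original thread or the project's code: the posted `ssl_protocols SSLv3 TLSv1` and the cipher string that enables `LOW` and `EXP` suites are replaced with TLS 1.2/1.3 and ECDHE AEAD suites. It assumes nginx 1.13.0 or later built against OpenSSL 1.1.1+ (needed for `TLSv1.3`); the hostname, certificate paths and upstream are carried over from the post, and the port-80 redirect and `map` block are additions.

```nginx
# Added example; place inside the http {} context (e.g. a conf.d include).
# Assumes nginx >= 1.13.0 with OpenSSL 1.1.1+ for TLSv1.3.

# Send "Connection: upgrade" upstream only when the client requested an upgrade.
map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
}

upstream subway {
        server localhost:3000;
}

# Redirect plain HTTP so the browser always ends up on https:// and wss://.
server {
        listen 80;
        server_name irc.reallysecretdomain.nl;
        return 301 https://$host$request_uri;
}

server {
        listen 443 ssl;
        server_name irc.reallysecretdomain.nl;

        ssl_certificate     cert.crt;
        ssl_certificate_key cert.key;
        ssl_session_timeout 5m;

        # SSLv3 and TLSv1 are dropped; no RC4, export, LOW or MEDIUM suites.
        ssl_protocols TLSv1.2 TLSv1.3;
        # Applies to TLS 1.2; TLS 1.3 suites come from the OpenSSL defaults.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        # Every suite listed is acceptable, so the client may pick its fastest.
        ssl_prefer_server_ciphers off;

        location / {
                proxy_pass http://subway;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $proxy_host;
        }
}
```

`nginx -t` validates the file before reload; clients that cannot negotiate TLS 1.2 will fail the handshake with these settings.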

@fculpo
Contributor

fculpo commented Jun 15, 2013

Yep, that worked!! Thx
However, is it possible to change location / to location /irc so that users access subway via (in your example) irc.reallysecretdomain.nl/irc (I didn't manage to get it working)?

@maikelwever
Contributor

Yeah, I tried that too, but have found no way to let node.js know it's in a folder, which breaks all static files.

@ericbarch: Do you think the NginX as a reverse proxy solution is sufficient to close this issue?

@maikelwever
Contributor

Ow, and there seems to be someone that has implemented this in subway itself: https://github.com/pdxcat/subway/commit/a90c58b94a2bc040890b97d957f75e6cffe7d3cc

@fculpo
Contributor

fculpo commented Jun 15, 2013

Yeah, it's only 5 more lines of code, I did it yesterday too, but I still prefer the nginx frontend.
Maybe we could add a prefix variable which does the trick mentioned above
