0

I have a PSGI/Plack application hosted behind a reverse HTTPS proxy. Visitors are authenticated with client certificates. I use websockets to pass data (say, the output of "tail -f ") to the browser asynchronously. The application works fine when accessed directly, but not when accessed via the reverse HTTPS proxy. Is there some way to use client certificate authentication for websockets?

Gurunandan Bhat

1 Answer

3

There are 2 options:

  1. Have the reverse proxy terminate the TLS, do the client cert based auth and forward unencrypted traffic to the WebSocket server behind

  2. Have the reverse proxy forward the TLS untouched to the WebSocket server

With 2., you will need a WebSocket server that implements TLS and client-cert based authentication.

Here is a TLS-enabled WebSocket server example based on Autobahn (Python/Twisted-based):

You can add client-cert auth following the examples here:

Disclaimer: I am author of Autobahn and work for Tavendo.

oberstet
  • Thank you. Option 2: I am constrained to use a Perl websocket server (for reasons other than tech) and to the best of my knowledge there isn't one that supports SSL. I have to examine Option 1 since that does not require a WS server with SSL support. Will report here if I have a problem. Thank you once again - the docs are extremely well written for their purpose. – Gurunandan Bhat Oct 26 '12 at 17:39
  • @oberstet, Hi, I'm trying to use a websocket Python client against Tornado's websocket implementation, and actually, I'm doing authentication against a Django app, where I track users with session id. The problem is: I can't add a header (to pass the session id to the Tornado websocket server, which in turn checks against the sessions repository) to the already existing websocket Python client implementations. Can Autobahn do that, giving me an example will be highly appreciated. Also, if Autobahn can ease this process for me in some way, please lead me to. Thanks! – securecurve Jan 21 '13 at 17:36
  • There is currently no user API to set custom HTTP headers to be sent during the initial opening WS handshake of AutobahnPython client. – oberstet Jan 21 '13 at 19:45
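
Option 1 from the answer, sketched as a reverse-proxy configuration. This is an added example, not part of the original answer or comments; it assumes nginx as the proxy (the page does not name one), and the host name, file paths, `/ws` location, backend port and `X-SSL-Client-*` header names are placeholders chosen for illustration.

```nginx
# Added example. nginx is an assumption; all names and paths are placeholders.
server {
    listen 443 ssl;
    server_name app.example.org;                           # placeholder

    ssl_certificate        /etc/nginx/tls/server.crt;      # placeholder
    ssl_certificate_key    /etc/nginx/tls/server.key;      # placeholder

    # CA that issued the visitors' client certificates.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;   # placeholder
    # Reject requests that do not present a certificate verifying against that CA.
    ssl_verify_client      on;

    location /ws {                                         # assumed WebSocket path
        # Backend speaks plain HTTP and listens on loopback only,
        # so it cannot be reached without passing through the proxy.
        proxy_pass http://127.0.0.1:5000;                  # placeholder port

        # The WebSocket handshake is an HTTP/1.1 Upgrade; these hop-by-hop
        # headers are not forwarded unless set explicitly.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host       $host;

        # Identity established at the TLS layer, passed to the backend.
        # proxy_set_header replaces any same-named header sent by the client.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;

        # Long-lived streams would otherwise be closed after the default
        # 60 s without data from the backend.
        proxy_read_timeout 1h;
    }
}
```

A PSGI application behind this proxy would see the forwarded values as `HTTP_X_SSL_CLIENT_VERIFY` and `HTTP_X_SSL_CLIENT_S_DN` in its environment. It should treat them as authoritative only because the backend is unreachable except through the proxy.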