Nginx to Reverse Proxy WebSockets and Enable SSL (wss://)?

Better Stack Team
Updated on October 7, 2024

To configure Nginx as a reverse proxy for WebSocket connections and enable SSL/TLS (for wss://), you'll need to set up both WebSocket-specific configuration and SSL/TLS settings. Here's a step-by-step guide to achieve this:

1. Install Nginx with SSL Support

Ensure that Nginx is installed with SSL/TLS support. You can verify this by checking if the ssl module is available:

 
nginx -V 2>&1 | grep --color ssl

If the command prints nothing, the module is missing. Install Nginx from a package that includes SSL support or compile it with the --with-http_ssl_module option.

2. Obtain SSL/TLS Certificates

You need SSL/TLS certificates for your domain to enable wss://. You can obtain certificates from a Certificate Authority (CA) or use a tool like Let's Encrypt to get a free SSL certificate.

  • Let's Encrypt: You can use tools like certbot to obtain and automatically renew certificates.

     
    sudo certbot --nginx -d yourdomain.com
    
  • Manually: If you have your own certificates, ensure you have the certificate file (.crt) and the private key file (.key).

3. Configure Nginx for SSL and WebSocket Proxy

Here’s a sample Nginx configuration to set up SSL and reverse proxy WebSocket connections:

 
server {
    listen 443 ssl;
    server_name yourdomain.com;

    # SSL Configuration
    ssl_certificate /etc/nginx/ssl/yourdomain.com.crt;
    ssl_certificate_key /etc/nginx/ssl/yourdomain.com.key;

    # Optional: Add SSL security settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384';
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://backend_server;  # The URL of your WebSocket server
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # Optional: Additional configuration for static files
    location /static/ {
        alias /path/to/static/files/;
    }
}

server {
    listen 80;
    server_name yourdomain.com;

    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

Explanation of Configuration

  1. SSL/TLS Setup:
    • listen 443 ssl;: Configures Nginx to listen on port 443 with SSL enabled.
    • ssl_certificate and ssl_certificate_key: Specify the paths to your SSL certificate and private key.
  2. WebSocket Configuration:
    • proxy_pass: Directs WebSocket traffic to the backend WebSocket server.
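    • proxy_http_version 1.1;: Nginx proxies over HTTP/1.0 by default, and the WebSocket upgrade handshake requires HTTP/1.1.
    • proxy_set_header Upgrade $http_upgrade;: Passes the client's Upgrade header to the backend. Upgrade is a hop-by-hop header, so Nginx does not forward it unless told to, and the backend needs it to begin the WebSocket handshake.
    • proxy_set_header Connection 'upgrade';: Sets the Connection header sent to the backend to upgrade. Like Upgrade, it is hop-by-hop and is not forwarded from the client by default.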
    • proxy_set_header Host $host;: Forwards the original Host header.
  3. HTTP to HTTPS Redirection:
    • The second server block listens on port 80 and redirects all HTTP traffic to HTTPS.

4. Test and Reload Nginx

After configuring Nginx, it’s crucial to test your configuration for syntax errors and then reload or restart Nginx to apply the changes.

 
# Test Nginx configuration
sudo nginx -t

# Reload Nginx to apply changes
sudo systemctl reload nginx

5. Verify WebSocket Connection

Ensure that your WebSocket connections are working over wss:// by using a WebSocket client or testing tool. For example, you can use the browser’s developer tools to monitor WebSocket traffic and verify that it is being upgraded and proxied correctly.

Troubleshooting

  • Check Nginx Logs: If there are issues, check the Nginx error and access logs for troubleshooting.

     
    sudo tail -f /var/log/nginx/error.log
    sudo tail -f /var/log/nginx/access.log
    
  • Firewall and Network: Ensure that ports 80 and 443 are open and accessible through your firewall and network configuration.

By following these steps, you can successfully configure Nginx to reverse proxy WebSocket connections over SSL (wss://), ensuring secure and efficient communication between clients and your WebSocket server.

Licensed under CC-BY-NC-SA

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
