Use Stunnel to connect wss to wsServer

Time:05-16

I am trying to use stunnel to turn a wss connection into a ws connection because wsServer doesn't support wss. The server is running Ubuntu, and the client I'm using is Chrome, if it matters.

This is my stunnel.conf file

foreground = yes
debug = info
output = /var/log/stunnel.log

[wsServer]
cert = /etc/letsencrypt/live/myurl.com/fullchain.pem
key = /etc/letsencrypt/live/myurl.com/privkey.pem
accept = 0.0.0.0:8443
connect = 127.0.0.1:8080

I'm trying to connect to it with a JavaScript call:

const socket = new WebSocket('wss://myurl.com:8433');

But I consistently get a connection error:

(index):13 WebSocket connection to 'wss://myurl.com:8433/' failed: (anonymous) @ (index):13

Here's what I've checked:

  • That my port forwarding/system firewalls aren't eating the connection. If I kill stunnel and set up a regular socket listening on either port 8080 or 8433, I can connect to that socket from the client machine.
  • wsServer accepts non-encrypted traffic; if I instead connect with ws://myurl.com:8080, it works fine
  • wsServer accepts connections from localhost just fine, which I understand is necessary when stunnel is running on the same machine as the server
  • Chrome accepts my cert when used for https pages under the same domain, so I don't think I have a cert signing error, but I don't know how to tell if the cert is related to the connection failing
  • Stunnel does not print any errors when starting up
  • Nothing gets printed to /var/log/stunnel.log, although the file was created after I added the output field to the .conf file

Any ideas about what else I can try? Is there some reason the cert that works for https wouldn't work with wss?

Do people recommend using ProxyPass through apache and avoiding stunnel altogether?

CodePudding user response:

Not a solution, but a next troubleshooting step. Get yourself openssl and attempt to connect to 8443. This should spit back the certificate information and at least confirm stunnel is presenting the certificate.

openssl s_client -connect myurl.com:8443

It's been a while since I configured stunnel, but IIRC you can't put a password on your key.
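
A local check that complements the `openssl s_client` step in the answer above, as an added example that is not part of the original posts: it compares the port in the client's `wss://` URL with the `accept` ports declared in the stunnel configuration. The function names are hypothetical, and the inline sample is the service section and URL as posted in the question.

```bash
# Read a stunnel config on stdin; print "service port" per accept line.
stunnel_accept_ports() {
  awk '
    BEGIN { svc = "global" }
    /^[ \t]*[#;]/ { next }                      # comment lines
    /^[ \t]*\[/ {                               # [service] header
      sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); svc = $0; next
    }
    /^[ \t]*accept[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
      n = split($0, parts, ":")                 # host:port or bare port
      print svc, parts[n]
    }'
}

# Print the port a URL targets; default 443 for wss, 80 for ws.
ws_url_port() {
  scheme=${1%%://*}
  hostport=${1#*://}
  hostport=${hostport%%/*}
  case $hostport in
    *:*) port=${hostport##*:} ;;
    *)   port= ;;
  esac
  case $port in
    ''|*[!0-9]*) if [ "$scheme" = wss ]; then echo 443; else echo 80; fi ;;
    *) echo "$port" ;;
  esac
}

# $1 = client URL, stdin = stunnel config. Returns 1 on a port mismatch.
check_wss_port() {
  ports=$(stunnel_accept_ports)
  want=$(ws_url_port "$1")
  match=$(printf '%s\n' "$ports" | awk -v p="$want" '$2 == p { print $1; exit }')
  if [ -n "$match" ]; then
    echo "OK: port $want is accepted by [$match]"
  else
    have=$(printf '%s\n' "$ports" | awk '{ printf "%s ", $2 }')
    echo "MISMATCH: URL targets port $want; stunnel accepts on: $have"
    return 1
  fi
}

# Service section and client URL as posted in the question.
SAMPLE_CONF='[wsServer]
accept = 0.0.0.0:8443
connect = 127.0.0.1:8080'
printf '%s\n' "$SAMPLE_CONF" | check_wss_port 'wss://myurl.com:8433' || true
```

With the values as posted, it reports a mismatch: the URL targets port 8433 while the `[wsServer]` service accepts on 8443.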
