Stunnel secure wss websocket to insecure ws socket
I recently changed my website to use SSL. What I have is an old websocket server script that listens on port 9300, which the client browser then calls over ws from JavaScript. Now that my site has changed to https I have to call wss, but it doesn't work. So I just want to redirect the secure wss to the insecure ws version of the socket, so that I don't have to change the script.
I tried fixing this with stunnel, but I'm doing something wrong.
Something seems to be going wrong in the handshake.
The PHP websocket server script I have is based on this git repository:
https://github.com/Flynsarmy/PHPWebSocket-Chat
The server prints:
```
Restarting SSL tunnels:
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Clients allowed=500
2016.02.14 13:44:20 LOG5[4173:140328635270912]: stunnel 4.53 on x86_64-pc-linux-gnu platform
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Reading configuration from file /etc/stunnel/stunnel.conf
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Compression not enabled
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Snagged 64 random bytes from /root/.rnd
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Wrote 1024 new random bytes to /root/.rnd
2016.02.14 13:44:20 LOG7[4173:140328635270912]: PRNG seeded successfully
2016.02.14 13:44:20 LOG6[4173:140328635270912]: Initializing service section [websocket]
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Certificate: /etc/apache2/ssl/ssl-cert-businessgame.pem
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Certificate loaded
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Key file: /etc/apache2/ssl/ssl-cert-businessgame.key
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Private key loaded
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Could not load DH parameters from /etc/apache2/ssl/ssl-cert-businessgame.pem
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Using hardcoded DH parameters
2016.02.14 13:44:20 LOG7[4173:140328635270912]: DH initialized with 2048-bit key
2016.02.14 13:44:20 LOG7[4173:140328635270912]: ECDH initialized with curve prime256v1
2016.02.14 13:44:20 LOG7[4173:140328635270912]: SSL options set: 0x00000004
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Configuration successful
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Service [websocket] (FD=12) bound to 94.198.160.29:9301
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Created pid file /var/run/stunnel4.pid
2016.02.14 13:44:47 LOG7[4173:140328635270912]: Service [websocket] accepted (FD=3) from 81.83.185.230:49718
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Service [websocket] started
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Waiting for a libwrap process
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Acquired libwrap process #0
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Releasing libwrap process #0
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Released libwrap process #0
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Service [websocket] permitted by libwrap from 81.83.185.230:49718
2016.02.14 13:44:47 LOG5[4173:140328635262720]: Service [websocket] accepted connection from 81.83.185.230:49718
2016.02.14 13:44:47 LOG6[4173:140328635262720]: SSL accepted: new session negotiated
2016.02.14 13:44:47 LOG6[4173:140328635262720]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2016.02.14 13:44:47 LOG6[4173:140328635262720]: Compression: null, expansion: null
2016.02.14 13:44:47 LOG6[4173:140328635262720]: connect_blocking: connecting 127.0.0.1:9300
2016.02.14 13:44:47 LOG7[4173:140328635262720]: connect_blocking: s_poll_wait 127.0.0.1:9300: waiting 10 seconds
2016.02.14 13:44:47 LOG3[4173:140328635262720]: connect_blocking: connect 127.0.0.1:9300: Connection refused (111)
2016.02.14 13:44:47 LOG5[4173:140328635262720]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Local socket (FD=3) closed
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Service [websocket] finished (0 left)
```
My stunnel.conf:
```
foreground = yes
key = /etc/apache2/ssl/ssl-cert-businessgame.key
cert = /etc/apache2/ssl/ssl-cert-businessgame.pem
CAfile = /etc/apache2/ssl/ssl-cert-businessgame.pem
debug = 7
output = /var/log/stunnel_websocket.log
[websocket]
accept = businessgame.be:9301
connect = 9300
```
Client browser console:
```
WebSocket connection to 'wss://businessgame.be:9301/socket/server.php' failed: Error in connection establishment: net::ERR_SOCKET_NOT_CONNECTED
```
The certificate I use is the same one as the SSL certificate. I also tried my own generated key and certificate files, but no luck. I get the same error, the handshake fails.
So the problem was not in the tunnel, but I had to change how the server sets up the socket. I used to create it as domain:port but had to change it to localhost:port.
So in the server.php file I had to change
```php
// start the server
$Server = new PHPWebSocket();
$Server->bind('message', 'wsOnMessage');
$Server->bind('open', 'wsOnOpen');
$Server->bind('close', 'wsOnClose');
// for other computers to connect, you will probably need to change this to your LAN IP or external IP,
// alternatively use: gethostbyaddr(gethostbyname($_SERVER['SERVER_NAME']))
$Server->wsStartServer('businessgame.be', 9300);
```
to
```php
// start the server
$Server = new PHPWebSocket();
$Server->bind('message', 'wsOnMessage');
$Server->bind('open', 'wsOnOpen');
$Server->bind('close', 'wsOnClose');
// for other computers to connect, you will probably need to change this to your LAN IP or external IP,
// alternatively use: gethostbyaddr(gethostbyname($_SERVER['SERVER_NAME']))
$Server->wsStartServer('localhost', 9300);
```
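An added diagnostic, not from the question or from the PHPWebSocket-Chat project, that reproduces the mismatch behind the fix above: it parses the stunnel.conf from the question, resolves a bare `connect = 9300` to the loopback address stunnel actually dialled, pulls the refused backend out of the debug log, and checks whether a server bound to the PHP script's host is reachable that way. The hostname-to-IP table is a constructed stand-in for DNS, taken from the addresses visible in the log.

```python
import re

# Constructed sample: the service section of the stunnel.conf in the question.
STUNNEL_CONF = """\
foreground = yes
debug = 7
[websocket]
accept = businessgame.be:9301
connect = 9300
"""

# Constructed sample: the two decisive lines from the stunnel debug log above.
STUNNEL_LOG = [
    "2016.02.14 13:44:20 LOG7[4173:1]: Service [websocket] (FD=12) bound to 94.198.160.29:9301",
    "2016.02.14 13:44:47 LOG3[4173:2]: connect_blocking: connect 127.0.0.1:9300: Connection refused (111)",
]

# Constructed stand-in for DNS (assumption): the log shows businessgame.be bound as 94.198.160.29.
RESOLVE = {"businessgame.be": "94.198.160.29", "localhost": "127.0.0.1", "127.0.0.1": "127.0.0.1"}

def parse_stunnel_conf(text):
    """Return {section: {"accept"/"connect": (host, port)}}. A bare port in
    `connect =` is dialled on the loopback address, exactly as the log shows."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if current is None or key not in ("accept", "connect"):
            continue
        host, sep, port = value.rpartition(":")
        if not sep:                       # "connect = 9300" -> 127.0.0.1:9300
            host, port = "127.0.0.1", value
        sections[current][key] = (host, int(port))
    return sections

def refused_backends(log_lines):
    """Extract (host, port) of every backend stunnel failed to reach."""
    pat = re.compile(r"connect_blocking: connect ([^:\s]+):(\d+): Connection refused")
    hits = [pat.search(line) for line in log_lines]
    return [(m.group(1), int(m.group(2))) for m in hits if m]

def backend_reachable(bind_host, connect_host):
    """True if a listener bound to bind_host answers on connect_host. Binding to
    one specific non-loopback address (the public IP) leaves loopback unbound,
    which is why stunnel got 'Connection refused' from 127.0.0.1:9300."""
    if bind_host in ("", "0.0.0.0", "::"):   # wildcard bind covers every interface
        return True
    return RESOLVE[bind_host] == RESOLVE[connect_host]
```

Binding the PHP server to `localhost` (or to the wildcard address, if outside clients must still reach port 9300 directly) is what makes `backend_reachable` true for the loopback target stunnel uses.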