doudong0425
2014-09-15 13:26

PHP WebSocket redirect and stunnel

Accepted

I built a PHP WebSocket server and JavaScript clients to connect to it. It's working fine without SSL. My next step is to improve security by using wss instead of ws (and so enabling https on the website).

My intention is to decrypt incoming traffic and redirect it to the websocket server using stunnel on CentOS 6.

The first step is to simply redirect the requests from the clients to the server:

client-request: ws://soundjack.eu:9030/wsServer2.php

server: socket created listening on 144.76.81.210:9090 running php -q wsServer2.php

corresponding stunnel config:

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel/
;setuid = nobody
;setgid = nobody
; PID is created inside the chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel/stunnel.log

; Use it for client mode
client = yes

; Service-level configuration
[wsServer]
accept = 127.0.0.1:9030
connect = 127.0.0.1:9090

stunnel starts correctly and is listening on port 9030.

Every request that is sent by a client gets aborted (checked in the Firebug console). On Chrome it says status: finished, without any further information.

I don't quite know what the error is, so any help would be great. Thanks!


2 answers

  • dongrong7267, 7 years ago

    It finally works!!! Even with SSL it works great.

    The clue was to change the stunnel config so that it works correctly (updated, using SSL now):

    /etc/stunnel/stunnel.conf:

    ; Certificate/key is needed in server mode and optional in client mode
    cert = /path/to/<myCert>.pem
    key = /path/to/<myKey>.key
    
    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
    sslVersion = all
    
    ; Some security enhancements for UNIX systems - comment them out on Win32
    chroot = /var/run/stunnel/
    
    ; PID is created inside the chroot jail
    pid = /stunnel.pid
    
    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    ;compression = zlib
    
    ; Some debugging stuff useful for troubleshooting
    debug = 7
    output = /var/log/stunnel/stunnel.log
    ;foreground = yes
    
    ; Use it for client mode
    ;client = yes                     !! turn to server mode
    
    ; Service-level configuration
    [wsServer]
    accept = 0.0.0.0:9030             !! listen to all addresses
    connect = 127.0.0.1:9090
    

    Note: the lines marked with !! are not valid comments! I inserted them only to show the changes.

  • dqq3623, 6 years ago

    I just ran into this same problem and I wanted to add to this answer for someone else googling around, because it was killing me. In my PHP I wrote a websocket using Ratchet that I was invoking with a Laravel artisan command. If you're developing locally, I believe you can add the stunnel.pem and CAFile to your keychain (if on a Mac... on second thought I don't even think you necessarily need the CAFile if working locally) and you should be able to access your websocket with stunnel over wss. However, if you are working on your live webserver you need to get your keys certified. In my case I generated my stunnel keys for the stunnel.pem using OpenSSL and got them certified using PositiveSSL. I then added the CAFile option and linked the .crt file they sent me back. If you are getting "stunnel vision", use the option foreground = yes in your stunnel.conf and remember, as DrakeBlack pointed out, DO NOT USE client = yes. You are not the client in this case, you are the server.

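Added example, not part of either answer above: a server-mode stunnel.conf for this setup (TLS terminated on 9030, plaintext forwarded to the PHP websocket server on loopback 9090) together with a small shell checker for the points both answers turn on: `client = yes` must not be set on the server side, `sslVersion = all` (from the accepted answer's config) also enables SSLv2 and SSLv3 and should be replaced with an explicit TLS version, a `cert =` line is required in server mode, and the backend must stay on 127.0.0.1 so that nobody can talk plaintext ws to 9090 from outside. The file paths, the `setuid`/`setgid` user, and the `sslVersion`/`options` values are assumptions; the stunnel 4.x shipped with CentOS 6 may only know `sslVersion = TLSv1`, in which case keep the `options = NO_SSLv2` / `NO_SSLv3` lines and drop the TLSv1.2 setting.

```shell
#!/bin/sh
# Added example (not from the original thread). Writes a hardened server-mode
# stunnel.conf and checks a config for the mistakes discussed in the thread.
set -eu

# write_stunnel_conf FILE: write the server-mode config to FILE.
# Paths and the nobody user are assumed; adjust for your host.
write_stunnel_conf() {
cat > "$1" <<'EOF'
; Server mode: stunnel terminates TLS on 9030 and forwards plaintext to the
; PHP websocket server, which must stay bound to 127.0.0.1:9090.
client = no
cert = /etc/stunnel/wsserver.pem
key = /etc/stunnel/wsserver.key

; Drop privileges after binding; chroot as in the original config.
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid

; Never "all": that admits SSLv2/SSLv3. Older stunnel 4.x: use TLSv1 here.
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3

debug = 5
output = /var/log/stunnel/stunnel.log

[wsServer]
accept = 0.0.0.0:9030
connect = 127.0.0.1:9090
EOF
}

# check_stunnel_conf FILE: return 0 if FILE looks like a sane TLS-terminating
# server config, 1 if it has one of the errors discussed in the thread.
check_stunnel_conf() {
    local conf="$1" rc=0 norm
    # Strip ';' comments and whitespace around '=' so "client=yes" and
    # "client = yes" compare alike.
    norm=$(sed -e 's/;.*//' -e 's/[[:space:]]*=[[:space:]]*/=/' "$conf")
    if printf '%s\n' "$norm" | grep -qi '^client=yes'; then
        echo "FAIL: client = yes makes stunnel expect a TLS backend; use server mode"
        rc=1
    fi
    if printf '%s\n' "$norm" | grep -qi '^sslVersion=all'; then
        echo "FAIL: sslVersion = all enables SSLv2/SSLv3; pin a TLS version"
        rc=1
    fi
    if ! printf '%s\n' "$norm" | grep -q '^cert='; then
        echo "FAIL: no cert= line; a certificate is required in server mode"
        rc=1
    fi
    if printf '%s\n' "$norm" | grep -q '^connect=' &&
       ! printf '%s\n' "$norm" | grep -q '^connect=127\.0\.0\.1:'; then
        echo "WARN: backend is not 127.0.0.1; plaintext ws may be reachable directly"
    fi
    return $rc
}

# Usage (as root on the stunnel host):
#   write_stunnel_conf /etc/stunnel/stunnel.conf
#   check_stunnel_conf /etc/stunnel/stunnel.conf && service stunnel restart
# Then confirm from another host that 9030 speaks TLS and 9090 is closed:
#   openssl s_client -connect soundjack.eu:9030 </dev/null | head
#   nc -zv soundjack.eu 9090    # should be refused or filtered
```

The checker only parses the config file; it does not replace an external test with `openssl s_client`, which is the check that actually proves the handshake works and which the firewall on 9090 must be verified with separately.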
