As certificate, I have tried a simple (key, cert) and a PKI (ca, key, cert), each with sha256/sha384 and prime256v1/secp384r1.
DNS and IP in the cert are packed with all possible domains, *.domain, possible IPs …
Yet, as the CA is self-signed, the client seems to drop the connection wss:… to the LXD websocket.
Which logs in LXD as:
lxd.log:
t=2022-02-20T12:04:00+0100 lvl=info msg=“http: TLS handshake error from 113.91.xx.xx:41741: remote error: tls: unknown certificate”
Is there a workaround for this?
Apply a real certificate from a known root CA for the LXD server?
In the client, do https to a middleman/proxy (nginx) and from there upgrade the connection to wss?
By using a certificate, the webserver requests an operation.
The operation id and secret are then used to build a websocket link, which is called through JavaScript by the web client.
TLS handshake error from 113.91.xx.xx ← the IP is the web client IP, which uses a browser executing wss://… within the page
How can a certificate possibly be applied in this context:
Thanks for the hint.
Seems right.
I had a guess, but hoped to avoid the extra proxying of the connection.
Would an nginx connection upgrade work? Call https://domain/something, then upgrade /something/ to wss://lxdserver …
Or do I need to call a node port which proxies to the LXD server? A node middleware or agent?
It seems there are too many turning wheels in the LXD interactive sockets business.
nginx probably can't proxy it because the secrets are dynamically generated and not fixed.
If the above is true you need a full proxy written in Node in between; you can add some middleware to auth your users. LXDMosaic does this, but it's GPL3, so if you're writing a private application you probably need to work it out without looking at that code.
I will give nginx a try.
I can pass the whole link incl. secret to nginx: https://domain/catchthis/operations/b7e4cbcf-…/websocket?secret=2e4c660…
Then run it through a rewrite rule to turn /catchthis/ into the proper link and upgrade it to wss:
Should the above not work, then yes indeed a node middleware is the solution.
Both nginx and haproxy can upgrade a connection and proxy to a websocket.
haproxy seems to have more advanced options.
The request is sent to the proxy; it renders the http header, upgrades by ws/wss and forwards.
I was just looking for a solution where the application server remains a simple webserver (html/php), not involving another middleman (node.js websocket server as proxy), saving the whole node installation and commissioning for the middleman.
The wss client needs to be proxied either by a wss server instance or by another proxy such as nginx or haproxy.
In order to upgrade the http/https connection to websocket:
nginx takes the following configuration (tested, working). It shows two backends, srv4 and srv8; you can create multiple backends and proxy by matching location or rewrite.
Now you send a request to https://api.domain.com/1.0/operations/b7e4cbcf-…/websocket?secret=2e4c660…
nginx will upgrade and send it to wss://10.0.4.1:8443/1.0/operations/b7e4cbcf-…/websocket?secret=2e4c660…
It is bidirectional; the LXD reply/data is transferred back to https://…
HAProxy can act as middleware too. The advantage is that you can map all your LXD server instances and divert the requests by filtering URL, domain, subdomain, port etc. to the desired LXD server instance declared as a wss backend:
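The nginx setup described in the post above (browser connects over https to api.domain.com with a publicly trusted certificate, nginx upgrades the connection and forwards the operation websocket to the LXD server at 10.0.4.1:8443) written out as an added example configuration. This is not the poster's own configuration, which is not reproduced on the page. The second backend address 10.0.8.1:8443 for srv8, the certificate and key paths, the `/srv8/` path prefix and the internal DNS name `lxd-srv4.internal` are assumptions. The one security-relevant addition over what the post describes is that nginx pins and verifies the LXD server's self-signed certificate instead of skipping verification, so the browser's "unknown certificate" problem is solved without making the proxy trust any TLS endpoint that answers on that address:

```nginx
# Added example, not the poster's configuration. All addresses, names and paths are placeholders.

# Map the client's Upgrade header to the Connection header nginx sends upstream
# (websocket handshake needs "Connection: upgrade"; plain requests close normally).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Two LXD servers as named backends (the post calls them srv4 and srv8).
upstream srv4 { server 10.0.4.1:8443; }
upstream srv8 { server 10.0.8.1:8443; }   # assumed address

server {
    listen 443 ssl;
    server_name api.domain.com;

    # Publicly trusted certificate presented to the browser (placeholder paths).
    ssl_certificate     /etc/ssl/certs/api.domain.com.pem;
    ssl_certificate_key /etc/ssl/private/api.domain.com.key;

    # Expose only the operation websocket path. The rest of the LXD REST API is
    # deliberately not reachable through this server block, so the browser-facing
    # surface is limited to websockets that already carry an operation id and secret.
    location ~ ^/1.0/operations/[0-9a-f-]+/websocket$ {
        proxy_pass https://srv4;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_buffering  off;
        proxy_read_timeout 3600s;   # keep idle interactive sessions open

        # Verify the LXD server's self-signed certificate against a pinned copy of
        # that certificate. proxy_ssl_name must match a DNS SAN in the LXD cert;
        # lxd-srv4.internal is an assumed name for this example.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/lxd/srv4-server.crt;   # placeholder path
        proxy_ssl_server_name on;
        proxy_ssl_name lxd-srv4.internal;
    }

    # Second LXD server selected by a path prefix that is stripped before forwarding,
    # i.e. the "rewrite" variant the post mentions. The query string (secret=...)
    # is carried over by the rewrite automatically.
    location ~ ^/srv8/1.0/operations/[0-9a-f-]+/websocket$ {
        rewrite ^/srv8/(.*)$ /$1 break;
        proxy_pass https://srv8;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_buffering  off;
        proxy_read_timeout 3600s;

        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/lxd/srv8-server.crt;   # placeholder path
        proxy_ssl_server_name on;
        proxy_ssl_name lxd-srv8.internal;   # assumed DNS SAN in the srv8 certificate
    }
}
```

With this in place the browser opens wss://api.domain.com/1.0/operations/<id>/websocket?secret=<secret> and nginx forwards it to wss://10.0.4.1:8443/... exactly as the post describes; the pinned certificate file is the LXD server certificate itself, copied out of band, so a replaced or spoofed upstream fails the handshake at nginx rather than being silently accepted. Check the result with `nginx -t` and then `curl -i -H 'Upgrade: websocket' -H 'Connection: upgrade' https://api.domain.com/1.0/operations/<id>/websocket?secret=<secret>`, which should come back as a 101 Switching Protocols when the operation id and secret are valid.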