Stunnel secure wss websocket to unsecure ws socket

I recently changed my site to use SSL. What I have is an old websocket server script that listens on port 9300 and is then called by the client browser over ws using JavaScript. Now that my site has changed to https I have to call wss, but it doesn't work. So I just want to redirect a secure wss to the unsecure ws version of the socket, so that I don't have to change the script.

I tried to solve this by using a tunnel. But I'm not getting it right.

There seems to be a problem with the handshake being performed.

My PHP WebSocket server script is based on this git repository: https://github.com/Flynsarmy/PHPWebSocket-Chat

The server prints

Restarting SSL tunnels: 2016.02.14 13:44:20 LOG7[4173:140328635270912]: Clients allowed=500
2016.02.14 13:44:20 LOG5[4173:140328635270912]: stunnel 4.53 on x86_64-pc-linux-gnu platform
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Reading configuration from file /etc/stunnel/stunnel.conf
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Compression not enabled
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Snagged 64 random bytes from /root/.rnd
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Wrote 1024 new random bytes to /root/.rnd
2016.02.14 13:44:20 LOG7[4173:140328635270912]: PRNG seeded successfully
2016.02.14 13:44:20 LOG6[4173:140328635270912]: Initializing service section [websocket]
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Certificate: /etc/apache2/ssl/ssl-cert-businessgame.pem
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Certificate loaded
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Key file: /etc/apache2/ssl/ssl-cert-businessgame.key
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Private key loaded
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Could not load DH parameters from /etc/apache2/ssl/ssl-cert-businessgame.pem
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Using hardcoded DH parameters
2016.02.14 13:44:20 LOG7[4173:140328635270912]: DH initialized with 2048-bit key
2016.02.14 13:44:20 LOG7[4173:140328635270912]: ECDH initialized with curve prime256v1
2016.02.14 13:44:20 LOG7[4173:140328635270912]: SSL options set: 0x00000004
2016.02.14 13:44:20 LOG5[4173:140328635270912]: Configuration successful
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Service [websocket] (FD=12) bound to 94.198.160.29:9301
2016.02.14 13:44:20 LOG7[4173:140328635270912]: Created pid file /var/run/stunnel4.pid
2016.02.14 13:44:47 LOG7[4173:140328635270912]: Service [websocket] accepted (FD=3) from 81.83.185.230:49718
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Service [websocket] started
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Waiting for a libwrap process
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Acquired libwrap process #0
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Releasing libwrap process #0
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Released libwrap process #0
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Service [websocket] permitted by libwrap from 81.83.185.230:49718
2016.02.14 13:44:47 LOG5[4173:140328635262720]: Service [websocket] accepted connection from 81.83.185.230:49718
2016.02.14 13:44:47 LOG6[4173:140328635262720]: SSL accepted: new session negotiated
2016.02.14 13:44:47 LOG6[4173:140328635262720]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2016.02.14 13:44:47 LOG6[4173:140328635262720]: Compression: null, expansion: null
2016.02.14 13:44:47 LOG6[4173:140328635262720]: connect_blocking: connecting 127.0.0.1:9300
2016.02.14 13:44:47 LOG7[4173:140328635262720]: connect_blocking: s_poll_wait 127.0.0.1:9300: waiting 10 seconds
2016.02.14 13:44:47 LOG3[4173:140328635262720]: connect_blocking: connect 127.0.0.1:9300: Connection refused (111)
2016.02.14 13:44:47 LOG5[4173:140328635262720]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Local socket (FD=3) closed
2016.02.14 13:44:47 LOG7[4173:140328635262720]: Service [websocket] finished (0 left)

My stunnel.conf

    foreground = yes
    key = /etc/apache2/ssl/ssl-cert-businessgame.key
    cert = /etc/apache2/ssl/ssl-cert-businessgame.pem
    CAfile = /etc/apache2/ssl/ssl-cert-businessgame.pem
    debug = 7
    output = /var/log/stunnel_websocket.log
    [websocket]
    accept = businessgame.be:9301
    connect = 9300

Client browser console:

WebSocket connection to 'wss://businessgame.be:9301/socket/server.php' failed: Error in connection establishment: net::ERR_SOCKET_NOT_CONNECTED

The certificate I use is the same one I use for SSL. I also tried with a key and certificate file I generated myself, but without success. I get the same error, the handshake fails.

So the problem wasn't in stunnel, but I had to change the way the server sets up the socket. I used to create it as domain:port but had to change it to localhost:port

So in the server.php file I had to change

    // start the server
    $Server = new PHPWebSocket();
    $Server->bind('message', 'wsOnMessage');
    $Server->bind('open', 'wsOnOpen');
    $Server->bind('close', 'wsOnClose');
    // for other computers to connect, you will probably need to change this to your LAN IP or external IP,
    // alternatively use: gethostbyaddr(gethostbyname($_SERVER['SERVER_NAME']))
    $Server->wsStartServer('businessgame.be', 9300);

    // start the server
    $Server = new PHPWebSocket();
    $Server->bind('message', 'wsOnMessage');
    $Server->bind('open', 'wsOnOpen');
    $Server->bind('close', 'wsOnClose');
    // for other computers to connect, you will probably need to change this to your LAN IP or external IP,
    // alternatively use: gethostbyaddr(gethostbyname($_SERVER['SERVER_NAME']))
    $Server->wsStartServer('localhost', 9300);
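An added diagnostic, not part of the original post or of the PHPWebSocket project: a Python script that parses a stunnel.conf like the one above, turns a bare `connect = 9300` into 127.0.0.1:9300 the way stunnel does, and makes the same plain TCP connection stunnel's connect_blocking makes, so the "Connection refused" from the log can be reproduced without a browser. The config text is a constructed copy of the post's section, and `start_loopback_listener` is a hypothetical stand-in for the ws server after the fix.

```python
import socket
from typing import Dict, Tuple

# Constructed copy of the relevant lines of the post's stunnel.conf (not read from disk).
SAMPLE_CONF = """\
[websocket]
accept = businessgame.be:9301
connect = 9300
"""

Endpoint = Tuple[str, int]


def parse_stunnel_conf(text: str) -> Dict[str, Dict[str, Endpoint]]:
    """Return {service: {"accept": (host, port), "connect": (host, port)}}.
    A bare port in connect= means loopback (stunnel dials 127.0.0.1, as the
    log line 'connect_blocking: connecting 127.0.0.1:9300' shows)."""
    services, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            services[section] = {}
        elif "=" in line and section is not None:
            key, val = (p.strip() for p in line.split("=", 1))
            if key in ("accept", "connect"):
                host, _, port = val.rpartition(":")  # "9300" -> host ""
                services[section][key] = (host or "127.0.0.1", int(port))
    return services


def backend_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect: the same step stunnel's connect_blocking performs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ECONNREFUSED (as in the log), timeout, or bad hostname
        return False


def check_backends(text: str) -> Dict[str, bool]:
    """Per service: is the plaintext backend listening where stunnel will dial it?"""
    return {name: backend_reachable(*ep["connect"])
            for name, ep in parse_stunnel_conf(text).items()}


def start_loopback_listener() -> Tuple[socket.socket, int]:
    """Stand-in for the ws server once bound to localhost (hypothetical helper)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]
```

Binding the plaintext ws server to localhost is also what a defender wants here: port 9300 then accepts connections only from the same host, so the unencrypted socket is reachable only through the stunnel TLS front end on 9301.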