Using STunnel to provide reliable SSL support for Faye


Matthijs Langenberg

Nov 2, 2010, 6:18:01 AM11/2/10
to faye-...@googlegroups.com
Dear Faye users,

I would like to share that I am having good results using STunnel (http://www.stunnel.org/) to do the SSL heavy lifting for Node.js/Faye. It works for both long-polling and WebSocket transport. It also seems to have good performance, because it does things like SSL session caching.

As you all might know, current SSL support in Node.js is far from finished. I know people are working hard on this subject, but I needed something working today.

If you want to see how reliable Node's SSL support currently is, please clone my repository: git://github.com/mlangenberg/node-faye-ssl-test.git

You will notice that the connection to the Faye server will only last for about ten seconds ... then the client doesn't receive any more messages from the server.

My current setup looks something like this: browser --[SSL]--> STunnel:443 --[NON-SSL] --> node:5000 

There is also one problem I would like to share. When using a reverse proxy to do SSL and maybe some load balancing (you could in theory use HAProxy, Nginx or maybe Mongrel2, but in practice STunnel is one of the few to support both WebSocket and SSL), there is a minor problem with the WebSocket handshake.


Let's say a WebSocket client connects to 'wss://chat.domain.com'. This will establish a secure connection to the SSL-proxy. Now the SSL-proxy will forward this connection in a non-secure way to the Node server. This causes request.socket.secure to return false ... so the url returned to the client is 'ws://chat.domain.com', which will cause a handshake mismatch in the browser.

As far as I know, there is no way to tell if the request has been forwarded by STunnel, except for the origin being 'null'. So I resorted to hardcoding faye-node.js to always return a 'wss:' url. Of course this is no real solution. 

One option would be to write a patch for STunnel to add an 'X-FORWARDED-PROTO' header, which Faye can use to check if it should return a 'wss:' or 'ws:' url ...

Any thoughts?


Bests,

Matthijs


James Coglan

Dec 2, 2010, 3:15:12 PM12/2/10
to Faye users
On Nov 2, 10:18 am, Matthijs Langenberg <mlangenb...@gmail.com> wrote:
> One option would be to write a patch for STunnel to add an
> 'X-FORWARDED-PROTO' header, which Faye can use to check if it should return
> a 'wss:' or 'ws:' url ...

I've pulled in Matthijs's patch for this and added support to the Ruby
version:
https://github.com/jcoglan/faye/commit/e32f82cd2ff61e7799a7529fcab1b9472c5ab466
https://github.com/jcoglan/faye/commit/864ab0a73b75de2b75eb3fb0fc6c6e60c93ee90c

Thanks to Matthijs for your work on this.
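To make the ws:/wss: decision concrete, here is an added example (not Faye's code and not the content of the commits linked above) of how a Node server behind a TLS-terminating proxy can derive the handshake URL. It assumes, as in the setup described in this thread, that the proxy reaches Node from the loopback interface and that a patched proxy sets X-Forwarded-Proto; stock STunnel does not set that header. The request objects at the bottom are constructed stand-ins for http.IncomingMessage, and the trusted-address list is an assumption for illustration.

```javascript
'use strict';

// Added example, not Faye's code: choose ws:// or wss:// for a WebSocket
// handshake when TLS is terminated by a proxy such as stunnel.
// Assumptions (not from the thread): the proxy talks to Node from loopback,
// and a patched proxy sets X-Forwarded-Proto (stock stunnel does not).

// Peers allowed to assert X-Forwarded-Proto. Any other peer could be a client
// that reached the plaintext port directly and is spoofing the header.
const TRUSTED_PROXY_ADDRESSES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

function peerSocket(request) {
  return request.socket || request.connection || {};
}

// Is this hop itself TLS? Current Node sets socket.encrypted on TLS sockets;
// the thread refers to the older request.socket.secure flag, so accept both.
function connectionIsEncrypted(request) {
  const socket = peerSocket(request);
  return Boolean(socket.encrypted || socket.secure);
}

// Scheme claimed by the proxy, or null if the peer is not a trusted proxy or
// sent no header. The value may be a comma-separated chain; the first entry
// is the hop nearest the client.
function forwardedProto(request) {
  if (!TRUSTED_PROXY_ADDRESSES.has(peerSocket(request).remoteAddress)) return null;
  const value = request.headers['x-forwarded-proto'];
  if (!value) return null;
  return String(value).split(',')[0].trim().toLowerCase();
}

function isSecure(request) {
  return connectionIsEncrypted(request) || forwardedProto(request) === 'https';
}

// URL echoed to the browser during the handshake. It must carry the scheme
// the browser connected with (wss:// behind the proxy) or the handshake fails.
function handshakeUrl(request) {
  const host = request.headers.host;
  if (!host) throw new Error('Host header is required to build the handshake URL');
  return `${isSecure(request) ? 'wss' : 'ws'}://${host}${request.url || '/'}`;
}

// Constructed stand-in for http.IncomingMessage, enough for the checks above.
function fakeRequest({ remoteAddress, headers, encrypted = false, url = '/faye' }) {
  return { headers, url, socket: { remoteAddress, encrypted } };
}

if (typeof require !== 'undefined' && require.main === module) {
  const viaStunnel = fakeRequest({ remoteAddress: '127.0.0.1',
    headers: { host: 'chat.domain.com', 'x-forwarded-proto': 'https' } });
  const spoofed = fakeRequest({ remoteAddress: '203.0.113.5',
    headers: { host: 'chat.domain.com', 'x-forwarded-proto': 'https' } });
  console.log(handshakeUrl(viaStunnel)); // wss://chat.domain.com/faye
  console.log(handshakeUrl(spoofed));    // ws://chat.domain.com/faye
}
```

The remote-address check is the part worth keeping: a forwarded-protocol header is a statement by whoever sent the request, so it is only meaningful when the peer is the proxy you run. If port 5000 were reachable from outside, a client could send X-Forwarded-Proto: https over a plaintext connection and be told wss:, which is why the Node listener should also be bound to loopback.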

Matthijs Langenberg

Dec 2, 2010, 3:46:58 PM12/2/10
to Faye users
By the way, did I mention that I patched STunnel to add an
'X-Forwarded-Proto' header?

Please see https://github.com/nedap/stunnel for this.

A coworker and I also put some effort into creating a debian patch and
package for the current debian stable STunnel version. But I didn't
find the time to wrap this up and publish this on GitHub yet.

Anyway, most important is probably that we have this setup running for
over three weeks without any issues. So STunnel proves to be a pretty
good tool for handling SSL connections to Node servers (probably Ruby
too).


Rishikesh Chandra

Sep 13, 2018, 3:27:29 AM9/13/18
to Faye users
Hi Matthijs,

I am facing similar problems using Faye.js over SSL with Nginx, so I was referring to STunnel. Can you please provide the configuration file for this?

Regards,
Rishikesh
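No configuration was posted in the thread. The following is an added example of an stunnel.conf that implements the setup Matthijs describes (browser to STunnel on 443 over TLS, plaintext to Node on 5000); it is not his file. The certificate paths, the stunnel4 service account and the PID path are assumptions and will differ per system.

```ini
; Added example, not the configuration from the thread.
; Terminate TLS on 443 and forward plaintext to Node/Faye on 5000:
;   browser --[TLS]--> stunnel:443 --[plaintext]--> node:5000

; Server certificate (with intermediate chain) and private key. Paths assumed.
cert = /etc/stunnel/chat.domain.com.pem
key = /etc/stunnel/chat.domain.com.key

; Drop root after binding port 443. Account name assumed (Debian's is stunnel4).
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid

; Refuse the broken protocol versions.
options = NO_SSLv2
options = NO_SSLv3

[faye]
; Public TLS listener.
accept = 443
; Plaintext hop to Node. Node itself should listen on 127.0.0.1 only, so that
; nobody can reach port 5000 directly and bypass TLS or forge proxy headers.
connect = 127.0.0.1:5000
; Do not wait for a close_notify from the browser before closing the backend.
TIMEOUTclose = 0
```

Two caveats for anyone copying this. First, a stock STunnel does not add the X-Forwarded-Proto header; without the patched build Matthijs links above, Faye still sees a plaintext socket and will answer the handshake with a ws: URL. Second, the plaintext leg is only as private as the host it runs on, so keep the Node listener bound to loopback rather than 0.0.0.0.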