HOWTO: Websockets with SSL in Meteor + Looking for Meteor Developers for newly-funded startup+games


Ben Berman

May 6, 2014, 7:42:24 PM
to meteo...@googlegroups.com
Friends,

Ever wonder how to get websockets working with SSL on your own server deployments? Frustrated that all the material online gets SSL working, but curiously ignores websocket-over-SSL functionality? Hate DISABLE_WEBSOCKETS?

Check out the instructions below for setting up SSL for meteor with websocket support.

This was adapted from my DevOps bible for workpop♥, my jobs market startup for hourly employees.

We're built on meteor. Contact me at b...@workpop.com. Our investors include but are not limited to SV Angel, Joe Lonsdale and Aaron Levie. We're looking for front-end meteor developers.

I'm also looking for game developers interested in finishing PartyGame, open sourced here - https://github.com/hiddenswitch/PartyGame-Web - for $$$. It needs to be refreshed for Meteor 0.7 & Blaze, and it needs a native iOS client.

Check out https://github.com/hiddenswitch/Meteor-Unity for my Unity3D / Mono / C# Meteor client with LocalCollection support.
  1. Install dependencies on your host machine. For ubuntu precise:

    # Install apache2 for SSL, node
    sudo add-apt-repository ppa:chris-lea/node.js
    sudo add-apt-repository ppa:ondrej/apache2
    sudo apt-get update
    sudo apt-get install software-properties-common
    sudo apt-get install -y python-software-properties python g++ make
    sudo apt-get install nodejs libssl-dev git phantomjs
    sudo apt-get install apache2=2.4.9-1+deb.sury.org~precise+1
    # Install meteor
    curl https://install.meteor.com/ | sh
    # Install meteorite
    sudo npm install -g meteorite
  2. Configure your certs. From http://support.godaddy.com/help/article/5238/installing-an-ssl-certificate-in-apache?locale=en

    sudo cp yourdomain.com.crt /etc/ssl/certs/yourdomain.com.crt
    sudo cp yourdomain.key /etc/ssl/private/yourdomain.key
    sudo mkdir -p /etc/apache2/ssl.crt
    # This is your domain provider's certificate chain
    sudo cp godaddy.crt /etc/apache2/ssl.crt/godaddy.crt
  3. Configure apache2 to proxy the SSL. An example configuration:

      <IfModule mod_ssl.c>
      <VirtualHost *:80>
          RewriteEngine on
          ReWriteCond %{SERVER_PORT} !^443$
          # This allows DDP clients like ObjectiveDDP and Meteor-Unity to connect
          RewriteRule ^/websocket wss://%{HTTP_HOST}/websocket [NC,R,L]
          # This allows the meteor webapp to connect
          RewriteRule ^/sockjs/(.*)/websocket wss://%{HTTP_HOST}/sockjs/$1/websocket [NC,R,L]
          RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
      </VirtualHost>
      <VirtualHost _default_:443>
          ServerAdmin your...@example.com
          ServerName https://yourdomain.com
          ## SSL Engine Switch:
          # Enable/Disable SSL for this virtual host.
          SSLEngine on
    
          ## Proxy to port 3000 for Meteor apps
          SSLProxyEngine On
          # Disable forward proxying (Apache does not allow a comment on the same line as a directive)
          ProxyRequests Off
          # This allows DDP clients like ObjectiveDDP and Meteor-Unity to connect
          ProxyPass /websocket ws://localhost:3000/websocket
          # This allows the meteor webapp to connect
          ProxyPassMatch ^/sockjs/(.*)/websocket ws://localhost:3000/sockjs/$1/websocket
          ProxyPass / http://localhost:3000/
          ProxyPassReverse / http://localhost:3000/
          SSLCertificateFile    /etc/ssl/certs/yourdomain.com.crt
          SSLCertificateKeyFile /etc/ssl/private/yourdomain.key
          SSLCACertificateFile /etc/apache2/ssl.crt/godaddy.crt
    
          BrowserMatch "MSIE [2-6]" \
              nokeepalive ssl-unclean-shutdown \
              downgrade-1.0 force-response-1.0
          # MSIE 7 and newer should be able to use keepalive
          BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    
      </VirtualHost>
      </IfModule>
    
  4. Copy the configuration file and run apache2:

    sudo cp yourdomain-com.conf /etc/apache2/sites-available/yourdomain-com.conf
    # Enable all the necessary apache modules
    sudo a2enmod ssl
    sudo a2enmod proxy
    sudo a2enmod proxy_http
    sudo a2enmod proxy_wstunnel
    sudo a2enmod rewrite
    sudo a2ensite yourdomain-com
    sudo service apache2 reload
    sudo service apache2 restart
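
An added check, not part of the original post or of Meteor's code: it sends the RFC 6455 opening handshake to the proxied `/websocket` path over verified TLS and reports whether the answer is a genuine `101` upgrade, which separates a working `proxy_wstunnel` setup from one where clients fall back to SockJS XHR. The function names are hypothetical and the sample responses are constructed.

```python
import base64, hashlib, os, socket, ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455

# Constructed sample data (not captured from a real server).
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_UPGRADED = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                   b"Connection: Upgrade\r\n"
                   b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
SAMPLE_NOT_UPGRADED = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"

def expected_accept(key):
    """Sec-WebSocket-Accept a genuine WebSocket endpoint returns for `key`."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def build_handshake(host, path, key):
    """Opening handshake request for `path` on `host`."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Key: {key}\r\n"
            "Sec-WebSocket-Version: 13\r\n\r\n").encode("ascii")

def upgrade_ok(response, key):
    """True only for a 101 response that carries the matching accept hash."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *header_lines = head.split("\r\n")
    parts = status.split()
    if len(parts) < 2 or parts[1] != "101":
        return False
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (headers.get("upgrade", "").lower() == "websocket"
            and headers.get("sec-websocket-accept") == expected_accept(key))

def check_wss(host, path="/websocket", port=443):
    """Live check: verified TLS to the proxy, then the upgrade request."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_handshake(host, path, key))
            buf = b""
            while b"\r\n\r\n" not in buf and (chunk := tls.recv(4096)):
                buf += chunk
    return upgrade_ok(buf, key)
```

Call `check_wss("yourdomain.com")` against the deployed host; a TLS error here also surfaces a missing or wrong certificate chain before any browser does.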

Arunoda Susiripala

May 6, 2014, 7:57:21 PM
to meteo...@googlegroups.com
Hey, I'm not sure how apache works with WS. But you should not look at apache. Maybe nginx or a simple SSL terminator like BUD.

Hope that helps.


Ben Berman

May 6, 2014, 10:04:10 PM
to meteo...@googlegroups.com
I chose apache since it had the best support for proxying websockets, specifically. It's working great! I gave up on nginx since its websocket support seemed a little hackier.

Andrew Mao

May 7, 2014, 3:20:23 AM
to meteo...@googlegroups.com
See also nginx solution at http://stackoverflow.com/q/18003689/586086

Ben Berman

May 13, 2014, 8:10:29 PM
to meteo...@googlegroups.com
When you use this solution, web sockets do not work. The client will fall back to the SockJS XHR implementation.

Andrew Mao

May 14, 2014, 1:18:50 PM
to meteo...@googlegroups.com
Are you sure? I was pretty sure that it was actually using websockets. However, I will check to make sure that this is the case.

Phuoc Do

May 15, 2014, 1:07:22 PM
to meteo...@googlegroups.com
DISABLE_WEBSOCKETS is very bad. Reactive updates will open/close web requests and cause a DoS-like attack on the web server.

You likely run an older nginx. You need to use nginx version >= 1.4 to get websockets.

Another caveat is that you need sticky sessions. By default, nginx doesn't come with them. You'll have to download and compile nginx with the module.

Phuoc Do

Dave Workman

May 16, 2014, 10:39:29 AM
to meteo...@googlegroups.com
nginx with websockets works for me. Don't just run sudo apt-get install nginx. You'll get an outdated version that doesn't support websockets. These are the steps I went through to install the latest version of nginx on Ubuntu 12.04: https://www.digitalocean.com/community/articles/how-to-install-the-latest-version-of-nginx-on-ubuntu-12-10

