HTTPS-Proxy and WebSockets

edited March 2021 in Firebox - Proxies

Hi,
My development team created and published a service that uses a websocket. This service is published for several clients with different SNIs (cloud.xpto.pt and cloud.qwerty.py) but with only a public IP; for that reason, I used Content Inspection with Domain Names. When my domain name rule is configured to Allow, I don't have any problem, but when I configure it to Inspect, all the websocket connections fail.
Any idea how to work with WebSocket and SSL Inspection at the same time?
Best Regards,

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @BrunoMaio
    The proxy doesn't work well with websocket connections -- if you know the SNI of the certificate presented, it's usually best to set an exception in the HTTPS proxy to ALLOW that traffic.

    The proxies follow RFC standards for HTTP/S, which websocket is not a part of (yet.) It's likely there will be more support for it once those standards are finalized by IETF.

    There is an overall feature request for websocket support (it's FBX-4486.) If you'd like to follow progress on that request, please open a support case and mention it somewhere in the case.

    -James Carson
    WatchGuard Customer Support

  • Hi @James_Carson, thank you for your explanation. I will follow your suggestion to bypass this problem. I will edit my HTTPS-proxy and remove the inspect option for the SNI.

  • @james.carson I was wondering if anything has changed with this. I have a similar situation but did not want to make this change if the info is outdated and FBX-4486 has been completed. Thank you.

  • This has not been implemented yet.

    Connections with WebSocket protocol (RFC6455) fail through HTTP Proxy and HTTPS Proxy with Content Inspection
    https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA10H000000g3UMSAY&lang=en_US
