Secure web socket through reverse proxy

I am new to HAProxy and working with sockets in general. I have trouble hole-punching through the proxy to the endpoint that starts up the socket. As of now, I am not even sure the problem is Origin related, which initially thought it was.

The setup:

Postman → Firewall (HaProxy) → Server
Between the client and Firewall the connection has SSL.
Between the Firewall and server there is no SSL

Is this set-up even possible? I mean is it necessary for the socket (wss) to have an SSL connection directly from client to server?

It’s possible as long as your application (server) is OK with it. Most applications are. Some are not.

As of now, the server accepts cors from all clients until we go into production.
I might be wrong, but it seems the problem is, that when the connection is upgraded from HTTP to ws the reverse proxy doesn’t allow the data to go through and I receive error code 400 - where I expect to receive 101. But I have absolutely no clue how to fix the issue.

Fortunately, HAProxy embeds all you need to load-balance properly websockets

I have backend servers that require websockets, and there’s no special configuration to support it. Occasionally, I come across an app that requires a specific header to be written, but that’s rare and very application-specific.

First of all, thanks a lot for the replies, it means a lot. :slight_smile:

That’s what I thought as well, but I began doubting it since nothing worked.

The only difference between my setup and the one that you linked is that I have HTTPS on the front end (certificate from Cloudflare).

Yep, I use Cloudflare in front of mine as well. Shouldn’t hurt a thing.

If it works without HAProxy, see if there are any missing headers. Check the logs from HAProxy to see if maybe it’s just a routing issue or a seemingly unrelated misconfig. Outside of that, it might be worth reaching out to tthe community around the app.

It works fine when I am on LAN net and request the local address of the server. So I assume that the headers are configured correctly.

But you are right, the next logical step is to check the logs to ensure that this is in fact not just a routing issue.