Ratchet Websockets over WSS on iis8

Question

Spent many hour looking for the answer and there doesn't seem to be a definitive answer. I have ratchet websockets setup and running on IIS8 and this is working fine over ws:// both locally and remotely. I would now like to implement wss:// but I just can't get it working.

I have tried two different approaches firstly enabling wss on react as follows:

$loop = React\EventLoop\Factory::create();
$webSock = new React\Socket\Server('0.0.0.0:2000', $loop);
$webSock = new React\Socket\SecureServer($webSock, $loop, [
'local_cert' => 'C:/ssl/cert.crt', // path to your cert
    'local_pk' => 'C:/ssl/cert_d.key', //path to your server private key
    'allow_self_signed' => FALSE, // Allow self signed certs (should be false in production)
    'verify_peer' => FALSE
]);
$webServer = new Ratchet\Server\IoServer(
    new Ratchet\Http\HttpServer(
        new Ratchet\WebSocket\WsServer(
            new Chat()
        )
    ),
    $webSock, $loop
);
$webServer->run();

Using this crashes the php_cli when I try to connect from the client.

My second approach was to use IIS rewrite with the following added to web.config

<rule name="WebSocketTestRule" enabled="true" stopProcessing="true">
    <match url=".*" />
    <conditions>
        <add input="{CACHE_URL}" pattern="^wss://" />
   </conditions>
   <action type="Rewrite" url="ws://localhost:2000/" />
</rule>

As far as i understand this should rewrite everything that comes in on wss:// addresses to ws://localhost:2000/. I installed WebSockets on IIS. But this just gives me the following error WebSocket connection to 'wss://[domain.name]/' failed: HTTP Authentication failed; no valid credentials available.

Which is the best way to implement WSS:// on IIS 8. Is it even possible? How do I debug these issues? For example, how do I test the certificates are okay? If someone could help point me in the right direction and hopefully this question can help someone else in the future.

Answer 1

Okay, so I stuck with the rewrite and got it working. Here's what I did.

1. On the IIS server make sure Websockets are installed as a windows feature.
2. Create a new website folder (eg wssproxy)
3. Make sure the access rights to this folder are correct. This is where I was tripping up. I changed the authentication method just for this folder to "Anonymous Authentication" and also specify the Anonymous user identity as "Application pool Identity"
4. Add rewrite rule just for the folder created (my local server port is 2000)

<configuration>
<system.webServer>
    <rewrite>
        <rules>
               <rule name="Rewrite ssl to non-ssl" enabled="true" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="{MapProtocol:{C:1}}://127.0.0.1:2000/" />
                    <conditions>
                        <add input="{CACHE_URL}" pattern="^(.+)://" />
                    </conditions>
                </rule>
        </rules>
            <rewriteMaps>
                <rewriteMap name="MapProtocol">
                    <add key="wss" value="ws" />
                    <add key="https" value="http" />
                </rewriteMap>
            </rewriteMaps>
           </rewrite>
</system.webServer>
</configuration>

5. On the client (in my case JS) including the trailing "/"

var conn = new WebSocket('wss://domain.com/wssproxy/'); 

6. Wasn't too sure how secure it was so I added "Origin Check" to the ratchet server.

$allowed_origins = array('localhost');
$ws = new WsServer(new Chat());
$checkOrigin = new OriginCheck($ws, $allowed_origins);
$checkOrigin->allowedOrigins[] = 'domain.com';
$server = IoServer::factory( new HttpServer($checkOrigin), 2000 );
$server->run();

Everything was working after that. If anyone could point out any glaring security issues with this configuration that would be helpful.