WebSocket via HTTP proxy

转载 2013年12月05日 22:33:52

original link https://blogs.oracle.com/PavelBucek/entry/websocket_via_http_proxy

WebSocket via HTTP proxy

As you might know, WebSocket can be used for bi-directional "real-time" communication with multiple clients. What does that mean in proxy environments and how this even works? WebSocket uses HTTP upgrade mechanism specified in HTTP 1.1 and by design requires open (TCP) connection.

HTTP CONNECT is there for exactly these usecases. It is usually used for tunneling HTTPS via proxy, but it can be used for WebSocket as well.

I will describe complete "proxified" handshake using captured connection of Tyrus Client connecting to public echo service - echo.websocket.org. Please note that we are directly using Tyrus API - not WebSocket specification (JSR-356), because we need to set a proxy.

final ClientManager client = ClientManager.createClient();

  GrizzlyClientSocket.PROXY_URI, "http://my.proxy:8080"
final Session session = client.connectToServer(new Endpoint() {

  public void onOpen(Session session, EndpointConfig config) {
    session.addMessageHandler(new MessageHandler.Whole<String>() {
      public void onMessage(String message) {
        System.out.println("# Message received: " + message);
}, ClientEndpointConfig.Builder.create().build(),

session.getBasicRemote().sendText("test message");

BTW, Tyrus Client proxy support can be improved, currently it does not support proxy authentication, JDK's ProxySelector and so on. Please vote/comment on TYRUS-204 if you lack some of the mentioned options or anything else related to proxy support.

Current modern browsers do support this out of the box, so all you need is to set your HTTP proxy and described handshake will be done automatically. There might be limitation for parallel open connection in browser tab/instance, but I don't have any exact data about this.

Also, you might ask whether there is some need to server-side support - simple answer is "no". HTTP containers will see regular connection (from proxy), there is no additional work or overhead on that side.

Lets see our dumped communication:

client > proxy
CONNECT echo.websocket.org:80 HTTP/1.1
Host: echo.websocket.org
Proxy-Connection: keep-alive
Connection: keep-alive

Firstly, client need to send a request to proxy for new "permanent" connection. As already mentioned, CONNECT method handles this. First argument is a hostname (echo.websocket.org) and standard HTTP version.

proxy > client
HTTP/1.0 200 Connection established

If you are lucky, your proxy does support CONNECT and allows you to create connection (HTTP 200 is returned).

client > proxy
GET / HTTP/1.1
Connection: Upgrade
Host: echo.websocket.org
Origin: echo.websocket.org
Sec-WebSocket-Key : sDD3Wk7PMRCPE9+C0VyOcQ==
Sec-WebSocket-Version: 13
Upgrade: websocket

This is standard WebSocket handshake request, which will be passed to target HTTP container.

proxy > client
HTTP/1.1 101 Web Socket Protocol Handshake
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Accept: 8TNIHr7bJHqQadjXYvqLql6RFEA=
Date: Tue, 16 Jul 2013 15:30:53 GMT

And there is a valid response to our handshake request, connection is established and communication can be started; there is nothing else different than in proxy-less environment. Please note that proxies do have limited resources and your request may be turned down because proxy "CONNECT" pool is empty.

Conclusion here is that WebSocket can work via proxies without any limitation, it just introduces different kind of traffic than pure HTTP and might cause some additional requirements related to proxy performance in case you are going to use WebSocket for long-running client connections.


Hi Pavel,

Thanks for the explanation, that really did help me to understand the handshake. I have a scenario, wherein the connection initiation is successful and the proxy returns a HTTP/1.0 200 Connection established, but the SSL handshake fails.

HTTP/1.0 500 handshakefailed
Via: 1.0 10.X.X.X (McAfee Web Gateway
Content-Type: text/html
Cache-Control: no-cache
Content-Length: 2063
Proxy-Connection: Close

Any suggestions why is it failing?

Posted by Srini on September 04, 2013 at 08:05 AM CEST #

Hi Srini,

you should add -Djavax.net.debug=all (seehttp://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html for more details). It usually is certificate issue, in your case it might be because the other side does not have properly signed certificate and you don't have truststore and/or keystore properly set on client side.

Feel free to send more details to users@tyrus.java.net.

Posted by guest on September 09, 2013 at 10:11 AM CEST #

使用nginx作为websocket的proxy server

  • zhx6044
  • zhx6044
  • 2015年12月12日 22:44
  • 29182


背景:        原先有个页游的项目,需要移植到手机上,做手机页游,也就是到html5(h5)版本,面临一个问题:原先服务器和客户端(flash)通信用的是tcp协议,而h5用的是websock...
  • zdl1016
  • zdl1016
  • 2016年01月07日 19:51
  • 5789


1、HTTP协议对长连接的支持以及各浏览器的支持情况 http://blog.csdn.net/fenglibing/article/details/7100222 2、WEB客户端与服务...

在线代理(Web ProxyServer)完全详解

在线代理(Web Proxy)原理可以简单的概述为:用户(A)-在线代理服务器(B)-目标网站(C),即:A向B发送浏览请求-B执行请求发送给C-C收到请求,回应。 什么是在线代理 ...


因为涉及到代理的各种情况,WebRequest和WebProxy类的文档写的相当复杂,不但各个文档关注点不同,而且不同版本的同一文档也有小小的区别。 对于需要使用WebProxy类的情况,大...


  • broze
  • broze
  • 2010年07月21日 12:26
  • 5215

Installing Mod-Proxy-Html and Proxying Virtuoso Via Apache2

  Contents[hide] 1 Introduction 2 Installing Mod-Proxy-Html on Ubuntu 3 Installing Mod-Proxy-Html o...

Remote Connection via Proxy Server in TCP/IP Socket

说一下我想写这个干嘛: 就是能够连接在NAT转发环境下无DNS解析的主机。 由于NAT转发下的主机没有办法通过外网ip直连,所以代理模式必须使用主动模式。 我简单说一下大概思路:Created ...
  • mpsk07
  • mpsk07
  • 2016年10月02日 18:16
  • 148

HTTPS 代理-SNI Proxy-WebSocket-Java

  • 2017年01月20日 18:13
  • 430KB
  • 下载
您举报文章:WebSocket via HTTP proxy