WebSocket via HTTP proxy

转载 2013年12月05日 22:33:52

original link https://blogs.oracle.com/PavelBucek/entry/websocket_via_http_proxy

WebSocket via HTTP proxy

As you might know, WebSocket can be used for bi-directional "real-time" communication with multiple clients. What does that mean in proxy environments and how this even works? WebSocket uses HTTP upgrade mechanism specified in HTTP 1.1 and by design requires open (TCP) connection.

HTTP CONNECT is there for exactly these usecases. It is usually used for tunneling HTTPS via proxy, but it can be used for WebSocket as well.

I will describe complete "proxified" handshake using captured connection of Tyrus Client connecting to public echo service - echo.websocket.org. Please note that we are directly using Tyrus API - not WebSocket specification (JSR-356), because we need to set a proxy.

final ClientManager client = ClientManager.createClient();

  GrizzlyClientSocket.PROXY_URI, "http://my.proxy:8080"
final Session session = client.connectToServer(new Endpoint() {

  public void onOpen(Session session, EndpointConfig config) {
    session.addMessageHandler(new MessageHandler.Whole<String>() {
      public void onMessage(String message) {
        System.out.println("# Message received: " + message);
}, ClientEndpointConfig.Builder.create().build(),

session.getBasicRemote().sendText("test message");

BTW, Tyrus Client proxy support can be improved, currently it does not support proxy authentication, JDK's ProxySelector and so on. Please vote/comment on TYRUS-204 if you lack some of the mentioned options or anything else related to proxy support.

Current modern browsers do support this out of the box, so all you need is to set your HTTP proxy and described handshake will be done automatically. There might be limitation for parallel open connection in browser tab/instance, but I don't have any exact data about this.

Also, you might ask whether there is some need to server-side support - simple answer is "no". HTTP containers will see regular connection (from proxy), there is no additional work or overhead on that side.

Lets see our dumped communication:

client > proxy
CONNECT echo.websocket.org:80 HTTP/1.1
Host: echo.websocket.org
Proxy-Connection: keep-alive
Connection: keep-alive

Firstly, client need to send a request to proxy for new "permanent" connection. As already mentioned, CONNECT method handles this. First argument is a hostname (echo.websocket.org) and standard HTTP version.

proxy > client
HTTP/1.0 200 Connection established

If you are lucky, your proxy does support CONNECT and allows you to create connection (HTTP 200 is returned).

client > proxy
GET / HTTP/1.1
Connection: Upgrade
Host: echo.websocket.org
Origin: echo.websocket.org
Sec-WebSocket-Key : sDD3Wk7PMRCPE9+C0VyOcQ==
Sec-WebSocket-Version: 13
Upgrade: websocket

This is standard WebSocket handshake request, which will be passed to target HTTP container.

proxy > client
HTTP/1.1 101 Web Socket Protocol Handshake
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Accept: 8TNIHr7bJHqQadjXYvqLql6RFEA=
Date: Tue, 16 Jul 2013 15:30:53 GMT

And there is a valid response to our handshake request, connection is established and communication can be started; there is nothing else different than in proxy-less environment. Please note that proxies do have limited resources and your request may be turned down because proxy "CONNECT" pool is empty.

Conclusion here is that WebSocket can work via proxies without any limitation, it just introduces different kind of traffic than pure HTTP and might cause some additional requirements related to proxy performance in case you are going to use WebSocket for long-running client connections.


Hi Pavel,

Thanks for the explanation, that really did help me to understand the handshake. I have a scenario, wherein the connection initiation is successful and the proxy returns a HTTP/1.0 200 Connection established, but the SSL handshake fails.

HTTP/1.0 500 handshakefailed
Via: 1.0 10.X.X.X (McAfee Web Gateway
Content-Type: text/html
Cache-Control: no-cache
Content-Length: 2063
Proxy-Connection: Close

Any suggestions why is it failing?

Posted by Srini on September 04, 2013 at 08:05 AM CEST #

Hi Srini,

you should add -Djavax.net.debug=all (seehttp://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html for more details). It usually is certificate issue, in your case it might be because the other side does not have properly signed certificate and you don't have truststore and/or keystore properly set on client side.

Feel free to send more details to users@tyrus.java.net.

Posted by guest on September 09, 2013 at 10:11 AM CEST #


背景:        原先有个页游的项目,需要移植到手机上,做手机页游,也就是到html5(h5)版本,面临一个问题:原先服务器和客户端(flash)通信用的是tcp协议,而h5用的是websock...
  • zdl1016
  • zdl1016
  • 2016年01月07日 19:51
  • 6439

使用nginx作为websocket的proxy server

  • zhx6044
  • zhx6044
  • 2015年12月12日 22:44
  • 37583

Nginx代理webSocket经常中断的解决方案, 如何保持长连接

背景这天气够热的,要处理的事情也够多的。。。。 想看解决的,直接 ctrl+f搜索关键字‘配置点’开始前交代(想看原因的看这个,个人观点,不代表正确)解说:今天用nginx反代通讯项目,发现平均1分钟...
  • Jack______
  • Jack______
  • 2017年08月02日 17:39
  • 6586


排版很差。直接复制的,请看原文https://www.nginx.com/blog/websocket-nginx/ 该网页套接字协议提供创建支持客户端和服务器之间的实时双向通信的Web应用程序的方式...
  • EdishenYA
  • EdishenYA
  • 2017年10月13日 15:13
  • 318


  • terminatorsong
  • terminatorsong
  • 2017年03月07日 11:26
  • 4610


  • chszs
  • chszs
  • 2014年05月20日 15:23
  • 25535


  • English0523
  • English0523
  • 2016年07月12日 14:57
  • 4588


  • younghaiqing
  • younghaiqing
  • 2017年01月11日 17:25
  • 954

.Net Framework 中设置Web Proxy 的方法

正在进行Map API到 .Net Framework 平台移植。 涉及到 Http Connection. 其中可能用到 Web proxy的设置。 有两种简单的方法。 WebProxy pro...
  • mapdigit
  • mapdigit
  • 2012年05月27日 14:05
  • 2087

HTTPS 代理-SNI Proxy-WebSocket (含源代码)

  • 2017年01月20日 18:24
  • 407KB
  • 下载
您举报文章:WebSocket via HTTP proxy