Skip to Content

How to Setup Secure WebSocket with HTTPS in Apache

Secure WebSocket over TLS is strongly recommended for use in production environments and prevents data sniffing or modification from the time the data is submitted through the WebSocket protocol to the time it's received by the end-user.

This article will step you through the process of setting up secure WebSockets through HTTPS using an Apache webserver.

Advertising Disclosure: I am compensated for purchases made through affiliate links. Click here for details.

Create and Install your SSL Certificate

An SSL certificate is required for the WebSocket WSS (WebSocket Security) protocol to work in production environments that use the HTTPS protocol for the website. If your website uses an SSL certificate, you'll be required to use the WSS protocol for secure communications. There is no way around this.

Make sure that you create and install your SSL certificate first. If you've already completed this step, you can move onto the remaining WebSocket setup steps below.

Configure a Secure WebSocket in Apache

Thankfully, Apache has made this super simple to set up performing a few quick configuration updates and the ProxyPass and ProxyPassReverse directives.

To start, we'll need to enable the mod_proxy module in Apache with the following command-line command:

a2enmod proxy

Next, we'll need to load up the Apache configuration file that contains your virtual hosts. This is generally located in the following server directory:

/etc/apache2/sites-available/000-default.conf

Once you've found and opened the Apache configuration file, we'll need to load the mod_proxy module somewhere above your listing of virtual hosts:

LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so

Map the Secure WebSocket to a Proxy

Finally, we'll be using the ProxyPass and ProxyPassReverse directives to map the WebSocket data transferred to the correct location for anyone within your website or application that's listening.

Let's assume that our WebSocket connection will take place at the following URL:

wss://[our-domain]/wss

Since the /wss directory technically doesn't exist on our server, we'll need to map it to a secure port using a proxy inside our Apache virtual host node for our website:

<VirtualHost *:80 *:443>
....
ProxyPass /wss ws://[our-domain]:[secure-port]
ProxyPassReverse /wss ws://[our-domain]:[secure-port]
</VirtualHost>
You'll notice that a port is assigned to the ProxyPass and ProxyPassReverse directive URL's. Make sure that the port you select is available for use and that there are no restrictions to that port on your server. Some hosting providers close off most of your server's ports by default for security reasons and will require you to manually set up or request to allow access.

Restart Your Apache Webserver

To restart your Apache webserver, use the following command-line command:

sudo systemctl restart apache2

If no errors were found in your Apache configuration during the webserver restart, you should not see any error messages reported in the command-line console and all should be working as expected.

Conclusion

At this point, our secure WebSocket for HTTPS configuration should be set up successfully on our server.

As an example, you can tie this configuration together by creating a chat room with JavaScript to see how the client-side and server-side pieces work together.

Ubuntu with Apache is the easiest way to accomplish this. If anyone needs instructions on how to set this up in a Windows environment, let me know and I'll put something together.

Posted by: Josh Rowe
Last Updated: July 31, 2021
Created: October 01, 2020

Comments

Guustaaf Damave

3y
Thanks!

Reply
 

Josh Rowe

3y
You got it! Glad to help.

Reply

Richard

3y
If possible, please contact me. I am trying to set this up for a wss service I am running on windows. But I don't get the logic.

Reply
 

Josh Rowe

3y
Sure thing! You can get in touch with me directly by clicking the Contact link at the bottom of the page.

Reply

dick

3y
thanks. it just doesnt work on bitnami i guess. im convinced nobody knows how to do this because ive tried every posted solution and none of them work. im probably just missing a semi-colon somewhere though

Reply
 

Josh Rowe

3y
Is Bitnami setup to allow incoming traffic through your secure port?

Reply

Aaron

2y
I followed this tutorial as you specified, but when I try to bind a python websocket server to the port specified above, it fails stating that it's already in use, how do I fix that?

Reply
 

Josh Rowe

2y
Hey, Aaron. I would check to see which process or application is using that port and kill the process if it’s not needed. Or try using a different port that’s available on your server. These commands vary between different operating systems, but let me know if you need any additional help on it!

Reply

Add A Comment

Comment Etiquette: Wrap code in a <code> and </code>. Please keep comments on-topic, do not post spam, keep the conversation constructive, and be nice to each other.