Websocket issue with Flexible SSL

Hey everybody! I'm new here and could use some guidance. I've been using Cloudflare for a while now, but I haven't delved into setting up Websockets before. My goal is to avoid direct connections to my origin server and keep its IP address protected. Currently, I'm using the Cloudflare Flexible SSL method, where clients connect to Cloudflare on port 443 secured by Cloudflare's SSL certificate. On my origin server, I only have Apache listening on port 80, and I don't have an SSL certificate installed to reduce the SSL overhead. Recently, I created a new WebSocket app and am attempting to set it up to work through Cloudflare. However, I'm facing some difficulties. I've confirmed that Websockets are enabled in the network settings of my Cloudflare panel, and I've also verified that the WebSocket server is running and the listening port is open. I've tried using port 8080, and it's worth noting that the current WebSocket server I'm using doesn't support SSL connections. The issue I'm facing is that when I try to connect to the WebSocket using my domain name, I receive a "connection failed" message. To investigate further, I performed a tcpdump on my origin server but didn't see any incoming requests from Cloudflare. I would greatly appreciate any help or guidance you can provide. I'm eager to learn from your experiences. Thank you!
4 Replies
Erisa
Erisa2y ago
Creating thread since this issue is sort-of off-topic for the channel so it won't clutter it I receive a "connection failed" message From your browser/client tool, or from a Cloudflare error page? & off-topic from the actual issue but speaking honestly, using Flexible SSL is insecure (https://community.cloudflare.com/t/why-you-should-choose-full-strict-and-only-full-strict/286652) - if your origin webserver only supports HTTP I would recommend something like Cloudflare Tunnel (https://erisa.dev/exposing-a-web-service-with-cloudflare-tunnel/) which will give you greater control over how traffic flows, allow you to run a HTTP-only webserver and maintain security.
Laozi
LaoziOP2y ago
Hey Erisa, Thank you for your response and suggestions. I appreciate your guidance regarding the security considerations with Flexible SSL. In this specific scenario, the apps I'm working on are purely personal hobbies that don't involve any sensitive data. As the sole end-user and target audience, I'm not concerned about data theft. However, I do value the protection Cloudflare provides for my origin server's IP and the browser security benefits. Considering your recommendation, I'm open to exploring both options. Installing Let's Encrypt SSL certificates and using the Full mode or utilizing Cloudflare Tunnel to maintain security while running an HTTP-only web server are both viable alternatives. My main objective is to get my Websocket connections up and running efficiently, and I'm open to implementing the best solution for my specific use case. Additionally, I heard that creating a Cloudflare worker to proxy the Websocket connections might be a potential workaround. If you have any insights or suggestions regarding this approach, I'd appreciate your input. Once again, thank you for your help and taking the time to address my concerns. I look forward to your further advice and insights on resolving the Websocket issue. Best regards, Russell
Erisa
Erisa2y ago
Installing Let's Encrypt SSL certificates and using the Full mode
You can also install Origin Certificates which is a bit easier https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/ But back on track: are you able to share more information about the connection refused issues you see? Are they coming back from your browser/http client or from a Cloudflare error page?
Laozi
LaoziOP2y ago
To test I started a basic websocket server on port 8080 (non-SSL). I confirmed it's listening on port 8080 and that the firewall has cloudflare IP's in the trusted zone. I created a static HTML page with a single javascript
let socket = new WebSocket("wss://my.domain:8080/echo");

socket.onopen = function(e) {
console.log("[open] Connection established");
console.log("Sending to server");
socket.send("My name is John");
};

socket.onmessage = function(event) {
console.log(`[message] Data received from server: ${event.data}`);
};

socket.onclose = function(event) {
if (event.wasClean) {
console.log(`[close] Connection closed cleanly, code=${event.code} reason=${event.reason}`);
} else {
// e.g. server process killed or network down
// event.code is usually 1006 in this case
console.log('[close] Connection died');
}
};

socket.onerror = function(error) {
console.log(`[error]`);
};
let socket = new WebSocket("wss://my.domain:8080/echo");

socket.onopen = function(e) {
console.log("[open] Connection established");
console.log("Sending to server");
socket.send("My name is John");
};

socket.onmessage = function(event) {
console.log(`[message] Data received from server: ${event.data}`);
};

socket.onclose = function(event) {
if (event.wasClean) {
console.log(`[close] Connection closed cleanly, code=${event.code} reason=${event.reason}`);
} else {
// e.g. server process killed or network down
// event.code is usually 1006 in this case
console.log('[close] Connection died');
}
};

socket.onerror = function(error) {
console.log(`[error]`);
};
to be continued... all i see is the console messages
WebSocket connection to 'wss://my.domain:8080/echo' failed:
(anonymous) @ ws-test.php:2
ws-test.php:25 [error]
ws-test.php:20 [close] Connection died
WebSocket connection to 'wss://my.domain:8080/echo' failed:
(anonymous) @ ws-test.php:2
ws-test.php:25 [error]
ws-test.php:20 [close] Connection died
on the server side using tcpdump to sniff the ethernet I don't see any inbound TCP SYN for port 8080 come from anywhere I dont see any cloudflare errors, does that answer your question? I'm wondering if perhaps I need to setup the websocket server to have SSL and use port 443 (which is currently available). then see if cloudflare will proxy it on default ports To do that i need to find a new library to use in my server code since the one I'm using doesn't support SSL. I just want to make sure how cloudflare expects us to use Websockets since the documentation doesn't really mention anything relating to SSL or Port Numbers. Another other alternative is to install NGINX on the server and have that do the SSL and proxy to my server locally. Just trying to understand the cloudflare handling of websockets so I don't waste too much time going in wrong directions. Or if i need to create a worker...
Want results from more Discord servers?
Add your server