Don't require client certificate for websockets

(Maciej świć) #1

Hi, I use client certificates to access reverse-proxied services, which include websockets. Unfortunately the websocket connections fail because the applications don’t understand that they have to provide a client certificate.

Can I make the websocket not require a certificate but have everything else do?

***.***.name {
    tls ***@***.name {
        clients /mnt/user/appdata/caddy/conf/ca.crt
    }

    proxy / https://10.0.1.29 {
        transparent
        websocket
        insecure_skip_verify
    }
}

(Matthew Fay) #2

I might be wrong, but I don’t think that’s possible. Websockets work on the same ports as HTTP(S), and are compatible with it. I don’t think you can even determine whether an incoming connection will be used as a websocket prior to TLS negotiation, which would be necessary in order to disable a client certificate requirement (which is handled during TLS negotiation). You’d need to put your websockets on a different listener (either hostname or port, perhaps), but if it’s going straight to a reverse proxy, you’d just lose your security since a client can just connect to the unauthenticated listener.

1 Like
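The ordering described in reply #2, as an added example that is not part of the original thread: it uses Go's standard library rather than Caddy itself, and `probe` is a hypothetical helper name. With a mandatory client certificate the connection is rejected during the TLS handshake, so the server never gets to read the `Upgrade: websocket` header.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// probe (hypothetical helper) starts a local TLS server with the given
// client-certificate policy, sends one WebSocket upgrade request WITHOUT a
// client certificate, and reports whether the HTTP handler ever saw it.
func probe(policy tls.ClientAuthType) (sawUpgrade bool, err error) {
	var seen int32
	h := func(w http.ResponseWriter, r *http.Request) {
		// Reached only after the TLS handshake has already succeeded.
		if r.Header.Get("Upgrade") == "websocket" {
			atomic.StoreInt32(&seen, 1)
		}
		w.WriteHeader(http.StatusNoContent)
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(h))
	srv.TLS = &tls.Config{ClientAuth: policy}
	srv.StartTLS() // uses httptest's built-in test certificate
	defer srv.Close()

	req, err := http.NewRequest(http.MethodGet, srv.URL, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Upgrade", "websocket")
	resp, err := srv.Client().Do(req) // client trusts the server, offers no cert
	if err == nil {
		resp.Body.Close()
	}
	return atomic.LoadInt32(&seen) == 1, err
}

func main() {
	for _, p := range []tls.ClientAuthType{tls.RequireAndVerifyClientCert, tls.VerifyClientCertIfGiven} {
		saw, err := probe(p)
		fmt.Printf("%v: handler saw Upgrade=%v, err=%v\n", p, saw, err)
	}
}
```

Under the optional policy the handshake completes without a certificate, which is the only case in which the handler can tell that the request is a websocket upgrade.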