NOTE: These instructions apply to PrivX 11. Secure web sockets are automatically supported in PrivX 12. Self-signed certificate support for secure web sockets shall arrive in PrivX 13.
PrivX web containers use Squid for proxying HTTPS traffic. Squid does not natively support web sockets, but it can be configured to tunnel CONNECT requests for secure web sockets.
To tunnel websocket requests through Squid, modify /etc/squid/squid.conf on the PrivX web proxy host and restart Squid afterwards (added lines are marked with +):
+ acl is_websocket ssl::server_name wss.mydomain.com
acl step1 at_step SslBump1
ssl_bump peek step1
+ ssl_bump splice is_websocket
ssl_bump bump all
In this example, websocket requests (to wss://wss.mydomain.com) and login requests (to https://www.mydomain.com) use different domains, so server_name can be used to identify web socket traffic.
NOTE: If an ssl_bump splice rule matches the web site login request, that request bypasses PrivX Web Proxy and PrivX cannot provide the passwords for the site.
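As an added illustration (not part of the PrivX documentation or product), the following Python sketch checks a squid.conf for the problem described in the note above: a splice rule that also matches the login host. It uses a simplified model of Squid's rule evaluation (peek/stare rules are skipped, only ssl::server_name and all ACLs are understood, a leading-dot pattern is treated as covering subdomains); the function names and the .mydomain.com variant are assumptions made for the example.

```python
# Constructed sample: the rules from this page, without the "+" markers.
PAGE_CONF = """\
acl is_websocket ssl::server_name wss.mydomain.com
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice is_websocket
ssl_bump bump all
"""
# Constructed over-broad variant: the ACL now covers the whole domain.
BROAD_CONF = PAGE_CONF.replace("wss.mydomain.com", ".mydomain.com")

def parse(conf):
    """Collect acl definitions and ssl_bump rules in file order."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 2 and tok[0] == "ssl_bump":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def name_matches(pattern, host):
    """Domain-style match; a leading dot also covers every subdomain."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_matches(acls, name, host):
    if name == "all":
        return True
    kind, values = acls[name]
    if kind != "ssl::server_name":
        raise ValueError(f"unsupported ACL type in deciding rule: {kind}")
    return any(name_matches(v, host) for v in values)

def final_action(conf, host):
    """First splice/bump/terminate rule whose ACLs all match the host."""
    acls, rules = parse(conf)
    for action, names in rules:
        if action in ("peek", "stare"):
            continue  # inspection steps do not decide the outcome
        if all(acl_matches(acls, n, host) for n in names):
            return action
    return None

def spliced_logins(conf, login_hosts):
    """Login hosts that would be spliced and so bypass PrivX Web Proxy."""
    return [h for h in login_hosts if final_action(conf, h) == "splice"]
```

An empty result from spliced_logins means none of the listed login hosts is caught by a splice rule under this model.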