When you use WebSocket Secure (wss://), wire traffic is encrypted and
intermediate transparent proxy servers may simply allow the encrypted
traffic through, so there is a much better chance that the WebSocket
connection will succeed. Using encryption is not free of resource costs,
but often provides the highest success rate.
Some proxy servers are harmless and work fine with WebSockets. Others will prevent
WebSockets from working correctly, causing the connection to fail. In some cases,
additional proxy server configuration may be required, and certain proxy servers may
need to be upgraded to support WebSocket connections.
If unencrypted WebSocket traffic flows through an explicit or a transparent proxy server
on its way to the WebSocket server, then, whether or not the proxy server behaves as it
should, the connection is almost certainly bound to fail. Therefore, unencrypted
WebSocket connections should be used only in the simplest topologies. As WebSockets
become more mainstream, proxy servers will become WebSocket aware.
With an encrypted WebSocket connection, the use of Transport Layer Security (TLS)
in the WebSocket Secure connection ensures that an HTTP CONNECT command is issued
when the browser is configured to use an explicit proxy server. This sets up a tunnel,
which provides low-level end-to-end TCP communication through the HTTP proxy,
between the WebSocket Secure client and the WebSocket server. In the case of
transparent proxy servers, the browser is unaware of the proxy server, so no HTTP CONNECT
is sent. Because the wire traffic is encrypted, however, intermediate transparent proxy
servers may simply allow the encrypted traffic through, so there is a much better chance
that the WebSocket connection will succeed if you use WebSocket Secure. Using
encryption is not free of resource cost, but often provides the highest success rate.
A mid-2010 draft (version hixie-76) broke compatibility with reverse
proxies and gateways by including 8 bytes of key data after the headers,
but not advertising that data in a Content-Length: 8 header. This data
was not forwarded by all intermediates, which could lead to protocol
failure. More recent drafts (such as hybi-09) put the key data in a
Sec-WebSocket-Key header, solving this problem.
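
The failure described in the note above, as an added example that is not part of the original text: a simplified, hypothetical intermediary relays the header block plus only the body bytes that Content-Length declares. The function names and sample handshakes are constructed for illustration; the accept calculation follows RFC 6455, and the Sec-WebSocket-Key1/Key2 header names are those used by hixie-76 rather than anything shown on this page.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455


def split_request(raw: bytes):
    """Split a raw HTTP request into (head, headers dict, bytes after headers)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return head, headers, rest


def forward_request(raw: bytes) -> bytes:
    """Hypothetical strict intermediary: relays the header block plus only as
    many body bytes as Content-Length declares (none declared means none)."""
    head, headers, rest = split_request(raw)
    declared = int(headers.get("content-length", "0"))
    return head + b"\r\n\r\n" + rest[:declared]


def accept_for(key: str) -> str:
    """Sec-WebSocket-Accept for a Sec-WebSocket-Key, per RFC 6455."""
    digest = hashlib.sha1((key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()


# Constructed sample handshakes; the key values are samples, not captured traffic.
COMMON = (b"GET /chat HTTP/1.1\r\nHost: example.com\r\n"
          b"Upgrade: websocket\r\nConnection: Upgrade\r\n")
HIXIE76 = (COMMON + b"Sec-WebSocket-Key1: 4 @1  46546xW%0l 1 5\r\n"
           b"Sec-WebSocket-Key2: 12998 5 Y3 1  .P00\r\n\r\n" + b"^n:ds[4U")
HYBI = COMMON + b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n"

if __name__ == "__main__":
    # hixie-76: the 8 undeclared bytes are not relayed, so the server never
    # receives the third key part and the handshake cannot complete.
    print("hixie-76 key bytes after proxy:", split_request(forward_request(HIXIE76))[2])
    # hybi: the key travels as a header and reaches the server intact.
    key = split_request(forward_request(HYBI))[1]["sec-websocket-key"]
    print("hybi key after proxy:", key, "accept:", accept_for(key))
```
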
Building your own
Things have changed since the days of fronting our servers with Apache for tasks like
static resource serving. Apache configuration changes result in killing hundreds of active
connections, which, in turn, kills service availability.
With today's private cloud architectures, there is a high demand for throughput and
availability. If we want our services like Apache or Tomcat to come up or go down at