HAProxy Websockets - Frigate
-
Good day, all. I have spent days looking at the posts regarding websockets on HAProxy, but I cannot seem to get it to work at all. I know my HAProxy is working, because I have 8 other web sites that are working just fine. I'm trying to set up a reverse proxy to Frigate, which is a security camera monitoring package. It is accessible via web browser at ip:5000. According to the Frigate documentation, if I were using Apache as a reverse proxy, I would need the following parameters:
RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://frigatepi.local:5000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://frigatepi.local:5000/$1 [P,L]
For whatever reason, I cannot seem to translate the documentation I have seen on websocket setup into something that works for me. I'm not sure if I'm trying to put the values in the wrong place (frontend vs. backend) or what. I would be very grateful if anyone can help shed some light. Thank you very much in advance!
For reference: pfsense+ 24.03 and haproxy 0.63_4
-
Or, if you speak nginx, here is the suggested setup:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;
access_log /data/logs/proxy-host-40_access.log proxy;
error_log /data/logs/proxy-host-40_error.log warn;
location / {
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
}
-
@phipac
I use websockets quite a bit.
Put your websocket servers into their own backend, websocket_servers
Ensure that the correct parameters are met in order to upgrade to websocket by placing these rules
For health checks I use GET and this URL:
HTTP/1.1\r\nHost:\ yourdomain.com\r\nConnection:\ Upgrade\r\nUpgrade:\ websocket\r\nSec-WebSocket-Key:\ haproxy\r\nSec-WebSocket-Version:\ 13\r\nSec-WebSocket-Protocol:\ echo-protocol
Also on the backend add these rules to 'Backend pass thru'
timeout tunnel 1h
http-check expect status 101
timeout http-request 10s
timeout http-keep-alive 2s
timeout queue 5s
timeout server-fin 1s
On your frontend dedicated https offloading set these 2 rules for the connection upgrading to websocket.
with ACTION:
hdr_connection_upgrade hdr_upgrade_websocket
USE backend websocket_servers.
-
@davecummins Dave, this is great information, but I can't see the full config value of the ACLs. Could you post the haproxy config with all of it included? I'm not familiar with some of these haproxy commands. Thanks in advance.
-
@rpm5099 My config contains a lot of frontends and backends and sensitive information, but here is the backend websocket info which you can't see from the screenshots. Hope this helps.
backend webapp_websockets_app_ipvANY
mode http
id 119
log global
http-response replace-header Set-Cookie "^((?:(?!; [Ss]ecure\b).)*)$" "\1; secure" if { ssl_fc }
http-check send meth GET uri /wssapp ver HTTP/1.1\r\nHost:\ mydomain.com\r\nConnection:\ Upgrade\r\nUpgrade:\ websocket\r\nSec-WebSocket-Key:\ haproxy\r\nSec-WebSocket-Version:\ 13\r\nSec-WebSocket-Protocol:\ echo-protocol
balance roundrobin
timeout connect 5000
timeout server 50000
retries 1
load-server-state-from-file global
option httpchk
timeout tunnel 1h
http-check expect status 101
timeout http-request 10s
timeout http-keep-alive 2s
timeout queue 5s
timeout server-fin 1s
acl hdr_websocket_key hdr_cnt(Sec-WebSocket-Key) eq 1
acl hdr_websocket_version hdr_cnt(Sec-WebSocket-Version) eq 1
acl hdr_connection_upgrade hdr(Connection) -i upgrade
acl hdr_upgrade_websocket hdr(Upgrade) -i websocket
acl ws_valid_protocol hdr(Sec-WebSocket-Protocol) echo-protocol
http-request deny deny_status 503 if !hdr_connection_upgrade !hdr_upgrade_websocket !hdr_websocket_version !hdr_websocket_key
server websocketServer-37 172.18.80.237:443 id 112 ssl check inter 5000 weight 10 verify none
server websocketServer-36 172.18.80.236:443 id 120 ssl check inter 5000 weight 10 verify none
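-
The layout discussed in this thread, written out as a raw haproxy.cfg for the Frigate case in the first post. This is an added example, not part of any post above and not generated by the pfSense package. The frontend and backend names, the certificate path and the 192.0.2.10 address are placeholders.

```haproxy
# Added example: frontend routes WebSocket upgrades to their own backend,
# everything else goes to the normal HTTP backend. All names are placeholders.

defaults
    mode http
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend https_offload
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # placeholder certificate
    # hdr() splits comma-separated values, so "Connection: keep-alive, Upgrade" matches.
    acl hdr_connection_upgrade hdr(Connection) -i upgrade
    acl hdr_upgrade_websocket  hdr(Upgrade)    -i websocket
    # ACLs separated by spaces are ANDed: both must match to reach the WebSocket backend.
    use_backend websocket_servers if hdr_connection_upgrade hdr_upgrade_websocket
    default_backend frigate_http

backend websocket_servers
    # Idle timeout once the connection has become a tunnel (after the 101 response).
    timeout tunnel 1h
    acl hdr_websocket_key     hdr_cnt(Sec-WebSocket-Key)     eq 1
    acl hdr_websocket_version hdr_cnt(Sec-WebSocket-Version) eq 1
    # "||" rejects the request when either header is missing or repeated.
    # A rule listing negated ACLs separated only by spaces fires only when all of them fail.
    http-request deny deny_status 400 if !hdr_websocket_key || !hdr_websocket_version
    server frigate 192.0.2.10:5000 check   # placeholder for the Frigate host (plain HTTP)

backend frigate_http
    server frigate 192.0.2.10:5000 check   # same placeholder host, ordinary requests
```

On pfSense the same settings are entered through the HAProxy package GUI (ACLs and actions on the frontend, the timeout and deny lines in the backend pass-thru field) rather than edited in the file.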