node.js - WebSocket 连接到“wss://api.example.com/ws”失败:WebSocket 握手期间出错:意外响应代码:404
问题描述
我正在尝试在 Google Kubernetes Engine 和 Istio 中使用 TLS 设置 websocket。
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: example-back-end
spec:
hosts:
- "api-dev.example.dev"
gateways:
- istio-system/example-gateway
http:
- match:
- uri:
prefix: /worker
route:
- destination:
host: worker
port:
number: 5001
- match:
- uri:
prefix: /
route:
- destination:
host: back-end
port:
number: 5000
- match:
- uri:
prefix: /ws
route:
- destination:
host: service-websocket
port:
number: 8080
websocketUpgrade: true
我已将 tls 证书和密钥安装到我的 websocket 服务容器中。(与我用于 api.example.com 的相同)。
apiVersion: v1
kind: Service
metadata:
name: service-websocket
spec:
selector:
app: service-websocket
ports:
- port: 8080
targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: service-websocket
spec:
selector:
matchLabels:
app: service-websocket
template:
metadata:
labels:
app: service-websocket
spec:
volumes:
- name: example-certificate
secret:
secretName: example-certificate
containers:
- name: service-websocket
image: gcr.io/example-project/service-websocket:latest
resources:
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 8080
volumeMounts:
- name: example-certificate
mountPath: /var/secrets/tls
这是使用 ws 节点包的 websocket 服务器。
// web server
const https = require("https");
const config = require("./config");
const fs = require("fs");
const server = https.createServer({
cert: fs.readFileSync(config.TLS_CERT),
key: fs.readFileSync(config.TLS_KEY)
});
// websocket
const WebSocket = require("ws");
const url = require("url");
const wss = new WebSocket.Server({ noServer: true });
wss.on("connection", function connection(ws, req) {
const parameters = url.parse(req.url, true);
ws.on("message", function incoming(message) {
wss.clients.forEach(client => {
const msg = {
msg: "hello world from server"
};
client.send(JSON.stringify(msg));
});
});
const msg = {
msg: "something"
};
ws.send(JSON.stringify(msg));
});
wss.on("error", () => console.log("error"));
server.on("upgrade", function upgrade(request, socket, head) {
const pathname = url.parse(request.url).pathname;
if (pathname === "/ws") {
wss.handleUpgrade(request, socket, head, function done(ws) {
wss.emit("connection", ws, request);
});
} else {
socket.destroy();
}
});
server.listen(8080);
从前端,我正在初始化 Websocket:
const ws = new WebSocket(`wss://api.example.com/ws`);
但是,我收到错误:
WebSocket connection to 'wss://api.example.com/ws' failed: Error during WebSocket handshake: Unexpected response code: 404
在我的 docker-compose 设置中,一切似乎都在本地运行良好。但似乎无法弄清楚如何在 GKE + Istio 上完成这项工作。
20 年 1 月 15 日更新
我更改了虚拟服务路由顺序。之前,/ws是之后/。但现在我从前端收到 503 错误。
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: example-back-end
spec:
hosts:
- "api-dev.example.dev"
gateways:
- istio-system/example-gateway
http:
- match:
- uri:
prefix: /ws
route:
- destination:
host: service-websocket
port:
number: 443
websocketUpgrade: true
- match:
- uri:
prefix: /worker
route:
- destination:
host: worker
port:
number: 5001
- match:
- uri:
prefix: /
route:
- destination:
host: back-end
port:
number: 5000
解决方案
主要问题是 TLS 终止发生在网关而不是服务层。Istio 有一个 tls 直通模式,它允许对 websocket 连接进行端到端加密。解决方案涉及几个部分。
- 创建 CNAME 记录以
ws.dev.example.dev指向dev.example.dev。这是关键,因为不支持 URI 前缀匹配,因此/ws之前没有工作。 - 在网关上配置 TLS 直通,在虚拟服务上配置 SNI 主机。
- 修改前端,以便
ws.dev.example.dev在连接到 websocket 服务时使用。 - 将 tls 证书和密钥挂载到 websocket 服务中。(我们复制了一个存储为 Kubernetes 机密的现有证书)
- 修改 websocket 服务以使用证书。
网关.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: example-gateway
namespace: istio-system
labels:
app: ingressgateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
protocol: HTTPS
name: https-ws
tls:
mode: PASSTHROUGH
hosts:
- "ws.dev.example.dev"
服务-websocket-virtual-service.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: service-websocket
spec:
hosts:
- "ws.dev.example.dev"
gateways:
- istio-system/example-gateway
tls:
- match:
- port: 443
sni_hosts:
- "ws.dev.example.dev"
route:
- destination:
host: service-websocket
port:
number: 443
服务-websocket.yaml
apiVersion: v1
kind: Service
metadata:
name: service-websocket
spec:
selector:
app: service-websocket
ports:
- port: 443
targetPort: 443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: service-websocket
spec:
selector:
matchLabels:
app: service-websocket
template:
metadata:
labels:
app: service-websocket
spec:
volumes:
- name: example-dev-certificate
secret:
secretName: example-dev-certificate
containers:
- name: service-websocket
image: gcr.io/example-dev/service-websocket:latest
resources:
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 443
volumeMounts:
- name: example-dev-certificate
mountPath: /var/secrets/tls
service-websocket 节点服务器
const https = require("https");
const config = require("./config");
const fs = require("fs");
const server = https.createServer({
cert: fs.readFileSync(config.TLS_CERT),
key: fs.readFileSync(config.TLS_KEY)
});
// websocket
const WebSocket = require("ws");
const url = require("url");
const wss = new WebSocket.Server({ noServer: true });
wss.on("connection", function connection(ws, req) {
const parameters = url.parse(req.url, true);
ws.ideaRoom = { id: parseInt(parameters.query.ideaId) };
console.log("ws.ideaRoom", ws.ideaRoom);
ws.on("message", function incoming(message) {
console.log("received: %s", message);
console.log("wss.clients", wss.clients);
wss.clients.forEach(client => {
const msg = {
msg: "hello world from server " + ws.ideaRoom.id
};
client.send(JSON.stringify(msg));
});
});
const msg = {
msg: "something"
};
ws.send(JSON.stringify(msg));
});
wss.on("error", () => console.log("error"));
server.on("upgrade", function upgrade(request, socket, head) {
const pathname = url.parse(request.url).pathname;
console.log("pathname", pathname);
if (pathname === "/") {
wss.handleUpgrade(request, socket, head, function done(ws) {
wss.emit("connection", ws, request);
});
} else {
socket.destroy();
}
});
server.listen(443);
前端代码
const ws = new WebSocket(`wss://ws.dev.example.dev:443?ideaId=${idea.id}`);
ws.onopen = () => {
ws.send("hello world from client: " + idea.id);
};
ws.onerror = error => {
console.error(error);
};
ws.onmessage = e => {
console.log('e.data', e.data);
const idea_comment = JSON.parse(e.data);
console.log("idea_comment", idea_comment);
};
推荐阅读
- android - 如何使用微调器更改 json 数组的索引值?
- javascript - 为什么我的 JQuery 代码不想在正确编写代码时工作
- python - np.random.choice 中的概率分布
- javascript - Reactjs 导出函数,未定义函数报错 [Reactjs + Material UI]
- java - jdk(G1GC)中的堆分配源码
- python - 列出其他列中具有重复值的唯一 ID
- css - 在 antd 4 中创建可滚动部分
- flutter - Flutter/Dart - 在 Future 中使用 ChangeNotifier 或 setState 之类的东西?
- c# - 签署 PDF 时如何以编程方式输入 X509Certificate2 证书的 PIN(在 C# 中)
- delphi - Delphi - 如何在运行时创建堆叠条形系列?