GraphQL - Subscription WebSocket doesn't support secure connection #13547

Closed
winterstefan opened this issue Feb 22, 2019 · 5 comments

Comments

@winterstefan
Contributor

Hey guys,

this might not be a bug at all, so I'm using the Custom issue template for it. This issue is strongly connected with #13546 - please have a look at this for further details.

  • As fully described in GraphQL - Message subscription doesn't return feedback #13546 I'm trying to use the Rocket.Chat GraphQL feature.
  • The system I'm using fully runs in secure mode (just https, no http available). So my WebSocket shall be secured, too (ws versus wss).
  • When trying to connect a client to the WebSocket URI in normal mode (ws://chat.my.example.com:3100) I'm getting informed that an unsecure WebSocket connection cannot be established when running in SSL mode.
  • When changing the protocol to wss, the socket rejects my request completely.

While browsing through the Rocket.Chat code, I cannot spot the part where wss is used / activated.

As a work-around, I added a WebSocket Reverse Proxy to the nginx config:

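server {
    listen 443 ssl;
    # That's the HTTPS config (...)
    server_name my.example.com;

    location /websocket-example {
        # TLS terminates at nginx; the upstream hop to port 3100 is plain HTTP
        proxy_pass http://127.0.0.1:3100;
        proxy_http_version 1.1;
        # Forward the WebSocket upgrade handshake to the upstream
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}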

With that, I managed to successfully establish a WebSocket connection to wss://my.example.com/websocket-example (getting a correct connection_ack).

Is there any native way for enabling the WebSocket secure mode? Could we add a simple config param (e.g. for the Rocket.Chat admin UI, like the default port) to activate this?

@MarcosSpessatto
Member

Hi @winterstefan, the way you did this is correct. We can connect via wss through a proxy as you did, or we must load the certificates in the express server; it is not only a matter of changing the protocol from ws to wss. I think the way you did it is the best way to handle this.
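
A fuller version of the TLS-terminating proxy discussed above, as an added example that is not part of the original thread or of the Rocket.Chat docs. The certificate paths, the timeout value and the port-80 redirect are assumptions; the host name, location and upstream port are the ones from the issue. The `map` block belongs in the `http` context.

```nginx
# Added example; certificate paths and the timeout are placeholder assumptions.

# Send "Connection: upgrade" only when the client actually requested an
# upgrade, so ordinary HTTP requests to the same location are not mislabelled.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# The plain-HTTP listener only redirects; no ws:// endpoint is served.
server {
    listen 80;
    server_name my.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name my.example.com;

    # Placeholder paths: point these at the real certificate chain and key.
    ssl_certificate     /etc/nginx/tls/my.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/my.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location /websocket-example {
        # TLS ends at nginx; the hop to the subscription server is plaintext.
        # Keep it on loopback and block external access to port 3100, or
        # clients can bypass the proxy and talk ws:// to it directly.
        proxy_pass http://127.0.0.1:3100;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Pass the original host, client address and scheme to the upstream.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # nginx closes a proxied connection after 60s without upstream data
        # by default; raise it for long-lived, mostly idle subscriptions.
        proxy_read_timeout 300s;
    }
}
```

Validate with `nginx -t` before reloading.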

@winterstefan
Contributor Author

Hi @MarcosSpessatto,

thank you for your quick reply! Cool to hear that I found a suitable way of handling this issue. I personally am totally fine with that solution, since GraphQL seems to be rarely used at the moment. 👍

Just for clarification
Is that something the consumer in general has to do by himself or would it be suitable in the big picture of Rocket.Chat to assist the consumer in setting up a secured connection for GraphQL / subscriptions?
Could be some kind of Admin UI configuration regarding my certificates (just like I specify authentication config for e.g. the YouTube livestream feature) - or a default nginx / webserver config addition.

@MarcosSpessatto
Member

@winterstefan We can add a little example in the docs.

@winterstefan
Contributor Author

for the sake of completeness

See https://github.com/RocketChat/docs/pull/1150 for docs
I'll close this issue - thanks for your support!

@engelgabriel
Member

Hi @winterstefan,

We are planning to remove the support for GraphQL in the next release and work on a new implementation later.

Are you using the GraphQL API in production?

Can you please give us your opinion on the issue?

#14959
