WebSockets

WebSEAL can proxy WebSocket connections between clients and junctioned web servers. In the WebSEAL default configuration, all WebSocket requests are rejected. To enable WebSocket proxy support, update the WebSEAL configuration file and configure the [websocket] max-worker-threads to a value larger than zero. Each WebSocket created between the client and the junctioned server requires two WebSocket worker threads. The max-worker-threads setting must be configured to allow for this thread usage. If the max-worker-threads limit is reached, then any additional requests to proxy a WebSocket connection is rejected and a warning message is logged. WebSocket connections can have a non-trivial lifespan as a client can keep the connection open for extended periods of time with data traveling in both directions asynchronously. The max-worker-threads entry decides how many concurrent clients can be handled by WebSEAL. To help reduce the number of idle or blocked WebSocket connections, WebSEAL provides the following timeout settings:

• [websocket] jct-read-inactive-timeout
• [websocket] jct-writeblocked- timeout
• [websocket] clt-write-blocked-timeout
• [websocket] clt-read-inactive-timeout

The settings that begin with jct impact the connection between WebSEAL and the junctioned server. The settings that begin with clt impact the connection between WebSEAL and the client or browser. Carefully evaluate the WebSocket data transmission behavior before we set these timeouts.

WebSEAL's pdweb.snoop trace also applies to WebSocket data. Enabling pdweb.snoop trace allows tracing of the raw WebSocket data sent and received on each WebSocket connection. The pdweb.snoop trace can be enabled for the client traffic, the junction traffic, or both, by using pdweb.snoop.client and pdweb.snoop.jct trace elements.

Statistics can be gathered on WebSockets by enabling the pdweb.websocket stats component.

Statistic label	Description
requests	Total WebSocket proxy requests received while statistics gathering is enabled.
rejected	Total WebSocket proxy requests rejected while statistics gathering is enabled. The rejection is typically due to an insufficient number of available worker threads.
timeout	The number of timeouts that have occurred when reading or writing through a proxied WebSocket connection while statistics gathering is enabled.
active	Current number of WebSocket connections that are proxied.
client bytes	The number of bytes read from the client side.
junction bytes	The number of bytes read from the junction side.

Parent topic: Advanced junction configuration

Related

1. Mutually authenticated SSL junctions
2. TCP and SSL proxy junctions
3. WebSEAL-to-WebSEAL junctions over SSL
4. Stateful junctions
5. Use of /pkmslogout with virtual host junctions
6. Junction throttling
7. Management of cookies
8. Passing of session cookies to junctioned portal servers
9. Support for URLs as not case-sensitive
10. Junctions to Windows file systems
11. Standard junctions to virtual hosts
12. UTF-8 encoding for HTTP header data
13. Forcing a new junction
14. Bypassing buffering on a per-resource basis