Layer7 API Management

Expand all | Collapse all

Configuring and testing websockets on API Gateway

  • 1.  Configuring and testing websockets on API Gateway

    Posted 02-28-2019 04:49 AM

    We need to use websockets connection via our API GW. What everything and how should be set up on API GW and  what everything I need to test it. Is it possible to have on my computer some simple .NET application or tool which acts as a server and client and is exchanging messages via API GW? Perhaps there is somewheer some useful step-by-step.



  • 2.  Re: Configuring and testing websockets on API Gateway

    Posted 02-28-2019 07:33 AM

    Hi Lipa,

     

    You would use something like websocketd (https://github.com/joewalnes/websocketd). Set this up to run a simple program and use the Gateway Websocket connection to point to it.

     

    ie: 

    Host: win10.com

    websocketd --port=8888 c:\test\someScript.bat

     

    On the Gateway:

     

     

     

    This site has a good HTML5 WS test client you can use to initiate the connection to the Gateway.

    websocket.org Echo Test - Powered by Kaazing 

     

     

    Regards,

    Joe



  • 3.  Re: Configuring and testing websockets on API Gateway

    Posted 03-08-2019 04:30 AM

    Thank you for introducing me in websocket setup. We basically have similar setting, but for inbound connection we use port 13443 ( using SSL, so I use wss://) and for outbound we use port 80 ( I use ws://).

     

    Our outbound connection setting differs a bit, because our API GW in DMZ zone has no access to DNS server. Unfortunately I also don't have direct access to VMs running API GW to modify host file, so for outbound connection I use direct IP address and port 80 ( e.g. ws://152.10.10.12:80 ) where is our websocket server available. In Outbound connection policy  I am inserting header HOST with DNS name of the websocket server.

     

    All our calls are coming through F5 LB ( reverse-proxy ) and port 13443 has been enabled ( verified by telnet ), but I am not a 100% sure if a request coming from client ( i am using app Advanced REST client ) is correctly forwarded to API GW, because I tried to launch debugger on Inbound connection policy and catch a request, but nothing appears. I also asked for help our LB colleagues, but in the meantime I wonder if there is any way how to verify if request actually arrives to API GW.

     

    Any idea what else could be causing troubles or what else can I verify ?



  • 4.  Re: Configuring and testing websockets on API Gateway

    Posted 03-08-2019 07:58 AM

    The debugger should be getting invoked if the Gateway is indeed being hit.

     

    It sounds like the DNS is only an issue for outbound, so if this is a cluster you may want to check that the inbound connection targets a specific node. It's possible if you are using a cluster name another node is being hit.

     

    You can also check the ssg log : /opt/SecureSpan/Gateway/node/default/var/logs/ssg_0_0.log

    or through policy manager: VIEW -> VIEW LOGS

     

    You should see some entries like this:

     

    OUTBOUND

    com.l7tech.external.assertions.websocket.server.WebSocketOutboundHandler: Attempting to create WebSocket connection to: ws://win10.com:8888
    2019-03-08T07:54:04.010-0500 INFO 107686 com.l7tech.external.assertions.websocket.server.WebSocketOutboundHandler: Successfully created WebSocket connection to: ws://win10.com:8888

     

    Additionally, you can add an audit to the inbound policy, say something like "** WEBSOCKET INBOUND ESTABLISHED **

     

    You can then see the corresponding message in the SSG log and audits. This will confirm that the Gateway received the message and processed at least up to the point of the connection and inbound policies. The above will show the outbound connection established.

     

    INBOUND

    2019-03-08T07:55:16.877-0500 INFO 107688 com.l7tech.server.message: Processing request for service: inbound [/inbound]
    2019-03-08T07:55:16.878-0500 WARNING 107688 com.l7tech.server.policy.assertion.ServerAuditDetailAssertion: -5: ** WEBSOCKET INBOUND ESTABLISHED **

     

    Hope this helps.

     

    Regards,

    Joe



  • 5.  Re: Configuring and testing websockets on API Gateway

    Posted 03-19-2019 11:34 AM

    After some changes applied by our infrastructure colleagues, it seems now that the connection from test websocket client (JMeter) on my laptop is working fine and Inbound Connection policy is launched and could be debugged. I also found info in Logs that policy was activated.

     

    The problem now is that I can not launch Outbound Connection policy ( debugger just doesn't stop at breakpoint ) and also I found info that policy was activated in logs.   

     

    I assume there is a connection to target websocket-server from API GW, because I receive error message ( screenshot from JMeter ) and also was given a screenshot from firewall that TCP communication between API GW and websocket-server was OK.

     

    When I call directly websocket-server bypassing API GW from JMeter, all works fine, but I have to add 2 headers : SML-ServerID and Sec-WebSocket-Protocol. I wonder if those headers are automatically forwarded also to target-server while establishing connection. I was trying to add them in Outbound Connection policy, but when it is not launched, headers are not inserted and forwarded to websocket-server. So perhaps that is why server returns error.

     

    Any idea why Outbound connection policy is not launched? I also use it to add there header Host with DNS name of websocket-server, because we don't have DNS server in DMZ with API GW.