Nginx + SSL + wss + bokeh

Hi there,

I responded to a closed thread (which was probably bad etiquette), here:

https://groups.google.com/a/continuum.io/forum/#!topic/bokeh/wsyj4bR10Mo

I am currently trying to force bokeh to use secure web sockets as when I connect over https, the content is blocked. However, I wasn’t sure whether the response to the above thread was a solution or a feature suggestion (I couldn’t figure out how to implement it in any case I’m afraid).

Example:

Nginx config file (with SSL):

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    listen 443 ssl;
    ssl_certificate ####.crt;
    ssl_certificate_key ####.key;
    location /bokeh {
        proxy_pass http://localhost:5006;
    }
    location /static {
        proxy_pass http://localhost:5006;
    }
}

If I just use this and run the bokeh-server command with no special arguments, the web app tries to use an unsecured web socket, and I get an error in the JavaScript console:

bokeh.js:14786 Bokeh: websocket creation failed for connection string: ws://localhost:5006/bokeh/sub ConsoleAppender.cerror @ bokeh.js:14786

bokeh.js:14786 Bokeh: - SecurityError: Failed to construct ‘WebSocket’: An insecure WebSocket connection may not be initiated from a page loaded over HTTPS

Should I try and hard code the connection string to wss?

bokeh-server --script ./app.py --ws-conn-string wss://blahblahblah

I’m not sure what the correct address would be. Has anyone done this before?

Hi Hugo,

Ooops, I didn’t notice you’ve posted this so I’ve replied to the other thread. I’m pasting my reply here so we can keep the discussion here as the other was closed:

Proxying bokeh-server through nginx should work fine. Have you tried specifying --ws-conn-string option on bokeh server to use wss instead of the default ws? Looks like this is your issue… So from your log you’d need to specify:
--ws-conn-string wss://prdbviewer:5006/bokeh/sub/

Also note that you may need to set the connection upgrade, so:
location /bokeh/sub {
    proxy_pass http://localhost:5006;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

Cheers

Fabio


On Saturday, May 16, 2015 at 1:09:55 PM UTC+2, Hugo Carr wrote:

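The pieces discussed in this thread (TLS on 443, the /bokeh/sub upgrade headers, and a wss:// connection string) combined into one nginx fragment. This is an added example, not a config from either poster or from the bokeh project. The host name example.org, the certificate paths, the `$connection_upgrade` map, the HTTP redirect, the timeout and the value passed to `--ws-conn-string` are assumptions.

```nginx
# Added example; place inside the http {} context (e.g. a conf.d include).
# example.org and the certificate paths are placeholders.

# Send "Connection: upgrade" upstream only when the client requested an upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP only redirects, so the app page is always loaded over https://.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org;                     # placeholder

    ssl_certificate     /path/to/fullchain.crt;  # placeholder
    ssl_certificate_key /path/to/private.key;    # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # WebSocket endpoint: the browser speaks wss:// to nginx,
    # nginx speaks plain ws:// to bokeh-server over loopback only.
    location /bokeh/sub {
        proxy_pass http://127.0.0.1:5006;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_read_timeout 1h;   # default 60s would drop idle sockets
    }

    location /bokeh {
        proxy_pass http://127.0.0.1:5006;
        proxy_set_header Host $host;
    }
    location /static {
        proxy_pass http://127.0.0.1:5006;
    }
}

# Assumed matching invocation: the connection string is the URL the browser
# sees (TLS port 443 on nginx), not the backend port 5006.
#   bokeh-server --script ./app.py --ws-conn-string wss://example.org/bokeh/sub
```

With TLS terminated at nginx, port 5006 should not be reachable from outside the host, otherwise clients can bypass the proxy and reach the unencrypted backend directly.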