feat: use secure websocket connection

Author: codingben

docker-compose.prod.yml

@@ -7,7 +7,7 @@ services:
             REACT_APP_ENV: Production
             REMOVE_CF_IPS: "false"
         ports:
-            - 80:80
+            - 443:443
         depends_on:
             - game-service
     game-service:
@@ -16,7 +16,7 @@ services:
         expose:
             - 50051
         environment:
-            URL: ws://0.0.0.0:50051
+            URL: wss://0.0.0.0:50051
             FLECK_LOG: Info
             IM_LOG: Debug
             GAME_LOG: Debug

docker-compose.yml

@@ -10,7 +10,7 @@ services:
             REACT_APP_ENV: Development
             REMOVE_CF_IPS: "true"
         ports:
-            - 80:80
+            - 443:443
         depends_on:
             - game-service
     game-service:
@@ -21,7 +21,7 @@ services:
         expose:
             - 50051
         environment:
-            URL: ws://0.0.0.0:50051
+            URL: wss://0.0.0.0:50051
             FLECK_LOG: Info
             IM_LOG: Debug
             GAME_LOG: Debug

kustomize/base/frontend.yaml

@@ -18,7 +18,7 @@ spec:
           image: maplefighters/frontend:2.0.0
           imagePullPolicy: Always
           ports:
-            - containerPort: 80
+            - containerPort: 443
           env:
             - name: REACT_APP_ENV
               value: "Development"
@@ -45,8 +45,8 @@ metadata:
 spec:
   type: LoadBalancer
   ports:
-  - name: http
-    port: 80
-    targetPort: 80
+  - name: https
+    port: 443
+    targetPort: 443
   selector:
     app: frontend

kustomize/base/gameservice.yaml

@@ -31,7 +31,7 @@ spec:
             - name: IM_LOG
               value: Debug
             - name: URL
-              value: ws://0.0.0.0:50051
+              value: wss://0.0.0.0:50051
           resources:
             requests:
               cpu: 100m

src/frontend/Dockerfile

@@ -7,6 +7,8 @@ RUN npm run build
 
 FROM nginx:1.20.1-alpine
 COPY --from=builder /app/nginx.conf /etc/nginx/nginx.conf
+COPY --from=builder /app/server.crt /etc/nginx/ssl/server.crt
+COPY --from=builder /app/server.key /etc/nginx/ssl/server.key
 COPY --from=builder /app/cloudflare-ips.conf /var/www-allow/cloudflare-ips.conf
 COPY --from=builder /app/build /usr/share/nginx/html
 COPY --from=builder /app/entrypoint.sh /entrypoint.sh

src/frontend/nginx.conf

@@ -16,10 +16,24 @@ http {
         server game-service:50051;
     }
 
-    server { 
+    server {
         listen 80;
         server_name _;
 
+        # Redirect all HTTP requests to HTTPS
+        return 301 https://$host$request_uri;
+    }
+
+    server {
+        listen 443 ssl;
+        server_name _;
+
+        # SSL configuration
+        ssl_certificate /etc/nginx/ssl/server.crt;
+        ssl_certificate_key /etc/nginx/ssl/server.key;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+
         limit_req zone=req burst=10 delay=5;
         limit_req_status 444;
         limit_rate 5m;
@@ -31,9 +45,8 @@ http {
         }
 
         location /game {
-            # Source: https://github.com/nicokaiser/nginx-websocket-proxy/blob/master/simple-ws.conf
-            # redirect all HTTP traffic to game-service
-            proxy_pass http://game/;
+            # Upgrade to WebSocket protocol over HTTPS
+            proxy_pass https://game/;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header Host $host;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

src/game-service/Game.Application/.env

@@ -1,4 +1,4 @@
-URL=ws://0.0.0.0:50051
+URL=wss://0.0.0.0:50051
 FLECK_LOG=Info
 IM_LOG=Debug
 GAME_LOG=Debug

src/game-service/Game.Application/Dockerfile

@@ -8,4 +8,5 @@ RUN dotnet publish -c release -o /app --no-restore
 FROM mcr.microsoft.com/dotnet/runtime:5.0
 WORKDIR /app
 COPY --from=builder /app .
+COPY --from=builder /source/server.crt .
 ENTRYPOINT ["dotnet", "Game.Application.dll"]

src/game-service/Game.Application/GameApplication.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Security.Cryptography.X509Certificates;
 using DotNetEnv;
 using Fleck;
 using Game.Application;
@@ -24,6 +25,7 @@
 
 var url = Env.GetString("URL");
 var server = new WebSocketServer(url);
+server.Certificate = new X509Certificate2("server.crt");
 var serverComponents = new ComponentCollection(new IComponent[]
 {
     new IdGenerator(),

src/game-service/Game.Application/Makefile

@@ -2,7 +2,10 @@ build:
 	docker build -t game-service .
 
 run:
-	docker run -p 50051:50051 game-service -e URL=ws://0.0.0.0:50051 \
+	docker run -p 50051:50051 game-service -e \
+		URL=wss://0.0.0.0:50051 \
 		FLECK_LOG=Info \
 		IM_LOG=Debug \
-		GAME_LOG=Debug
+		GAME_LOG=Debug \
+		CONFIG_SOURCE=v2.0 \
+		MAX_CONNECTIONS=100

src/game-service/Game.Application/README.md

@@ -43,4 +43,4 @@ make build
 make run
 ```
 
-You should now be able to access it at `ws://localhost:50051`.
+You should now be able to access it at `wss://localhost:50051`.

src/maple-fighters/Assets/Maple Fighters/Resources/Configurations/NetworkConfiguration.asset

@@ -14,12 +14,15 @@ MonoBehaviour:
   m_EditorClassIdentifier: 
   HostingData:
   - Name: Editor
+    Protocol: ws
     Host: localhost
     Environment: 0
   - Name: Development
+    Protocol: ws
     Host: localhost
     Environment: 1
   - Name: Production
+    Protocol: wss
     Host: maplefighters.io
     Environment: 2
   Environment: 0

src/maple-fighters/Assets/Maple Fighters/Scripts/ScriptableObjects/Configurations/HostingData.cs

@@ -7,6 +7,8 @@ public class HostingData
     {
         public string Name;
 
+        public string Protocol;
+
         public string Host;
 
         public HostingEnvironment Environment;

src/maple-fighters/Assets/Maple Fighters/Scripts/ScriptableObjects/Configurations/NetworkConfiguration.cs

@@ -14,6 +14,18 @@ public class NetworkConfiguration : ScriptableSingleton<NetworkConfiguration>
 
         public HostingEnvironment Environment;
 
+        public string GetProtocol()
+        {
+            var hostingData =
+                HostingData.FirstOrDefault((x) => x.Environment == Environment);
+            if (hostingData != null)
+            {
+                return hostingData.Protocol;
+            }
+
+            return string.Empty;
+        }
+
         public string GetHost()
         {
             var hostingData =

src/maple-fighters/Assets/Maple Fighters/Scripts/Services/GameApi/WebSocketGameApi.cs

@@ -77,7 +77,7 @@ private void Start()
 
             var uriBuilder = new UriBuilder()
             {
-                Scheme = "ws",
+                Scheme = networkConfiguration.GetProtocol(),
                 Host = networkConfiguration.GetHost(),
                 Path = "game"
             };