feat: use secure websocket connection

Author: codingben

docker-compose.prod.yml

@@ -7,7 +7,7 @@ services:
             REACT_APP_ENV: Production
             REMOVE_CF_IPS: "false"
         ports:
-            - 80:80
+            - 443:443
         depends_on:
             - game-service
     game-service:
@@ -16,9 +16,11 @@ services:
         expose:
             - 50051
         environment:
-            URL: ws://0.0.0.0:50051
+            URL: wss://0.0.0.0:50051
             FLECK_LOG: Info
             IM_LOG: Debug
             GAME_LOG: Debug
             CONFIG_SOURCE: v2.0
             MAX_CONNECTIONS: 100
+            CERTIFICATE_NAME: "server.pfx"
+            CERTIFICATE_PASSWORD: ""

docker-compose.yml

@@ -10,7 +10,7 @@ services:
             REACT_APP_ENV: Development
             REMOVE_CF_IPS: "true"
         ports:
-            - 80:80
+            - 443:443
         depends_on:
             - game-service
     game-service:
@@ -21,9 +21,11 @@ services:
         expose:
             - 50051
         environment:
-            URL: ws://0.0.0.0:50051
+            URL: wss://0.0.0.0:50051
             FLECK_LOG: Info
             IM_LOG: Debug
             GAME_LOG: Debug
             CONFIG_SOURCE: v2.0
             MAX_CONNECTIONS: 100
+            CERTIFICATE_NAME: "server.pfx"
+            CERTIFICATE_PASSWORD: "helloworld"

kustomize/base/frontend.yaml

@@ -18,7 +18,7 @@ spec:
           image: maplefighters/frontend:2.0.0
           imagePullPolicy: Always
           ports:
-            - containerPort: 80
+            - containerPort: 443
           env:
             - name: REACT_APP_ENV
               value: "Development"
@@ -45,8 +45,8 @@ metadata:
 spec:
   type: LoadBalancer
   ports:
-  - name: http
-    port: 80
-    targetPort: 80
+  - name: https
+    port: 443
+    targetPort: 443
   selector:
     app: frontend

kustomize/base/gameservice.yaml

@@ -20,6 +20,10 @@ spec:
           ports:
             - containerPort: 50051
           env:
+            - name: CERTIFICATE_PASSWORD
+              value: ""
+            - name: CERTIFICATE_NAME
+              value: "server.pfx"
             - name: MAX_CONNECTIONS
               value: "100"
             - name: CONFIG_SOURCE
@@ -31,7 +35,7 @@ spec:
             - name: IM_LOG
               value: Debug
             - name: URL
-              value: ws://0.0.0.0:50051
+              value: wss://0.0.0.0:50051
           resources:
             requests:
               cpu: 100m

src/frontend/Dockerfile

@@ -7,6 +7,8 @@ RUN npm run build
 
 FROM nginx:1.20.1-alpine
 COPY --from=builder /app/nginx.conf /etc/nginx/nginx.conf
+COPY --from=builder /app/server.crt /etc/nginx/ssl/server.crt
+COPY --from=builder /app/server.key /etc/nginx/ssl/server.key
 COPY --from=builder /app/cloudflare-ips.conf /var/www-allow/cloudflare-ips.conf
 COPY --from=builder /app/build /usr/share/nginx/html
 COPY --from=builder /app/entrypoint.sh /entrypoint.sh

src/frontend/nginx.conf

@@ -16,10 +16,24 @@ http {
         server game-service:50051;
     }
 
-    server { 
+    server {
         listen 80;
         server_name _;
 
+        # Redirect all HTTP requests to HTTPS
+        return 301 https://$host$request_uri;
+    }
+
+    server {
+        listen 443 ssl;
+        server_name _;
+
+        # SSL configuration
+        ssl_certificate /etc/nginx/ssl/server.crt;
+        ssl_certificate_key /etc/nginx/ssl/server.key;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+
         limit_req zone=req burst=10 delay=5;
         limit_req_status 444;
         limit_rate 5m;
@@ -31,9 +45,8 @@ http {
         }
 
         location /game {
-            # Source: https://github.com/nicokaiser/nginx-websocket-proxy/blob/master/simple-ws.conf
-            # redirect all HTTP traffic to game-service
-            proxy_pass http://game/;
+            # Upgrade to WebSocket protocol over HTTPS
+            proxy_pass https://game/;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header Host $host;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

src/game-service/Game.Application/.env

@@ -1,6 +1,8 @@
-URL=ws://0.0.0.0:50051
+URL=wss://0.0.0.0:50051
 FLECK_LOG=Info
 IM_LOG=Debug
 GAME_LOG=Debug
 CONFIG_SOURCE=v2.0
-MAX_CONNECTIONS=100
+MAX_CONNECTIONS=100
+CERTIFICATE_NAME=server.pfx
+CERTIFICATE_PASSWORD=helloworld

src/game-service/Game.Application/Dockerfile

@@ -8,4 +8,5 @@ RUN dotnet publish -c release -o /app --no-restore
 FROM mcr.microsoft.com/dotnet/runtime:5.0
 WORKDIR /app
 COPY --from=builder /app .
+COPY --from=builder /source/server.pfx .
 ENTRYPOINT ["dotnet", "Game.Application.dll"]

src/game-service/Game.Application/GameApplication.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Security.Cryptography.X509Certificates;
 using DotNetEnv;
 using Fleck;
 using Game.Application;
@@ -23,7 +24,10 @@
 GameLog.Level = (GameLogLevel)Enum.Parse(typeof(GameLogLevel), gameLog);
 
 var url = Env.GetString("URL");
+var certificateName = Env.GetString("CERTIFICATE_NAME");
+var certificatePassword = Env.GetString("CERTIFICATE_PASSWORD");
 var server = new WebSocketServer(url);
+server.Certificate = new X509Certificate2(certificateName, certificatePassword);
 var serverComponents = new ComponentCollection(new IComponent[]
 {
     new IdGenerator(),

src/game-service/Game.Application/Makefile

@@ -2,7 +2,7 @@ build:
 	docker build -t game-service .
 
 run:
-	docker run -p 50051:50051 game-service -e URL=ws://0.0.0.0:50051 \
+	docker run -p 50051:50051 game-service -e URL=wss://0.0.0.0:50051 \
 		FLECK_LOG=Info \
 		IM_LOG=Debug \
 		GAME_LOG=Debug

src/game-service/Game.Application/README.md

@@ -43,4 +43,4 @@ make build
 make run
 ```
 
-You should now be able to access it at `ws://localhost:50051`.
+You should now be able to access it at `wss://localhost:50051`.