GitHub Documentation

Colyseus and wss proxy (to a docker)

  • Installing Local Certificate Authority for testing purposes.

    I wanted to create a proxy from wss to ws connection. But I didn't want to touch my production environment.

    So I created a local certificate authority on my local = private computer.

    This is how I did this (Oracle Enterprise Linux = CentOS = RedHat - based)

    (First start with a root login)

    • vi /etc/yum/repos.d/epel-yum-ol7.repo
    name=Oracle Linux $releasever EPEL ($basearch)
    • yum repolist

    • yum -y install easy-rsa

    Connect non-root-user

    • useradd myrsa

    • passwd myrsa

    • su - myrsa

    (add user to sudoers)

    • mkdir ~/easy-rsa

    • ln -s /usr/share/easy-rsa/3/* ~/easy-rsa/

    • chmod 700 ~/easy-rsa

    • cd ~/easy-rsa
      *./easyrsa init-pki

    • vi vars

    set_var EASYRSA_REQ_COUNTRY    "NL"
    set_var EASYRSA_REQ_PROVINCE   "MyProv"
    set_var EASYRSA_REQ_CITY       "MyCity"
    set_var EASYRSA_REQ_ORG        "MyOrg"
    set_var EASYRSA_REQ_EMAIL      "admin@localhost"
    set_var EASYRSA_REQ_OU         "Community"
    set_var EASYRSA_ALGO           "ec"
    set_var EASYRSA_DIGEST         "sha512"
    • ./easyrsa build-ca nopass
    . . .
    Enter New CA Key Passphrase:
    Re-Enter New CA Key Passphrase:
    . . .
    Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
    CA creation complete and you may now import and sign cert requests.
    Your new CA certificate file for publishing is at:
    • cat ~/easy-rsa/pki/ca.crt

    Other Server : WebServer (or the same system : in my case the same system )

    • vi /tmp/ca.crt
      pate data from the ca.crt you created earlier

    • sudo cp /tmp/ca.crt /etc/pki/ca-trust/source/anchors/

    • sudo update-ca-trust

    Make private key

    • openssl genrsa -out webserver.key

    Certificate SIGNING request : CSR

    • openssl req -new -key webserver.key -out webserver.req


    • openssl req -in webserver.req -noout -subject

    • cat webserver.req

    Transport this certificate to the ca-server

    • vi /tmp/webserver.req
      paste - webserver.req from other server
    • cd ~/easy-rsa
    • ./easyrsa import-req /tmp/webserver.req webserver
    • ./easyrsa sign-req server webserver
      Enter: Yes

    Certificate created at: .../webserver.crt

    • cat ~/easy-rsa/pki/issued/webserver.crt


    Take this certifcate to the webserver

    • vi /tmp/webserver_ca.crt
      Paste certificate

    WebServer (root)

    • cp /tmp/webserver_ca.crt /etc/pki/tls/certs/webserver_ca.crt
    • cp webserver.key /etc/pki/tls/private/webserver.key
    • chmod 600 /etc/pki/tls/private/webserver.key
    • yum -y install httpd mod_ssl mod_dav_svn ssl proxy proxy_http proxy_html proxy_wstunne
    • vi /etc/httpd/conf.d/ssl.conf

    SSLCertificateFile /etc/pki/tls/certs/webserver_ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webserver.key
    SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

    service httpd restart

    Importing CA in Browser

    In order for the client to trust the server it should also trust the CA that made the key.

    Generate a key you can import in a browser:

    • cd /home/myrsa/easy-rsa
    • openssl pkcs12 -export -in pki/ca.crt -inkey pki/private/ca.key -out browser.pfx

    Browser / Client

    Client computer:
    c> pscp root@ca_server:/home/myrsa/easy-rsa/browser.pfx Downloads

    Add the name 'webserver' to your host-resolver:

    C> notepad c:\windows\system32\drivers\etc\hosts webserver

    Open browser

    • chrome://settings/security?search=certificat
      Go to certificate management and import the PFX into the Trusted ROOT CERTIFICATES

    You can now make a secure connection to the webserver:


    Proxy Forward

    • vi /etc/httpd/conf.d/ssl.conf
      Add below in the file :

    To make sure that all non-browser traffic goes to specific port I open up the 8567 port instead of 443

      <VirtualHost *:8567>
        SSLEngine On
        SSLCertificateFile /etc/pki/tls/certs/webserver_ca.crt
        SSLCertificateKeyFile /etc/pki/tls/private/webserver.key
        SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
         RewriteEngine On
        RewriteCond %{HTTP:Upgrade} =websocket [NC]
            # Port 3567 is where the docker is listening for
        RewriteRule ^/(.*)    ws://$1 [P,L]

    My docker is started like this:

    • docker run --name=col -h col --dns= -p 3567:3567 -v /home/root:/home/extern/ -t -d oel /bin/bash

    Port forward trafic comming from 3567 is going inside the docker where colyseus is listening on 3567 as well.

    Firewall is completely open on my private server.
    This should never be done for global servers. But for global servers you really need a non-self-signed certificate.

    You now have a secure connection to the server and it will proxy the stream to the docker. Inside the docker (colyseus-code) nothing has to be altered!


© 2021 Lucid Sight, Inc