Secure websockets with Happstack - haskell

Is there a way to use secure websockets (wss://) in Haskell server-side (preferably with Happstack)?
I tried to search Cabal for websocket server implementations, I get websockets and its multiple wrappers for different frameworks. Search inside websockets package does not show anything related to TLS.

It looks like most people nowadays use nginx as a reverse proxy capable of TLS (de)serialization, so the haskell backend only handles unencrypted data with ws:// hanlders.

Related

Support HTTPS in Node.js server or require reverse proxy for HTTPS

I'm writing an open-source Node.js application that implements a HTTP server for API calls. Supporting HTTPS in Node.js isn't hard, but it adds a little complexity and cases you need to thing about:
Path to key and cert should be configurable => More settings / documentation
App should handle errors when key and cert is missing or path is wrong => More code and test
Docker image must pass an external key and cert to the application running in the container => More code and documentation
It feels a bit like reinventing the wheel. I'm personally using a reverse proxy that handles the HTTPS part of all my sites. The servers in the background are all just HTTP.
Is it ok to require a reverse proxy or is it better to support HTTPS directly as most users aren't using a reverse proxy? What's the common server setup and recommend way when writing an open-source Node.js application? How to make it as easy as possible for most users to use my app?
Reverse proxy is preferable for most of the scenarios since we can make use of security, load balancing, cache control, etc. kind of things. Also we can use for logging purpose so that we can maintain a security layer on all the server activities and data behind this proxy. As you mentioned, there will have some more lines of code to write but the system will persist more powerful. I recommend to have a reverse proxy to make the things more robust and secure.

WebSockets over SPDY

I'm learning about real-time data web applications and I have build some small chat app with Node.js and WebSockets. I was able to implement SPDY for the HTTPS traffic (the static pages) but I can't find a way to have the WebSocket connection to also use the SPDY connection. So now I have 2 TCP connections.
I have found several old articles about WebSockets over SPDY but these are all talking about how it's maybe possible in the future. Since I can't find any recent articles, let alone examples of how to do this, can I conclude that this is not possible yet?
I could be wrong, but i think that is not possible. Websockets use a different protocol and a different uri schema (ws and wss uri). Sdpy works on HTTP.

Is it a good practice to use Socket.IO's emit() instead of all HTTP requests?

I set up a Node.js HTTP server. It listens to path '/' and returns an empty HTML template on a get request.
This template includes Require.js client script, which creates Socket.IO connection with a server.
Then all communication between client and server is provided by Web Sockets.
On connection, server requires authentication; if there are authentication cookies then client sends them to server for validation, if no cookies then client renders login view and waits for user input, etc.
So far everything works, after validating credentials I create a SID for user and use it to manage his access rights. Then I render main view and application starts.
Questions:
Is there a need to use HTTPS instead of HTTP since I'm only using HTTP for sending script to the client? (Note: I'm planning to use Local Storage instead of cookies)
Are the any downfalls in using pure Web Sockets without HTTP?
If it works, why nobody's using that?
Is there a need to use HTTPS instead of HTTP since I'm only using HTTP
for sending script to the client? (Note: I'm planning to use Local
Storage instead of cookies)
No, HTTP/HTTPS is required for handshake for websockets. Choice of HTTP or HTTPS is from security point of view. If you want to use it for simply sending script then there is no harm. If you want to implement user login / authentication in your pages then HTTPS should be used.
Are the any downfalls in using pure Web Sockets without HTTP?
Web sockets and HTTP are very different. If you use pure Web Sockets you will miss out on HTTP. HTTP is the preferred choice for cross-platform web services. It is good for document traversal/retrieval, but it is one way. Web socket provides full-duplex communications channels over a single TCP connection and allows us to get rid of the workarounds and hacks like Ajax, Reverse Ajax, Comet etc. Important thing to note is that both can coexist. So aim for web sockets without leaving out HTTP.
If it works, why nobody's using that?
We live in the age of HTTP, web sockets are relatively new. In the long term, web sockets will gain popularity and take up larger share of web services. Many browsers until recently did not support web sockets properly. See here, IE 10 is the latest and only version in IE to support web sockets. nginx, a wildly popular server did not support web sockets until Feb-March 2013. It will take time for web sockets to become mainstream but it will.
Your question is pretty similar to this one
Why use AJAX when WebSockets is available?
At the end of the day they were both created for different things although you can use web sockets for most, if not everything which can be done in normal HTTP requests.
I'd recommend using HTTPS as you do seem to be sending authentication data over websockets (which will also use the SSL, no?) but then it depends on your definition of 'need'.
Downfalls - Lack of support for older browsers
It's not used this this in many other situations because it's not necessary and it's still 'relatively new'.

Websocket client in Haskell?

I see lots of libraries and examples for writing websockets servers in Haskell, but what about clients? Are there any libraries around for that?
The websockets package supports client-side applications
http://hackage.haskell.org/packages/archive/websockets/0.7.0.0/doc/html/Network-WebSockets.html#g:12
See the example:
https://github.com/jaspervdj/websockets/blob/master/example/client.hs
The websockets package contains a websocket client as well. After initiating the connection with connect, you write the client code just like you would for the server, using the WebSockets monad.

WebSockets Servers

If I have found tutorials about WebSockets, they have only been how to create Client-Side sockets. How can I create WebSocket servers and where can I get information about this (something like in Node.js)?
I don't need done Libraries for WebSockets, I need learn how to create WebSockets Servers without Libraries for WebSockets.
Thanks for replies anyone!
https://github.com/joyent/node/wiki/modules#ws-ajax
For example this "tutorial" shows a low level WebSocket server, however it would be maybe better to look at source codes of other popular servers like node-websocket-server or specific part of socket.io which deals with the WebSocket transport.
Or you can use an already-made WebSocket server. Like https://socketsbay.com/

Resources