Creating HTTPS Service
Question:
How does Workerman create an https service to enable clients to connect and communicate using https?
Answer:
The https protocol is actually http + SSL, which means adding an SSL layer on top of the http protocol. Workerman supports the http protocol and also supports SSL (requires Workerman version >= 3.3.7), so it only needs to enable SSL on top of the http protocol to support the https protocol.
There are two general options to enable HTTPS in Workerman: one is to directly enable SSL in Workerman, and the other is to use nginx as a proxy for SSL. You can choose one of the two options, but not set them both at the same time.
Enabling SSL in Workerman
Preparation:
- Workerman version >= 3.3.7
- PHP has the openssl extension installed
- A certificate has been applied for (pem/crt file and key file) and placed in /etc/nginx/conf.d/ssl
    <?php
    use Workerman\Worker;
    use Workerman\Connection\TcpConnection;
    require_once __DIR__ . '/vendor/autoload.php';

    // It is best to use a certificate that has been applied for
    $context = array(
        'ssl' => array(
            'local_cert'        => '/etc/nginx/conf.d/ssl/server.pem', // It can also be a crt file
            'local_pk'          => '/etc/nginx/conf.d/ssl/server.key',
            'verify_peer'       => false, // Clients are not required to present a certificate
            'allow_self_signed' => true,  // This option needs to be enabled if using self-signed certificates
        )
    );

    // Here, http protocol is set
    $worker = new Worker('http://0.0.0.0:443', $context);

    // Set transport to enable ssl, changing it to http+SSL, i.e., https
    $worker->transport = 'ssl';

    $worker->onMessage = function(TcpConnection $con, $msg) {
        $con->send('ok');
    };

    Worker::runAll();
The above code creates an HTTPS service via Workerman, allowing clients to connect to Workerman using the HTTPS protocol for secure encrypted communication.
Test:
Input https://domain:443 in the browser's address bar to access.
Note:
- The HTTPS port must be accessed using the HTTPS protocol; the HTTP protocol cannot be used.
- Certificates are generally bound to a domain name, so please use the domain name for testing and do not use the IP.
- If you cannot access HTTPS, please check the server firewall.
Using nginx as an SSL Proxy
In addition to using Workerman's own SSL, you can also use nginx as an SSL proxy to achieve HTTPS.
Note
You must choose either the nginx proxy SSL or Workerman's SSL; both cannot be enabled simultaneously.
The communication principle and process are as follows:
- The client initiates an HTTPS connection to nginx.
- Nginx converts the HTTPS protocol data into HTTP protocol and forwards it to Workerman's HTTP port.
- Workerman processes the data for business logic and returns the HTTP protocol data to nginx.
- Nginx then converts the HTTP protocol data back to HTTPS and forwards it to the client.
Nginx Configuration Reference
Prerequisites and Preparation:
- Assume Workerman is listening on port 8181 (HTTP protocol).
- A certificate has been applied for (pem/crt file and key file) and placed in /etc/nginx/conf.d/ssl.
- Plan to use nginx to open port 443 to provide external HTTPS proxy service (the port can be modified as needed).
Nginx configuration similar to the following:
    upstream workerman {
        server 127.0.0.1:8181;
        keepalive 10240;
    }
    server {
        # TLS is enabled on the listening socket
        listen 443 ssl;
        server_name yourdomain.com;
        access_log off;
        ssl_certificate /etc/nginx/conf.d/ssl/server.pem;
        ssl_certificate_key /etc/nginx/conf.d/ssl/server.key;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        # Only TLS 1.2 and 1.3; SSLv2/SSLv3 and TLS 1.0/1.1 are obsolete and insecure
        ssl_protocols TLSv1.2 TLSv1.3;
        # Strong suites only: no anonymous, export-grade or RC4 ciphers
        ssl_ciphers HIGH:!aNULL:!MD5;
        location /
        {
            proxy_pass http://workerman;
            proxy_http_version 1.1;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Connection "";
        }
    }
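
The Workerman side of the proxy setup described above, as an added example that is not part of the original manual. It assumes Workerman 4.x or later (for the `Request` object) and nginx running on the same host; `TRUSTED_PROXIES` and `client_ip()` are hypothetical names introduced for illustration.

```php
<?php
use Workerman\Worker;
use Workerman\Connection\TcpConnection;
use Workerman\Protocols\Http\Request;
require_once __DIR__ . '/vendor/autoload.php';

// Assumption: nginx runs on the same host, so loopback is the only trusted peer.
const TRUSTED_PROXIES = ['127.0.0.1'];

/**
 * Hypothetical helper: return the client address to log or rate-limit on.
 * X-Real-IP is honoured only when the TCP peer is a trusted proxy and the
 * header holds a syntactically valid IP; otherwise the peer address is used,
 * so a client that reaches the port directly cannot forge its address.
 */
function client_ip(string $peerIp, ?string $xRealIp): string
{
    if (in_array($peerIp, TRUSTED_PROXIES, true)
        && $xRealIp !== null
        && filter_var($xRealIp, FILTER_VALIDATE_IP) !== false) {
        return $xRealIp;
    }
    return $peerIp;
}

// Plain HTTP: no SSL context and no $worker->transport = 'ssl',
// because nginx terminates TLS (only one of the two options may be enabled).
// Bound to loopback so the unencrypted port 8181 is not reachable from outside.
$worker = new Worker('http://127.0.0.1:8181');

$worker->onMessage = function (TcpConnection $con, Request $request) {
    // nginx sets X-Real-IP to $remote_addr; header names are lower-cased.
    $ip = client_ip($con->getRemoteIp(), $request->header('x-real-ip'));
    $con->send("ok, client address: $ip");
};

Worker::runAll();
```

If nginx runs on a different host, Workerman has to listen on an address nginx can reach; in that case restrict port 8181 to the proxy with a firewall rule and list the proxy's address in `TRUSTED_PROXIES`.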