Im pretty new at all this server stuff, and I have a question regarding the security of the apache proxy.
What I am doing is: I have a websocket server running in non secure mode on port 11221 on the same system (localhost only, but with apache, it's a different application).
In my apache, I created a configuration with a proxy to that server:
ServerName websocket.example.com
SSLCertificateFile /path/to/fullchain.pem
SSLCertificateKeyFile /path/to/privkey.pem
ProxyPass / ws://localhost:11221/
ProxyPassReverse / ws://localhost:11221/
This combination works flawlessly, I can connect using a secure websocket connection to the server (using wss://websocket.example.com
). And I checked that I can't connect directly to it. ws://websocket.example.com:11221
will fail with a connection refused (as expected).
My question now is: Is this secure?. I.e. does the connection stay encrypted even after chaning to the websocket protocol? As far as I understood from my research, it does stay encrypted, but I couldn't find a definite answere.