Decrypting websocket connections in Hiawatha

5 July 2018, 19:27
I'm using Hiawatha to forward my websocket connections to a node.js server. If I want to use secure websockets (wss), is it possible to have Hiawatha decrypt them into regular websockets (ws)? Here's an example of what my code looks like.
Binding {
Port = 80

VirtualHost {
Hostname =
WebsiteRoot = /path/to/website
StartFile = index.html
AccessLogfile = /path/to/access.log
ErrorLogfile = /path/to/error.log
ReverseProxy .*
WebSocket = ws://ip:3000 /websocket1 15
WebSocket = ws://ip:9002 /websocket2 15
Hugo Leisink
6 July 2018, 01:03
I don't understand what you try to achieve. You want to use secure websockets, but at the same time have Hiawatha to decrypt them (not use secure websockets).
6 July 2018, 01:27
Sorry, I'll clarify. I have a node.js server runnning in the background using an http connection and unsecured websockets. I'm currently using Hiawatha to forward requests from the client to my node.js server using the reverse proxy functionality and two unprotected websockets. For multiple reasons, it is advantageous to me to leave the node.js server functioning completely unencrypted but hosted locally, and use Hiawatha to interact with anything outside my local network.
If I want to encrypt my traffic, is it possible for me to encrypt the traffic that goes between Hiawatha and the client (use wss/https), but decrypt this traffic inside Hiawatha such that connections to my node js server through the Reverse proxy and websockets are unencrypted (ws/http)?

Thanks for all your help Hugo!!
Hugo Leisink
6 July 2018, 09:56
Ah, ok. if you use 'WebSocket = ws://...', then the connection to the websocket will be plain text. If you use 'ReverseProxy .* http://...', the connection between Hiawatha and backend server will be plain text. If you use a TLScertFile option in your binding (use Port = 443), then the connection between the client and webserver will be encrypted. That will be for normal requests, AJAX requests, websocket requests and so on. So, yes, in that case, Hiawatha acts as an SSL offloading server.
This topic has been closed.