Configure NGINX to deny web socket connections except for certain paths

teward nginx-forum at
Wed Apr 1 13:10:20 UTC 2020

This will sound a little odd, but we have an NGINX reverse proxy acting as
an SSL termination point for a remote desktop web gateway from Microsoft.

Currently, the primary Web Client ingress point is protected by SSL Client
Certificates - you must have a valid SSL CLient Certificate to get to the
web component.

However, RDWeb from Microsoft still has to establish WSS connections
(`wss://...`) to the RD Gateway component - a separate server.  The tricky
part about this is it uses *only* `wss`.  This works fine if the web
frontend is open to all, but we want to restrict it so that only one WSS
pathway can actually be used and no other WSS requests work.

When attempting to make this work, we've been trying various configurations
of location matching ultimately ending with the WSS connections all failing
except when passed through directly WITHOUT any restrictions (that is,
`location / { ... }` is globally permitted for the gateway component.)

Is there a way to configure NGINX so that it tests the requested wss path
*first* before it hands off to the backend, thereby determining if it's
permitted or rejected?

Posted at Nginx Forum:,287519,287519#msg-287519

More information about the nginx mailing list