The WebSocket protocol is a newly standardized protocol that is now supported by many current browser versions. There is currently a protocol draft, draft-ietf-xmpp-websocket-00, which describes the use of WebSocket to connect to an XMPP server. The Tigase XMPP Server implementation of WebSocket for connecting to the XMPP server follows this draft closely. By default, Tigase XMPP Server has the XMPP-over-WebSocket protocol enabled, without encryption, on port 5290. To use this protocol you need a client library that supports XMPP-over-WebSocket.
It is possible to enable an encrypted WebSocket connection in Tigase XMPP Server. To do this you need to add the following lines to the etc/init.properties config file:
In this example we enabled the WebSocket endpoint on port 5290 and the encrypted WebSocket endpoint on port 5291. Connections on port 5291 are SSL connections which encapsulate unencrypted WebSocket connections. As this is a direct TLS/SSL connection (no STARTTLS), it uses the default certificate installed in the Tigase XMPP Server instance. This certificate is located in certs/default.pem.
As mentioned in Tip #1, the WebSocket endpoint is a plain TLS/SSL port, so it always serves the default certificate of the Tigase XMPP Server instance. This is fine if we host a single domain and the default certificate matches that domain. But if we host multiple domains, we cannot use the wss://example1.com:5291/ connection URI if our default certificate is for the domain example2.com. In this situation it is recommended to use a default certificate for the domain under which the server is accessible from the internet. This domain should identify this one server, so it should not point, for example, at two nodes of a cluster. After we deploy a separate certificate for each cluster node, we should follow the same approach as Tip #1 for BOSH: our web-based XMPP client should know every node of the cluster, and when it needs to connect it should randomly select one node from the list of available cluster nodes and try to connect to it using a connection URL that contains the name under which that server is identified from the internet.
We have servers t1.example1.com and t2.example1.com which are nodes of a cluster hosting the domain example2.com. Each node has a default SSL certificate whose domain matches the name of that cluster node. The web client retrieves the list of cluster nodes from the web server, and when it needs to connect to the XMPP server it picks a random host from the retrieved list (e.g. t2.example1.com) and tries to connect to t2.example1.com over encrypted WebSocket using the connection URL wss://t2.example1.com:5291/. During the connection the client should still send example2.com as the name of the server it is connecting to (example2.com should be the value of the to attribute of the XMPP stream). This lets the browser validate the certificate, as it is issued for the same hostname the browser connects to, and it lets the XMPP client connect to the domain example2.com, which is one of the hosted vhosts.
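The client-side recipe above, as an added browser-side example that is not Tigase's own code or part of the original page. The node names, port 5291 and the vhost example2.com come from the text; the node list is constructed, and the "xmpp" WebSocket subprotocol and the stream header form are assumed from draft-ietf-xmpp-websocket-00.

```javascript
// Constructed node list, standing in for the list fetched from the web server.
const CLUSTER_NODES = ["t1.example1.com", "t2.example1.com"];
const WSS_PORT = 5291;                 // encrypted WebSocket endpoint
const HOSTED_DOMAIN = "example2.com";  // vhost served by the whole cluster

// Pick one cluster node at random; `rng` is injectable so the choice is testable.
function pickNode(nodes, rng = Math.random) {
  if (!Array.isArray(nodes) || nodes.length === 0) {
    throw new Error("no cluster nodes available");
  }
  return nodes[Math.floor(rng() * nodes.length)];
}

// The URL names the node itself: the browser checks the served certificate
// against this hostname, and each node's certificate is issued for its own name.
function connectionUrl(node, port = WSS_PORT) {
  return `wss://${node}:${port}/`;
}

// The stream header still addresses the hosted vhost, not the node.
// Header layout per draft-ietf-xmpp-websocket-00 (assumption).
function streamOpen(vhost) {
  return `<stream:stream xmlns="jabber:client" ` +
    `xmlns:stream="http://etherx.jabber.org/streams" ` +
    `to="${vhost}" version="1.0">`;
}

// Open the connection. `WebSocketImpl` defaults to the browser's WebSocket and
// can be swapped for a fake when testing; "xmpp" subprotocol is an assumption.
function connect(nodes, vhost, WebSocketImpl = globalThis.WebSocket, rng = Math.random) {
  const node = pickNode(nodes, rng);
  const url = connectionUrl(node);
  const ws = new WebSocketImpl(url, "xmpp");
  ws.onopen = () => ws.send(streamOpen(vhost));
  return { node, url, ws };
}
```

In a real deployment the certificate check happens in the browser before `onopen` fires, so a node whose certificate does not match its own hostname never reaches the stream header step.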