How to use WebSocket as transport in the NATS C client library #371

Closed
tomghuang opened this issue Oct 13, 2020 · 3 comments

@tomghuang

The NATS port is usually blocked by corporate firewalls, which prevent a NATS client from connecting to a public NATS server. Since the latest NATS server has supported WebSocket, which is not blocked by corporate firewalls, I wonder if it is possible to use the C client library to connect to a NATS server with WebSocket. Thanks.

@kozlovic
Member

@tomghuang Thank you for your interest!

There is no plan at the moment. I personally find it a bit too much to have to implement websocket framing (encoding/decoding) on all supported NATS clients just because of that. I don't see how being websocket framed makes it more "secure". At the end, it is still NATS protocol underneath. So if a company security team evaluates a team's use of NATS and believes it is secure enough, why not open the NATS port? Again, making it "websocket" is not making it more secure.

What we miss, though, is an option to establish TLS right away, which is causing problems in some environments since the first message from the server to client is in plain text.

@tomghuang
Author

tomghuang commented Oct 14, 2020

The purpose of using WebSocket is not for security, but for bypassing the firewall.

We want to use NATS as our communication backbone of our consumer IoT solution. However, we cannot control where these IoT devices are deployed. If some devices are deployed in a corporate environment, we can't just ask the customer's corporate IT department to change their firewall policies because of their employee buying a smart lighting device.

Of course there are some ways to overcome this problem, such as deploying a WebSocket proxy in front of the NATS server. However, since NATS already supports WebSocket, we should be able to bypass firewalls and connect to the NATS server directly, without all these gateway/proxy solutions.

Most of the IoT devices are embedded systems written in C. Therefore, we may not have to implement WebSocket framing in all the supported client libraries, but support the C client library first. If we can connect to a NATS server from a $3 MCU, I believe NATS can help to simplify the IoT network architecture and replace many protocols.

If you don't have any plan to make the C client library support WebSocket, could you give me a direction about how to add the WebSocket framing to the library? Thanks.

@kozlovic
Member

@tomghuang Sorry for the delay. I may get to this at one point, but have more pressing duties at the moment. If you want to have a look for yourself, well there would be the decoding of websocket frames and that would be conn.c's _readLoop, after reading data from socket (after the natsSock_Read() call), and natsConnection_ProcessReadEvent() for external event loops, or even maybe down into natsSock_Read() call itself, to make sure we cover all cases. Of course it means that until a frame is complete, this call cannot return data to the upper-level.
For writing, it would be in natsConn_bufferFlush() or natsConn_bufferWrite(), anywhere we call natsSock_WriteFully(). So again, maybe down to that function.
And of course, the connect process will have to change to perform TLS handshake right away and send HTTP headers.

So as you will find out, it is a bit more involved than it seems from the outside, hence my hesitation to make NATS clients websocket clients just because of the corporate firewall rules. (I am not arguing the general benefit of having NATS clients that can "speak" websocket natively).
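
The frame-decoding step described in the comment above, as an added example (not code from nats.c or from either participant): an incremental RFC 6455 frame decoder that returns 0 until a whole frame has been buffered, so nothing partial reaches the NATS protocol parser. The names `ws_frame` and `ws_decode` are hypothetical, and the 1 MiB `WS_MAX_PAYLOAD` cap is an assumed limit.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example: hypothetical names, not part of the NATS C client. */
typedef struct {
    int      fin;          /* 1 when this is the final fragment of a message */
    int      opcode;       /* 0x1 text, 0x2 binary, 0x8 close, 0x9 ping, 0xA pong */
    uint8_t *payload;      /* points into the caller's receive buffer */
    size_t   payload_len;
} ws_frame;

#define WS_MAX_PAYLOAD (1u << 20) /* assumed cap: reject peer-declared lengths above 1 MiB */

/* Returns bytes consumed (>0) when buf[0..len) holds a whole frame,
 * 0 when more bytes must be read first, -1 on a protocol violation. */
long ws_decode(uint8_t *buf, size_t len, ws_frame *out)
{
    size_t   hdr = 2, i;
    uint64_t plen;
    int      masked;

    if (len < hdr) return 0;
    if (buf[0] & 0x70) return -1;  /* RSV bits set but no extension negotiated */
    /* Control frames must be unfragmented and carry at most 125 bytes. */
    if ((buf[0] & 0x08) && ((buf[1] & 0x7F) > 125 || !(buf[0] & 0x80))) return -1;
    masked = (buf[1] & 0x80) != 0;
    plen = buf[1] & 0x7F;
    if (plen == 126) {             /* 16-bit extended length, big-endian */
        if (len < 4) return 0;
        plen = ((uint64_t)buf[2] << 8) | buf[3];
        hdr = 4;
    } else if (plen == 127) {      /* 64-bit extended length, big-endian */
        if (len < 10) return 0;
        plen = 0;
        for (i = 0; i < 8; i++) plen = (plen << 8) | buf[2 + i];
        hdr = 10;
    }
    if (plen > WS_MAX_PAYLOAD) return -1; /* bound before any size arithmetic */
    if (masked) hdr += 4;                 /* 4-byte masking key follows the length */
    if (len < hdr + plen) return 0;       /* incomplete: give nothing to the parser */
    out->fin = (buf[0] & 0x80) != 0;
    out->opcode = buf[0] & 0x0F;
    out->payload = buf + hdr;
    out->payload_len = (size_t)plen;
    if (masked)                           /* unmask in place with the key at hdr-4 */
        for (i = 0; i < plen; i++) out->payload[i] ^= buf[hdr - 4 + (i & 3)];
    return (long)(hdr + plen);
}
```

A caller would append each socket read to a buffer, call `ws_decode` in a loop, and drop the consumed bytes after every positive return.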
