WebSocket – When, Why & Watchout

Currently reading
WebSocket – When, Why & Watchout

83
31
NAS
220+
Operating system
  1. Windows
Mobile operating system
  1. Android
Newbie here. Although I learned programming with punch cards, networking is new to me.

Setup: Motorola 6800 --> Asus RT-AX88U --> DS220+ (DSM 7.1.1 Update 2)
Remote Access: DDNS with LetsEncrypt Cert --> Reverse Proxy
Use:
  • Synology packages: Office/Drive (sync)/Photo
  • Mobile apps: DS Finder/Photo/Secure Signin/Drive/DS File
  • Future: Chat/Calendar/Notes
All is working well :). Yet I am not sure if I should enable WebSocket in Control Panel > Login Portal > Advanced > Reverse Proxy > Edit > Custom Header. after surveying this forum for answers to my questions, I have come up blank. Thus, the reason for this post and request for wisdom from others with more experience.

I understand that the WebSocket protocol, which offers a continuous (open) two-way connection until it is closed by either end, may have advantages for Synology’s surveillance package. But at present, I don’t use the surveillance package.

Q1: What Packages/Services would benefit from or require enabling WebSocket?​
Q2: Are there additional security risks associated with enabling WebSocket?​
Q3: What are the unforeseen (for a newbie) consequences for enabling WebSocket?​

Thank you in advance for your kind replies.
 
Welcome to the forum! Good to have more "old school" people here ;).

Q1: What Packages/Services would benefit from or require enabling WebSocket?
Personally I only enable this on apps/platforms that need it and require it. Regarding syno apps, while I use most of these, none are going over RP, so I can't answer with 100%, but I can say that Chat might be the one that will need/support websocket if nothing else then for the notifications to work.

Now this might be incorrect, but most chat platforms that I have used (and still do), do run that way. Again, it might not be in the case of Syno Chat.

On the other hand, a Ruby version of Bitwarden, VaultWarden (password manager) uses websock for instant syncing of new items added to the vault that are then pushed towards all other clients that you use with that same instance. It does not work with iOS apps, but that is by design. This is one example of a platform that explicitly states the use of websocket (not mandatory!) in case you want to use this feature.

Q2: Are there additional security risks associated with enabling WebSocket?
Well, thats open for debate. In case there is some sort of exploit on the application/platform running via RP, I guess we could say there are risks, but then again, opening with anything today towards anywhere is a risk, no matter how big or small the platform is.

Q3: What are the unforeseen (for a newbie) consequences for enabling WebSocket?
Don't enable is if it's not required, would be my suggestion
 
Excellent reply Rusty. Thank you for your insight :).

Your assessment agrees with my thoughts. Yet, as a newbie, I still have lots to learn.

I had read about Bitwarden & VaultWarden as well as Surveillance Station websocket issues. But none seemed to apply to my use-case. Perhaps Synology's Chat package might.

One more question...
If websocket is not activated by default for Reverse Proxy setups only (which is primarily a remote (WAN) access security scheme), is websocket enabled by default for LAN access to Synology NAS? In other words, is websocket being limited by port 443 access (for reverse proxy) but enabled for LAN DSM port access? I ask because I can thing of Synology apps like Resource Monitor that could make good use of a websocket.​

Lastly: Happy Thanksgiving to all.
Bonhoeffer: In ordinary life, we hardly realize that we receive a great deal more than we give, and that it is only with gratitude that life becomes rich.
 
To my knowledge and research, DSM doesn't appear to use websockets, but instead continuously polls for information.

The setting just enables support for websocket proxying, though it doesn't mean that websockets are permanently used. The server needs to initiate it by returning status code 101 (Switching Protocols), which makes the client respond in a way that establishes a websocket tunnel between client and server.

See: WebSocket proxying


You can actually see status code 101 in your browser's developer tools network tab, if a websocket connection is established.
 
Ahhhhh...
Thanks one-eyed-king for the link on nginx.org. Interesting read, especially the part about reverse proxies...

websocket.jpg


So, the take away seems to be that the websocket issue is only associated with reverse proxy conditions. And, based on others, if an NAS app like Surveillance Station needs it, Synology is likely to post an informational message if websocket is required.

Thanks to both one-eyed-king & Rusty for both your insights.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top