Websockets and the PrivX Carrier browser
PrivX web containers are used for accessing HTTP or HTTPS sites via PrivX role-based access control.
PrivX can be used to automatically provide authentication for the sites and/or to record the web sessions.
If your site uses an official CA-signed certificate, secure WebSockets (WSS) are supported automatically. If you are using self-signed or company CA-signed certificates, or old ciphers, please continue reading.
PrivX Carrier uses ports 18080 and 18443 to proxy HTTP and HTTPS traffic via PrivX Web Proxy Host.
Port 18444 is used for tunneling web socket traffic.
Trusting self-signed certificates
By default, the PrivX Web Container trusts only official CA-signed certificates. For company-signed or self-signed certificates, a SEC_ERROR_UNTRUSTED_ISSUER warning is shown to the user. By default, the user can bypass this warning.
For web sites using official certificates (trusted by both the PrivX Web Proxy host and the Firefox browser), no certificate configuration is necessary.
Connecting to a self-signed or company CA-signed website with HTTPS
To avoid security warnings for regular HTTPS traffic, copy the CA bundle containing the certificates to trust into the /etc/pki/ca-trust/source/anchors/ directory on the PrivX Web Proxy host and run "update-ca-trust extract". After this, run "service privx-web-proxy restart" so the proxy picks up the updated trust store.
Configuring web socket certificates with Carrier config
If using self-signed certificates, the site certificate must fulfil the following requirements:
- The web site certificate cannot be a CA certificate, but it must be signed by one.
- The CA certificate must be trusted by the web proxy host OS (for HTTPS) and by Carrier (for WSS).
- Certificate validity must be less than 398 days (see https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/).
- The web site hostname must match the contents of the site certificate's Subject Alternative Name field.
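The following script, added here as an example and not part of PrivX or its documentation, checks a site certificate against the four requirements above before the site is published through Carrier and the CA bundle is copied to the anchors directory. It assumes openssl, GNU date and GNU grep on the checking host (as on a RHEL-family Web Proxy host); check_site_cert, lifetime_ok and san_matches are hypothetical helper names, and the file names in the usage line are placeholders.

```shell
#!/bin/sh
# Pre-flight check of a site certificate against the Carrier requirements listed above.
# Added example, not part of PrivX. Assumes openssl, GNU date and GNU grep on the host.
# Usage: sh check_site_cert.sh site.pem ca-bundle.pem www.example.com
MAX_DAYS=398

# Requirement 3: lifetime (notAfter - notBefore, both as epoch seconds) must be below MAX_DAYS.
lifetime_ok() {
  [ $(( ($2 - $1) / 86400 )) -lt "$MAX_DAYS" ]
}

# Requirement 4: $1 = hostname, $2 = SAN list as openssl prints it ("DNS:a.example.com, DNS:*.example.com").
# A wildcard covers exactly one label: *.example.com matches www.example.com, not a.b.example.com.
san_matches() (
  _host=$1
  set -f; IFS=','; set -- $2; unset IFS      # split on commas without globbing the '*'
  for _entry in "$@"; do
    _name=${_entry# }                        # openssl separates entries with ", "
    _name=${_name#DNS:}                      # IP:/email: entries simply never match a hostname
    case $_name in
      \*.*) [ "${_host#*.}" != "$_host" ] && [ "${_host#*.}" = "${_name#\*.}" ] && exit 0 ;;
      *)    [ "$_name" = "$_host" ] && exit 0 ;;
    esac
  done
  exit 1
)

# Runs all four checks on a PEM site certificate against the CA bundle the proxy host will trust.
check_site_cert() {
  _site=$1; _ca=$2; _host=$3
  # Requirement 1: the site certificate must not itself be a CA certificate.
  if openssl x509 -in "$_site" -noout -text | grep -q 'CA:TRUE'; then
    echo "FAIL: $_site is a CA certificate"; return 1
  fi
  # Requirement 2: it must be signed by a CA in the bundle (the one copied to .../anchors/).
  openssl verify -CAfile "$_ca" "$_site" >/dev/null 2>&1 \
    || { echo "FAIL: $_site is not signed by a CA in $_ca"; return 1; }
  _nb=$(date -d "$(openssl x509 -in "$_site" -noout -startdate | cut -d= -f2)" +%s)
  _na=$(date -d "$(openssl x509 -in "$_site" -noout -enddate | cut -d= -f2)" +%s)
  lifetime_ok "$_nb" "$_na" \
    || { echo "FAIL: validity is $(( (_na - _nb) / 86400 )) days, must be below $MAX_DAYS"; return 1; }
  _san=$(openssl x509 -in "$_site" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
  san_matches "$_host" "$_san" \
    || { echo "FAIL: $_host is not in the Subject Alternative Name list ($_san)"; return 1; }
  echo "OK: $_site meets the Carrier certificate requirements for $_host"
}

if [ "$#" -eq 3 ]; then check_site_cert "$1" "$2" "$3"; fi
```

Run it against the certificate users will browse to, with the same CA bundle you intend to place in /etc/pki/ca-trust/source/anchors/; a non-zero exit and a FAIL line name the requirement that was not met.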