Secure websocket server from NodeJS app


I want to create a secure websocket connection from my frontend hosted on Google Firebase Hosting to my Balena device to be able to configure different settings on the device. I am perfectly able to connect from localhost without SSL like this:

        // Plain HTTP server, no TLS
        this.server = http.createServer()

        this.socket = new WebSocket.server({
            httpServer: this.server,
            autoAcceptConnections: false
        })


And connecting from the frontend like this:

        const address = `ws://`
        const ws = new websocket(address)

If I parse a request handler to the NodeJS server instance on the device, I am able to get a response by accessing the public URL of the device through HTTPS, but I am not able to connect a websocket to the device through WSS from the frontend hosted on Google through HTTPS. I have also tried connecting the websocket with the public URL without luck:

       const address = `wss://<DEVICE_ID>`

Obviously it is not that simple and I recognize I might need to create an HTTPS server on the device; however, I have had some problems generating the right certificates. Another possibility might be to utilize the certificates already used for the public HTTPS URL of the device. I have not been able to find any good examples or references showing how to access these certificates or create a secure websocket connecting to the device.

Hi @TobiasEmil,

If I’m correct, you’re trying to connect from your frontend hosted on Google Firebase (client) to your Balena device (server) via a websocket, correct?

I don’t know what you’re trying to achieve, but I don’t think this is the correct approach. It’s better to have a server host the websocket and let the frontend and Balena devices listen to this server. This way, you only have to maintain the SSL certificates for the server hosting the websocket instead of individual Balena devices. And the frontend can emit ‘commands’ to the server and the server can forward these ‘commands’ to the specific Balena device or to all devices.

But, like I said, I don’t know if this is what you want and what you’re trying to achieve?
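The relay arrangement suggested in the reply above, sketched as an added example that is not part of the thread: only the routing and authorization core of such a relay, independent of the WSS library that supplies the connections. `RelayHub`, the `{target, command, args}` message shape, the ownership map and the rule that `*` reaches only the caller's own devices are all assumptions made for illustration.

```javascript
// Added example (not from the thread). A connection is any object with send(string),
// e.g. a socket handed over by whichever WSS library the relay uses.
class RelayHub {
  constructor(ownership) {
    this.ownership = ownership; // Map: userId -> Set of deviceIds that user may control
    this.devices = new Map();   // deviceId -> live outbound connection from that device
  }

  registerDevice(deviceId, conn) {
    this.devices.set(deviceId, conn);
  }

  unregisterDevice(deviceId, conn) {
    // Ignore a late close event from a connection that was already replaced.
    if (this.devices.get(deviceId) === conn) this.devices.delete(deviceId);
  }

  // userId must come from the relay's own authentication, never from the message.
  forward(userId, rawMessage) {
    let msg;
    try { msg = JSON.parse(rawMessage); } catch (e) { return { ok: false, error: 'bad_json' }; }
    if (!msg || typeof msg.target !== 'string' || typeof msg.command !== 'string') {
      return { ok: false, error: 'bad_message' };
    }
    const owned = this.ownership.get(userId) || new Set();
    // '*' means "all of my devices", never every device known to the relay.
    const targets = msg.target === '*' ? [...owned] : [msg.target];
    if (targets.some((id) => !owned.has(id))) return { ok: false, error: 'forbidden' };
    const delivered = [];
    const args = msg.args === undefined ? null : msg.args;
    for (const id of targets) {
      const conn = this.devices.get(id);
      if (!conn) continue; // device offline: skipped, not an error
      conn.send(JSON.stringify({ command: msg.command, args, from: userId }));
      delivered.push(id);
    }
    return { ok: true, delivered };
  }
}

// Constructed sample data: two homes with one gateway each.
function demo() {
  const sent = { gwA: [], gwB: [] };
  const hub = new RelayHub(new Map([['alice', new Set(['gwA'])], ['bob', new Set(['gwB'])]]));
  hub.registerDevice('gwA', { send: (m) => sent.gwA.push(m) });
  hub.registerDevice('gwB', { send: (m) => sent.gwB.push(m) });
  const own = hub.forward('alice', '{"target":"gwA","command":"set_interval","args":{"s":30}}');
  const other = hub.forward('alice', '{"target":"gwB","command":"reboot"}');
  const all = hub.forward('alice', '{"target":"*","command":"ping"}');
  return { own, other, all, sent };
}
```

With this layout only the relay needs a TLS certificate, and each gateway opens an outbound connection to it.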

Thanks for answering!

Yes, that is correctly understood. I want it that way around as the Balena device is acting as a gateway for a number of sensors in a home and the residents should be able to connect to the gateway both from a smartphone app and a web app. But I am open to changes to the architecture if it makes sense.

But would it not be possible just to utilize the existing certificate the Balena device uses to secure the public URL, or am I misunderstanding something?

Hi @tobiasemil, I don’t think it will be possible to use the same cert that is used to secure the public URL, because as far as I understand, the SSL termination for the webURL is done on the balenaCloud backend and then the backend to device section is tunnelled through the balena VPN. So I think @vedicium’s suggestion is probably a good one. That being said, we have some upcoming features to allow one to do SSL termination of tunnels on the device itself, but that is not yet released.

Thanks for answering!

Alright. Do you know anything about the time schedule of the release of these features?