HA Proxy and Websockets

Solution 1:

As this is a 3rd party app, I'm not sure if I'm going to be able to get them to change their app. Therefore, I was wondering if there's something I can do on the HAProxy server to force a secure websocket connection.

This depends mostly on the 3rd party application. If the application is specifically using the ws: protocol, there is nothing you can do on the HAProxy side - browsers won't even connect to the HAProxy instance, so you aren't ever even given the chance to do anything about it.

You would need to open an issue with the 3rd party application developers and have them make the web socket protocol configurable, or add some detection (if the page is loaded over HTTPS, then use WSS).

Alternatively you could introduce content rewriting, where you have something that modifies outgoing content to re-write ws:/ to wss://. HAProxy cannot do this, but Nginx along with the sub_filter module can.