A friend referred me to Blynk. Looks great and it has its own app, free, all great perks.
I do nginx proxy on all things http, so that’s really the first thing I did. The nginx logs left me puzzled:
1.2.3.4.notreal - - [01/Jul/2020:13:13:15 +0000] “\x02,\xAC\x00\x00\x00Mmoi@mdugre.info\x00Y5nzqoAZJdwNJs37ZnSdtLYkvmKV9R+IwnwfwDgTHfY=\x00iOS\x002.26.4\x00Blynk” 400 150 “-” “-” “-”
This is from logging in locally with the iOS mobile app. The “\x02,\xAC\x00\x00\x00” makes no sense; a standard HTTP request looks like: “GET /admin HTTP/2.0” 200 365 …
From the code it looks like the mobile app is using a homegrown protocol on top of the http channel. In the Blynk Java server class BaseHttpAndBlynkUnificationHandler.buildPipeline, I saw this:
    if (isHttp(header4Bytes)) {                                // first 4 bytes look like an HTTP request line
        return buildHttpPipeline(pipeline);
    }
    if (isHardwarePipeline(header4Bytes, lastByteOfHeader)) {  // device (Arduino etc.) protocol
        return buildHardwarePipeline(pipeline);
    }
    return buildAppPipeline(pipeline);                         // anything else: the mobile app protocol
Yeah, the Blynk app is using a non-HTTP, non-WS protocol for communicating over the standard HTTP/WS port, and this gets intercepted on connect by reading the first 5 bytes of the request. So that answers the question: you can’t do an http proxy for the Blynk mobile app because it is not http, it just hijacks the http connection.
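To make the above concrete, here is a small added script (mine, not the post author's and not Blynk's code) that does what nginx and the Blynk handler are each doing with the first bytes: it undoes nginx's `\xNN` log escaping, applies a 4-byte "does this start like an HTTP request line" check that approximates the isHttp test (the exact method list is an assumption on my part), and, for a non-HTTP connection, decodes the frame header. The framing used for the decode (1-byte command, 2-byte message id, 4-byte big-endian body length) is my reading of the logged bytes, not a documented Blynk format; the script checks that the declared length matches the body so the reader can see the reading is self-consistent. The two sample request strings are constructed with placeholder credentials, not copied from the log line above.

```python
import struct

# Constructed samples in nginx's $request escaping (printable bytes as-is,
# everything else as \xNN). Placeholder user and hash, not real data.
SAMPLE_HTTP = "GET /admin HTTP/1.1"
SAMPLE_APP = (
    r"\x02,\xAC\x00\x00\x00N"          # 7-byte header, body length 0x4E = 78
    + r"user@example.com\x00"
    + "A" * 44 + r"\x00"               # placeholder for a 44-char base64 hash
    + r"iOS\x002.26.4\x00Blynk"
)

# Assumed approximation of the isHttp(header4Bytes) check: the first four
# bytes of a real HTTP request are a method token (padded with a space).
HTTP_METHOD_PREFIXES = (b"GET ", b"POST", b"PUT ", b"HEAD", b"DELE",
                        b"OPTI", b"PATC", b"CONN", b"TRAC")

# Assumed frame header: command (1), message id (2), body length (4), big-endian.
APP_HEADER = struct.Struct(">BHI")


def unescape_nginx(logged: str) -> bytes:
    """Reverse nginx's log escaping: '\\xNN' back to one byte, else latin-1."""
    out = bytearray()
    i = 0
    while i < len(logged):
        if logged.startswith("\\x", i) and i + 4 <= len(logged):
            try:
                out.append(int(logged[i + 2:i + 4], 16))
                i += 4
                continue
            except ValueError:
                pass  # a literal backslash-x that is not an escape
        out.extend(logged[i].encode("latin-1"))
        i += 1
    return bytes(out)


def is_http(first4: bytes) -> bool:
    """True when the first four bytes look like an HTTP request line."""
    return first4 in HTTP_METHOD_PREFIXES


def parse_app_frame(raw: bytes) -> dict:
    """Decode the assumed header and split the NUL-separated body fields."""
    if len(raw) < APP_HEADER.size:
        raise ValueError("frame shorter than the 7-byte header")
    cmd, msg_id, length = APP_HEADER.unpack_from(raw)
    body = raw[APP_HEADER.size:]
    return {
        "command": cmd,
        "message_id": msg_id,
        "declared_length": length,
        "length_matches": length == len(body),
        "fields": [f.decode("latin-1") for f in body.split(b"\x00")],
    }


def inspect_logged_request(logged: str) -> dict:
    """Classify one logged $request the way the unification handler would."""
    raw = unescape_nginx(logged)
    if is_http(raw[:4]):
        return {"kind": "http", "request_line": raw.decode("latin-1")}
    return {"kind": "blynk", "frame": parse_app_frame(raw)}


if __name__ == "__main__":
    for line in (SAMPLE_HTTP, SAMPLE_APP):
        print(inspect_logged_request(line))
```

Running it shows why the 400 in the log is expected: the app frame begins with the non-printable byte 0x02 (what nginx prints as `\x02`), so nginx's HTTP parser rejects it before any `proxy_pass` is consulted. A TCP-level proxy such as nginx's `stream` module, or a plain port forward, never looks at those bytes and simply relays them.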
The solution is to configure an nginx stream proxy (as suggested by vshymanskyy) or, even better, to open a port forward on your router directly to the Blynk server (e.g. port 9443/tcp) as suggested elsewhere.
Note that both the device (Arduino, etc.) and the /admin connections seem like real http, so those work fine on an nginx reverse proxy. But you won’t be able to do that for the mobile app.
I usually prefer keeping things clean, like for example creating a separate TCP port (e.g. 9444/tcp) for separate protocols. Aside from that little hack, I’ve been really impressed with Blynk. I just cloned the Java server and I’ll see if I can’t do something about splitting those protocols into separate ports to at least make what is going on obvious.
That’s what I’ve always done, makes it easier for the poor tekky trying to troubleshoot a network failure at 2AM after a prod firewall upgrade failed and he’s trying not to have to call his boss to get the whole thing rolled back… yeah, like that never happened to me ;).