How to avoid insecure websockets requests in Apache Httpd? - apache

I have an Apache server in front of a Websocket Tomcat server, and I would like to restrict access to secure websockets only (wss://).
How can I achieve that in Apache configuration ?
One thing that I do not understand is that even if I block port 80 (not 443) on AWS, it is still possible for me to connect to my unsecured ws via Simple WebSocket Client, whereas a telnet myHost 80 is logically failing...

Actually, configuring Apache with SSL is enough : it will redirect all HTTP traffic to HTTPS.
I did not figure out that quickly, but I can only connect with WS protocol only after I have been redirected by the browser with a simple HTTP request to HTTPS. And then, when I try to connect with WS, looking at Chrome Developer tools, I can see in request headers that the final endpoint is WSS.
So, in Simple WebSocket Client, I am actually silently redirected to WSS endpoint when trying to connect with insecure WS. As I said previously, this silent redirection is enabled only after a HTTP to HTTPS redirection on a simple call in the browser. You can check it by closing your browser and trying to reconnect in WS via Simple WebSocket Client : you will get a 403 HTTP error.

Related

How do I make all Apache redirects https?

I have an apache proxy in our DMZ which then proxies on port 80 to and internal server. It uses port 80 so our firewall between the DMZ and internal network can inspect the request. So, it's like this;
browser -> 443 -> proxy -> 80 -> firewall -> internal server
This all works well but for one thing. If the user calls "https:/site/" this will end up calling http:/site on the internal server. This works fine if the page is there and get 200 and return data. However, if the app on the server tries to redirect the client to a /site/login page for example. This redirect seem to be sent back as http:/site/login, presumably because the connection from the proxy was http port 80. This then results in the client getting this error;
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
How can I make this work better? Either, 1/ make the redirect match the http/https from the original request, or 2/ if I can't do that, force it to always be an https in the redirect sent back?
Thanks

How to get Amazon EC2 to accept https with socket.io

My server works fine for http requests, but when I send https, I get:
polling-xhr.js:268 GET https://ec2-18-218-160-24.us-east-2.compute.amazonaws.com:8000/socket.io/?EIO=3&transport=polling&t=N826ajA net::ERR_SSL_PROTOCOL_ERROR
My security groups definitely allow http and https. Any ideas.

Running Apache HTTP on SSL with

I have successfully implemented the two different jboss 5 instaces with Apache HTTP Server and can access the application through the HTTP server (i.e. http://localhost:8089) where my http server is listening on port 8089 This was the smooth case. But when talking about HTTP Secured layer have enabled the Apache HTTP SSL by following the steps provided on this page and on default secure port (i.e. 443) now i can access the HTTP Server from secure layer by url: https://localhost/. But when i hit my jboss application, I ended up with following error in browser:
Not Found
The requested URL /myApp was not found on this server.
can anyone let me know how to deal with this?
Thanks

Apache redirect rules for back-end server with WebSockets

I'm trying to figure out how to properly setup apache redirect rules for back-end CherryPy server which implements websocket (done via ws4py module). The problem is that if you use rewrite engine or proxypass it strips off Upgrade header in redirected request and therefore CherryPy server complaints about it and fails at handshake step.
The scenario I have is the following. I have CherryPy server with ws4py module which setup WebSockets. It runs on localhost:9000. I want to have apache front-end which just redirect incoming request to back-end server (it does more than that, but for simplicity it should do just that).
The apache rule I have is simple
RewriteRule ^(/websocket(/.*)?)$ http://some_host:9000$1 [P,L]
so for all requests starting with /websocket it redirects them to back-end server running on port 9000. The P flag stands for Proxy, the L stops rewriting process (see http://borkweb.com/story/apache-rewrite-cheatsheet)
If client sends request with HTTP header Upgrade:websocket the apache engine (rewrite module) strips it off, which causes WebSocket handshake fails.
Is there are any way to fix rewrite rule to allow presence of Upgrade header?
Unfortunately, Apache doesn't have the capability to reverse proxy WebSocket connections yet (it absolutely should!). But there is a solution that allows web requests to be handled using Apache and WebSocket connections to be handled by something else. This solution involves using HAProxy as the front end to both apache and your WebSocket server.
Here are a couple of relevant links to get you started:
http://lheurt.blogspot.com/2011/12/reverse-proxy-nodejs-websockets-with.html
HAProxy + WebSocket Disconnection

Is it possible to have a forward proxy with ssl encryption between the proxy and the user?

First of all I want to make clear that i am not talking about accessing content which is on origin servers that deliver using https which can be done using the module mod_proxy_connect.
What I want is a secured connection between the client and the proxy, also when the origin that is requested actually is served by an unsecured standard http server.
I am using apache 2.2 and also would like to make this possible with apache if that works.
I sniffed some requests using wireshark and noted the following:
A usual http of the url http://example.com/file looksl ike this:
on a connection to the origin server:
GET /file HTTP 1.1
Host: example.com
Note that the host information is stripped from the actual request and the host header is supplied instead (which can be handled server side in named virtual hosts).
When the request goes through a proxy server it looks slightly different:
on a connection to the proxy server:
GET http://example.com/file HTTP 1.1
Host: example.com
Note that the request line now actually contains the full url including protocol and hostname.
The host header is probably redundant, bus if I read the RFC correctly it is required by HTTP 1.1.
So I think about setting up an apache webserver listening on port 443, enable a virtualhost with ssl engine and certificates up and do not bind it to any hostname.
I think that should get apache to talk ssl, but however the certificates common name will not match the host specfied in the connect line to the proxys server ip adress.
Is what I want to to even possible with current standards and if so how can I do it?
Yes of course, that's what HTTPS proxy is.
Client connects to proxy over SSL, sends commands to proxy in text.
It is also possible to use HTTP CONNECT to establish HTTPS connection "inside" the SSL connection to HTTPS proxy, though not all clients support this:
HTTPS connection over HTTPS proxy
client proxy server
ssl \-------/ ssl
connect---------200 OK
ssl \---------------------------/ ssl
data-------------------------------data
/---------------------------\
/-------\
HTTP connection over HTTPS proxy
client proxy server
ssl \-------/ ssl
GET http://server/ ->
GET /
Host: server ->
<---------OK, data
<--------------OK, data
/-------\