The websocket library I rely on (PHP-Websockets) does not yet support secure sockets (wss). My website is served over https though, so I cannot use insecure ws connections.
I'm trying to use Apache's mod_proxy to forward the secure request that comes from the browser on to the client.
Javascript
var ws = new WebSocket('wss://example.com/_ws_/');
Apache VirtualHost
ProxyPass "/_ws_/" "ws://127.0.0.1:8080/"
ProxyPassReverse "/_ws_/" "ws://127.0.0.1:8080/"
# I've also tried "/_ws_/" "ws://example.com:8080/" Same error below
Upon trying to connect, the browser receives a 500 Server Error. The logs show:
No protocol handler was valid for the URL /_ws_/. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
I've confirmed that if I remove the proxy rules, stop redirecting users to https and try to connect to insecure sockets from the browser: new WebSocket('ws://example.com/'), things work just fine.
My loaded Apache modules include mod_ssl.c, mod_proxy.c and mod_proxy_http.c
Apache 2.4
To reverse proxy WebSockets, you also need to load the mod_proxy_wstunnel module.
Related
when my server running with litespeed the ProxyPass to external site (e.g. google.com) not working but on apache it works
litespeed says that you must add a web server in externalApp in litespeed configuration panel
so far all is ok
but i want to proxy wss.bazaretala.com/wss to ws://49.12.36.109:7777 and i can't add ws://49.12.36.109:7777 as a web server because ws protocol is not supported and only http and https should use
what should i do?
I have a java application which is trying to call a HTTPS endpoint which is setup in my internal network. Also this request go through a corporate proxy.
Having said that, I don't want to implement a HTTPS client at my application level. Instead I will just trigger a plain http request, then further my proxy will take the http request and delegate it to the HTTPS endpoint. So that the proxy will take care of handling the SSL certificates & keys.
Is this something possible with Apache Httpd or Squid ?
Basically I dont want my application to worry about the SSL cerificates etc. Instead this can be managed at the proxy level ?
this should be easy with apache. in your virtual host add
ProxyPass /myapp https://somehost.com/myapp
ProxyPassReverse /myapp https://somehost.com/myapp
then you can use yourinternalhost.company.com/myapp/
then watch your error log about SSLProxyCheck* messages (depends on the ssl certificate)
see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeercn
mod_proxy:
httpd.apache.org/docs/2.4/mod/mod_proxy.html (see proxyremote for using another (corporate) proxy
i am using apache web server on localhost:80 and Geoserver served from tomcat on localhost:8080
I recently installed SSL certificate on apache and it works fine except for that i get the message that says i have insecure content which i thought they were GeoServer layers. So now I'm trying to enable SSL for GeoServer and have Openlayers content like htis https://example.org:8080/geoserver but still not sure what's the best approach to do that.
My suggestion:
Add a (reverse) proxy in Apache and configure your web application that is connects only to the Apache proxying the GeoServer.
ProxyPass "/geoserver" "http://localhost:8080/geoserver"
ProxyPassReverse "/geoserver" "http://localhost:8080/geoserver"
This way you only need to allow HTTPS in the firewall and nobody from outside will have the chance to reach GeoServers web interface unless you enable port 8080 on the firewall. Also see https://gis.stackexchange.com/q/4323/109339 for further details.
Please note that you should set the https://docs.geoserver.org/stable/en/user/configuration/globalsettings.html#proxy-base-url of GeoServer with the public reachable URL via your Apache, e.g. https://your-apache.com/geoserver - otherwise the absolute URLs generated from GeoServer in e.g. GetCapabilities start with http://localhost:8080/geoserver (which is not reachable anymore).
If you had not already Apache in use, I would recommend nginx.
I'm a bit out of my depth here and nothing I have found quite addresses my problem. Si any and all suggestions are most welcome.
I've got tomcat6 running on CentOS 6.5 hidden behind an apache server (v2.2.15) and I am using Apache's mod_proxy to expose the tomcat webapps, which are running on port 8080. The tomcat hosts one production application and several development applications. On the apache side, both a Drupal site and the aforementioned tomcat production application are on the same domain and, thanks to rewrite rules, all requests to this domain are changed to https. The development sites are reached via subdomains and do not get re-written as https requests.
For the most part, this arrangement works fine. But parts of the tomcat apps are AJAX (calling a Java Struts 1.2 backend). Most of those requests are handled OK. But a few AJAX requests result in redirects (i.e., forward.setRedirect(true)) and that redirect is http (I guess because the container itself is not secure). As a result, I run into cross site scripting issues. I imagine I can use CORS headers to avoid the problem. But that seems like a hack. Is there a relatively painless way I can use to have tomcat send redirects back as https without making tomcat handle ssl directly?
Cris
You could configure the RemoteIpValve in Tomcat:
Another feature of this valve is to replace the apparent scheme
(http/https) and server port with the scheme presented by a proxy or a
load balancer via a request header (e.g. "X-Forwarded-Proto").
To configure Apache to forward the original protocol in the X-Forwarded-Proto header, add a RequestHeader directive in your Apache config, e.g.:
<VirtualHost *:443>
RequestHeader set X-Forwarded-Proto "https"
...
Note that in Tomcat 7, there is also a RemoteIpFilter.
You don't need to do anything special. It already works. Make sure you set the "redirectPort" in server.xml to Apache's HTTPS port, usually 443, and add the following to your <security-constraint> sections for resources you want secured by HTTPS:
<user-data-constraint>
<description>HTTPS</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
Late to the game here but others may find this-- we had a similar setup and issue where everything worked fine until the application started using ajax posts which did redirects for the response. The fix was to use mod_header in apache to rewrite redirects using "Header edit Location"
http://httpd.apache.org/docs/current/mod/mod_headers.html
Header edit Location ^http://www.example.com/ https://www.example.com/
This went unnoticed prior to the ajax redirects because the browser has no problem doing page level redirects to http (which apache would then redirect back to https). But the ajax cross-site prevention halts at the initial http missing out on that would then be redirected to https by a subsequent request.
I'm trying to figure out how to properly setup apache redirect rules for back-end CherryPy server which implements websocket (done via ws4py module). The problem is that if you use rewrite engine or proxypass it strips off Upgrade header in redirected request and therefore CherryPy server complaints about it and fails at handshake step.
The scenario I have is the following. I have CherryPy server with ws4py module which setup WebSockets. It runs on localhost:9000. I want to have apache front-end which just redirect incoming request to back-end server (it does more than that, but for simplicity it should do just that).
The apache rule I have is simple
RewriteRule ^(/websocket(/.*)?)$ http://some_host:9000$1 [P,L]
so for all requests starting with /websocket it redirects them to back-end server running on port 9000. The P flag stands for Proxy, the L stops rewriting process (see http://borkweb.com/story/apache-rewrite-cheatsheet)
If client sends request with HTTP header Upgrade:websocket the apache engine (rewrite module) strips it off, which causes WebSocket handshake fails.
Is there are any way to fix rewrite rule to allow presence of Upgrade header?
Unfortunately, Apache doesn't have the capability to reverse proxy WebSocket connections yet (it absolutely should!). But there is a solution that allows web requests to be handled using Apache and WebSocket connections to be handled by something else. This solution involves using HAProxy as the front end to both apache and your WebSocket server.
Here are a couple of relevant links to get you started:
http://lheurt.blogspot.com/2011/12/reverse-proxy-nodejs-websockets-with.html
HAProxy + WebSocket Disconnection