Proxy websocket wss:// to ws:// apache - apache

i searched alot but i couldnt connect my websocket to wss:// ,
i found that there is a way to proxy wss://domain.com:9090 and apache apply the proxy on it and redirect request to where the normal ws://domain.com:9090 server is running
ProxyPass /websocket ws://domain.com:9090
ProxyPassReverse /websocket ws://domain.com:9090
this code in apache config will send request from any address ended with /websocket to ws://domain.com:9090
ex : ws://websocket will be ws://domain.com:9090
i want to do it for wss:// also
ex wss://websocket must point to ws://domain.com:9090
it dosnt work and i get this error in browser console :
failed: Error in connection establishment: net::ERR_CONNECTION_REFUSED
is there any mistake here ?
thanks you .


i worked 24 hours for find this and searched a lot of forum but no one write about success.
here is my server configuration :
CentOS release 6.7 , Apache 4.2.18
here is what i did finally :
first i found that modules/mod_proxy_wstunnel.so must be enable in apache config file , but my apache didn't have that module and after a lot of search i found that module is Available in apache 2.4.5 and later.
https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
i downloaded https://archive.apache.org/dist/httpd/httpd-2.4.18.tar.gz
extracted httpd-2.4.18\modules\proxy\mod_proxy_wstunnel.c and uploaded to my server root
then from terminal could compile it again with these commonds :
chmod 755 mod_proxy_wstunnel.c #set permission
pxs -i -a -c mod_proxy_tunnel.c #compile module
pxs command did compile the module and wrote in apache config file to load it
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
after that i added these lines to end of apache config file :
RewriteEngine on
ProxyRequests Off
ProxyPreserveHost on
ProxyPass /myws ws://mysite.com:8091
ProxyPassReverse /myws ws://mysite.com:8091
AND NOW : it works !
in client side js you can set ws url like this :
var protocol = 'ws://';
if (window.location.protocol === 'https:') {
protocol = 'wss://';
}
var wsUri =protocol+ "mysite.com/myws";
var ws = new WebSocket(wsUri);
and it will forward request to ws://mysite.com:8091
doesnt matter the page loaded with https or http , it will direct all request ended with /myws to ws://mysite.com:8091


You need to enable some Apache2 modules:
$ a2enmod proxy proxy_wstunnel proxy_http rewrite
Then you can use this configuration to solve your problem.
ProxyRequests off
ProxyVia on
RewriteEngine On
RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://example.com:9090/$1 [P,L]
ProxyPass /websocket http://example.com:9090/websocket
ProxyPassReverse /websocket http://example.com:9090/websocket
Apache2 automatically upgrades the connection to websocket with ws://, you don't need to set the ws:// manually. I tried dozens of configurations and this is the only one that worked for me.


the problem I was trying to solve was similar to this one. I have a reverse proxy running under Apache 2.4 on CentOs 7 which has to work with both https and wss requests.
Behind the reverse proxy I have my app server running on an internal network. the virtual host configuration in the /etc/httpd/httpd.conf config file is as follows:
<VirtualHost *:443>
ServerName example.com
RewriteCond %(HTTP:Upgrade) websocket [NC] # Required to handle the websocket connection
RewriteCond %(HTTP:Connection) upgrade [NC]
RewriteRule /(.*) ws://192.160.0.1/$1 [P,L]
SSLEngine on # SSL Certificates handling
SSLCertificateFile ssl/cert.pem # Public Certificate
SSLCertificateKeyFile ssl/key.pem # Private certificate
SSLCertificateChainFile ssl/ca.pem # CA or chain certificate
ProxyPreserveHost On
ProxyPass /websocket ws://192.168.0.1 # First you need to write the specific rules
ProxyPassReverse /websocket ws://102.168.0.1
ProxyPass / http://192.168.0.1 # Then the generic rules for the proxy.
ProxyPassReverse / http://192.168.0.1
</VirtualHost>
In your case, you will have to replace the ServerName, the SSL certificates location, and the destination of the proxy.


wss needs following module
Uncomment line at the httpd.conf of apache conf
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so


The /websocket path is missing in your ProxyPass configuration path.
Use:
ProxyPass /websocket ws://example.com:9090/websocket
ProxyPassReverse /websocket ws://example.com:9090/websocket
Additional information:
Like others mentioned, you have to uncomment the line:
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
If you are also using a http ProxyPass thats relative path is "/" (forwarding everything directly), the specific "/websocket" path configuration must be configured first, otherwise "/" grabs first.
ProxyPass /websocket ws://example.com:9090/websocket
ProxyPassReverse /websocket ws://example.com:9090/websocket
ProxyPass balancer://ac-cluster/
ProxyPassReverse / http://example.com:9090


I did it for aria 2. I just enabled some modules and added a single line to config. (env: debian buster/apache 2.4).
enabling modes:
sudo a2enmod proxy proxy_balancer proxy_wstunnel proxy_http
and add this line to ssl site config file inside the virtual host directive :
ProxyPass /jsonrpc ws://127.0.0.1:6888/jsonrpc


I want to share this in case it helps somebody else avoid days of wasted time and effort.
I was giving up after researching everything. I was ready to start following the code of the different proxy modules, yes I know, a spiderweb..., but I was desperate. As a last resource I installed wireshark to follow exactly what was going on in my network. After installing wireshark, the instructions asked me to restart my server through a power off/on cycle. So, I did. When I started tracing it, to my complete surprise, the server was proxying perfectly the wss requests to ws, no problems! So I had the correct setup to start with but something got messed up in Ubuntu 20.4 / Apache 2.4.41 / node 14.17.2 that required a complete restart of the machine where the server operates. Crazy! But that was it...

Related

Apache Module mod_proxy_wstunnel not working

I have a website running at http://XXX.XXX.XXX.XXX:3000 and it runs [Botpress][1]
In order to have it running via HTTPS I made an Apache reverse proxy configuration:
My file looks like:
SSLProxyEngine on
ProxyPass "/" "http://XXX.XXX.XXX.XXX:3000/"
ProxyPassReverse "/" "http://XXX.XXX.XXX.XXX:3000/"
ProxyPass "/socket.io/" "ws://XXX.XXX.XXX.XXX:3000/socket.io/"
ProxyPassReverse "/socket.io/" "ws://XXX.XXX.XXX.XXX:3000/socket.io/"
Now if I go to https://botpress.mywebsite.com I see the Botstrap admin interface working however when I login I see an error in the browser's console showing:
Firefox can’t establish a connection to the server at wss://botpress.mywebsite.com/socket.io/?visitorId=_GUWkjNu-VH9XpE3DpO76PxD&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....&transport=websocket. web.100.....94b.js:2:6616130
was interrupted while the page was loading.
Is there something wrong in my config file with the ProxyPass & ProxyPassReverse for socket.io?
Thanks.
[1]: https://botpress.com/

i spent a few days on this. I found the problem was really in the order things were added in conf file.
‘RewriteEngine On’
‘RewriteCond %{QUERY_STRING} transport=polling [OR]’
‘RewriteCond %{REQUEST_URI} /socket.io/socket.io.js’
‘RewriteRule /socket.io/(.*)$ http://localhost:3000/socket.io/$1 [P]’
‘ProxyPass /socket.io/ ws://localhost:3000/socket.io/‘
‘ProxyPassReverse /socket.io/ ws://localhost:8082/socket.io/‘
‘ProxyPass / http://localhost:3000/‘
‘ProxyPassReverse / http://localhost:3000’
‘ProxyPreserveHost on’

Apache proxypass configuration for Apache and JBoss application installed on same server node

If I hit - http://10.157.128.170/oneapp application should load index.html from Apache content
And ALL API calls like http://10.157.128.170:25003/oneapp/* (where * could be any API Call) should redirect calls to JBOSS on port :25003/oneapp
What could be the Apache configuration for this requirement ?
My current Configuration is :
ProxyPassMatch ^/oneapp/$ !
ProxyPass /oneapp/index.html !
ProxyPass /oneapp http://10.157.128.170:25003/oneapp
ProxyPassReverse /oneapp http://10.157.128.170:25003/oneapp
where I need to hit : http://10.157.128.170/index.html for going to index.html but I need that to be http://10.157.128.170/oneapp
File I've on Apache Content directory
index.html
app.css
app.js
images

Just add a trailing slash to fix the issue
ProxyPassMatch ^/oneapp/$ !
ProxyPass /oneapp/index.html !
ProxyPass /oneapp/ http://10.157.128.170:25003/oneapp/
ProxyPassReverse /oneapp/ http://10.157.128.170:25003/oneapp/
Also make sure that mod_proxy and mod_proxy_http are enabled.

Set apache subdomain reverse proxy for bitbucket

I read several documentations "how to make it possible" like these
confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html
httpd.apache.org/docs/2.4/vhosts/examples.html
I not even try to use https for the moment. First I wanna a small success, access bitbucket via my subdomain...
Running:
Ubuntu 16.04.2 LTS
Bitbucket 5.0.0
Apache/2.4.18
/var/atlassian/application-data/bitbucket/shared/bitbucket.properties:
server.port=7990
server.secure=false
server.scheme=http
server.proxy-port=80
server.redirect-port=80
server.proxy-name=mysub.mydomain.mytld
/etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ServerName mysub.mydomain.mytld
ProxyRequests Off
ProxyVia Off
ProxyPass "/" "http://mydomain.mytld:7990/"
ProxyPassReverse "/" "http://mydomain.mytld:7990/"
</VirtualHost>
bitbucket base url (bitbucket settings administration)
http://mysub.mydomain.mytld
restart commands
/etc/init.d/apache2 restart
within /opt/atlassian/bitbucket/5.0.0/bin/
./stop-bitbucket.sh
./start-bitbucket.sh
With the default bitbucket.properties bitbucket works, when I call http://mydomain:mytld:7990/
With my custom bitbucket.properties, when I call http://mysub.mydomain.mytld/ shows 500 internal error. In the apache logs:
"No protocol handler was valid for the URL /. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule."

Finally the problem was wrong virtualHost configuration
<VirtualHost subdomain.domain.tld:80>
ProxyPass "/" "http://localhost:7990/"
ProxyPassReverse "/" "http://localhost:7990/"
localhost... instead the public domain

How to run IPython behind an Apache proxy

I would like to run an IPython notebook web server behind an Apache (reverse) proxy so that instead of the URL
https://my.server:XXXX
(where XXXX is some port number) I could use
https://my.server/py0
I am aware that IPython uses websockets and I suspect this is the part that is missing from my setup, but I simply could not find a suitably detailed description on how to configure this. Unfortunately the IPython webserver setup docs don't have much to say regarding proxies apart from this:
When behind a proxy, especially if your system or browser is set to
autodetect the proxy, the notebook web application might fail to
connect to the server’s websockets[...]
So I decided to try it on my own and put the following in /etc/apache2/sites-enabled/default-ssl.conf :
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
ProxyPass /py0/ https://localhost:10000/
ProxyPassReverse /py0/ https://localhost:10000/
Accessing IPython "directly" over the URL https://my.server:10000 works perfectly as advertised.
The URL https://my.server/py0 (without a trailing slash) returns "404 Not found".
The same with a trailing slash https://my.server/py0/ does "work" in that it forwards to https://my.server/login?next=%2F, which is then "Not found" in its own right -- obviously because the /py0/ part got lost. Maybe I should tell IPython about it but how ??
Perhaps relevant version numbers: Ubuntu 14.04 LTS, Apache 2.4.7.
Perhaps relevant SO question: IPython behind nginx. However, since everything else in my setup is handled by Apache to my full satisfaction, I do not want to run Nginx in addition.
Is there any good soul out there who has successfully configured IPython notebook web servers behind Apache? If yes, then please step forward and share your knowledge :-) Many thanks!

I got this working using the following setup.
IPython
IPython Notebook is listening at http://localhost:8888/ipython. It was necessary to add the /ipython prefix, because IPython uses absolute paths, so it must be the same as the reverse proxied path.
The ipython_notebook_config.py
c = get_config()
c.NotebookApp.ip = 'localhost'
c.NotebookApp.open_browser = False
c.NotebookApp.port = 8888
c.NotebookApp.base_url = '/ipython'
Apache
I enabled
mod_proxy
mod_proxy_http
mod_proxy_wstunnel
In the apache config I added
<Location /ipython>
ProxyPass http://localhost:8888/ipython
ProxyPassReverse http://localhost:8888/ipython
ProxyPassReverseCookieDomain localhost my.server.com
RequestHeader set Origin "http://localhost:8888"
</Location>
<Location /ipython/api/kernels/>
ProxyPass ws://localhost:8888/ipython/api/kernels/
ProxyPassReverse ws://localhost:8888/ipython/api/kernels/
</Location>
to an SSL enabled virtual host definition.
The RequestHeader set Origin "http://localhost:8888" was necessary for the websockets, otherwise you get a 403 Forbidden.
Now IPython is reachable at https://my.server.com/ipython (no trailing /!).

WARNING: This is rather verbose, as I gather you have figured much of this, but for documentation purposes, I laid out enough detail here for someone else to follow.
I put this answer together after implementing this myself with the help from various links. The first from here Websocket origin check fails when used with Apache WS proxy #5525. I repeat much of it here with some changes. Other links are referenced below.
1. Set up iPython:
This is in the post, but rather than do it as the original post suggested, I just followed the general instructions for Running a notebook server. With this done you should be able to test the setup, which will require enabling the port you have this configured for. If this does not work, then any Apache set up will not work.
2. Configure Apache:
Make sure you have the following mods available and enabled.
./configure --enable-proxy --enable-ssl --enable-deflate --enable-proxy-http --enable-proxy-wstunnel --enable-info --enable-rewrite --enable-headers
Added --enable-headers here as they were not installed on mine. Also I used the Apache2 a2enmod command. So sudo a2enmod headers, sudo a2enmod proxy, etc.
If you're running a version of Apache prior to 2.4, you do not have the proxy_wstunnel mod. You can either a patch your version or upgrade. To patch your version, you can follow these instructions. Be sure to copy over both mod_proxy.so and mod_proxy_wstunnel.so. To get the configure script, you need to run ./buildconfig, which has its own dependencies. This is noted in a comment therein.
Within Apache, create a "sites-available/iPython.conf" file. Originally I said to either add to httpd.conf or ports.conf. Adding your own site file is much cleaner and will allow you to enable/disable the configuration when desired.
Listen [ANY PORT HERE] # post has port 8999 here...
...
<VirtualHost *:[ANY PORT HERE]>
SSLProxyEngine On # post did not have this...
ProxyPass / http://127.0.0.1:8888/
ProxyPassReverse / http://127.0.0.1:8888/
# spoof headers to make notepad accept the request as coming from the same origin
Header set Origin "http://127.0.0.1:8888/"
RequestHeader set Origin "http://127.0.0.1:8888/"
LogLevel debug
</VirtualHost>
NOTE 1: The post uses port 8999, but it can be any port you want. You want port 80 here, but you do not need to specify it, so, modifying the above would yield:
<VirtualHost *:80>
... # Everything is the same here...
</VirtualHost>
NOTE 2: Since you are using SSL, you need to add SSLProxyEngine On within the body of the VirtualHost definition. As noted above, the post did not have this specifically.
NOTE 3: Port 8888 is whatever port ipython is running on. Change this based on your configuration.
NOTE 4: If you want to host multiple applications, and this is one of them, rather than having / and :8888/, you will want /ipython and :8888/ipython or whatever you want this to be named. In order to support this, see Running with a different URL prefix.
Enable the new configuration:
sudo a2ensite iPython
If you need to disable:
sudo a2dissite iPython
Reload Apache:
sudo service apache2 reload
My Environment:
Ubuntu 14.04.1
Apache 2.4.7
ipython 2.3.0
EDIT: Updated to reflect the final changes I made to get this working. I also changed the instruction order to what I think makes more sense.

Based on Apache's config of #adam, I'm putting here a full SSL-aware <VirualHost> sections but without the /ipython prefix, and i'm giving also the SSL-options for anyone interested:
<VirtualHost *:80>
ServerAdmin myname#my.place.com
ServerName some.server.com
SSLEngine off
Redirect permanent / https://some.server.com
</VirtualHost>
## From http://stackoverflow.com/questions/23890386/how-to-run-ipython-behind-an-apache-proxy
#
<VirtualHost *:443>
ServerAdmin myname#my.place.com
ServerName some.server.com
SSLEngine on
SSLCertificateFile some_server_com.crt
SSLCertificateKeyFile some_server_com.key
<Location />
ProxyPass http://localhost:8888/
ProxyPassReverse http://localhost:8888/
ProxyPassReverseCookieDomain localhost some.server.com
RequestHeader set Origin "http://localhost:8888"
</Location>
<Location /api/kernels/>
ProxyPass ws://localhost:8888/api/kernels/
ProxyPassReverse ws://localhost:8888/api/kernels/
</Location>
Redirect permanent / https://some.server.com
</VirtualHost>

This works for jupyter and password hash:
<VirtualHost *:443>
ServerName default
ProxyPreserveHost On
ProxyRequests off
SSLProxyEngine on
SSLEngine on
SSLProtocol TLSv1
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLCertificateFile /home/ubuntu/.certs/mycert.pem
ProxyPass /notebook/terminals/websocket/ wss://localhost:9999/notebook/terminals/websocket/
ProxyPassReverse /notebook/terminals/websocket/ wss://localhost:9999/notebook/terminals/websocket/
ProxyPass /notebook/api/kernels/ wss://127.0.0.1:9999/notebook/api/kernels/
ProxyPassReverse /notebook/api/kernels/ wss://127.0.0.1:9999/notebook/api/kernels/
ProxyPass /notebook https://127.0.0.1:9999/notebook
ProxyPassReverse /notebook https://127.0.0.1:9999/notebook
</VirtualHost>

On newer versions of IPython/Jupyter that have a terminal you also need to add entries for terminals.
<Location /ipython/terminals/websocket/>
ProxyPass ws://localhost:8888/ipython/terminals/websocket/
ProxyPassReverse ws://localhost:8888/ipython/terminals/websocket/
</Location>

I'm using apache version 2.4.18 in a server running Ubuntu 16.04.1 LTS(xenial)
and finally I have my jupyter notebook running through ssl.
I had already configured the standard SSL on my server, so https:// was working. I had also followed this instructions: Running a notebook server to get my cert file and my password in the jupyter_notebook_config.py configuration file. What I was missing was:
c.NotebookApp.allow_origin = '*'
c.NotebookApp.base_url = '/SomeName'
The apache configuration file that worked for me using solutions from several places and part of the answers here was:
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
<Location "/SomeName">
ProxyPass https://localhost:XXXX/SomeName
ProxyPassReverse https://localhost:XXXX/SomeName
</Location>
<Location "/SomeName/api/kernels">
ProxyPass wss://localhost:XXXX/SomeName/api/kernels
ProxyPassReverse wss://localhost:XXXX/SomeName/api/kernels
</Location>
<Location "/SomeName/terminals/websocket">
ProxyPass wss://localhost:XXXX/SomeName/terminals/websocket
ProxyPassReverse wss://localhost:XXXX/SomeName/terminals/websocket
</Location>
where XXXX is the port you are using, e.g. 8888, and SomeName could be any name you want.
I hope this can help.

ProxyPreserveHost seems to do little for me

I see many on the web referring to the use of ProxyPreserveHost On to make sure that a proxied backend receives the original caller's host name. I am using this to tighten my web application's security (Java, Tomcat) whereas it would also be nice if my logs would show where users are actually at. My Tomcat logs now show this – pretty useless:
127.0.0.1 - - [17/Mar/2013:06:32:13 +0100] "GET /webapp/frontend/app/partials/welcome.html HTTP/1.1" 200 54
This is my configuration that does clearly not work as expected:
"/etc/apache2/sites-enabled/000-default"
<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass /webapp http://localhost:8080/webapp
ProxyPassReverse /webapp http://localhost:8080/webapp
RewriteEngine On
RewriteRule ^/$ /webapp/frontend/app/ [proxy]
RewriteRule ^/webapp/$ /webapp/frontend/app/ [redirect]
RewriteRule ^/webapp/app/$ /webapp/frontend/app/ [redirect]
(from here on default stuff that was in the 000-default)
Enabled modules:
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod rewrite
This is Ubuntu 12.10 running Apache HTTPD 2.2.22.
Your help would be much appreciated.

I assume your concern is that your access log still contains 127.0.0.1 in the client field. This isn't affected by ProxyPreserveHost; this is the IP address of the network end point that connected to Apache. For proxied connections from another server, this is going to always be localhost.
Also, ProxyPreserveHost is about preserving the Host header sent by the client, not about preserving the original IP of the client. In other words, it's about information going the wrong direction for your purposes; it's preserving the name of your server as sent by the client, not the client's IP.
I think your question is the same as this question. I'd add the additional note that you can log the X-Forwarded-For header in your logs using %{X-Forwarded-For}i in your CustomLog configuration.