I have WebSockets enabled using an Undertow server. When I run the Undertow server directly, WebSockets work well. I serve my pages using HTTPS and I test the endpoint using "wss:" in javascript: it works.
But now, I try to use Apache as a reverse proxy and I want it to let WebSocket connections reach the Undertow server. This is my current Virtual Host:
<VirtualHost *:80 *:443>
ServerName test.example.org
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.org/chain.pem
ProxyPass / http://test.example.org:44444/
ProxyPassReverse / http://test.example.org:44444/
</VirtualHost>
Here, Undertow is started as a HTTP server (not HTTPS) on port 44444 and the SSL security is done by Apache.
All the HTML pages work well, but when I try to start a WebSocket connection, I get this error (Chrome) :
WebSocket connection to 'wss://test.example.org/websockets/echo' failed: Error during WebSocket handshake: 'Upgrade' header is missing
And, when I look at the Network tab, I see that indeed two headers are missing in the response from the server, when the "wss://" call is made: "Connection: Upgrade" and "Upgrade: WebSocket". Those headers are present when I connect to Undertow directly, without Apache.
The "Sec-WebSocket-Accept" and "Sec-WebSocket-Location" headers are there but, and I guess this is a second issue, "Sec-WebSocket-Location" is 'ws://test.example.org/websockets/echo' not 'wss://test.example.org/websockets/echo' since Undertow runs on HTTP, not HTTPS.
Last thing, the mod_proxy_wstunnel documentation says "The connection is automatically upgraded to a websocket connection". What does this mean? Apache is upgrading the HTTP connection to a WebSocket connection by itself? This is not what I want! I want to handle the initial HTTP request and the upgrading processes by myself, using Undertow. I use informations from the initial HTTP connection to validate if the user can be connected to the requested endpoint and, if so, I programmatically call Undertow's WebSocketProtocolHandshakeHandler#handleRequest(exchange) to upgrade to a WebSocket connection. I just want Apache to let everything pass without interfering.
Any help on how to run WebSockets using Undertow behind an Apache reverse-proxy?
I got tired and decided to try Nginx.
Within 3 hours, not only did I get WebSockets working, but all my sites on a server were moved to it. Super easy.
The magical lines for WebSockets, in nginx.conf, are:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
I understand that "Upgrade" is a special "hop-by-hop" header which has to be explicitly configured to be kept.
I hope there is a similar solution for Apache, but man, there is so few documentation about this!
Related
i have configued my Apache to act as a Reverse Proxy.
Now i wanted to enabled http2 to speed it up.
Apache has the module enabled and Nginx also.
When i enter
Protocols h2 h2c http/1.1
ProtocolsHonorOrder Off
ProxyPass / h2://192.168.2.100/
ProxyPassReverse / https://192.168.2.100/
into the apache site configuration, Nginx throws a 400 Bad Request Error.
Using this code instead works:
Protocols h2 h2c http/1.1
ProtocolsHonorOrder Off
ProxyPass / https://192.168.2.100/
ProxyPassReverse / https://192.168.2.100/
Nginx Config:
listen 443 ssl http2;
How do i need to configure this section to work properly?#
I realize that this post is over a year old, but I ran into a similar issue after upgrading nginx to 1.20.1. Turns out that nginx was receiving multiple Host headers from Apache when HTTP2 was used. Adding RequestHeader unset Host resolved the issue.
This is more a comment than an answer but it looks like you're new so maybe I can help (at the risk of being totally wrong).
I'm working on configuring Nginx as a reverse proxy for Apache to run a Django application (By the way, I have never heard of anyone using Apache as a reverse proxy for Nginx).
But there's some discussion in the Nginx documentation that makes me think it might not even be possible:
Reading through the Nginx docs on proxy_pass they mention how using websockets for proxying requires a special configuration
In that document it talks about how websockets requires HTTP1.1 (and an Upgrade and Connection HTTP header) so you can either basically fabricate them proxy_set_header between your server and proxy or you can pass them along if the client request includes them.
Presumably in this case, if the client didn't send the Upgrade header, you'd proxy_pass the connection to a server using TCP, rather than websockets.
Well, HTTP2 is (I assume) another Upgrade and one likely to have even less user agent support. So at the least, you'd risk compatibility problems.
Again, I have never configured Apache as a (reverse) proxy but my guess from your configuration is that Apache would handle the encryption to the client, then probably have to re-encrypt for the connection to Nginx.
That's a lot of overhead just on encryption, and probable browser compatibility issues...and probably not a great set up.
Again, I'm not sure if it's possible, I came here looking for a similar answer but you might want to reconsider.
The websocket library I rely on (PHP-Websockets) does not yet support secure sockets (wss). My website is served over https though, so I cannot use insecure ws connections.
I'm trying to use Apache's mod_proxy to forward the secure request that comes from the browser on to the client.
Javascript
var ws = new WebSocket('wss://example.com/_ws_/');
Apache VirtualHost
ProxyPass "/_ws_/" "ws://127.0.0.1:8080/"
ProxyPassReverse "/_ws_/" "ws://127.0.0.1:8080/"
# I've also tried "/_ws_/" "ws://example.com:8080/" Same error below
Upon trying to connect, the browser receives a 500 Server Error. The logs show:
No protocol handler was valid for the URL /_ws_/. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
I've confirmed that if I remove the proxy rules, stop redirecting users to https and try to connect to insecure sockets from the browser: new WebSocket('ws://example.com/'), things work just fine.
My loaded Apache modules include mod_ssl.c, mod_proxy.c and mod_proxy_http.c
Apache 2.4
To reverse proxy WebSockets, you also need to load the mod_proxy_wstunnel module.
I have a java application which is trying to call a HTTPS endpoint which is setup in my internal network. Also this request go through a corporate proxy.
Having said that, I don't want to implement a HTTPS client at my application level. Instead I will just trigger a plain http request, then further my proxy will take the http request and delegate it to the HTTPS endpoint. So that the proxy will take care of handling the SSL certificates & keys.
Is this something possible with Apache Httpd or Squid ?
Basically I dont want my application to worry about the SSL cerificates etc. Instead this can be managed at the proxy level ?
this should be easy with apache. in your virtual host add
ProxyPass /myapp https://somehost.com/myapp
ProxyPassReverse /myapp https://somehost.com/myapp
then you can use yourinternalhost.company.com/myapp/
then watch your error log about SSLProxyCheck* messages (depends on the ssl certificate)
see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeercn
mod_proxy:
httpd.apache.org/docs/2.4/mod/mod_proxy.html (see proxyremote for using another (corporate) proxy
I'm trying to figure out how to get noVNC to work through a reverse proxy, and while it works if I connect directly to it, it doesn't seem to work if I try to reverse proxy.
namely:
I run it as ./utils/launch.sh --vnc localhost:5901
if I connect to it as https://<machine>:6080/vnc.html?host=<machine>&port=6080
it works fine and I can connect to the vnc session
However, I want to be able to connect to it via a reverse proxy over port 443.
In Apache 2.4.10 (-8 in Debian Jessie), I've configured my proxy line to be
ProxyPass /home http://127.0.0.1:6080/
ProxyPassReverse /home http://127.0.0.1:6080/
ProxyPass /websockify wss://127.0.0.1:6080/websockify retry=3
ProxyPassReverse /websockify wss://127.0.0.1:6080/websockify retry=3
and I connect to it as https://<machine>/vnc.html?host=<machine>&port=6080
This still works, as while the fetch of the html/javascript is going through the reverse proxy, I'm still telling the websocket connection to go over 6080 and it works.
However, when I change it to https://<machine>/vnc.html?host=<machine>&port=443
I get the html/javascript just fine, but when it goes to make the connection, in firefox (and chrome and IE, but this error is from firefox in specific) I quickly get
Firefox can't establish a connection to the server at wss://<machine>/websockify.
and in noVNC I see the error message
127.0.0.1: ignoring socket not ready
Turns out, if one wants to proxy websockets through an https proxy, one should make the proxy part normal websockets (ws://) not secure web sockets (wss://) which makes sense as the https proxy would have handled the ssl portion already and there is nothing to do.
ProxyPass /websockify ws://127.0.0.1:6080/websockify retry=3
ProxyPassReverse /websockify ws://127.0.0.1:6080/websockify retry=3
make that change and everything works.
I have a uwsgi server running for unix domain socket
[uwsgi]
...
socket = /var/run/someuwsgi.sock
socket = localhost:9987
...
The mod_proxy_uwsgi is installed
In apache config has that line:
ProxyPass /some uwsgi://localhost:9987
And it is working.
Question: what should be the apache config line to go through unix domain socket
/var/run/someuwsgi.sock
?
I tried
ProxyPass /some uwsgi:///var/run/someuwsgi.sock
and got
Bad Request
Your browser sent a request that this server could not understand.
Also tried
ProxyPass /some uwsgi://unix:///var/run/someuwsgi.sock
and got
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /some/.
Reason: DNS lookup failure for: unix:
Thanks!
Starting from Apache 2.4.7, support for Unix sockets has been added. The syntax is pretty simple:
ProxyPass / unix:/tmp/uwsgi.sock|uwsgi://
Unfortunately the apache proxy api does not (currently) support unix sockets
From the comments on the other answer and my experience this seems to be the correct syntax:
ProxyPass /some unix:/var/run/someuwsgi.sock|uwsgi://localhost
https://httpd.apache.org/docs/trunk/en/mod/mod_proxy.html#proxypass
In 2.4.7 and later, support for using a Unix Domain Socket is available by using a target which prepends unix:/path/lis.sock|. For example, to proxy HTTP and target the UDS at /home/www.socket, you would use unix:/home/www.socket|http://localhost/whatever/. Since the socket is local, the hostname used (in this case localhost) is moot, but it is passed as the Host: header value of the request.