Posted to dev@httpd.apache.org by Jamie Johnson <je...@gmail.com> on 2013/04/02 01:33:28 UTC

SSL Proxy Tunnel to Tomcat SSL WebSocket

Instead of jumping on an old thread I decided to repost as a separate
question.

Should proxying requests from wss:// to an Apache Tomcat server using
wss:// work?  From the logs (included below) it appears that the ws proxy
tunnel is picking up and making the connection, but then it disconnects.
I've tried to add some logging to Tomcat, but I am not seeing the request
hit the Tomcat server. Should this work, or is there something else that
needs to be done config-wise (also included below)?

[Fri Mar 29 17:23:20.386068 2013] [ssl:info] [pid 29972:tid 47105066768704] [client 10.81.1.12:64038] AH01964: Connection to child 2 established (server hostname:443)
[Fri Mar 29 17:23:20.401204 2013] [ssl:debug] [pid 29972:tid 47105066768704] ssl_engine_kernel.c(1899): [client 10.81.1.12:64038] AH02041: Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)
[Fri Mar 29 17:23:20.418721 2013] [ssl:debug] [pid 29972:tid 47105066768704] ssl_engine_kernel.c(216): [client 10.81.1.12:64038] AH02034: Initial (No.1) HTTPS request received for child 2 (server hostname:443)
[Fri Mar 29 17:23:20.418762 2013] [authz_core:debug] [pid 29972:tid 47105066768704] mod_authz_core.c(799): [client 10.81.1.12:64038] AH01626: authorization result of Require all granted: granted
[Fri Mar 29 17:23:20.418773 2013] [authz_core:debug] [pid 29972:tid 47105066768704] mod_authz_core.c(799): [client 10.81.1.12:64038] AH01626: authorization result of <RequireAny>: granted
[Fri Mar 29 17:23:20.418821 2013] [proxy:debug] [pid 29972:tid 47105066768704] mod_proxy.c(1081): [client 10.81.1.12:64038] AH01143: Running scheme wss handler (attempt 0)
[Fri Mar 29 17:23:20.418833 2013] [proxy_http:debug] [pid 29972:tid 47105066768704] mod_proxy_http.c(1909): [client 10.81.1.12:64038] AH01113: HTTP: declining URL wss://hostname:8443/alert/event
[Fri Mar 29 17:23:20.418841 2013] [proxy_wstunnel:debug] [pid 29972:tid 47105066768704] mod_proxy_wstunnel.c(331): [client 10.81.1.12:64038] AH02451: serving URL wss://hostname:8443/alert/event
[Fri Mar 29 17:23:20.418850 2013] [proxy:debug] [pid 29972:tid 47105066768704] proxy_util.c(2011): AH00942: WSS: has acquired connection for (hostname)
[Fri Mar 29 17:23:20.418859 2013] [proxy:debug] [pid 29972:tid 47105066768704] proxy_util.c(2089): [client 10.81.1.12:64038] AH00944: connecting wss://hostname:8443/alert/event to hostname:8443
[Fri Mar 29 17:23:20.418869 2013] [proxy:debug] [pid 29972:tid 47105066768704] proxy_util.c(2218): [client 10.81.1.12:64038] AH00947: connected /alert/event to hostname:8443
[Fri Mar 29 17:23:20.418914 2013] [proxy:debug] [pid 29972:tid 47105066768704] proxy_util.c(2453): AH00951: WSS: backend socket is disconnected.


<VirtualHost _default_:443>

  ErrorLog "/usr/local/apache2/logs/error_log"
  TransferLog "/usr/local/apache2/logs/access_log"

  SSLEngine on
  SSLProxyEngine on

  ProxyPreserveHost on
  ProxyRequests off

  ProxyPass /event wss://hostname:8443/alert/event
  ProxyPassReverse /event wss://hostname:8443/alert/event
  ...
</VirtualHost>

Re: SSL Proxy Tunnel to Tomcat SSL WebSocket

Posted by Jamie Johnson <je...@gmail.com>.
Is there anything else I can provide to help debug this?  I am not sure
what to do from here...
On Apr 2, 2013 10:01 AM, "Jamie Johnson" <je...@gmail.com> wrote:

> Here is the readable text from the wireshark capture.  The request that
> works looks like this
>
> Apache running HTTPS talking to tomcat on port 8080 (non-ssl)
>
> E@@I
> Q
> QmiPGET /alert/event HTTP/1.1
> Host: ###.com
> Origin: https://###.com
> Pragma: no-cache
> Cache-Control: no-cache
> Sec-WebSocket-Key: vPVEY5WCf17Od94k+c/MpQ==
> Sec-WebSocket-Version: 13
> Sec-WebSocket-Extensions: x-webkit-deflate-frame
> X-Forwarded-For: 10.81.1.12
> X-Forwarded-Host: ###.com
> X-Forwarded-Server: ###.com
> Upgrade: WebSocket
> Connection: Upgrade
>
> us-cli > 27905 [ACK]
>
> E@@`
> Q
> Qmi+P 5HTTP/1.1 101 Switching Protocols
> Server: Apache-Coyote/1.1
> Upgrade: websocket
> Connection: upgrade
> Sec-WebSocket-Accept: aYYtgKFlU/vrt/MCQ9EQHlPQY5c=
> Date: Tue, 02 Apr 2013 13:45:07 GMT
>
>
> the request that fails looks like this
>
> Apache running HTTPS forwarding to tomcat on 8443 (SSL)
>
> Eh@@
>
> Q
> Q 1N,BgPGET /alert/event HTTP/1.1
> Host: ###.com
> Origin: https://###.com
> Pragma: no-cache
> Cache-Control: no-cache
> Sec-WebSocket-Key: OfRlq1skxYe1Z0EqD5u9Hg==
> Sec-WebSocket-Version: 13
> Sec-WebSocket-Extensions: x-webkit-deflate-frame
> X-Forwarded-For: 10.81.1.12
> X-Forwarded-Host: ###.com
> X-Forwarded-Server: ###.com
> Upgrade: WebSocket
> Connection: Upgrade
>
> pcsync-https > 44249 [ACK]
> pcsync-https > 44249 [PSH, ACK]
> 44249 > pcsync-https [ACK]
> pcsync-https > 44249 [FIN, ACK]
> 44249 > pcsync-https [ACK]
>
>
> It's obvious the upgrade is not happening but I don't know where to look
> for why.  Again any information is appreciated.
>
>
>
> On Mon, Apr 1, 2013 at 8:11 PM, Jamie Johnson <je...@gmail.com> wrote:
>
>> Changing from 8443 to 8080 everything works as expected so my assumption
>> is yes.  I will try to grab the packets to verify
>> On Apr 1, 2013 7:52 PM, "Eric Covener" <co...@gmail.com> wrote:
>>
>>> Are you sure the other end is speaking websockets?  A packet capture
>>> might confirm which side complained first / wrongly.
>>>
>>
>

Re: SSL Proxy Tunnel to Tomcat SSL WebSocket

Posted by Jamie Johnson <je...@gmail.com>.
Here is the readable text from the wireshark capture.  The request that
works looks like this

Apache running HTTPS talking to tomcat on port 8080 (non-ssl)

E@@I
Q
QmiPGET /alert/event HTTP/1.1
Host: ###.com
Origin: https://###.com
Pragma: no-cache
Cache-Control: no-cache
Sec-WebSocket-Key: vPVEY5WCf17Od94k+c/MpQ==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: x-webkit-deflate-frame
X-Forwarded-For: 10.81.1.12
X-Forwarded-Host: ###.com
X-Forwarded-Server: ###.com
Upgrade: WebSocket
Connection: Upgrade

us-cli > 27905 [ACK]

E@@`
Q
Qmi+P 5HTTP/1.1 101 Switching Protocols
Server: Apache-Coyote/1.1
Upgrade: websocket
Connection: upgrade
Sec-WebSocket-Accept: aYYtgKFlU/vrt/MCQ9EQHlPQY5c=
Date: Tue, 02 Apr 2013 13:45:07 GMT


the request that fails looks like this

Apache running HTTPS forwarding to tomcat on 8443 (SSL)

Eh@@

Q
Q 1N,BgPGET /alert/event HTTP/1.1
Host: ###.com
Origin: https://###.com
Pragma: no-cache
Cache-Control: no-cache
Sec-WebSocket-Key: OfRlq1skxYe1Z0EqD5u9Hg==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: x-webkit-deflate-frame
X-Forwarded-For: 10.81.1.12
X-Forwarded-Host: ###.com
X-Forwarded-Server: ###.com
Upgrade: WebSocket
Connection: Upgrade

pcsync-https > 44249 [ACK]
pcsync-https > 44249 [PSH, ACK]
44249 > pcsync-https [ACK]
pcsync-https > 44249 [FIN, ACK]
44249 > pcsync-https [ACK]


It's obvious the upgrade is not happening but I don't know where to look
for why.  Again any information is appreciated.



On Mon, Apr 1, 2013 at 8:11 PM, Jamie Johnson <je...@gmail.com> wrote:

> Changing from 8443 to 8080 everything works as expected so my assumption
> is yes.  I will try to grab the packets to verify
> On Apr 1, 2013 7:52 PM, "Eric Covener" <co...@gmail.com> wrote:
>
>> Are you sure the other end is speaking websockets?  A packet capture
>> might confirm which side complained first / wrongly.
>>
>

Re: SSL Proxy Tunnel to Tomcat SSL WebSocket

Posted by Jamie Johnson <je...@gmail.com>.
Changing from 8443 to 8080 everything works as expected so my assumption is
yes.  I will try to grab the packets to verify.
On Apr 1, 2013 7:52 PM, "Eric Covener" <co...@gmail.com> wrote:

> Are you sure the other end is speaking websockets?  A packet capture
> might confirm which side complained first / wrongly.
>

Re: SSL Proxy Tunnel to Tomcat SSL WebSocket

Posted by Eric Covener <co...@gmail.com>.
Are you sure the other end is speaking websockets?  A packet capture
might confirm which side complained first / wrongly.
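
Added example, not part of the thread or of httpd's own code: one way to act on the packet-capture suggestion is to classify the first payload bytes each side sends on the proxy-to-Tomcat leg as a TLS record or plaintext HTTP, and to check whether the reply completes the WebSocket upgrade. The function names and sample bytes are constructed for illustration; the key/accept pair is the RFC 6455 example, not the values in the capture.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455
TLS_TYPES = {0x16: "tls-handshake", 0x15: "tls-alert"}  # TLS record content types

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first TCP payload one side sends on the proxy-to-backend leg."""
    # A TLS record starts with a content type byte followed by major version 3.
    if len(payload) >= 2 and payload[1] == 0x03 and payload[0] in TLS_TYPES:
        return TLS_TYPES[payload[0]]
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.startswith(b"HTTP/1.") or first_line.endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return "plaintext-http"
    return "unknown"

def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept value the server must return for a Sec-WebSocket-Key."""
    digest = hashlib.sha1((key.strip() + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_head(message: bytes):
    """Return the first line and a dict of lower-cased header names to values."""
    lines = message.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    pairs = (line.partition(":") for line in lines[1:])
    return lines[0], {name.strip().lower(): value.strip() for name, _, value in pairs}

def check_upgrade(request: bytes, response: bytes) -> list:
    """Return the reasons the upgrade did not complete; an empty list means it did."""
    _, req = parse_head(request)
    status, resp = parse_head(response)
    problems = []
    if status.split()[1:2] != ["101"]:
        problems.append("status is not 101: " + status)
    if resp.get("upgrade", "").lower() != "websocket":
        problems.append("no Upgrade: websocket header")
    if "upgrade" not in resp.get("connection", "").lower():
        problems.append("no Connection: upgrade header")
    if resp.get("sec-websocket-accept") != expected_accept(req.get("sec-websocket-key", "")):
        problems.append("Sec-WebSocket-Accept does not match the request key")
    return problems

# Constructed samples; the host name is a placeholder.
SAMPLE_REQUEST = (b"GET /alert/event HTTP/1.1\r\nHost: backend.example\r\n"
                  b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n"
                  b"Upgrade: WebSocket\r\nConnection: Upgrade\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                   b"Connection: upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100c8010000c40301")  # start of a TLS ClientHello
```

Feed `classify_first_bytes` the first payload of each direction from the capture; a connection that closes without sending an HTTP response is reported by `check_upgrade` when it is given an empty response.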