Posted to users@httpd.apache.org by Jamie Johnson <je...@gmail.com> on 2013/04/11 04:52:16 UTC

[users@httpd] SSL Proxy Tunnel to Tomcat SSL WebSocket

I had originally sent this to the dev list, but it seems to have stalled
there; perhaps it is more appropriate on this list.

Should proxying requests from wss:// to an Apache Tomcat server using
wss:// work? From the logs (included below) it appears that the ws proxy
tunnel is picking up and making the connection, but then it disconnects.
I've tried to add some logging to Tomcat, but I am not seeing the request
hit the Tomcat server. Should this work, or is there something else that
needs to be done config-wise (also included below)?

[Fri Mar 29 17:23:20.386068 2013] [ssl:info] [pid 29972:tid 47105066768704]
[client 10.81.1.12:64038] AH01964: Connection to child 2 established
(server hostname:443)
[Fri Mar 29 17:23:20.401204 2013] [ssl:debug] [pid 29972:tid
47105066768704] ssl_engine_kernel.c(1899): [client 10.81.1.12:64038]
AH02041: Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)
[Fri Mar 29 17:23:20.418721 2013] [ssl:debug] [pid 29972:tid
47105066768704] ssl_engine_kernel.c(216): [client 10.81.1.12:64038]
AH02034: Initial (No.1) HTTPS request received for child 2 (server
hostname:443)
[Fri Mar 29 17:23:20.418762 2013] [authz_core:debug] [pid 29972:tid
47105066768704] mod_authz_core.c(799): [client 10.81.1.12:64038] AH01626:
authorization result of Require all granted: granted
[Fri Mar 29 17:23:20.418773 2013] [authz_core:debug] [pid 29972:tid
47105066768704] mod_authz_core.c(799): [client 10.81.1.12:64038] AH01626:
authorization result of <RequireAny>: granted
[Fri Mar 29 17:23:20.418821 2013] [proxy:debug] [pid 29972:tid
47105066768704] mod_proxy.c(1081): [client 10.81.1.12:64038] AH01143:
Running scheme wss handler (attempt 0)
[Fri Mar 29 17:23:20.418833 2013] [proxy_http:debug] [pid 29972:tid
47105066768704] mod_proxy_http.c(1909): [client 10.81.1.12:64038] AH01113:
HTTP: declining URL wss://hostname:8443/alert/event
[Fri Mar 29 17:23:20.418841 2013] [proxy_wstunnel:debug] [pid 29972:tid
47105066768704] mod_proxy_wstunnel.c(331): [client 10.81.1.12:64038]
AH02451: serving URL wss://hostname:8443/alert/event
[Fri Mar 29 17:23:20.418850 2013] [proxy:debug] [pid 29972:tid
47105066768704] proxy_util.c(2011): AH00942: WSS: has acquired connection
for (hostname)
[Fri Mar 29 17:23:20.418859 2013] [proxy:debug] [pid 29972:tid
47105066768704] proxy_util.c(2089): [client 10.81.1.12:64038] AH00944:
connecting wss://hostname:8443/alert/event to hostname:8443
[Fri Mar 29 17:23:20.418869 2013] [proxy:debug] [pid 29972:tid
47105066768704] proxy_util.c(2218): [client 10.81.1.12:64038] AH00947:
connected /alert/event to hostname:8443
[Fri Mar 29 17:23:20.418914 2013] [proxy:debug] [pid 29972:tid
47105066768704] proxy_util.c(2453): AH00951: WSS: backend socket is
disconnected.


<VirtualHost _default_:443>

  ErrorLog "/usr/local/apache2/logs/error_log"
  TransferLog "/usr/local/apache2/logs/access_log"

  SSLEngine on
  SSLProxyEngine on

  ProxyPreserveHost on
  ProxyRequests off

  ProxyPass /event wss://hostname:8443/alert/event
  ProxyPassReverse /event wss://hostname:8443/alert/event
  ...
</VirtualHost>

If I don't use SSL on the Tomcat instance, things work properly.

Here is the readable text from the Wireshark capture. The request that
works looks like this:

Apache running HTTPS talking to tomcat on port 8080 (non-ssl)

GET /alert/event HTTP/1.1
Host: ###.com
Origin: https://###.com
Pragma: no-cache
Cache-Control: no-cache
Sec-WebSocket-Key: vPVEY5WCf17Od94k+c/MpQ==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: x-webkit-deflate-frame
X-Forwarded-For: 10.81.1.12
X-Forwarded-Host: ###.com
X-Forwarded-Server: ###.com
Upgrade: WebSocket
Connection: Upgrade

us-cli > 27905 [ACK]

HTTP/1.1 101 Switching Protocols
Server: Apache-Coyote/1.1
Upgrade: websocket
Connection: upgrade
Sec-WebSocket-Accept: aYYtgKFlU/vrt/MCQ9EQHlPQY5c=
Date: Tue, 02 Apr 2013 13:45:07 GMT


The request that fails looks like this:

Apache running HTTPS forwarding to tomcat on 8443 (SSL)

GET /alert/event HTTP/1.1
Host: ###.com
Origin: https://###.com
Pragma: no-cache
Cache-Control: no-cache
Sec-WebSocket-Key: OfRlq1skxYe1Z0EqD5u9Hg==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: x-webkit-deflate-frame
X-Forwarded-For: 10.81.1.12
X-Forwarded-Host: ###.com
X-Forwarded-Server: ###.com
Upgrade: WebSocket
Connection: Upgrade

pcsync-https > 44249 [ACK]
pcsync-https > 44249 [PSH, ACK]
44249 > pcsync-https [ACK]
pcsync-https > 44249 [FIN, ACK]
44249 > pcsync-https [ACK]


It's obvious the upgrade is not happening, but I don't know where to look
for why. Again, any information is appreciated.
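
An added example, not part of the original post: a Python check for the first payload bytes and headers of a captured proxy-to-backend connection like the two above. It flags readable HTTP on a leg that was expected to be TLS and validates a 101 response against RFC 6455; the function names are hypothetical, and the sample request is constructed from headers quoted in the failing capture.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

def expected_accept(key):
    """Sec-WebSocket-Accept value a server must return for a given key."""
    digest = hashlib.sha1((key.strip() + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def classify_leg(first_bytes):
    """Classify the first payload bytes the proxy sent to the backend."""
    # A TLS record starts with content type 0x16 (handshake), major version 0x03.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"OPTIONS"):
        return "cleartext-http"
    return "unknown"

def parse_head(raw):
    """Split an HTTP message head into start line and lower-cased headers."""
    lines = [line for line in raw.strip().splitlines() if line.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers

def check_upgrade(request, response, backend_tls):
    """Return findings for one captured proxy-to-backend upgrade attempt."""
    findings = []
    if backend_tls and classify_leg(request.encode("ascii")) == "cleartext-http":
        findings.append("cleartext HTTP sent to a TLS backend port")
    if not response.strip():
        return findings + ["no response before the connection closed"]
    _, req = parse_head(request)
    status, resp = parse_head(response)
    if status.split()[1:2] != ["101"]:
        findings.append("backend did not answer 101: " + status)
    if resp.get("upgrade", "").lower() != "websocket":
        findings.append("missing Upgrade: websocket in response")
    if resp.get("sec-websocket-accept") != expected_accept(req.get("sec-websocket-key", "")):
        findings.append("Sec-WebSocket-Accept does not match the request key")
    return findings

# Constructed sample: a subset of the headers from the failing capture (port 8443).
FAILED_REQUEST = ("GET /alert/event HTTP/1.1\r\nSec-WebSocket-Key: OfRlq1skxYe1Z0EqD5u9Hg==\r\n"
                  "Upgrade: WebSocket\r\nConnection: Upgrade\r\n\r\n")
print(check_upgrade(FAILED_REQUEST, "", backend_tls=True))
```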