You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/10/13 13:08:46 UTC

[Bug 64810] New: Unable to proxy requests to a secured websockets (wss) in 2.4.41

https://bz.apache.org/bugzilla/show_bug.cgi?id=64810

            Bug ID: 64810
           Summary: Unable to proxy requests to a secured websockets (wss)
                    in 2.4.41
           Product: Apache httpd-2
           Version: 2.4.41
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_proxy_wstunnel
          Assignee: bugs@httpd.apache.org
          Reporter: onengballon@gmail.com
  Target Milestone: ---

I have the following setup for a vnc service:
- vnc client : noVNC (0.6.1)
- vnc server : libvncserver (0.9.12)

When the noVNC client is launched, it will be re-directed and be served over
secured layer, 'https://host/novnc.html?path=vnc'. Then this connection will be
proxy'd to 'wss://localhost:5901':  ProxyPass /vnc wss://localhost:5901/
Then the expected upgraded to a websocket connection will happen.

In 2.4.41, the vnc server acknowledges a TLS/SSL Websockets Connection but then
it will eventually report an 'invalid client header'. Also used noVNC 1.1.0
client and this issue is still encountered.
This was working since 2.4.29, up until 2.4.39. Also tested using the recent
release - 2.4.46, and this wss connection still happens.

Best regards.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 64810] Unable to proxy requests to a secured websockets (wss) in 2.4.41

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=64810

Yann Ylavic <yl...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WORKSFORME

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 64810] Unable to proxy requests to a secured websockets (wss) in 2.4.41

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=64810

--- Comment #5 from Orlando Ballon <on...@gmail.com> ---

I continued investigating on the other case wherein my site is launched over
https and then the vnc connection over wss was not a success. I made some minor
tweak related to the re-direct of the noVNC url to https path, and it fixed the
issue.

In summary, the additional directive - "SSLProxyCheckPeerName off" in my apache
config file resolved the vnc connection to be successfully served over wss.

Thanks for the help.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 64810] Unable to proxy requests to a secured websockets (wss) in 2.4.41

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=64810

--- Comment #4 from Orlando Ballon <on...@gmail.com> ---

Thank you for the information.

I set the "SSLProxyCheckPeerName off" in the httpd.conf and it does resolve the
issue.

Below is the workflow of my vnc service setup:
1. Launch my site over http, and starts the vnc server (libvncserver).
2. click a button to launch noVNC client.
3. The url will be re-directed and be served over https,
'https://host/novnc.html?path=vnc'.
4. This will be proxy'd to 'wss://localhost:5901' per httpd.conf :
    ProxyPass /vnc wss://localhost:5901/
5. A prompt to accept a security exception to the site will show, and accepting
the exception, the 'wss' connection will be a success.

However, when I launched my site over https, the vnc connection over wss will
fail.
So, in step #1, the site is launched over https, and a prompt to accept a
security exception to the site will show. After accepting the exception, step
#5 will not prompt anymore but the vnc connection will fail. Have no details
yet on this case but when I use the reverted option, this case where the site
is launched over https, will still have a successful vnc connection over wss.


That's all for now. Thanks.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 64810] Unable to proxy requests to a secured websockets (wss) in 2.4.41

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=64810

--- Comment #3 from Yann Ylavic <yl...@gmail.com> ---
Does setting "SSLProxyCheckPeerName off" help?
This was always the case before the change in 2.4.41, now it's "on" by default
like for other proxy modules.

The goal of this change was only to allow for peer certificate CN verification
in all proxy modules, I overlooked that existing wss configurations with a
non-matching certifcate would now fail because of the check by default..

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 64810] Unable to proxy requests to a secured websockets (wss) in 2.4.41

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=64810

--- Comment #2 from Orlando Ballon <on...@gmail.com> ---
I continued the investigation on this issue, and was able to determine the
change that affected the 'wss' proxy to fail in my vnc connection setup.
With the introduction of the change below, the previously working 'wss' proxy
encountered a failure:
---
commit 7d272e2628b4ae05f68cdc74b070707250896a34
Author: Yann Ylavic <yl...@apache.org>
Date:   Fri May 24 07:54:42 2019 +0000

    Merge r1818726 from trunk:

    mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.

    PR 61857.
---

When this change was manually reverted in my local apache 2.4.41 setup, the
'wss' proxy is a success, and the vnc connection over 'wss' will work.


That's all for now. Thanks.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 64810] Unable to proxy requests to a secured websockets (wss) in 2.4.41

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=64810

--- Comment #1 from Orlando Ballon <on...@gmail.com> ---
Btw, serving the vnc connection over regular websockets (ws) works as expected.

Thanks.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org