SSL Proxy Tunnel to Tomcat SSL WebSocket


 



I had originally sent this to the dev list, but it seems to have stalled there; perhaps it is more appropriate on this list.

Should proxying requests from wss:// to an Apache Tomcat server using wss:// work?  From the logs (included below) it appears that the ws proxy tunnel is picking up and making the connection, but then it disconnects.  I've tried to add some logging to Tomcat, but I am not seeing the request hit the Tomcat server. Should this work, or is there something else that needs to be done config-wise (also included below)?

[Fri Mar 29 17:23:20.386068 2013] [ssl:info] [pid 29972:tid 47105066768704] [client 10.81.1.12:64038] AH01964: Connection to child 2 established (server hostname:443)
[Fri Mar 29 17:23:20.401204 2013] [ssl:debug] [pid 29972:tid 47105066768704] ssl_engine_kernel.c(1899): [client 10.81.1.12:64038] AH02041: Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)
[Fri Mar 29 17:23:20.418721 2013] [ssl:debug] [pid 29972:tid 47105066768704] ssl_engine_kernel.c(216): [client 10.81.1.12:64038] AH02034: Initial (No.1) HTTPS request received for child 2 (server hostname:443)
[Fri Mar 29 17:23:20.418762 2013] [authz_core:debug] [pid 29972:tid 47105066768704] mod_authz_core.c(799): [client 10.81.1.12:64038] AH01626: authorization result of Require all granted: granted
[Fri Mar 29 17:23:20.418773 2013] [authz_core:debug] [pid 29972:tid 47105066768704] mod_authz_core.c(799): [client 10.81.1.12:64038] AH01626: authorization result of <RequireAny>: granted
[Fri Mar 29 17:23:20.418821 2013] [proxy:debug] [pid 29972:tid 47105066768704] mod_proxy.c(1081): [client 10.81.1.12:64038] AH01143: Running scheme wss handler (attempt 0)
[Fri Mar 29 17:23:20.418833 2013] [proxy_http:debug] [pid 29972:tid 47105066768704] mod_proxy_http.c(1909): [client 10.81.1.12:64038] AH01113: HTTP: declining URL wss://hostname:8443/alert/event
[Fri Mar 29 17:23:20.418841 2013] [proxy_wstunnel:debug] [pid 29972:tid 47105066768704] mod_proxy_wstunnel.c(331): [client 10.81.1.12:64038] AH02451: serving URL wss://hostname:8443/alert/event
[Fri Mar 29 17:23:20.418850 2013] [proxy:debug] [pid 29972:tid 47105066768704] proxy_util.c(2011): AH00942: WSS: has acquired connection for (hostname)
[Fri Mar 29 17:23:20.418859 2013] [proxy:debug] [pid 29972:tid 47105066768704] proxy_util.c(2089): [client 10.81.1.12:64038] AH00944: connecting wss://hostname:8443/alert/event to hostname:8443
[Fri Mar 29 17:23:20.418869 2013] [proxy:debug] [pid 29972:tid 47105066768704] proxy_util.c(2218): [client 10.81.1.12:64038] AH00947: connected /alert/event to hostname:8443
[Fri Mar 29 17:23:20.418914 2013] [proxy:debug] [pid 29972:tid 47105066768704] proxy_util.c(2453): AH00951: WSS: backend socket is disconnected.


<VirtualHost _default_:443>

  ErrorLog "/usr/local/apache2/logs/error_log"
  TransferLog "/usr/local/apache2/logs/access_log"

  SSLEngine on
  SSLProxyEngine on

  ProxyPreserveHost on
  ProxyRequests off

  ProxyPass /event wss://hostname:8443/alert/event
  ProxyPassReverse /event wss://hostname:8443/alert/event
  ...
</VirtualHost>

If I don't use SSL on the Tomcat instance, things work properly.

Here is the readable text from the Wireshark capture.  The request that works looks like this:

Apache running HTTPS talking to tomcat on port 8080 (non-ssl)

E@@I
Q
QmiPGET /alert/event HTTP/1.1
Host: ###.com
Origin: https://###.com
Pragma: no-cache
Cache-Control: no-cache
Sec-WebSocket-Key: vPVEY5WCf17Od94k+c/MpQ==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: x-webkit-deflate-frame
X-Forwarded-For: 10.81.1.12
X-Forwarded-Host: ###.com
X-Forwarded-Server: ###.com
Upgrade: WebSocket
Connection: Upgrade

us-cli > 27905 [ACK]

E@@`
Q
Qmi+P 5HTTP/1.1 101 Switching Protocols
Server: Apache-Coyote/1.1
Upgrade: websocket
Connection: upgrade
Sec-WebSocket-Accept: aYYtgKFlU/vrt/MCQ9EQHlPQY5c=
Date: Tue, 02 Apr 2013 13:45:07 GMT


The request that fails looks like this:

Apache running HTTPS forwarding to tomcat on 8443 (SSL)

Eh@@

Q
Q 1N,BgPGET /alert/event HTTP/1.1
Host: ###.com
Origin: https://###.com
Pragma: no-cache
Cache-Control: no-cache
Sec-WebSocket-Key: OfRlq1skxYe1Z0EqD5u9Hg==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: x-webkit-deflate-frame
X-Forwarded-For: 10.81.1.12
X-Forwarded-Host: ###.com
X-Forwarded-Server: ###.com
Upgrade: WebSocket
Connection: Upgrade

pcsync-https > 44249 [ACK]
pcsync-https > 44249 [PSH, ACK]
44249 > pcsync-https [ACK]
pcsync-https > 44249 [FIN, ACK]
44249 > pcsync-https [ACK]


It's obvious the upgrade is not happening, but I don't know where to look for why.  Again, any information is appreciated.
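
An added example, not part of the original post: the failing capture above shows the request as readable text on the connection to port 8443, whereas a TLS-wrapped leg would begin with a handshake record. This Python code classifies the first bytes of a captured backend leg and, for a cleartext leg, checks that the upgrade completed with the Sec-WebSocket-Accept value defined in RFC 6455; the function names and the sample messages (built from the RFC's sample key) are constructed for illustration.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

# Constructed sample messages (key/accept pair is the RFC 6455 sample).
REQ = (b"GET /alert/event HTTP/1.1\r\nHost: backend.example\r\n"
       b"Upgrade: WebSocket\r\nConnection: Upgrade\r\n"
       b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
       b"Sec-WebSocket-Version: 13\r\n\r\n")
RESP = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
        b"Connection: upgrade\r\n"
        b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")


def first_bytes_kind(payload: bytes) -> str:
    """Classify the first bytes the proxy sent on the backend connection."""
    # A TLS handshake record starts with type 0x16 and major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload[:4] in (b"GET ", b"HTTP"):
        return "plaintext-http"
    return "unknown"


def headers(message: bytes) -> dict:
    """Map lower-cased header names to values for one HTTP message."""
    head = message.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = (line.partition(":") for line in head.split("\r\n")[1:])
    return {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def diagnose(backend_is_tls_port: bool, request: bytes, response: bytes) -> str:
    kind = first_bytes_kind(request)
    if kind == "tls":
        return "backend leg is encrypted; inspect it at an endpoint"
    if backend_is_tls_port and kind == "plaintext-http":
        return "cleartext request sent to a TLS port"
    if not response.startswith(b"HTTP/1.1 101"):
        return "no upgrade: backend did not answer 101"
    key = headers(request).get("sec-websocket-key", "")
    if headers(response).get("sec-websocket-accept") != expected_accept(key):
        return "upgrade rejected: Sec-WebSocket-Accept mismatch"
    return "upgrade completed"
```

Feed `diagnose` the first client and server payloads of the proxy-to-backend TCP stream, with `backend_is_tls_port` set according to how the backend connector is configured.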


