Re: [users@httpd] Proxy both HTTP, and WebSocket traffic to UNIX socket

Specifying ws instead of http in the RewriteRule should be good.

> If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

Did you explicitly load the mod_proxy_wstunnel module as is mentioned in the error message? The error message hints that Apache doesn't know how to handle a ws:// proxy connection.

If it still doesn't work after adding a LoadModule, maybe try wss://? I'm no expert on Gitlab installations, but on a quick search I didn't find any resources mentioning plain websockets, only secure websockets.


On 22 December 2022 14:54:01 CET, Jan Kohnert <nospam001-lists@xxxxxxxxxxxxxx> wrote:
Hello everyone,

I've set up a GitLab instance running behind an Apache HTTP-Server acting as a
proxy. GitLab officially only supports NGINX as a proxy, but since my Apache
also serves different VirtualHosts, I'd rather keep the setup I have instead
of setting up another WebServer.

According to [1] and [2], I have configured my virtual host's proxy as
follows:

ProxyAddHeaders On
RequestHeader add X-Forwarded-Ssl on
RequestHeader set X-Forwarded-Proto "https"

ProxyPass unix:///opt/gitlab/gitlab/tmp/sockets/gitlab-workhorse.socket|http://127.0.0.1/
ProxyPassReverse unix:///opt/gitlab/gitlab/tmp/sockets/gitlab-workhorse.socket|http://127.0.0.1/

So far, this is just working fine. GitLab also uses Web-Sockets, that need to
be forwarded, too. Right now, using this configuration, GitLab's logs show the
following, when trying to make a Web-Socket:

Started GET "/-/cable" for $REMOTE_IP at 2022-12-22 14:35:51 +0100
Started GET "/-/cable/"[non-WebSocket] for $REMOTE_IP at 2022-12-22 14:35:51 +0100
Failed to upgrade to WebSocket (REQUEST_METHOD: GET, HTTP_CONNECTION: , HTTP_UPGRADE: )
Finished "/-/cable/"[non-WebSocket] for $REMOTE_IP at 2022-12-22 14:35:51 +0100

So; following [3], I added:

RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "unix:/opt/gitlab/gitlab/tmp/sockets/gitlab-workhorse.socket|http://127.0.0.1/$1" [P,NE]

Missing the NE-Flag, as well as replacing http with ws results in a bad config
message in Apache's error logs:
[Thu Dec 22 14:34:51.093012 2022] [proxy:warn] [pid 781:tid 140179385861824] [client $REMOTE_IP:57328] AH01144: No protocol handler was valid for the URL /-/cable (scheme 'unix'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

Using the config as written shows the following in GitLab's logs:

Started GET "/proxy:http://127.0.0.1/-/cable/" for $REMOTE_IP at 2022-12-22 14:46:19 +0100
Processing by ApplicationController#route_not_found as HTML
Parameters: {"unmatched_route"=>"proxy:http:/127.0.0.1/-/cable"}
Rendered layout layouts/errors.html.haml (Duration: 2.2ms | Allocations: 600)
Completed 404 Not Found in 30ms (Views: 2.8ms | ActiveRecord: 3.5ms | Elasticsearch: 0.0ms | Allocations: 7303)

So I assume the config is still wrong, but I could not yet find a working
solution. Does anybody know what I'm missing?

Thanks!

[1] https://docs.gitlab.com/omnibus/settings/nginx.html
[2] https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
[3] https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
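
Added example, not part of the original thread: a small Python triage script that tells apart the three symptoms quoted above (upgrade headers missing at the backend, Apache's AH01144 warning, and a "proxy:" prefix in the path GitLab received). The sample log is constructed from the lines in the thread, and the finding names and the function name `triage` are assumptions made for this example.

```python
import re

# Constructed sample, modelled on the GitLab and Apache log lines quoted in the
# thread; 203.0.113.7 is a documentation address and the last line is invented.
SAMPLE_LOG = """\
Started GET "/-/cable" for 203.0.113.7 at 2022-12-22 14:35:51 +0100
Failed to upgrade to WebSocket (REQUEST_METHOD: GET, HTTP_CONNECTION: , HTTP_UPGRADE: )
[Thu Dec 22 14:34:51.093012 2022] [proxy:warn] [pid 781:tid 1] [client 203.0.113.7:57328] AH01144: No protocol handler was valid for the URL /-/cable (scheme 'unix'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
Started GET "/proxy:http://127.0.0.1/-/cable/" for 203.0.113.7 at 2022-12-22 14:46:19 +0100
Failed to upgrade to WebSocket (REQUEST_METHOD: GET, HTTP_CONNECTION: keep-alive, Upgrade, HTTP_UPGRADE: websocket)
"""

# Backend line: the values are the handshake headers the backend actually saw.
UPGRADE_FAIL = re.compile(
    r"Failed to upgrade to WebSocket \(REQUEST_METHOD: (?P<method>\w*), "
    r"HTTP_CONNECTION: (?P<conn>.*), HTTP_UPGRADE: (?P<upg>[^)]*)\)")
# Apache mod_proxy warning: no loaded submodule accepted the target scheme.
NO_HANDLER = re.compile(
    r"AH01144: No protocol handler was valid for the URL (?P<url>\S+) "
    r"\(scheme '(?P<scheme>[^']+)'\)")
# Backend request whose path starts with "proxy:", as in the thread's 404.
LEAKED_PROXY = re.compile(r'Started \w+ "/(?P<target>proxy:[^"]+)"')


def triage(log_text):
    """Return (line_number, finding, detail) tuples for proxy-related symptoms."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if m := UPGRADE_FAIL.search(line):
            conn, upg = m["conn"].strip().lower(), m["upg"].strip().lower()
            tokens = {t.strip() for t in conn.split(",")}
            # A WebSocket handshake needs Upgrade: websocket and an
            # "upgrade" token in Connection; empty values mean they were dropped.
            ok = upg == "websocket" and "upgrade" in tokens
            kind = "upgrade-headers-present" if ok else "upgrade-headers-missing"
            findings.append((n, kind, f"Connection={conn!r} Upgrade={upg!r}"))
        elif m := NO_HANDLER.search(line):
            findings.append((n, "no-proxy-handler", m["scheme"]))
        elif m := LEAKED_PROXY.search(line):
            findings.append((n, "proxy-prefix-reached-backend", m["target"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```
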

