Am Dienstag, 27. Dezember 2022, 22:47:53 CET schrieb Florian Schwalm: > > Reading through the report, this bug probably hit me, too. GitLab is a > > Ruby-on-rails application using a Puma Webserver internally, connected to > > Apache all over UNIX-sockets; this cable-stuff mentioned in the report is > > RoR's action cable that is used in GitLab, too. And basically the > > "working" solution I found, too; I'm not quite sure whether using two > > Location directives in my config makes a difference over giving the > > location directly to ProxyPass... > > So do you have a working solution after applying the workaround from the > bugzilla ticket or is there still a 400 response after that? I found [1] around Saturday, and got a (partly) working config using that. The bug report suggests adding a (non-existing) port to the ws-pipe in the ProxyPass directive; whether I add that or not does not change the behaviour. In any case they're using ProxPass/ProxyPassReverse to proxy to unix sockets, not the rewrite-solution. As far as I interpret GitLab's log, the upgrade to Websockets occurs (but only if the cable location is written after the /- location in the config). The request origin not allowed seems to be a CORS- error from a misconfiguration on GitLab's side, I reported the problem over there. I could test filtering the ORIGIN header when tunnelling to the websocket, that might help, I'm not sure... Using this config got me the "request origin not allowed" error from GitLab, the 400 error only occurs using rewriting. Missing the wstunnel module 8obviouly) results in 500 errors, and the DSO-message in Apache's error log. Using wss instead of ws in the rewriting scenario results in 500 errors and another DSO-mesage i the log (secure connection impossible). The config reads as: --------------------------------------------------------------------------- RequestHeader add X-Forwarded-Ssl on RequestHeader set X-Forwarded-Proto "https" <Proxy *> Require all granted </Proxy> <Location /> ProxyPass unix:///opt/gitlab/gitlab/tmp/sockets/gitlab-workhorse.socket| http://127.0.0.1/ ProxyPassReverse unix:///opt/gitlab/gitlab/tmp/sockets/gitlab- workhorse.socket|http://127.0.0.1/ </Location> <Location /-/cable> ProxyPass unix:///opt/gitlab/gitlab/tmp/sockets/gitlab-workhorse.socket| ws://127.0.0.1/-/cable ProxyPassReverse unix:///opt/gitlab/gitlab/tmp/sockets/gitlab- workhorse.socket|ws://127.0.0.1/-/cable </Location> --------------------------------------------------------------------------- [1] https://gist.github.com/thadeu/a29aa8413385aa82fa7007ff51ca8296 -- MfG Jan --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx