Re: Proxy both HTTP, and WebSocket traffic to UNIX socket

Am Dienstag, 27. Dezember 2022, 22:47:53 CET schrieb Florian Schwalm:
> > Reading through the report, this bug probably hit me, too. GitLab is a
> > Ruby-on-rails application using a Puma Webserver internally, connected to
> > Apache all over UNIX-sockets; this cable-stuff mentioned in the report is
> > RoR's action cable that is used in GitLab, too. And basically the
> > "working" solution I found, too; I'm not quite sure whether using two 
> > Location directives in my config makes a difference over giving the 
> > location directly to ProxyPass...
> 
> So do you have a working solution after applying the workaround from the
> bugzilla ticket or is there still a 400 response after that?

I found [1] around Saturday, and got a (partly) working config using that. The 
bug report suggests adding a (non-existing) port to the ws-pipe in the 
ProxyPass directive; whether I add that or not does not change the behaviour. 
In any case they're using ProxyPass/ProxyPassReverse to proxy to unix sockets, 
not the rewrite-solution. As far as I interpret GitLab's log, the upgrade to 
Websockets occurs (but only if the cable location is written after the 
/-location in the config). The request origin not allowed seems to be a 
CORS-error from a misconfiguration on GitLab's side, I reported the problem over 
there. I could test filtering the ORIGIN header when tunnelling to the 
websocket, that might help, I'm not sure...

Using this config got me the "request origin not allowed" error from GitLab, 
the 400 error only occurs using rewriting. Missing the wstunnel module 
(obviously) results in 500 errors, and the DSO-message in Apache's error log. 
Using wss instead of ws in the rewriting scenario results in 500 errors and 
another DSO-message in the log (secure connection impossible).

The config reads as:

---------------------------------------------------------------------------
RequestHeader add X-Forwarded-Ssl on
RequestHeader set X-Forwarded-Proto "https"

<Proxy *>
    Require all granted
</Proxy>

<Location />
    ProxyPass unix:///opt/gitlab/gitlab/tmp/sockets/gitlab-workhorse.socket|http://127.0.0.1/
    ProxyPassReverse unix:///opt/gitlab/gitlab/tmp/sockets/gitlab-workhorse.socket|http://127.0.0.1/
</Location>

<Location /-/cable>
    ProxyPass unix:///opt/gitlab/gitlab/tmp/sockets/gitlab-workhorse.socket|ws://127.0.0.1/-/cable
    ProxyPassReverse unix:///opt/gitlab/gitlab/tmp/sockets/gitlab-workhorse.socket|ws://127.0.0.1/-/cable
</Location>
---------------------------------------------------------------------------

[1] https://gist.github.com/thadeu/a29aa8413385aa82fa7007ff51ca8296

-- 
MfG Jan
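The "request origin not allowed" symptom above comes from the backend comparing the browser's Origin header with the public origin it reconstructs from what the proxy forwards. The following is an added example, not code from this thread, from Apache or from GitLab/Action Cable: a simplified model of that check, assuming the backend (a) requires the RFC 6455 upgrade headers and (b) accepts the upgrade only when Origin equals the scheme/host derived from X-Forwarded-Proto and Host (or an explicit allowlist). The header sets are constructed samples; the status codes are those of this model, not GitLab's.

```python
"""Model of a WebSocket Origin check behind a reverse proxy (added example).

Not the mailing-list author's code, and not Apache's or GitLab's. Assumes the
backend derives its public origin from X-Forwarded-Proto / X-Forwarded-Host /
Host, as a proxied Rails app would. All sample headers below are constructed.
"""
from urllib.parse import urlsplit


def _lower(headers: dict) -> dict:
    """Header names are case-insensitive; normalise keys once."""
    return {k.lower(): v for k, v in headers.items()}


def is_upgrade_request(headers: dict) -> bool:
    """True when the request carries a valid RFC 6455 handshake."""
    h = _lower(headers)
    connection_tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    return (
        h.get("upgrade", "").lower() == "websocket"
        and "upgrade" in connection_tokens
        and "sec-websocket-key" in h
        and h.get("sec-websocket-version") == "13"
    )


def public_origin(headers: dict) -> str:
    """Reconstruct the origin the browser saw, from the proxy's forwarded headers.

    Without X-Forwarded-Proto the backend has to assume plain http, which is
    exactly the mismatch that makes an https browser origin look foreign.
    """
    h = _lower(headers)
    scheme = h.get("x-forwarded-proto", "http").split(",")[0].strip().lower()
    host = h.get("x-forwarded-host", h.get("host", "")).split(",")[0].strip().lower()
    return f"{scheme}://{host}"


def origin_allowed(headers: dict, extra_allowed: tuple = ()) -> bool:
    """Same-origin check: Origin must equal the public origin or an allowlisted one."""
    h = _lower(headers)
    origin = h.get("origin")
    if origin is None:
        return False  # browsers always send Origin on a WebSocket handshake
    parts = urlsplit(origin)
    normalized = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    allowed = {public_origin(headers), *(a.lower() for a in extra_allowed)}
    return normalized in allowed


def decide(headers: dict, extra_allowed: tuple = ()) -> tuple:
    """Return (status, reason) the modelled backend would answer with."""
    if not is_upgrade_request(headers):
        return 400, "not a websocket upgrade"
    if not origin_allowed(headers, extra_allowed):
        return 403, "request origin not allowed"
    return 101, "switching protocols"


# Constructed sample: handshake as the proxy forwards it with X-Forwarded-Proto set.
GOOD = {
    "Host": "gitlab.example.test",
    "X-Forwarded-Proto": "https",
    "Origin": "https://gitlab.example.test",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version": "13",
}

# Constructed sample: same handshake, but the proxy did not set X-Forwarded-Proto,
# so the backend reconstructs http:// while the browser's Origin says https://.
NO_PROTO = dict(GOOD)
del NO_PROTO["X-Forwarded-Proto"]

# Constructed sample: upgrade headers stripped, i.e. a plain HTTP request on the cable path.
NOT_WS = {k: v for k, v in GOOD.items() if k not in ("Upgrade", "Connection")}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD), ("no_proto", NO_PROTO), ("not_ws", NOT_WS)):
        print(name, decide(hdrs))
```

Running it shows the three outcomes a proxied cable endpoint can produce: a clean upgrade, an origin rejection caused purely by missing forwarded scheme information, and a 400 when the upgrade headers never reach the backend.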


