Mailing List Archive

[Bug 64810] Unable to proxy requests to a secured websockets (wss) in 2.4.41
https://bz.apache.org/bugzilla/show_bug.cgi?id=64810

--- Comment #1 from Orlando Ballon <onengballon@gmail.com> ---
Btw, serving the vnc connection over regular websockets (ws) works as expected.

Thanks.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 64810] Unable to proxy requests to a secured websockets (wss) in 2.4.41 [ In reply to ]
https://bz.apache.org/bugzilla/show_bug.cgi?id=64810

--- Comment #2 from Orlando Ballon <onengballon@gmail.com> ---
I continued the investigation on this issue, and was able to determine the
change that affected the 'wss' proxy to fail in my vnc connection setup.
With the introduction of the change below, the previously working 'wss' proxy
encountered a failure:
---
commit 7d272e2628b4ae05f68cdc74b070707250896a34
Author: Yann Ylavic <ylavic@apache.org>
Date: Fri May 24 07:54:42 2019 +0000

Merge r1818726 from trunk:

mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.

PR 61857.
---

When this change was manually reverted in my local apache 2.4.41 setup, the
'wss' proxy is a success, and the vnc connection over 'wss' will work.


That's all for now. Thanks.


--- Comment #3 from Yann Ylavic <ylavic.dev@gmail.com> ---
Does setting "SSLProxyCheckPeerName off" help?
This was always the case before the change in 2.4.41, now it's "on" by default
like for other proxy modules.

The goal of this change was only to allow for peer certificate CN verification
in all proxy modules; I overlooked that existing wss configurations with a
non-matching certificate would now fail because of the check by default.


--- Comment #4 from Orlando Ballon <onengballon@gmail.com> ---

Thank you for the information.

I set the "SSLProxyCheckPeerName off" in the httpd.conf and it does resolve the
issue.

Below is the workflow of my vnc service setup:
1. Launch my site over http, and start the vnc server (libvncserver).
2. Click a button to launch noVNC client.
3. The url will be re-directed and be served over https,
'https://host/novnc.html?path=vnc'.
4. This will be proxy'd to 'wss://localhost:5901' per httpd.conf:
   ProxyPass /vnc wss://localhost:5901/
5. A prompt to accept a security exception to the site will show, and accepting
the exception, the 'wss' connection will be a success.

However, when I launched my site over https, the vnc connection over wss will
fail.
So, in step #1, the site is launched over https, and a prompt to accept a
security exception to the site will show. After accepting the exception, step
#5 will not prompt anymore but the vnc connection will fail. Have no details
yet on this case but when I use the reverted option, this case where the site
is launched over https, will still have a successful vnc connection over wss.


That's all for now. Thanks.


--- Comment #5 from Orlando Ballon <onengballon@gmail.com> ---

I continued investigating on the other case wherein my site is launched over
https and then the vnc connection over wss was not a success. I made some minor
tweak related to the re-direct of the noVNC url to https path, and it fixed the
issue.

In summary, the additional directive - "SSLProxyCheckPeerName off" in my apache
config file resolved the vnc connection to be successfully served over wss.

Thanks for the help.

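Added example, not part of the bug thread or of the httpd project's own material: the workaround discussed above next to a configuration that keeps the peer name check that 2.4.41 turns on by default. The second variant assumes the VNC backend's certificate is reissued with a name matching "localhost" and that its issuing CA is available to httpd; the CA file path is a placeholder.

```apache
# --- Variant A: workaround from the thread ---------------------------
# The backend connection is still TLS, but httpd does not compare the
# certificate's name with the host in the ProxyPass URL ("localhost").
SSLProxyEngine on
SSLProxyCheckPeerName off
ProxyPass /vnc wss://localhost:5901/

# --- Variant B: keep the check (assumed setup, use instead of A) -----
# Requires a backend certificate whose subjectAltName or CN matches
# "localhost" and that chains to the CA file named below.
SSLProxyEngine on
# Verify the backend certificate chain; the default is "none".
SSLProxyVerify require
# Placeholder path: the CA (or the self-signed certificate itself)
# that issued the backend certificate.
SSLProxyCACertificateFile "/path/to/backend-ca.pem"
# The 2.4.41 default, written out explicitly.
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
ProxyPass /vnc wss://localhost:5901/
```

SSLProxyCheckPeerName only compares names; without SSLProxyVerify and a trusted CA, a certificate with a matching name is accepted no matter who issued it.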