Bug 65286

Summary: Websockets connections fail with Apache as forward proxy
Product: Apache httpd-2 Reporter: Bjoern Voigt <bjoernv>
Component: mod_proxyAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED WORKSFORME    
Severity: normal    
Priority: P2    
Version: 2.4.46   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description Bjoern Voigt 2021-05-04 15:07:00 UTC 
When Apache is configured as a forward proxy, Websocket connections fail.

The Websocket echo test https://www.websocket.org/echo.html already fails with "Connect". The error message is

ERROR: undefined

DISCONNECTED

Other connections work as expected.

This is a minimal proxy configuration which shows the issue:

<IfModule mod_proxy.c>
  ProxyRequests On
  <Proxy *>
    Require ip 192.168.1.0/255.255.255.0 127.0.0.0/255.0.0.0 ::1
  </Proxy>
</IfModule>

This is the list of activated Apache modules:

APACHE_MODULES="actions alias asis auth_basic auth_digest authn_file authz_core authz_host authz_groupfile authz_user autoindex cgi dir env expires include log_config mime negotiation rewrite setenvif status ssl userdir proxy proxy_connect proxy_ftp proxy_http proxy_http2 proxy_wstunnel cache cache_disk authn_core dbd authn_dbd reqtimeout authn_socache socache_shmcb socache_dbm wsgi proxy-html proxy_html headers xml2enc dav dav_fs http2 proxy_fcgi"
Comment 1 Bjoern Voigt 2021-06-28 10:04:10 UTC 
The Websocket echo test still fails with Apache HTTPD 2.4.18.
Comment 2 Yann Ylavic 2021-06-28 11:52:14 UTC 
> This is a minimal proxy configuration which shows the issue:
> 
> <IfModule mod_proxy.c>
>   ProxyRequests On
>   <Proxy *>
>     Require ip 192.168.1.0/255.255.255.0 127.0.0.0/255.0.0.0 ::1
>   </Proxy>
> </IfModule>

It tried that with firefox and it seems that websocket.org issues a "CONNECT echo.websocket.org:80 HTTP/1.1" request when clicking on the "connect" button (port 80 or 443 depending on schemes ws: or wss: respectively).

So it works for me with:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
AllowCONNECT 80 443
ProxyRequests On
<Proxy *>
   Require ip ...
</Proxy>

But I agree that a "GET http://echo.websocket.org:80/ HTTP/1.1" request wouldn't work with WebSocket because the generic forward proxy worker does not handle Upgrade for now. Not sure it's worth it though with nowadays TLS everywhere..
Comment 3 Bjoern Voigt 2021-06-28 21:52:54 UTC 
Yann Ylavic wrote:
> But I agree that a "GET http://echo.websocket.org:80/ HTTP/1.1" request
> wouldn't work with WebSocket because the generic forward proxy worker
> does not handle Upgrade for now. Not sure it's worth it though with
> nowadays TLS everywhere..
After testing your HTTPD configuration and additional testing with different browsers and with my original HTTPD configuration, I found that my daily Firefox profile seems to cause the problem. Disabling all add-ons does not help. But Firefox with a new profile (and proxy settings of cause) works.

http://www.websocket.org/echo.html (without SSL) seems to be broken. How do you tested this?
Comment 4 Bjoern Voigt 2021-06-28 22:14:26 UTC 
After cleaning my proxy settings in Firefox ("SOCKS Host" was set to "localhost" which never caused problems) also my daily Firefox profile works now. I found this Firefox hint here: https://askubuntu.com/a/890539

Sorry, I think, HTTPD is okay and this bug can be closed.