Bug 69129 - Upgrade to Tomcat 10.1 breaks deployments with reverse proxies
Summary: Upgrade to Tomcat 10.1 breaks deployments with reverse proxies
Alias: None
Product: Tomcat 10
Classification: Unclassified
Component: WebSocket (show other bugs)
Version: 10.1.24
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ------
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2024-06-08 15:24 UTC by Alexander Veit
Modified: 2024-06-12 08:22 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Veit 2024-06-08 15:24:51 UTC
With Tomcat 10.1 the configuration property org.apache.tomcat.websocket.DISABLE_BUILTIN_EXTENSIONS has been removed[1].

As a result, in deployments with Tomcat 10.1 behind certain reverse proxies (notably Microsoft IIS/ARR) WebSockets do not work anymore.

Preliminary analysis:

Browsers like Chrome and Firefox send the Sec-WebSocket-Extensions header which contains a permessage-deflate attribute to the server. The reverse proxy passes this header to the backend Tomcat 10.1 instance which creates a response with Sec-WebSocket-Extensions: permessage-deflate. The reverse proxy cannot handle such responses and closes the connection to the client.

We could not find a configuration option which could replace org.apache.tomcat.websocket.DISABLE_BUILTIN_EXTENSIONS.

[1] https://tomcat.apache.org/tomcat-10.1-doc/changelog.html
Comment 1 Mark Thomas 2024-06-12 08:22:12 UTC
I'd recommend that you raise an issue with the provider of your reverse proxy.

If you need a temporary fix for your application, you'll need to implement a custom ServerEndpointConfig.Configurator and provide your own implementation of getNegotiatedExtensions (which can probably just return an empty list).