[solved] Apache reverse proxy to foreign server wss issue

Troubleshooting
1

Summary

Wss proxy passing doesnot working

Steps to reproduce

I’ve got a gitlab 11 server in my local network at address 192.168.3.230 and reverse proxy server on address 192.168.3.35 which passing traffic from internet to intranet. I’ve successfully setted up gitlab proxy pass and mattermost proxypass in partial (login page and mattermost site works as well, but not a websockets. my apache conf listed below:

<VirtualHost :443>
SSLEngine on
SSLProxyEngine On
ServerName mattermost.server.org
ErrorLog /var/log/apache2/mattermost-error.log
CustomLog /var/log/apache2/mattermost-access.log combined
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/api/v[0-9]+/(users/)?websocket [NC,OR]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule . wss://192.168.3.230:8065%{REQUEST_URI} [P,QSA,L]
#RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
#RewriteRule .* https://192.168.3.230:8065%{REQUEST_URI} [P,QSA,L]
RequestHeader set X-Forwarded-Proto “https”

    RequestHeader unset If-Modified-Since
    RequestHeader unset If-None-Match

    <LocationMatch "/api/(?<version>v[0-9]+)/(?<users>users/)?websocket$">
            Require all granted
            ProxyPassReverse wss://192.168.3.230:8065/api/v%{env:MATCH_VERSION}/%{env:MATCH_USERS}websocket
            ProxyPassReverseCookieDomain 192.168.3.230 mattermost.server.org
    </LocationMatch>
    <Location />
            Require all granted
            ProxyPass  https://192.168.3.230/
            ProxyPassReverse https://192.168.3.230/
            ProxyPassReverseCookieDomain 192.168.3.230 mattermost.server.org
    </Location>

    ProxyPreserveHost On
    ProxyRequests Off
    SSLCertificateFile /etc/letsencrypt/live/mattermost.server.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mattermost.server.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

Observed behavior

websocket_client.jsx:38 WebSocket connection to wss://mattermost.server.org/api/v4/websocket’ failed: Error during WebSocket handshake: Unexpected response code: 503

is it possible to proxy wss websocket?

2

Hi @qmor,

It should be possible to proxy websockets (even with Apache - as described in the documentation). One of our community members suggests you to investigate which service returned the 503 . Mattermost or your Apache proxy? Log files might provide additional insights.

3

got some apacke2 logs

[Wed Apr 24 16:01:03.723277 2019] [proxy:error] [pid 18975:tid 140161291581184] (111)Connection refused: AH00957: WSS: attempt to connect to 192.168.3.230:8065 (*) failed
[Wed Apr 24 16:01:03.723352 2019] [proxy_wstunnel:error] [pid 18975:tid 140161291581184] [client 192.168.3.17:28317] AH02452: failed to make connection to backend: 192.168.3.230

4

Hi @qmor, Do you have any information in your Mattermost logs - around Wed Apr 24 16:01:03 2019 - why Mattermost refused that connection?

5

looks like i’ve solved a problem. just need to redirect mattermost wss connection to 443 port not 8065

RewriteRule .* wss://192.168.3.230:443%{REQUEST_URI} [P,QSA,L]

instead of

RewriteRule .* wss://192.168.3.230:8065%{REQUEST_URI} [P,QSA,L]

1 Like