Closed bugtoo closed 4 years ago
francislavoie
commented
4 years ago Thanks for the detailed report.
That all looks okay to me as well. That error is clearly coming from IPMI, so we'll need more information as to why it's rejecting the request.
bugtoo
commented
4 years ago Hi @francislavoie , it looks like there's no way to get more informations on the IPMI itself as it is a closed system - I wish Supermicro could give us some insights but they closed the ticket saying that the architecture is not supported. Is there a way to force Caddy to reorder the headers so that "Upgrade" and "Connection" come at the same level as with nginx?
francislavoie
commented
4 years ago I'm 99% sure header order is not the problem. Headers are a key-value mapping, not an ordered set. There's no way for that to change, because Caddy uses golang's map type under the hood, which is an unordered set.
I notice that Caddy adds X-Forwarded-Proto while nginx doesn't. I guess there's a possibility that breaks things, but that would surprise me. You should be able to suppress that by adding header_up -X-Forwarded-Proto to your reverse_proxy config. https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#headers
bugtoo
commented
4 years ago I already tested all the possible combinations (stripping headers, adding headers), nothing changes. I gave it another try:
GET / HTTP/1.1
Host: server-1.ipmi.myservers.cloud
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Cache-Control: no-cache
Connection: Upgrade
Cookie: langSetFlag=0; language=English; SID=j5ggH6NXxct69FC; mainpage=remote; subpage=man_ikvm_html5
Dnt: 1
Origin: http://server-1.ipmi.myservers.cloud
Pragma: no-cache
Sec-Websocket-Extensions: permessage-deflate
Sec-Websocket-Key: MEL6GPcPFPrKYXAAnEuilw==
Sec-Websocket-Version: 13
Upgrade: websocket
X-Forwarded-For: xxx.xxx.xxx.xxx
HTTP/1.1 400 Bad Request
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-XSS-Protection: 1; mode=block
Content-Type: text/html
Content-Length: 349
Date: Mon, 05 Oct 2020 15:35:25 GMT
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>400 - Bad Request</title>
</head>
<body>
<h1>400 - Bad Request</h1>
</body>
</html>No luck :(
It must be lower level then, not sure how to catch the differences between the two requests though.
francislavoie
commented
4 years ago Alright - well I'll close this, I don't think there's anything actionable on our end. There's not really enough information for us to do anything with at the moment. I hope you can convince Supermicro to tell you why a 400 might be returned so we can investigate further. We know that websockets works fine for others.
mholt
commented
4 years ago I'm 99% sure header order is not the problem.
It shouldn't be, but you never know what kind of awful enterprisey apps make stupid, spec-violating assumptions. :sweat: I definitely wouldn't be surprised if they expect a certain order to the headers and if that's breaking things.
This looks like something Supermicro will have to fix.
akosyakov
commented
3 years ago Caddy writes Websocket, but Nginx writes WebSocket.
francislavoie
commented
3 years ago @akosyakov this is probably not the right place to ask a question. This is a long-since closed issue.
Please ask your usage questions on the Caddy community forums. We prefer to keep the GitHub issue board for bugs and feature requests. Don't forget to fill out the thread template so we can help you!
Hello everybody! I am building a reverse proxy configuration with Caddy 2.2.0 to expose a Supermicro IPMI to another network. For those unfamiliar with IPMI, it's basically a web interface of a bare metal server, providing, among other things, remote access to Keyboard ,Video and Mouse of the server. This works with a websocket session with noVNC.
I can make the reverse proxy for the http part to work, but as soon as I start the websocket session, I got a 400 Bad Request from the IPMI server. I tried with different Origin/Host combination and with different Headers manipulation, and I also captured a PCAP of the session: even if the upgrade request is identical compared to another going directly to the IPMI, I always get a 400 Bad Request when going through the proxy. I am running this in a container, so I quickly switched to nginx to test it and there it works out of the box. I believe there's something low level involved that I can't see with a packet capture.,or something obvious that I don't see.
Here's Caddy config:
Here's nginx config:
From my understanding, the two configurations are equivalent, and I can see it also in the pcap capture that the outcome is similar.
Any suggestions? How can I help in acquiring more debug? There's nothing appearing in the logs.
Here's failed session with caddy:
Here's successfull session with nginx:
The only obvious thing is the order of the headers which are different: in nginx we get the "Upgrade" and "Connection" headers much earlier compared to caddy: it keeps the original order of the request coming from the browser, but it shouldn't matter.
Thanks!
Daniel