Closed ejouvin closed 7 years ago
I'll have a look, thanks for the report
@ejouvin , I'm not able to reproduce the issue.
Could you provide some kind of log of the http traffic of the logout sequence? Do you notice some kind of HTTP errors?
As an example, this is what happens on my side:
There is no traffic. Clicking on the link does not do anything and only under Chrome.
which version of chrome/operating system are you using?
Windows & Chrome version 55.0.2883.87 (Build officiel)
In fact, when accessing Tomcat directly, this is OK. When accessing behind a proxy, it failed.
And finally, this is linked to #45
But under Firefox and IE, no problem. Trying to find why I am having a 403 error.
I think that you have the same issue as #38, some headers are incorrectly handled by Chrome with your current configuration.
Hum, seems to be an SSL related issue. Ok, my SSL configuration is not the best one, because I always have a security alert when accessing the instance.
But when I put the configuration under a non-SSL site, it is OK.
It really seems to be an SSL error when self signed http://stackoverflow.com/questions/23404160/why-does-my-wss-websockets-over-ssl-tls-connection-immediately-disconnect-w
But the solution does not solve my error.
Moreover, I found that I have errors when accessing the websocket: a 403 when behind SSL, a 400 when not behind SSL.
So there is also an error in my Apache configuration. Does someone have an example?
Did you check the issue #38? It's based on NGINX but I think the problem is the same, make sure you send the right headers through the proxy.
I am still stuck. But I think we can close this case because all is a matter of Apache configuration.
Will try again, hope someone will find the solution ;)
"Finally" I got it work, not fully as I expected, but for a first step...
So for those who will have difficulties, here is what I put in my Apache configuration, thanks to reading http://stackoverflow.com/questions/27526281/websockets-and-apache-proxy-how-to-configure-mod-proxy-wstunnel

```apache
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:8080/$1 [P,L]
#RewriteCond %{HTTP:Upgrade} !=websocket [NC]
#RewriteRule /(.*) http://localhost:8080/$1 [P,L]
ProxyPass /lavagna http://localhost:8080/lavagna
ProxyPassReverse /lavagna http://localhost:8080/lavagna
<Proxy http://localhost:8080/lavagna>
Order allow,deny
Allow from all
</Proxy>
```

I commented out the second RewriteRule, because this configuration is shared with other applications deployed, not necessarily in the same Tomcat.
But this will only work when Lavagna is on Tomcat and enabled behind an Apache in http, not in https.
I will have to study in order to deploy it under SSL; maybe I need to activate SSL on Tomcat also.
I close the issue.
@ejouvin thanks for the comment, we will add your configuration in the documentation :)
Did you try wss://localhost:8080/$1 instead of ws://localhost:8080/$1?
When using SSL you have to make sure that you are using it on HTTPS but also on WSS.
@SitoCH Yes I did try, but no chance. But it does not mean it does not work :laughing: because I made many tries and sometimes I missed some details.
I will give it a try later. Later is almost 5 minutes in fact and no, it does not work currently. But I am pretty sure it is because I have to set up something on Tomcat.
@syjer Thanks. But it was done "quickly" and I did not try to optimize the configuration. Three days to get it to work (I understand nothing about Apache, this is out of my scope) and when it finally worked, I stopped.
1 year since I tried to find a solution. Today, I tried to work on it, because I now have a "correct" certificate.
I found a way to make it work on HTTPS for the Apache server, but deployed on HTTP in Tomcat.
Careful, I changed one other thing... I removed the sub URI /lavagna, to make it accessible through the root URI, but not all mandatory configuration is included in the following extract.
```apache
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) wss://localhost:8080/lavagna/$1 [P,L]
SSLProxyEngine on
ProxyPreserveHost On
ProxyPass /.well-known !
ProxyPassReverse /.well-known !
ProxyPass /robots.txt !
ProxyPassReverse /robots.txt !
ProxyPass / http://localhost:8080/lavagna/
ProxyPassReverse / http://localhost:8080/lavagna/
ProxyPassReverseCookiePath /lavagna /
AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE text/html
Substitute "s|<base href=\"/lavagna/\">|<base href=\"/\">|n"
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
```
The important part was the wss redirection and the request header modification, for proto and port.
Perfect, thank you for posting the proxy configuration because at the moment we had only samples for NGINX and it may be really useful for other users.
Full proxy configuration for proxy with HTTPS
```apache
<VirtualHost *:443>
ServerAdmin contact-email@dummy.net
ServerName www.lavagna.dummy.net
DocumentRoot /var/www/lavagna/
DirectoryIndex index.html
Header edit Location login\?reqUrl=%2Flavagna%2F login?reqUrl=%%2F
Header edit Location ^/lavagna/ /
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/lavagna_ssl_error.log
CustomLog ${APACHE_LOG_DIR}/lavagna_ssl_access.log combined
SSLEngine on
SSLCertificateFile /etc/cert/cert.pem
SSLCertificateKeyFile /etc/cert/privkey.pem
SSLCertificateChainFile /etc/cert/chain.pem
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
<Directory /var/www/lavagna>
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>
AllowEncodedSlashes NoDecode
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:8080/lavagna/$1 [P,L]
SSLProxyEngine on
ProxyPreserveHost On
ProxyPass /robots.txt !
ProxyPassReverse /robots.txt !
ProxyPass / http://localhost:8080/lavagna/
ProxyPassReverse / http://localhost:8080/lavagna/
ProxyPassReverseCookiePath /lavagna /
AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE text/html
Substitute "s|<base href=\"/lavagna/\">|<base href=\"/\">|n"
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
</VirtualHost>
```
In this case, Lavagna is deployed on Tomcat, on the same server as Apache, and accessible through http://localhost:8080/lavagna
The proxy configuration made Lavagna available under https://www.lavagna.dummy.net. It would be easier if I wanted to have https://www.dummy.net/lavagna.
A "root" folder is created under /var/www/lavagna, where I put a robots.txt file.
For websocket, the trick is here:

```apache
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) wss://localhost:8080/lavagna/$1 [P,L]
```

For the robots.txt file, use this directive in order to serve the file from the root folder.

```apache
ProxyPass /robots.txt !
ProxyPassReverse /robots.txt !
```

Proxy redirect for the rest.

```apache
ProxyPass / http://localhost:8080/lavagna/
ProxyPassReverse / http://localhost:8080/lavagna/
ProxyPassReverseCookiePath /lavagna /
```

Because I expose Lavagna under a subdomain, there are many things to do. First, change the headers.

```apache
Header edit Location login\?reqUrl=%2Flavagna%2F login?reqUrl=%%2F
Header edit Location ^/lavagna/ /
```

The first one is for the login page. The redirect URL in the argument must be (human-readable) reqUrl=/ and not reqUrl=/lavagna/ (because the root location in Tomcat is /lavagna). The second one changes the Location directive from /lavagna/... to /....
The trickiest part was to modify one directive in the HTML. The bad news is that it required to "unzip", modify the content and then zip.

```apache
AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE text/html
Substitute "s|<base href=\"/lavagna/\">|<base href=\"/\">|n"
```

In this case, I replace
And finally I had to change the request header to force HTTPS. Without this, websocket will fail.

```apache
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
```
Hope this will help.
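
A small checker for the points this thread converged on, added here as an example (not code from Lavagna or from any commenter). It reports a WebSocket RewriteRule with no Upgrade condition directly before it, X-Forwarded-Proto/Port not written with `RequestHeader set`, and a `wss://` target aimed at a host:port that ProxyPass reaches over plain `http://`, which is where the configurations posted above differ. The names `parse`, `lint` and `THREAD_CONF` are made up for the example, and the sample input is constructed from directives quoted in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed input: proxy directives quoted in the thread (wss:// variant).
THREAD_CONF = """\
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) wss://localhost:8080/lavagna/$1 [P,L]
SSLProxyEngine on
ProxyPass /robots.txt !
ProxyPass / http://localhost:8080/lavagna/
ProxyPassReverse / http://localhost:8080/lavagna/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
"""

def parse(conf):
    """Return [(directive, [args])], skipping comments and <Section> lines."""
    out = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line and line[0] not in "#<":
            name, *args = line.split()
            out.append((name.lower(), args))
    return out

def lint(conf):
    """Check the points the thread found necessary for WebSocket behind HTTPS."""
    ds, findings = parse(conf), []
    ws = [(i, a[1]) for i, (n, a) in enumerate(ds)
          if n == "rewriterule" and len(a) > 1 and re.match(r"wss?://", a[1], re.I)]
    if not ws:
        findings.append("no RewriteRule proxies to ws:// or wss://")
    for i, target in ws:
        prev = ds[i - 1] if i else ("", [])
        # Without the condition, every request would be sent to the ws target.
        if not (prev[0] == "rewritecond"
                and [x.lower() for x in prev[1][:1]] == ["%{http:upgrade}"]):
            findings.append("websocket RewriteRule is not guarded by an Upgrade condition")
        for n, a in ds:
            if n == "proxypass" and len(a) > 1 and a[1] != "!":
                b, w = urlsplit(a[1]), urlsplit(target)
                if b.netloc == w.netloc and (b.scheme == "https") != (w.scheme == "wss"):
                    findings.append(f"{w.scheme}:// target but {b.scheme}:// backend on {b.netloc}")
    # 'set' replaces a client-supplied value; 'add'/'append' would keep it.
    for header in ("x-forwarded-proto", "x-forwarded-port"):
        actions = [a[0].lower() for n, a in ds
                   if n == "requestheader" and len(a) > 1 and a[1].lower() == header]
        if actions != ["set"]:
            findings.append(f"{header} must be overwritten with 'RequestHeader set'")
    return findings
```

`lint(THREAD_CONF)` reports the scheme pairing only; the same text with `ws://` as the target, as in the full virtual host above, returns no findings.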
Installed from the last commit, when I access the application with Chrome, the logout button does nothing.