Secure web socket proxy does not work in Apache 2.4.7
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Apache2 Web Server | Fix Released | High | |
apache2 (Ubuntu) | Fix Released | Medium | Unassigned |
Trusty | Fix Released | Medium | Unassigned |
Bug Description
[Impact]
In Apache 2.4.7 the wstunnel proxy has a bug where a plain-text request is sent to a WSS URL. The bug is described in https:/
[Test Case]
This is a testcase involving websockify and NoVNC.
On Host A install a VNC server listening on port 5900. On the same host also install websockify to make VNC accessible through websocket. Launch websockify with
websockify --cert privatecert.pem --ssl-only 6080 localhost:5900
where privatecert.pem contains both a certificate and the corresponding private key.
On Host B install Apache 2.4 and download NoVNC in the directory /vnc inside the document root. Enable SSL and the websocket proxy with
a2enmod proxy proxy_http proxy_wstunnel ssl
Add the following configuration directives for Apache:
<Location /ws/client>
ProxyPass wss://HostA:6080
</Location>
Now, connecting with a browser at the following URL:
should launch a remote VNC session on HostB, but it does not work because the tunnel created by ProxyPass does not really use SSL.
[Regression Potential]
If someone had incorrectly configured Apache to use a WSS proxy towards a server which only supports WS, this would stop working after the bug is fixed. This can be fixed by replacing the WSS scheme with WS.
OS: Ubuntu 14.04.2 LTS
Package: 2.4.7-1ubuntu4.4
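Added example (not from the bug report or the Apache project): a small Python probe that detects the failure mode above from the backend's side. A TLS-only backend such as websockify --ssl-only expects a TLS ClientHello as the first bytes on the socket; the 2.4.7 wstunnel bug sends a plaintext HTTP Upgrade request instead, which is what the backend then rejects as an SSL handshake failure. The listener below accepts one connection and classifies what arrived; the two client functions are constructed stand-ins for a broken and a fixed proxy, running over loopback only. Host names, the request bytes and the function names are assumptions made for the example.

```python
"""Probe whether a WebSocket proxy really speaks TLS to its wss:// backend.

Added example, not part of the bug report. Run stand-alone to see a
constructed "broken" (plaintext) and "fixed" (TLS) client classified.
"""
import socket
import ssl
import threading

TLS_HANDSHAKE_RECORD = 0x16  # content type of a TLS handshake record

# Constructed plaintext WebSocket upgrade request, the kind of bytes the
# 2.4.7 wstunnel proxy sends to a wss:// target (host name is made up).
PLAINTEXT_UPGRADE = (
    b"GET /websockify HTTP/1.1\r\n"
    b"Host: hosta:6080\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n\r\n"
)


def classify_client_bytes(data):
    """Classify the first bytes a TLS-only backend receives from a client.

    A TLS ClientHello starts with record type 0x16 and major version 0x03;
    anything whose first line ends in an HTTP version is a plaintext request.
    """
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE_RECORD and data[1] == 0x03:
        return "tls"
    request_line = data.split(b"\r\n", 1)[0]
    if request_line.endswith((b" HTTP/1.1", b" HTTP/1.0")):
        return "plaintext-http"
    return "unknown"


class ProbeListener:
    """Accept one connection, record what the client sent first, then close."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # any free loopback port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.result = None
        self.thread = threading.Thread(target=self._serve)

    def _serve(self):
        conn, _ = self.sock.accept()
        conn.settimeout(5)
        try:
            data = conn.recv(4096)
        except socket.timeout:
            data = b""
        finally:
            conn.close()
            self.sock.close()
        self.result = classify_client_bytes(data)


def send_plaintext_upgrade(port):
    """Behave like the buggy proxy: plaintext HTTP straight to the TLS port."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(PLAINTEXT_UPGRADE)


def send_tls_client_hello(port):
    """Behave like a fixed proxy: start a TLS handshake with the backend."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # the probe listener has no certificate
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection(("127.0.0.1", port))
    try:
        # The listener closes after reading the ClientHello, so the handshake
        # fails; only the fact that a ClientHello was sent matters here.
        ctx.wrap_socket(raw, server_hostname="hosta")
    except OSError:
        pass
    finally:
        raw.close()


def probe(client):
    """Run one listener, drive it with `client`, return the classification."""
    listener = ProbeListener()
    listener.thread.start()
    client(listener.port)
    listener.thread.join(timeout=10)
    return listener.result


if __name__ == "__main__":
    print("broken proxy ->", probe(send_plaintext_upgrade))
    print("fixed proxy  ->", probe(send_tls_client_hello))
```

To check a real installation, start a ProbeListener on the backend port instead of websockify, point `ProxyPass wss://HostA:port` at it and open the client URL in a browser: a result of "plaintext-http" reproduces the 2.4.7 behaviour, "tls" means the proxy now honours the wss scheme.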
information type: Private Security → Public Security
Changed in apache2 (Ubuntu):
  status: New → Confirmed
Changed in apache2:
  importance: Unknown → High
  status: Unknown → Fix Released
  description: updated
Changed in apache2 (Ubuntu Trusty):
  importance: Undecided → Medium
tags: added: trusty verification-done; removed: verification-needed
When I configure the ws_proxy_wstunnel module with a wss:// URL, the request is actually sent in plaintext, which gets rejected by the backend server due to an SSL handshake failure.
Suggested correction,
314a315
> int is_ssl = 0;
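Review bot: the diff is in normal (non-context) format, so the `int is_ssl = 0;` declaration at 315 cannot be matched by `patch` against any other revision of the wstunnel source, and it is not visible which function it lands in; please regenerate the three hunks with `diff -u` against a named 2.4.7 mod_proxy_wstunnel.c so they can be reviewed and applied together.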
320a322
> is_ssl = 1;
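Review bot: the `is_ssl = 1;` insertion at 322 shows none of the surrounding code, so it is not visible which condition guards it; it must sit inside the branch that recognises a `wss:` URL and nowhere else, otherwise plain `ws:` targets would also be flagged for SSL. Include the guarding `if` as context in the patch.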
344c346
< backend->is_ssl = 0;
---
> backend->is_ssl = is_ssl;
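Review bot: replacing the hard-coded `backend->is_ssl = 0;` with `backend->is_ssl = is_ssl;` removes the cause of the plaintext send, but the patch shows nothing that verifies SSL proxy support is actually available once the flag is set; with `wss:` targets now honoured, a server without mod_ssl loaded or without `SSLProxyEngine On` should be tested to confirm the handler fails with a logged error rather than connecting to the backend in plaintext.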
Thanks,
Alex