Messages - ChrisGoes

#1
Thanks Monviech!
Ticket created.

I understand the timeframe... I just need to make sure that nobody is playing around with the config until then, otherwise those changes are lost again.
#2
Quote from: Monviech (Cedrik) on October 01, 2025, 03:35:20 PM
Hmm maybe this could be solved with this directive

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassmatch

ProxyPassMatch   ^/webclient(.*)  wss://<IP OF FUDO SERVER>/webclient$1
ProxyPassReverse ^/webclient(.*)  wss://<IP OF FUDO SERVER>/webclient$1

Can you try such a regex construct in the current apache configuration and see if that works as well? (not tested, just a thought)
I want to avoid needing to implement custom rewrites.

A while ago I added "RedirectMatch", which solves redirect loops caused by / being added behind paths when it shouldn't be. Maybe the above directive solves the same kind of issue for / in paths.

It does work with the ProxyPassMatch.

Config I've used looks like this now:

<Proxy balancer://XXXX>
BalancerMember wss://<IP OF FUDO SERVER>
</Proxy>
...
<LocationMatch "^/webclient(.*)">

        ProxyPreserveHost  On
        ProxyPassMatch "balancer://XXXX/webclient$1"
        ProxyPassReverse "balancer://XXXX/webclient$1"
</LocationMatch>

Would you be able to include the ProxyPassMatch in the OPNWAF Plugin?
And if so, how long would it take until it's available then?

Thanks for your help so far!
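
The path mapping discussed in this post, as an added example that is not part of the original thread: a simplified Python model of how the `^/webclient(.*)` pattern maps request URIs to the backend, next to a stricter pattern. The host `backend.example`, the stricter pattern, the sample requests and the helper names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Placeholder backend, standing in for "<IP OF FUDO SERVER>" in the post.
BACKEND = "wss://backend.example"

# Pattern used in the thread, and a stricter variant (an assumption of this
# example, not something the posters used).
THREAD_PATTERN = r"^/webclient(.*)"
STRICT_PATTERN = r"^/webclient(/.*)?$"


def map_request(pattern, request_uri, target=BACKEND + "/webclient$1"):
    """Simplified model of ProxyPassMatch: match the URL path against the
    regex, substitute $1 into the target and carry the query string over.
    Returns the backend URL, or None when the path does not match."""
    parts = urlsplit(request_uri)
    m = re.search(pattern, parts.path)
    if m is None:
        return None
    url = target.replace("$1", m.group(1) or "")
    return url + ("?" + parts.query if parts.query else "")


# Constructed sample requests; the query strings are made up.
SAMPLES = [
    "/webclient?otp=EXAMPLE&dpi=96",   # upgrade request without trailing slash
    "/webclient/?otp=EXAMPLE&dpi=96",  # same request with trailing slash
    "/webclient-other/status",         # different path sharing the prefix
    "/web",                            # unrelated path
]


def report():
    """Return (uri, mapping with thread pattern, mapping with strict pattern)."""
    return [
        (uri, map_request(THREAD_PATTERN, uri), map_request(STRICT_PATTERN, uri))
        for uri in SAMPLES
    ]


if __name__ == "__main__":
    for uri, loose, strict in report():
        print(f"{uri}\n  thread pattern: {loose}\n  strict pattern: {strict}")
```

Both patterns forward `/webclient?...` without adding a slash; the thread's pattern also forwards any path that merely starts with `/webclient`, which the stricter one leaves unmatched.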
#3
Quote from: Monviech (Cedrik) on October 01, 2025, 02:35:21 PM
Quote from: ChrisGoes on October 01, 2025, 01:50:45 PM
well, I think this is part of the issue.
When Fudo is trying to upgrade the https connection to websocket it's using wss://<hostname>/webclient?XXXXXX

If I try to configure a Location for /webclient the issue is that the proxy is redirecting to wss://<hostname>/webclient/?XXXXX

This request is not properly redirected because of the trailing / after the location. I do believe that this might be the issue which requires the Rewrite Condition...

Can you try defining both as locations?

e.g.

ProxyPass /webclient      wss://127.0.0.1:8080/webclient
ProxyPass /webclient/     wss://127.0.0.1:8080/webclient/

didn't solve the problem.
Have both locations defined now but it's still not working.
Here is the output of the Web Error Log:

[proxy:debug] [pid 83593:tid 12887523539456] proxy_util.c(3261): [client XXXXXXXXXX:15293] AH00944: connecting wss://<IP OF FUDO SERVER>/webclient/?image=image%2Fwebp&image=image%2Fpng&image=image%2Fjpg&otp=87152400XgqT-lDLlgv-CnFVR_8Y0VAx&dpi=96&width=2616&height=932&color-depth=24&resize-method=display-update&server-layout=de-de-qwertz to <IP OF FUDO SERVER>:443
#4
well, I think this is part of the issue.
When Fudo is trying to upgrade the https connection to websocket it's using wss://<hostname>/webclient?XXXXXX

If I try to configure a Location for /webclient the issue is that the proxy is redirecting to wss://<hostname>/webclient/?XXXXX

This request is not properly redirected because of the trailing / after the location. I do believe that this might be the issue which requires the Rewrite Condition...
#5
sure, it's Fudo Enterprise.
It seems that they are using guacamole within their software so Apache Guacamole is probably affected as well ;)

BR
#6
Hi everybody,

we are hosting an application behind OPNWAF which requires a websocket connection upgrade.
The current possibilities to configure OPNWAF via UI are not sufficient to have this requirement working.

It was necessary to modify the generated apache24 vhost config manually and add the following lines:
RewriteEngine on
RewriteCond %{HTTP:Upgrade} ^websocket$ [NC]
RewriteCond %{HTTP:Connection} ^Upgrade$ [NC]
RewriteRule .* wss://<IP OF SERVER BEHIND PROXY>%{REQUEST_URI} [P,QSA,L]

Would it be possible to integrate this somehow in the OPNWAF UI?
The solution right now is only valid until the next restart / UI config update when the config gets regenerated.

I'm running latest version of OPNSense BusinessEdition and opnWAF Plugin.

Thanks and BR
Chris