OPNWAF / WebSocket connection upgrade only working with Rewrite Rules

Started by ChrisGoes, October 01, 2025, 01:15:28 PM

Hi everybody,

we are hosting an application behind OPNWAF which requires a WebSocket connection upgrade.
The current options for configuring OPNWAF via the UI are not sufficient to get this requirement working.

It was necessary to modify the generated apache24 vhost config manually and add the following lines:
# Hand WebSocket upgrade requests to mod_proxy (needs mod_rewrite and
# mod_proxy_wstunnel; [P] proxies, [QSA] keeps the query string, [L] stops rewriting).
RewriteEngine on
RewriteCond %{HTTP:Upgrade} ^websocket$ [NC]
# Note: some clients send "Connection: keep-alive, Upgrade", which this anchored
# match rejects; an unanchored "Upgrade" [NC] pattern is more robust.
RewriteCond %{HTTP:Connection} ^Upgrade$ [NC]
RewriteRule .* wss://<IP OF SERVER BEHIND PROXY>%{REQUEST_URI} [P,QSA,L]

Would it be possible to integrate this somehow in the OPNWAF UI?
The solution right now is only valid until the next restart / UI config update when the config gets regenerated.

I'm running the latest version of OPNsense Business Edition and the OPNWAF plugin.

Thanks and BR
Chris

Could you tell me the application that causes the issue? (If it's something that's openly available.)

Hardware:
DEC740

Sure, it's Fudo Enterprise.
It seems that they are using Guacamole within their software, so Apache Guacamole is probably affected as well ;)

BR

Isn't Guacamole using different paths for different applications?

Is there maybe a specific path for the websocket?

E.g. /ws/
Hardware:
DEC740

@Monviech, you can use either

/guacamole/websocket-tunnel

or upgrade the connection if the proxy supports it. Works without a separate proxy instance with Caddy for example.


BTW ... the new Caddy UI is *slick* Thanks for all the work. When was that introduced? Had not looked at it for months it seems.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Well, I think this is part of the issue.
When Fudo is trying to upgrade the HTTPS connection to WebSocket it's using wss://<hostname>/webclient?XXXXXX

If I try to configure a Location for /webclient, the issue is that the proxy is redirecting to wss://<hostname>/webclient/?XXXXX

This request is not properly redirected because of the trailing / after the location. I do believe that this might be the issue which requires the Rewrite Condition...

Quote from: Patrick M. Hausen on October 01, 2025, 01:43:27 PM
@Monviech, you can use either

/guacamole/websocket-tunnel

or upgrade the connection if the proxy supports it. Works without a separate proxy instance with Caddy for example.


BTW ... the new Caddy UI is *slick* Thanks for all the work. When was that introduced? Had not looked at it for months it seems.

Thanks for the input. I did it at the same time when doing the grouping for dnsmasq. It was like a side effect to also introduce it there xD.
Hardware:
DEC740

Quote from: ChrisGoes on October 01, 2025, 01:50:45 PM
Well, I think this is part of the issue.
When Fudo is trying to upgrade the HTTPS connection to WebSocket it's using wss://<hostname>/webclient?XXXXXX

If I try to configure a Location for /webclient, the issue is that the proxy is redirecting to wss://<hostname>/webclient/?XXXXX

This request is not properly redirected because of the trailing / after the location. I do believe that this might be the issue which requires the Rewrite Condition...

Can you try defining both as locations?

e.g.

ProxyPass /webclient      wss://127.0.0.1:8080/webclient
ProxyPass /webclient/     wss://127.0.0.1:8080/webclient/
Hardware:
DEC740

Quote from: Monviech (Cedrik) on October 01, 2025, 02:35:21 PM
Quote from: ChrisGoes on October 01, 2025, 01:50:45 PM
Well, I think this is part of the issue.
When Fudo is trying to upgrade the HTTPS connection to WebSocket it's using wss://<hostname>/webclient?XXXXXX

If I try to configure a Location for /webclient, the issue is that the proxy is redirecting to wss://<hostname>/webclient/?XXXXX

This request is not properly redirected because of the trailing / after the location. I do believe that this might be the issue which requires the Rewrite Condition...

Can you try defining both as locations?

e.g.

ProxyPass /webclient      wss://127.0.0.1:8080/webclient
ProxyPass /webclient/     wss://127.0.0.1:8080/webclient/

That didn't solve the problem.
I have both locations defined now, but it's still not working.
Here is the output of the web error log:

[proxy:debug] [pid 83593:tid 12887523539456] proxy_util.c(3261): [client XXXXXXXXXX:15293] AH00944: connecting wss://<IP OF FUDO SERVER>/webclient/?image=image%2Fwebp&image=image%2Fpng&image=image%2Fjpg&otp=87152400XgqT-lDLlgv-CnFVR_8Y0VAx&dpi=96&width=2616&height=932&color-depth=24&resize-method=display-update&server-layout=de-de-qwertz to <IP OF FUDO SERVER>:443

October 01, 2025, 03:35:20 PM #9 Last Edit: October 01, 2025, 03:37:07 PM by Monviech (Cedrik)
Hmm, maybe this could be solved with this directive:

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassmatch

ProxyPassMatch   ^/webclient(.*)  wss://<IP OF FUDO SERVER>/webclient$1
ProxyPassReverse ^/webclient(.*)  wss://<IP OF FUDO SERVER>/webclient$1

Can you try such a regex construct in the current Apache configuration and see if that works as well? (Not tested, just a thought.)
I want to avoid needing to implement custom rewrites.

A while ago I added "RedirectMatch", which solves redirect loops because / is added behind paths when it shouldn't be. Maybe the above directive solves the same kind of issue for / in paths.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on October 01, 2025, 03:35:20 PM
Hmm, maybe this could be solved with this directive:

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassmatch

ProxyPassMatch   ^/webclient(.*)  wss://<IP OF FUDO SERVER>/webclient$1
ProxyPassReverse ^/webclient(.*)  wss://<IP OF FUDO SERVER>/webclient$1

Can you try such a regex construct in the current Apache configuration and see if that works as well? (Not tested, just a thought.)
I want to avoid needing to implement custom rewrites.

A while ago I added "RedirectMatch", which solves redirect loops because / is added behind paths when it shouldn't be. Maybe the above directive solves the same kind of issue for / in paths.

It does work with the ProxyPassMatch.

The config I've used looks like this now:

<Proxy balancer://XXXX>
BalancerMember wss://<IP OF FUDO SERVER>
</Proxy>
...
# Inside <LocationMatch> the regex comes from the section itself, so
# ProxyPassMatch only takes the target; $1 carries the rest of the path.
<LocationMatch "^/webclient(.*)">
        ProxyPreserveHost  On
        ProxyPassMatch "balancer://XXXX/webclient$1"
        ProxyPassReverse "balancer://XXXX/webclient$1"
</LocationMatch>

Would you be able to include the ProxyPassMatch in the OPNWAF plugin?
And if so, how long would it take until it's available?

Thanks for your help so far!
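For reference, the complete vhost fragment that the ProxyPassMatch approach amounts to, written as an added example here; it is neither Chris's exact config nor anything the OPNWAF plugin generates. The balancer name "fudo", the ServerName, the 3600-second timeout and the <IP OF FUDO SERVER> placeholder are assumptions. It differs from the thread's "^/webclient(.*)" in anchoring the regex as "^/webclient(/.*)?$", so that "/webclient" and "/webclient/..." are proxied but an unrelated path such as "/webclient-admin" is not, and it spells out the TLS settings a wss:// backend needs.

```apache
# Added example, not from the original post or the OPNWAF plugin.
# Requires mod_proxy, mod_proxy_http, mod_proxy_wstunnel (handles the
# Upgrade: websocket handshake for ws:// and wss:// targets) and
# mod_proxy_balancer (only for the balancer:// form used below).
<VirtualHost *:443>
    ServerName fudo.example.internal        # assumed hostname
    # TLS listener settings (SSLEngine, certificates) as generated by OPNWAF
    # are omitted here.

    # Never allow forward-proxying through this vhost.
    ProxyRequests Off
    # Fudo/Guacamole look at the Host header, so pass the client's Host through.
    ProxyPreserveHost On

    # Needed to speak TLS to a wss:// backend. Verify the backend certificate;
    # with an IP-address backend the peer-name check only passes if the cert's
    # SAN covers that IP, otherwise use a DNS name in BalancerMember instead.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile /usr/local/etc/ssl/fudo-ca.pem   # assumed path

    # Backend pool. "timeout" is the idle timeout of the proxied connection;
    # raised because an interactive WebSocket session can sit idle for a while.
    <Proxy "balancer://fudo">
        BalancerMember "wss://<IP OF FUDO SERVER>" timeout=3600
    </Proxy>

    # Anchored variant of the ProxyPassMatch from the thread. The regex is
    # matched against the path only: "/webclient?otp=..." matches with an
    # empty $1, "/webclient/?otp=..." matches with $1 = "/", and mod_proxy
    # appends the query string itself. No <Location "/webclient/"> is defined,
    # so nothing redirects "/webclient" to "/webclient/".
    ProxyPassMatch "^/webclient(/.*)?$" "balancer://fudo/webclient$1"

    # Only matters if the backend answers with HTTP redirects under /webclient;
    # a successful upgrade (101 Switching Protocols) has no Location header
    # to rewrite. Kept as a plain prefix because ProxyPassReverse does not
    # take a regex.
    ProxyPassReverse "/webclient" "balancer://fudo/webclient"

    # ... remaining OPNWAF-generated locations ...
</VirtualHost>
```

After reloading, the same "[proxy:debug] ... AH00944: connecting wss://<IP OF FUDO SERVER>/webclient?..." line should now appear in the error log without the trailing slash, which is the request form the thread reports the backend accepts.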

Nice, seems like we found the simplest solution.

Can you create a ticket here?

https://github.com/opnsense/plugins/issues

There's another OPNWAF issue open too, so just do it like that one.

About the timeframe: implementation, testing and review can take a while, a while meaning at least a few weeks until it's released in a Business version.
Hardware:
DEC740

Thanks Monviech!
Ticket created.

I understand the timeframe... I just need to make sure that nobody is playing around with the config until then, otherwise those changes are lost again.