[Bug 1445914] Re: Secure web socket proxy does not work in Apache 2.4.7
Marc Deslauriers
marc.deslauriers at canonical.com
Tue Sep 15 12:38:33 UTC 2015
Thanks for the debdiff. The patch looks good, but could you please add
proper DEP-3 patch tags, including the Origin tag?

For example:

    Description: xxx
    Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1594625
    Author: xxx

See the following for more information:
http://dep.debian.net/deps/dep3/

Thanks!
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1445914
Title:
  Secure web socket proxy does not work in Apache 2.4.7

Status in Apache2 Web Server:
  Fix Released
Status in apache2 package in Ubuntu:
  Triaged
Bug description:
[Impact]
In Apache 2.4.7 the wstunnel proxy has a bug where a plain-text
request is sent to a WSS URL. The bug is described in
https://bz.apache.org/bugzilla/show_bug.cgi?id=55320 and fixed in
2.4.10 with a very short and non-invasive patch.
[Test Case]
This is a testcase involving websockify and NoVNC.

On Host A install a VNC server listening on port 5900. On the same
host also install websockify to make VNC accessible through websocket.
Launch websockify with

    websockify --cert privatecert.pem --ssl-only 6080 localhost:5900

where privatecert.pem contains both a certificate and the
corresponding private key.

On Host B install Apache 2.4 and download NoVNC in the directory /vnc
inside the document root. Enable SSL and the websocket proxy with

    a2enmod proxy proxy_http proxy_wstunnel ssl

Add the following configuration directives for Apache:

    <Location /ws/client>
    ProxyPass wss://HostA:6080
    </Location>

Now, connecting with a browser at the following URL:

    https://HostB/vnc/vnc.html?host=HostB&path=/ws/client/websockify&connectTimeout=5&disconnectTimeout=5&port=443&autoconnect=1

should launch a remote VNC session on HostB, but it does not work
because the tunnel created by ProxyPass does not really use SSL.
[Regression Potential]
If someone had incorrectly configured Apache to use a WSS proxy
towards a server which only supports WS, this would stop working after
the bug is fixed. This can be fixed by replacing the WSS schema with WS.
OS: Ubuntu 14.04.2 LTS
Package: 2.4.7-1ubuntu4.4
To manage notifications about this bug go to:
https://bugs.launchpad.net/apache2/+bug/1445914/+subscriptions
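
Added example, not part of the bug report or of the Apache patch: a small check for the symptom described under [Impact], classifying the first bytes the proxy sends to the backend port as a TLS ClientHello or a plain-text WebSocket upgrade. The function names and both sample byte strings are constructed for illustration; the listener is an assumed stand-in for websockify on port 6080 from the test case.

```python
import socket

# Constructed samples (not captured traffic): the first bytes a backend would
# see from a proxy that starts TLS, and from one that sends plain text.
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xFC])
SAMPLE_PLAIN = (b"GET /websockify HTTP/1.1\r\nHost: HostA:6080\r\n"
                b"Upgrade: WebSocket\r\nConnection: Upgrade\r\n\r\n")


def classify_first_bytes(data: bytes) -> str:
    """Classify the opening bytes of a connection made to a wss:// backend."""
    # TLS record header: type 0x16 (handshake), major version 0x03, two length
    # bytes, then handshake message type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    head = data.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip().lower()
        if headers.get(b"upgrade") == b"websocket":
            return "plaintext-websocket-upgrade"
        return "plaintext-http"
    return "unknown"


def capture_first_bytes(port: int, timeout: float = 10.0) -> bytes:
    """Listen once on `port` in place of the backend; return what arrives first."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(timeout)
            return conn.recv(4096)


if __name__ == "__main__":
    print("constructed TLS sample:  ", classify_first_bytes(SAMPLE_TLS))
    print("constructed plain sample:", classify_first_bytes(SAMPLE_PLAIN))
    # To test a real proxy, stop the backend and run instead:
    # print(classify_first_bytes(capture_first_bytes(6080)))
```

A result of plaintext-websocket-upgrade on a port configured as wss:// in ProxyPass matches the behaviour the bug describes.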