[Bug 1445914] Re: Secure web socket proxy does not work in Apache 2.4.7

Marc Deslauriers marc.deslauriers at canonical.com
Tue Sep 15 12:38:33 UTC 2015


Thanks for the debdiff. The patch looks good, but could you please add
proper DEP-3 patch tags, including the Origin tag?

For example:

Description: xxx
Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1594625
Author: xxx

See the following for more information:

http://dep.debian.net/deps/dep3/

Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1445914

Title:
  Secure web socket proxy does not work in Apache 2.4.7

Status in Apache2 Web Server:
  Fix Released
Status in apache2 package in Ubuntu:
  Triaged

Bug description:
  [Impact]

  In Apache 2.4.7 the wstunnel proxy has a bug where a plain-text
  request is sent to a WSS URL. The bug is described in
  https://bz.apache.org/bugzilla/show_bug.cgi?id=55320 and fixed in
  2.4.10 with a very short and non-invasive patch.

  [Test Case]

  This is a testcase involving websockify and NoVNC.

  On Host A install a VNC server listening on port 5900. On the same
  host also install websockify to make VNC accessible through websocket.
  Launch websockify with

  websockify --cert privatecert.pem --ssl-only 6080 localhost:5900

  where privatecert.pem contains both a certificate and the
  corresponding private key.

  On Host B install Apache 2.4 and download NoVNC in the directory /vnc
  inside the document root. Enable SSL and the websocket proxy with

  a2enmod proxy proxy_http proxy_wstunnel ssl

  Add the following configuration directives for Apache:

  <Location /ws/client>
     ProxyPass wss://HostA:6080
  </Location>

  Now, connecting with a browser at the following URL:

  https://HostB/vnc/vnc.html?host=HostB&path=/ws/client/websockify&connectTimeout=5&disconnectTimeout=5&port=443&autoconnect=1

  should launch a remote VNC session on HostB, but it does not work
  because the tunnel created by ProxyPass does not really use SSL.

  [Regression Potential]

  If someone had incorrectly configured Apache to use a WSS proxy
  towards a server which only supports WS, this would stop working after
  the bug is fixed. This can be fixed by replacing the WSS schema with WS.

  OS: Ubuntu 14.04.2 LTS
  Package:  2.4.7-1ubuntu4.4

To manage notifications about this bug go to:
https://bugs.launchpad.net/apache2/+bug/1445914/+subscriptions
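
The following audit sketch is an added example, not part of the original message or of the Apache or Ubuntu code. It lists the `ProxyPass` directives with a `wss://` backend when the upstream version predates 2.4.10, the release the bug description names as fixed. The sample configuration, function names and output format are constructed for illustration, and because a distribution package may carry a backported patch, a hit means "check the package changelog", not "confirmed affected".

```python
import re

FIXED_IN = (2, 4, 10)  # upstream release carrying the fix, per the bug description

# Constructed sample, modelled on the test case's configuration.
SAMPLE_CONF = """\
<Location /ws/client>
   ProxyPass wss://HostA:6080
</Location>
ProxyPass /plain ws://HostA:6081/
# ProxyPass /old wss://HostC:6080/
"""

def upstream_version(pkg_version):
    """'2.4.7-1ubuntu4.4' or '1:2.4.7-1' -> (2, 4, 7); epoch and revision ignored."""
    m = re.match(r"(?:\d+:)?(\d+)\.(\d+)\.(\d+)", pkg_version)
    if not m:
        raise ValueError("unrecognised version: %r" % pkg_version)
    return tuple(int(g) for g in m.groups())

def find_wss_backends(conf_text):
    """Return (line number, proxied path, backend URL) for each wss:// ProxyPass."""
    hits, location = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directives
        m = re.match(r"<Location(?:Match)?\s+([^>]+)>", line, re.I)
        if m:
            location = m.group(1).strip().strip('"')
            continue
        if re.match(r"</Location", line, re.I):
            location = None
            continue
        tokens = line.split()
        if tokens[0].lower() not in ("proxypass", "proxypassmatch"):
            continue
        for i, tok in enumerate(tokens[1:], 1):
            if tok.lower().startswith("wss://"):
                # Inside <Location> the path is implied; otherwise it precedes the URL.
                path = location if i == 1 else tokens[i - 1]
                hits.append((lineno, path, tok))
    return hits

def audit(pkg_version, conf_text):
    """wss:// backends to review if the upstream version predates the fix, else []."""
    if upstream_version(pkg_version) >= FIXED_IN:
        return []
    return find_wss_backends(conf_text)

if __name__ == "__main__":
    for lineno, path, backend in audit("2.4.7-1ubuntu4.4", SAMPLE_CONF):
        print("line %d: %s -> %s (confirm the backend leg uses TLS)" % (lineno, path, backend))
```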