Apache reverse proxy for websockets

Question

I'm using Apache on my server to proxy traffic on port 80 and 443 out to separate VM's running different websites and services. I'm having trouble setting up a proxy for MeshCentral which requires websockets. I'm using Debian 10 with Apache 2.4.38.

I can load MeshCentral, but once I login it tries to use websockets and I get the following error;

Firefox can’t establish a connection to the server at wss://example.com/control.ashx?auth=Uu7PBFNsswzzWoQaVNPH2N3ZwkWbx7DSsljaaY8cxthO5fcPVSz@sqLbGzyOpvxTxvfmV7WgwLdRklqLNYC5KQTjrZPCYDcNDvJ0AY7V8DGdUk68jK3sPfnc$Sl7rvhaQwR1xBukiZ8=. meshcentral.js:27:21

I've added the wstunnel proxy

a2enmod proxy_wstunnel

And setup HTTP and HTTPS proxies which work fine

/etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
  ServerName example.com
  ProxyPreserveHost On
  ProxyPass        "/" "http://192.168.200.11/"
  ProxyPassReverse "/" "http://example.com/"
</VirtualHost>

/etc/apache2/sites-enabled/000-default-le-ssl.conf

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName example.com

    RewriteEngine on
    RewriteCond ${HTTP:UPGRADE} websocket [NC]
    RewriteCond ${HTTP:CONNECTION} upgrade [NC]
    RewriteRule /(.*) "wss://example.com/$1" [P]

    ProxyPreserveHost On
    ProxyPass        "/" "https://192.168.200.11/"
    ProxyPassReverse "/" "https://example.com/"

    SSLProxyEngine On
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
  </VirtualHost>
</IfModule>

I've restarted apache before I tried loading the page in firefox and also tried google-chrome, same error.

Answer 1

You can try with:

Ubuntu

a2enmod proxy

a2enmod proxy_http

a2enmod proxy_wstunnel

Centos

1. Open the module configuration file for proxies. sudo vi /etc/httpd/conf.modules.d/00-proxy.conf
2. All modules related to proxying are listed in this configuration file. Verify that the following lines exist and are uncommented. LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule proxy_wstunnel modules/mod_proxy_wstunnel.so
3. If you made any changes to the file, save them now.
4. Restart Apache Web Server to apply your changes. sudo systemctl restart httpd

Configuration:

<VirtualHost *:443>
  ServerName ws.serverlab.ca
  
  RewriteEngine on
  RewriteCond ${HTTP:Upgrade} websocket [NC]
  RewriteCond ${HTTP:Connection} upgrade [NC]
  RewriteRule .* "wss:/localhost:3000/$1" [P,L]
  
  <Proxy balancer://backend-cluster>
    BalancerMember http://server01:3000
    BalancerMember http://server02:3000
    BalancerMember http://server03:3000
  </Proxy>

  ProxyPass / balancer://backend-cluster/
  ProxyPassReverse / balancer://backend-cluster/
  ProxyRequests off
</VirtualHost>

ServerName ws.serverlab.ca The hostname of the virtual web host that will handle the WebSocket connections.

RewriteEngine on Used to set the status of the RewriteEngine to either on or off. To support WebSockets it must be turned on.

RewriteCond ${HTTP:Upgrade} websocket [NC] A condition that must be matched in order for a request to be processed by the RewriteRule.

RewriteCond ${HTTP:Connection} upgrade [NC] To something

RewriteRule. “wss:/ws-backend%{REQUEST_URI}” [P] * Rewrite all incoming requests to use the wss protocol, and replace the destination hostname to that of a backend service.

Documentation from: How to Reverse Proxy Websockets with Apache 2.4