
apache 2.4.6 reverseproxy mod_proxy_wstunnel for secure websocket wss:// fails

I'm trying to configure apache server 2.4.6, the newest version that supports websocket proxy.

I got the non-secure websocket connection to work as expected, and the HTTPS proxy is working as well [this is to remove SSL config as the root cause]. But my wss:// connection fails. While troubleshooting with Wireshark I learned that the wss:// connection is made via plain text.

Here's my apache configuration:

<VirtualHost *:4043>

ServerName cbscclrd.ca.wm.com
LogLevel debug
ErrorLog "/apps/apache/httpd-2.4.6/logs/errorSSL_log"
TransferLog "/apps/apache/httpd-2.4.6/logs/access_log"

SSLCertificateFile "/apps/FXD1D2/SSLKeyStore/sdpssl_cert-dev.cer"
SSLCertificateKeyFile "/apps/FXD1D2/SSLKeyStore/sdp-private-key-no-password.pem"
SSLCACertificateFile "/tmp/Apache-PKG/CAchain.pem"

    SSLEngine on
    SSLProxyEngine on
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / wss://cbscclrd.ca.wm.com:443 retry=0 keepalive=On
    ProxyPassReverse / wss://cbscclrd.ca.wm.com:443 retry=0

</VirtualHost>

When the connection is initiated to wss://cbscclrd.ca.wm.com:443 it's in plaintext format, hence the server listening on "cbscclrd.ca.wm.com:443" rejects the connection with the following error message: javax net ssl SSLException

Any help will be greatly appreciated.

DennisB asked Jul 26 '13 19:07



2 Answers

This is a bug in mod_proxy_wstunnel. It will always send plaintext to the backend server regardless of the url scheme (ws:// or wss://).

The bug is reported here: https://issues.apache.org/bugzilla/show_bug.cgi?id=55320

The bugfix is rather simple (and provided in the bug report). So if you really need the wss:// backend communication, you might want to apply it yourself & rebuild the module.

henning77 answered Oct 23 '22 05:10
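
A way to confirm from the backend side whether the proxy really speaks TLS on the wss:// hop, as the answer above says it does not. This is an added example, not code from the answer or from Apache; the function names, the constructed sample bytes and the use of 127.0.0.1:4002 as a temporary probe target are assumptions.

```python
import socket

# Constructed samples: the start of a TLS ClientHello record, and the cleartext
# WebSocket handshake a proxy emits when it skips TLS on the backend hop.
SAMPLE_TLS_CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")
SAMPLE_PLAINTEXT_UPGRADE = (b"GET / HTTP/1.1\r\nHost: backend.example:443\r\n"
                            b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n")

def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a proxy sent on its backend connection."""
    # TLS record header: content type 0x16 (handshake), then version 0x03 0x00-0x04.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    # Cleartext HTTP/1.x request line: METHOD SP TARGET SP HTTP/1.x
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/1."):
        if b"upgrade: websocket" in data.lower():
            return "plaintext-websocket-upgrade"
        return "plaintext-http"
    return "unknown"

def classify_connection(conn: socket.socket, timeout: float = 5.0) -> str:
    """Read the peer's first flight from an accepted socket and classify it."""
    conn.settimeout(timeout)
    data = b""
    try:
        while len(data) < 4096 and b"\r\n\r\n" not in data:
            if classify_first_bytes(data) == "tls":
                break  # a ClientHello is binary; no header terminator will come
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
    except socket.timeout:
        pass  # classify whatever arrived before the timeout
    return classify_first_bytes(data)

if __name__ == "__main__":
    # Assumption: a test ProxyPass temporarily targets wss://127.0.0.1:4002/.
    with socket.create_server(("127.0.0.1", 4002)) as srv:
        conn, peer = srv.accept()
        with conn:
            print(peer, classify_connection(conn))
```

A result of `plaintext-websocket-upgrade` on a wss:// target means the backend hop is unencrypted, which matches the SSLException seen on the real backend.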


in Apache-2.4_server.conf

ProxyPass "/ws/" "ws://127.0.0.1:4002/"
ProxyPass "/wss/" "wss://127.0.0.1:4002/"

...
LoadModule   proxy_module            modules/mod_proxy.so
LoadModule   proxy_wstunnel_module   modules/mod_proxy_wstunnel.so

Yura Zagoruyko answered Oct 23 '22 06:10