I'm trying to configure websockets using httpd proxy and reverse proxy but it doesn't seem to work. If I use the Tomcat server directly, everything is fine; if I call it through Apache httpd, the response status is 200. This means Apache httpd cannot interpret the websocket request and switch the protocol, right?
This is my httpd config for my app:
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost 10.224.130.50:80>
    ServerName myhost
    Redirect permanent / https://myhost/
</VirtualHost>
<VirtualHost 10.224.130.50:443>
    ServerName myhost
    ErrorLog logs/myhost.error.log
    CustomLog logs/myhost.access.log common
    ProxyPass /ws/ wss://localhost:8443/ws/ retry=0
    ProxyPassReverse /ws/ wss://localhost:8443/ws/ retry=0
    ProxyPass / https://myhost:8443/ connectiontimeout=600 timeout=1200
    ProxyPassReverse / https://myhost:8443/
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLCertificateFile "/etc/pki/tls/certs/myhost.cer"
    SSLCertificateKeyFile "/etc/pki/tls/private/myhost.key"
</VirtualHost>
And this is the Connector config for Apache Tomcat:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/root/.keystore"
           keystorePass="password" />
I think the problem may be slashes:
NOTE: Pay strict attention to the slashes "/" or lack thereof! WebSocket url endpoint
ProxyPass /ws/ wss://localhost:8443/ws
ProxyPassReverse /ws/ wss://localhost:8443/ws
More information here: tunneling-secure-websocket-connections-with-apache
This worked for me, but I needed one additional line because of the Java Spring framework on my internal application.
Here's the whole solution as a proxy file:
<Location /outside-app>
    # WEBSOCKET
    Header always add "Access-Control-Allow-Origin" "*"
    ProxyPass wss://internal.company.com:11111/application
    RewriteEngine on
    Require all granted
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RewriteRule .* https://internal.company.com:11111/application/$1 [P,L]
    # REVERSE PROXY
    ProxyPass https://internal.company.com:11111/application
    ProxyPassReverse https://internal.company.com:11111/application
</Location>
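A small linter for the httpd settings discussed above, added here as an example and not part of the original posts: it flags ProxyPass rules shadowed by an earlier, broader rule (httpd tries rules in configuration order), trailing-slash mismatches between path and target, and SSLProxy* directives that switch off backend certificate checks. The function name `lint_proxy_config` and the sample input are constructed for illustration.

```python
# Flags backend-TLS and ProxyPass issues in an httpd config (added example).
# Directive/value pairs that turn off checks on the backend's certificate.
WEAK_PROXY_TLS = {
    "sslproxyverify": "none",
    "sslproxycheckpeercn": "off",
    "sslproxycheckpeername": "off",
    "sslproxycheckpeerexpire": "off",
}

def lint_proxy_config(text):
    """Return (line_number, message) findings for an httpd config string."""
    findings = []
    earlier = []  # (path, line_number) of ProxyPass rules seen in this scope
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("<"):
            earlier = []  # entering or leaving <VirtualHost>/<Location>
            continue
        name, args = parts[0].lower(), parts[1:]
        if args and WEAK_PROXY_TLS.get(name) == args[0].lower():
            findings.append((n, f"{parts[0]} {args[0]}: backend certificate check disabled"))
        # Two-argument form only; inside <Location> the path is implicit.
        elif name == "proxypass" and len(args) >= 2 and args[0].startswith("/"):
            path, target = args[0], args[1]
            if target != "!" and path.endswith("/") != target.endswith("/"):
                findings.append((n, "trailing slash differs between path and target"))
            # Rules are tried in configuration order and the first match wins.
            for prev, m in earlier:
                if path == prev or path.startswith(prev.rstrip("/") + "/"):
                    findings.append((n, f"never reached: ProxyPass {prev} on line {m} matches first"))
            earlier.append((path, n))
    return findings

# Constructed sample: the question's directives with the ProxyPass lines swapped.
SAMPLE = """\
<VirtualHost 10.224.130.50:443>
ProxyPass / https://myhost:8443/ connectiontimeout=600 timeout=1200
ProxyPass /ws/ wss://localhost:8443/ws/ retry=0
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerName off
</VirtualHost>
"""

if __name__ == "__main__":
    for n, msg in lint_proxy_config(SAMPLE):
        print(f"line {n}: {msg}")
```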