Score:0

Does Apache ProxyPass handle TLS for websocket too?


I'm new to ProxyPass. Let's say this is our config:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf


ServerName www.xzos.net
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias xzos.net
SSLCertificateFile /etc/letsencrypt/live/www.xzos.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.xzos.net/privkey.pem

<LocationMatch "/ray/">
        ProxyPass ws://127.0.0.1:1080/ray/ upgrade=WebSocket
        ProxyAddHeaders Off
        ProxyPreserveHost On
        RequestHeader set Host %{HTTP_HOST}s
        RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
</LocationMatch>
</VirtualHost>
</IfModule>

Since we provided these to Apache:

SSLCertificateFile /etc/letsencrypt/live/www.xzos.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.xzos.net/privkey.pem

We shouldn't need to use them in the websocket server running on ws://127.0.0.1:1080/ray/ as well, is that correct?

Even though we can do that, Apache handles it, right? And it's redundant to do it twice, especially since this is a local server, I guess. I think if we do that then ws://127.0.0.1:1080/ray/ needs to become wss://127.0.0.1:1080/ray/ and inside that websocket server we provide the same certificate keys.

Score:1

Using ProxyPass to proxy to an unsecured listener on localhost can still expose an attack surface. Are you concerned about somebody sniffing traffic on localhost? If I were a nefarious person with the appropriate access, I could tcpdump on the loopback interface on port 1080 and read the traffic. If you use wss:// then it would be more difficult to do so. I would use TLS on both links unless there is a technical reason not to, or if I was debugging the application and needed to get more information during that process.

Steve Moretz
I just didn't know whether Apache handles TLS for websocket at all or not; so it does, and that's my answer. But still, who can access your localhost on a VPS? If somebody has access to your VPS to run tcpdump on it, you should be more worried about the other things he/she can do!
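
The "TLS on both links" setup from the answer above, as an added configuration example that is not part of the original thread. It assumes the backend on port 1080 is switched to TLS with a certificate for the name `localhost` issued by a private CA; the CA file path is a placeholder.

```apache
# Added example; goes inside the existing <VirtualHost *:443> block.
# Requires mod_ssl, mod_proxy and mod_proxy_wstunnel to be enabled.

# Hop 1 (client -> Apache) is already covered by SSLCertificateFile and
# SSLCertificateKeyFile. The directives below make Apache act as a TLS
# client on hop 2 (Apache -> websocket server).
SSLProxyEngine On
SSLProxyVerify require
SSLProxyCheckPeerName On
# Placeholder path (assumption): the CA that issued the backend certificate.
SSLProxyCACertificateFile /etc/ssl/private-ca/backend-ca.pem

<Location "/ray/">
    # As in the question: hop 2 is plaintext on the loopback interface,
    # which is the traffic the answer says can be captured on port 1080.
    # ProxyPass ws://127.0.0.1:1080/ray/

    # Hop 2 over TLS. The backend must listen with TLS and present a
    # certificate issued by the CA above for the name in this URL
    # ("localhost" here is an assumption, and it must resolve to the
    # address the backend listens on).
    ProxyPass wss://localhost:1080/ray/
</Location>
```

With the `ws://` line active instead, Apache still terminates TLS for the client and the backend needs no certificate; only the loopback hop is unencrypted.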
Score:0

I can add my two cents.

Let's focus on <LocationMatch "/ray/">. How is Apache supposed to recognize the path /ray/ if it is encapsulated in a TLS encrypted channel? Of course Apache has to handle TLS in order to decrypt the HTTP handshake and see GET /whatever/, then decide if it matches the location.
