
Forward local generated Secure Websocket traffic (wss) through an HTTP/HTTPS proxy to reach internet


I have a Python webex_bot application (https://github.com/fbradyirl/webex_bot) which uses websockets for Webex cloud communication. The problem is that the server on which the bot is hosted does not have direct reachability to the internet; you need to use a proxy server (10.13.140.88:3128).

WSS client -> HTTP/HTTPS Proxy -> Internet (WSS server)

After investigating, the bot does not accept any proxy-related arguments, so I needed to search for alternatives.

First resolution attempt: Forwarding the local proxy generated traffic with iptables:

sudo nano /etc/sysctl.conf
Uncommented: net.ipv4.ip_forward=1
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.13.140.88:3128
sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 10.13.140.88:3128

But after attempting to run the bot, an SSL error was observed:

2023-08-13 13:51:40  [INFO]  [webex_websocket_client.webex_bot.websockets.webex_websocket_client._connect_and_listen]:160 Opening websocket connection to wss://mercury-connection-partition0-a.wbx2.com/v1/apps/wx2/registrations/78f90e01-df70-405f-89c9-a8fe3a1bdad8/messages
2023-08-13 13:51:40  [ERROR]  [webex_websocket_client.webex_bot.websockets.webex_websocket_client.run]:175 runException: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1007)

After researching this issue, I think I was able to find the reason why it is failing:

"You cannot do this directly with iptables, because doing the "redirect" at layer 3/4 will not allow SSL negotiation to take place, as the client's browser will still be using plain HTTP.

What you need to do is use an HTTP 302 (or other 300-level) response code to redirect users to the HTTPS version of your site."

Second resolution attempt: Forwarding the local proxy generated traffic with nginx:

Tried the following configuration, but no success:

location ~ /ws.* {
    proxy_http_version 1.1;
    proxy_set_header Accept-Encoding "";
    proxy_set_header X-Real-IP 10.13.140.88;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For 10.13.140.88:3128;
    proxy_set_header XFORWARDEDPROTO https;
    proxy_set_header X-NginX-Proxy true;
    proxy_buffers 8 32k;
    proxy_buffer_size 64k;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_read_timeout 86400;
    proxy_pass http://10.13.140.88:3128;
}

Third resolution attempt: Forwarding the local proxy generated traffic with haproxy:

It seems that you need to perform a layer 7 redirect (302) for the HTTPS traffic to allow SSL negotiation. After researching, it seems that haproxy has the ability to perform this L7 (application layer) forwarding: https://www.haproxy.com/blog/redirect-http-to-https-with-haproxy

frontend local_ssl
        bind *:443 ssl crt /home/admin/apps/webex-bot/server.pem
        mode http
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        use_backend redirect_https_proxy if { req_ssl_sni -i 10.13.140.88:3128 }

backend redirect_https_proxy
        mode http
        server proxy_server 10.13.140.88:3128

But no success either; it indicates an error at the process level:

haproxy -f /etc/haproxy/haproxy.cfg -c
[WARNING]  (10715) : Proxy 'local_ssl': L6 sample fetches ignored on HTTP proxies (declared at /etc/haproxy/haproxy.cfg:41).
[WARNING]  (10715) : Proxy 'local_ssl': L6 sample fetches ignored on HTTP proxies (declared at /etc/haproxy/haproxy.cfg:40).
Warnings were found.
Configuration file is valid

And the service fails to run:

sudo systemctl status haproxy
× haproxy.service - HAProxy Load Balancer
     Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sun 2023-08-13 14:18:36 CST; 1h 11min ago
       Docs: man:haproxy(1)
             file:/usr/share/doc/haproxy/configuration.txt.gz
    Process: 10243 ExecStartPre=/usr/sbin/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=0/SUCCESS)
    Process: 10245 ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=1/FAILURE)
   Main PID: 10245 (code=exited, status=1/FAILURE)
        CPU: 122ms

Is the redirect even possible? Any workaround for this issue?

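As an added illustration (not the asker's code and not part of webex_bot): the piece the three attempts are missing is an HTTP CONNECT tunnel. A WSS client behind an HTTP proxy first sends a plaintext "CONNECT host:443" request to the proxy, waits for a 200, and only then starts TLS inside the tunnel; DNAT'ing port 443 to the proxy instead delivers the raw TLS ClientHello to the proxy, which answers with a plaintext HTTP error that OpenSSL reports as WRONG_VERSION_NUMBER. The proxy tuple and target host name below are constructed placeholders, and the fake proxy in the demo function only exists so the handshake logic can run offline.

```python
import socket, ssl, threading

def build_connect_request(host: str, port: int) -> bytes:
    """HTTP CONNECT request asking the proxy to open a raw TCP tunnel to host:port."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def read_http_head(sock: socket.socket) -> bytes:
    """Read an HTTP message up to the blank line that ends its header block."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection mid-headers")
        buf += chunk
    return buf

def looks_like_plaintext_http(data: bytes) -> bool:
    """A TLS record starts 0x16 0x03 0x0X; a reply starting 'HTTP/' is the plaintext
    error a DNAT'ed proxy sends back, which OpenSSL reports as WRONG_VERSION_NUMBER."""
    return data.startswith(b"HTTP/")

def connect_via_proxy(sock: socket.socket, host: str, port: int) -> int:
    """Send CONNECT over an open socket to the proxy; return its HTTP status code."""
    sock.sendall(build_connect_request(host, port))
    status_line = read_http_head(sock).split(b"\r\n", 1)[0].decode("latin-1")
    return int(status_line.split(" ")[1])

def open_wss_tunnel(proxy: tuple, host: str, port: int = 443) -> ssl.SSLSocket:
    """Tunnel through the proxy, then start TLS inside the tunnel: the ClientHello
    goes out only after the proxy says 200, so it reaches the real WSS server."""
    sock = socket.create_connection(proxy, timeout=10)
    status = connect_via_proxy(sock, host, port)
    if status != 200:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: HTTP {status}")
    ctx = ssl.create_default_context()  # verifies the WSS server's certificate
    return ctx.wrap_socket(sock, server_hostname=host)

def demo_tunnel_handshake(proxy_reply: bytes) -> int:
    """Offline demo: a fake proxy on one end of a socketpair answers with proxy_reply."""
    client_end, proxy_end = socket.socketpair()
    def fake_proxy():  # reads the CONNECT request, then sends the canned reply
        read_http_head(proxy_end)
        proxy_end.sendall(proxy_reply)
    worker = threading.Thread(target=fake_proxy)
    worker.start()
    status = connect_via_proxy(client_end, "wss-server.example.invalid", 443)
    worker.join()
    client_end.close(); proxy_end.close()
    return status
```

In the real deployment the call would be open_wss_tunnel(("10.13.140.88", 3128), "mercury-connection-partition0-a.wbx2.com"), after which the WebSocket upgrade is spoken over the returned TLS socket; a websocket library that accepts a pre-connected socket, or one with native http_proxy support, does the same thing internally.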
