Backporting Apache support for websockets reverse proxy (aka getting GateOne to work behind Apache)

Recently, I have been toying around with GateOne, a web-based SSH client/terminal emulator. However, installing it on my server proved to be a bit challenging: it requires tornado as a webserver, and uses websockets, while I have an Apache 2.2 instance already running with a few sites on it (and my authentication system configured for my tastes).

So, I looked at how to configure a reverse proxy for GateOne, but websockets were not officially supported by Apache… until recently! Jim Jagielski added the proxy_wstunnel module in trunk a few weeks ago. From what I have seen on the mailing list, backporting to 2.4 is easy to do (and was suggested as an official backport), but 2.2 required a few additional changes to the original patch (and current upstream trunk).

A few fixes later, I got a working patch (based on Apache 2.2.24), available here:
2015/10 update: a rebased patch for 2.2.31 (with a few additional fixes) is also available now at
2016/01 update: if you get segmentation faults, this Apache bug could be interesting.

Recompile with this patch, and you will get a nice and shiny module file!

Now just load it (in /etc/apache2/httpd.conf in Gentoo):

<IfDefine PROXY>
LoadModule proxy_wstunnel_module modules/
</IfDefine>

and add a location pointing to your GateOne installation:

<Location /gateone/ws>
ProxyPass wss://
ProxyPassReverse wss://
</Location>

<Location /gateone>
Order deny,allow
Deny from all
Allow from #your favorite rule
</Location>

Reload Apache, and you now have GateOne running behind your Apache server 🙂 If it does not work, first check the GateOne log and configuration, especially the “origins” variable.
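To tell a proxy that is not tunnelling the upgrade apart from a backend that refuses the connection, it helps to look at the raw WebSocket opening handshake. The following is an added example, not code from the original post, GateOne or Apache: it builds the RFC 6455 handshake (including the Origin header a browser would send) and classifies the reply; the function names and the sample replies are constructed for illustration.

```python
import base64, hashlib, os

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

def build_handshake(host, path, origin, key=None):
    """Return (key, request bytes) for a WebSocket opening handshake."""
    key = key or base64.b64encode(os.urandom(16)).decode()
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        f"Origin: {origin}",  # the value an origin allow-list is compared to
        "", "",
    ]
    return key, "\r\n".join(lines).encode()

def expected_accept(key):
    """Sec-WebSocket-Accept the server must return for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()

def check_response(raw, key):
    """Classify the reply to the handshake as seen through the proxy."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status != 101:  # proxy did not tunnel, or backend refused the request
        return f"no upgrade (HTTP {status})"
    if headers.get("upgrade", "").lower() != "websocket":
        return "101 without Upgrade: websocket"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return "bad Sec-WebSocket-Accept"
    return "ok"

# Constructed sample replies (not captured from a real server).
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # example key from RFC 6455
GOOD = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
        b"Connection: Upgrade\r\n"
        b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
REJECTED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
```

Send the bytes from build_handshake over a TLS socket to the proxied location and pass the reply to check_response; anything other than "ok" means the tunnel is not established end to end.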

For other websocket applications, Jim Jagielski comments here:

ProxyPass /whatever ws://websocket-srvr.example/com/

Basically, the new submodule adds the ‘ws’ and ‘wss’ scheme to the allowed protocols between the client and the backend, so you tell Apache that you’ll be talking ‘ws’ with the backend (same as ajp://whatever sez that httpd will be talking ajp to the backend).

Update 1: a user-friendly howto on how to apply this patch on Ubuntu is now available here