Recently, I have been toying around with GateOne, a web-based SSH client/terminal emulator. However, installing it on my server proved to be a bit challenging: it requires tornado as a webserver, and uses websockets, while I have an Apache 2.2 instance already running with a few sites on it (and my authentication system configured for my tastes)
So, I looked how to configure a reverse proxy for GateOne, but websockets were not officially supported by Apache… until recently! Jim Jagielski added the proxy_wstunnel module in trunk a few weeks ago. From what I have seen on the mailing list, backporting to 2.4 is easy to do (and was suggested as an official backport), but 2.2 required a few additional changes to the original patch (and current upstream trunk).
A few fixes later, I got a working patch (based on Apache 2.2.24), available here: https://cafarelli.fr/gentoo/apache-2.2.24-wstunnel.patch
2015/10 update: a rebased patch for 2.2.31 (with a few additional fixes) is also available now at https://cafarelli.fr/gentoo/apache-2.2.31-wstunnel.patch
2016/01 update: if you get segmentation faults, this Apache bug could be interesting
Recompile with this patch, and you will get a nice and shiny mod_proxy_wstunnel.so module file!
Now just load it (in /etc/apache2/httpd.conf in Gentoo):
<IfDefine PROXY> LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so </IfDefine>
and add a location pointing to your GateOne installation:
<Location /gateone/ws> ProxyPass wss://127.0.0.1:1234/gateone/ws ProxyPassReverse wss://127.0.0.1:1234/gateone/ws </Location> <Location /gateone> Order deny,allow Deny from all Allow from #your favorite rule ProxyPass http://127.0.0.1:1234/gateone ProxyPassReverse http://127.0.0.1:1234/gateone </Location>
Reload Apache, and you now have Gateone running behind your Apache server If it does not work, first check GateOne log and configuration, especially the “origins” variable
For other websocket applications, Jim Jagielski comments here :
ProxyPass /whatever ws://websocket-srvr.example/com/
Basically, the new submodule adds the ‘ws’ and ‘wss’ scheme to the allowed protocols between the client and the backend, so you tell Apache that you’ll be talking ‘ws’ with the backend (same as ajp://whatever sez that httpd will be talking ajp to the backend).
Update 1: a user-friendly howto on how to apply this patch on Ubuntu is now available here