Backporting Apache support for websockets reverse proxy (aka getting GateOne to work behind Apache)

Recently, I have been toying around with GateOne, a web-based SSH client/terminal emulator. However, installing it on my server proved to be a bit challenging: it requires tornado as a webserver, and uses websockets, while I have an Apache 2.2 instance already running with a few sites on it (and my authentication system configured for my tastes)

So, I looked how to configure a reverse proxy for GateOne, but websockets were not officially supported by Apache… until recently! Jim Jagielski added the proxy_wstunnel module in trunk a few weeks ago. From what I have seen on the mailing list, backporting to 2.4 is easy to do (and was suggested as an official backport), but 2.2 required a few additional changes to the original patch (and current upstream trunk).

A few fixes later, I got a working patch (based on Apache 2.2.24), available here: http://cafarelli.fr/gentoo/apache-2…

Recompile with this patch, and you will get a nice and shiny mod_proxy_wstunnel.so module file!

Now just load it (in /etc/apache2/httpd.conf in Gentoo):

<IfDefine PROXY>
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
</IfDefine>

and add a location pointing to your GateOne installation:

<Location /gateone/ws>
ProxyPass wss://127.0.0.1:1234/gateone/ws
ProxyPassReverse wss://127.0.0.1:1234/gateone/ws
</Location>

<Location /gateone>
Order deny,allow
Deny from all
Allow from #your favorite rule

ProxyPass http://127.0.0.1:1234/gateone
ProxyPassReverse http://127.0.0.1:1234/gateone
</Location>

Reload Apache, and you now have Gateone running behind your Apache server :) If it does not work, first check GateOne log and configuration, especially the “origins” variable

For other websocket applications, Jim Jagielski comments here :

ProxyPass /whatever ws://websocket-srvr.example/com/

Basically, the new submodule adds the ‘ws’ and ‘wss’ scheme to the allowed protocols between the client and the backend, so you tell Apache that you’ll be talking ‘ws’ with the backend (same as ajp://whatever sez that httpd will be talking ajp to the backend).

Update 1: a user-friendly howto on how to apply this patch on Ubuntu is now available here

3 thoughts on “Backporting Apache support for websockets reverse proxy (aka getting GateOne to work behind Apache)”

  1. Hi Voyageur

    Do you have any idea if this reverse proxy will also support load balancing the WebSocket connections?
    Basically we will have no of users connecting to our WebSockets application and we would like to distribute the load over multiple WebSocket Server at backend.

    Thanks

  2. Good question! As this new module mostly adds support for "ws://" and "wss://" protocols in mod_proxy, it should work transparently with its load balancer part (mod_proxy_balancer module).

    For a from-scratch setup though, nginx looks like a better solution as it supports websockets for some time and has known working examples for load balancing. haproxy should do the trick too

  3. Yup, works. But I wanted to try to ssl proxy gdk’s Broadway backend websockets. Its working on my setup. I hunted for a few days looking. I do have one small problem were broadwayd gets hung up on orphaned connections. I have version 2.2.15 of apache I took the patch an applied it to the 2.2.24 base, complied the proxy modules only, and installed them, I’ll upgrade httpd in a few days, but for now I’m fine. Here are the lines I needed in ssl.conf

    <Location /socket>
    ProxyPass ws://127.0.0.1:8080/socket
    ProxyPassReverse ws://127.0.0.1:8080/socket
    </Location>

    <Location /socket-bin>
    ProxyPass ws://127.0.0.1:8080/socket-bin
    ProxyPassReverse ws://127.0.0.1:8080/socket-bin
    </Location>

    for now I have the broadway.js in my doc root.

    HTH

Comments are closed.