Recently, I have been toying around with GateOne, a web-based SSH client/terminal emulator. However, installing it on my server proved to be a bit challenging: it requires tornado as a webserver, and uses websockets, while I have an Apache 2.2 instance already running with a few sites on it (and my authentication system configured for my tastes).
So, I looked into how to configure a reverse proxy for GateOne, but websockets were not officially supported by Apache… until recently! Jim Jagielski added the proxy_wstunnel module in trunk a few weeks ago. From what I have seen on the mailing list, backporting to 2.4 is easy to do (and was suggested as an official backport), but 2.2 required a few additional changes to the original patch (and current upstream trunk).
A few fixes later, I got a working patch (based on Apache 2.2.24), available here: https://cafarelli.fr/gentoo/apache-2.2.24-wstunnel.patch
2015/10 update: a rebased patch for 2.2.31 (with a few additional fixes) is also available now at https://cafarelli.fr/gentoo/apache-2.2.31-wstunnel.patch
2016/01 update: if you get segmentation faults, this Apache bug could be interesting.
Recompile with this patch, and you will get a nice and shiny mod_proxy_wstunnel.so module file!
Now just load it (in /etc/apache2/httpd.conf in Gentoo):
<IfDefine PROXY>
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
</IfDefine>
and add a location pointing to your GateOne installation:
<Location /gateone/ws>
ProxyPass wss://127.0.0.1:1234/gateone/ws
ProxyPassReverse wss://127.0.0.1:1234/gateone/ws
</Location>
<Location /gateone>
Order deny,allow
Deny from all
Allow from #your favorite rule
ProxyPass http://127.0.0.1:1234/gateone
ProxyPassReverse http://127.0.0.1:1234/gateone
</Location>
Reload Apache, and you now have GateOne running behind your Apache server 🙂 If it does not work, first check the GateOne log and configuration, especially the “origins” variable.
For other websocket applications, Jim Jagielski comments here:
ProxyPass /whatever ws://websocket-srvr.example/com/
Basically, the new submodule adds the ‘ws’ and ‘wss’ scheme to the allowed protocols between the client and the backend, so you tell Apache that you’ll be talking ‘ws’ with the backend (same as ajp://whatever sez that httpd will be talking ajp to the backend).
Update 1: a user-friendly howto on how to apply this patch on Ubuntu is now available here.
Hi Voyageur
Do you have any idea if this reverse proxy will also support load balancing the WebSocket connections?
Basically we will have a number of users connecting to our WebSockets application and we would like to distribute the load over multiple WebSocket servers at the backend.
Thanks
Good question! As this new module mostly adds support for "ws://" and "wss://" protocols in mod_proxy, it should work transparently with its load balancer part (mod_proxy_balancer module).
For a from-scratch setup though, nginx looks like a better solution as it has supported websockets for some time and has known working examples for load balancing. haproxy should do the trick too.
Yup, works. But I wanted to try to ssl proxy gdk’s Broadway backend websockets. It’s working on my setup. I hunted for a few days looking. I do have one small problem where broadwayd gets hung up on orphaned connections. I have version 2.2.15 of apache. I took the patch and applied it to the 2.2.24 base, compiled the proxy modules only, and installed them. I’ll upgrade httpd in a few days, but for now I’m fine. Here are the lines I needed in ssl.conf:
<Location /socket>
ProxyPass ws://127.0.0.1:8080/socket
ProxyPassReverse ws://127.0.0.1:8080/socket
</Location>
<Location /socket-bin>
ProxyPass ws://127.0.0.1:8080/socket-bin
ProxyPassReverse ws://127.0.0.1:8080/socket-bin
</Location>
For now I have the broadway.js in my doc root.
HTH