Apache mod_proxy: forward secure websocket to non-secure

Question

The websocket library I rely on (PHP-Websockets) does not yet support secure sockets (wss). My website is served over https though, so I cannot use insecure ws connections.

I'm trying to use Apache's mod_proxy to forward the secure request that comes from the browser on to the client.

Javascript

var ws = new Websocket('wss://example.com/_ws_/');

Apache VirtualHosts

ProxyPass        "/_ws_/" "ws://127.0.0.1:8080/"
ProxyPassReverse "/_ws_/" "ws://127.0.0.1:8080/"
# I've also tried "/_ws_/" "ws://example.com:8080/"  Same error below

Upon trying to connect, the browser receives a 500 Server Error. The logs show:

No protocol handler was valid for the URL /_ws_/. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

I've confirmed that if I remove the proxy rules, stop redirecting users to https and try to connect to insecure sockets from the browser: new Websocket('ws://example.com/'), things work just fine.

My loaded Apache modules include mod_ssl.c, mod_proxy.c and mod_proxy_http.c

Apache 2.4

BeetleJuice · Accepted Answer · 2016-09-30T18:49:50.240

13

To get things to work, I also needed to load mod_proxy_wstunnel

Once I did, this ruleset got things working: (in the VirtualHost of the domain that receives and proxies the websocket request)

<IfModule mod_proxy.c>
    ProxyPass "/_ws_/" "ws://127.0.0.1:8080/"
    ProxyPassReverse "/_ws_/" "ws://127.0.0.1:8080/"
</IfModule>

The browser can then contact the backend WS server through the HTTPS port:

var ws = new Websocket('wss://example.com/_ws_/');

edited Sep 30 '16 at 18:49

answered Sep 30 '16 at 16:48

BeetleJuice

411
2
4
11

How should this be applied if the socket url is of this format? ws://127.0.0.1:8080/script.php – Gilles Lesire Mar 24 '21 at 22:30

score 1 · Answer 2 · answered Jul 07 '22 at 02:07

My rep did not give me enough permission to upvote an upper comment, I really struggled to find the best answer so it is and I will share a complete example maybe it will be helpful for some of you.

<VirtualHost *:80>
    ServerName yourdomain.com
    DocumentRoot THEPATHGOESHERE/public
    DirectoryIndex index.php
    <Directory THEPATHGOESHERE/>
      AllowOverride All
      Order Deny,Allow
      Allow from all
    </Directory>
</VirtualHost>

<IfModule mod_ssl.c>
  <VirtualHost *:443>
      ServerName yourdomain.com
      DocumentRoot THEPATHGOESHERE/public
      DirectoryIndex index.php
      <Directory THEPATHGOESHERE/>
        AllowOverride All
        Order Deny,Allow
        Allow from all
      </Directory>

      SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/yourdomain.com/privkey.pem
      Include /etc/letsencrypt/options-ssl-apache.conf

      <IfModule mod_proxy.c>
          ProxyPass "/connection/websocket" "ws://yourdomain.com:8088/connection/websocket"
          ProxyPassReverse "/connection/websocket" "ws://yourdomain.com:8088/connection/websocket"
      </IfModule>

  </VirtualHost>
</IfModule>

Apache mod_proxy: forward secure websocket to non-secure

2 Answers2

Linked