On 03/17/2015 02:06 PM, Yann Ylavic wrote:
On Tue, Mar 17, 2015 at 1:47 PM, Jan Kaluža <jkal...@redhat.com> wrote:
On 03/17/2015 01:23 PM, Yann Ylavic wrote:

On Tue, Mar 17, 2015 at 12:38 PM, Jan Kaluža <jkal...@redhat.com> wrote:

Hi,

I have found out that when WSS is used and SSL handshake fails, httpd closes
client connection without any response to the client.


If the SSL handshake fails, there is no SSL established connection
which we can send an HTTP response on.
We can only send an SSL alert in this case, and I think mod_ssl takes
care of this already (this occurs while reading the request header,
before mod_proxy_wstunnel IMHO).


Hm, maybe I described it wrongly. What I see here is "Empty response from server"

Sorry, you were obviously talking about SSL handshake with the backend...

when I do the following:

1. Use this configuration:

ProxyTimeout 2
SSLProxyEngine on
<Location /test/>
     ProxyPass https://localhost:8080/
     ProxyPassReverse https://localhost:8080/
     ProxyPass wss://localhost:8080/
     ProxyPassReverse wss://localhost:8080/
</Location>


2. nc -l 8080 < /dev/null

3. curl -v --insecure https://127.0.0.1/test/
(...)
GET /test/ HTTP/1.1
User-Agent: curl/7.29.0
Host: 127.0.0.1
Accept: */*

* Empty reply from server
* Connection #0 to host 127.0.0.1 left intact
curl: (52) Empty reply from server

With httpd-2.4.6 I see an error response in this case and I think it really
should return something.

I see now, the handshake failure indeed occurs in the poll()ing loop
when the first packets are read/sent from/to the backend.
But still once the connection is Upgrade-d, it is quite application
specific whether or not an HTTP response should be sent to the client,
and when (only if nothing has been sent already, anytime?). IOW, what
would the backend do if it fails after the Upgrade has been
negotiated?

I do not have much knowledge of WebSockets, but it should be possible to detect Switching Protocol header and return HTTP error if some error happens before we switch to WebSocket.

Would this be acceptable, or do you think this empty reply is not worth fixing this way?

Regards,
Yann.


Regards,
Jan Kaluza
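
The decision discussed in this thread, as an added illustration that is not code from httpd or from either poster: a proxy-side TLS handshake against a backend that sends only EOF (a constructed stand-in for `nc -l 8080 < /dev/null`), followed by the choice between an HTTP error and a bare close. The function names and the 502 status are assumptions made for this example.

```python
import socket
import ssl

# Assumed error reply; the thread only says "an error response".
BAD_GATEWAY = (b"HTTP/1.1 502 Bad Gateway\r\n"
               b"Content-Length: 0\r\nConnection: close\r\n\r\n")


def try_backend_tls(sock, timeout=2.0):
    """Attempt a TLS client handshake on a connected backend socket.

    Returns (tls_socket, None) on success or (None, exception) on failure.
    """
    ctx = ssl.create_default_context()   # certificate verification stays on
    sock.settimeout(timeout)             # same bound as ProxyTimeout 2
    try:
        return ctx.wrap_socket(sock, server_hostname="localhost"), None
    except OSError as exc:               # ssl.SSLError and timeouts are OSErrors
        return None, exc


def reply_for_backend_failure(error, response_started):
    """Pick what the client receives when the backend side fails.

    Before any response bytes were relayed (no 101 Switching Protocols yet)
    an HTTP error is still a valid answer. Afterwards the stream belongs to
    the WebSocket protocol, so the only option left is to close (None).
    """
    if error is None or response_started:
        return None
    return BAD_GATEWAY


def silent_backend():
    """Constructed backend: accepts the connection, sends EOF, speaks no TLS."""
    proxy_side, backend_side = socket.socketpair()
    backend_side.shutdown(socket.SHUT_WR)
    return proxy_side, backend_side


if __name__ == "__main__":
    proxy_side, backend_side = silent_backend()
    _, err = try_backend_tls(proxy_side)
    print("handshake error:", type(err).__name__)
    print(reply_for_backend_failure(err, response_started=False))
    backend_side.close()
```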
