httpd-dev mailing list archives

From Jan Kaluža <jkal...@redhat.com>
Subject Re: mod_proxy_wstunnel ignores proxy_wstunnel_transfer errors
Date Wed, 18 Mar 2015 07:07:20 GMT
On 03/17/2015 02:06 PM, Yann Ylavic wrote:
> On Tue, Mar 17, 2015 at 1:47 PM, Jan Kaluža <jkaluza@redhat.com> wrote:
>> On 03/17/2015 01:23 PM, Yann Ylavic wrote:
>>>
>>> On Tue, Mar 17, 2015 at 12:38 PM, Jan Kaluža <jkaluza@redhat.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have found out that when WSS is used and SSL handshake fails, httpd closes
>>>> client connection without any response to the client.
>>>
>>>
>>> If the SSL handshake fails, there is no SSL established connection
>>> which we can send an HTTP response on.
>>> We can only send an SSL alert in this case, and I think mod_ssl takes
>>> care of this already (this occurs while reading the request header,
>>> before mod_proxy_wstunnel IMHO).
>>
>>
>> Hm, maybe I described it wrongly. What I see here is "Empty response from
>> server"
>
> Sorry, you were obviously talking about SSL handshake with the backend...
>
>> when I do the following:
>>
>> 1. Use this configuration:
>>
>> ProxyTimeout 2
>> SSLProxyEngine on
>> <Location /test/>
>>      ProxyPass https://localhost:8080/
>>      ProxyPassReverse https://localhost:8080/
>>      ProxyPass wss://localhost:8080/
>>      ProxyPassReverse wss://localhost:8080/
>> </Location>
>>
>>
>> 2. nc -l 8080 < /dev/null
>>
>> 3. curl -v --insecure https://127.0.0.1/test/
>> (...)
>>> GET /test/ HTTP/1.1
>>> User-Agent: curl/7.29.0
>>> Host: 127.0.0.1
>>> Accept: */*
>>>
>> * Empty reply from server
>> * Connection #0 to host 127.0.0.1 left intact
>> curl: (52) Empty reply from server
>>
>> With httpd-2.4.6 I see an error response in this case and I think it really
>> should return something.
>
> I see now, the handshake failure indeed occurs in the poll()ing loop
> when the first packets are read/sent from/to the backend.
> But still once the connection is Upgrade-d, it is quite application
> specific whether or not an HTTP response should be sent to the client,
> and when (only if nothing has been sent already, anytime?). IOW, what
> would the backend do if it fails after the Upgrade has been
> negotiated?

I have no big knowledge of WebSockets, but it should be possible to
detect the Switching Protocol header and return an HTTP error if some error
happens before we switch to WebSocket.

Would this be acceptable, or do you think this empty reply is not worth
fixing this way?

> Regards,
> Yann.
>

Regards,
Jan Kaluza
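
The check proposed in this message, sketched as an added example (not code from mod_proxy_wstunnel or from anyone in the thread): a decision function that separates a backend failure before the `101` response from one after it. All names are hypothetical, the choice of 502 as the error is an assumption, and it assumes the proxy buffers the backend's response head before forwarding any of it to the client.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names for illustration; not httpd API. */
enum tunnel_action {
    NEED_MORE,    /* head incomplete, backend still healthy: keep reading */
    SEND_502,     /* failure before a valid head: client still expects HTTP */
    RELAY_HTTP,   /* backend refused the upgrade: relay its ordinary response */
    START_TUNNEL, /* 101 received: switch to opaque byte relay */
    CLOSE_ONLY    /* failure after 101: an HTTP error can no longer be sent */
};

/* Length of the response head including the blank line, or 0 if incomplete. */
static size_t head_length(const char *buf, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0)
            return i + 4;
    return 0;
}

/* Parse "HTTP/1.x NNN"; return the status code, or -1 if malformed. */
static int status_code(const char *buf, size_t len)
{
    if (len < 12 || memcmp(buf, "HTTP/1.", 7) != 0 || buf[8] != ' ')
        return -1;
    int code = 0;
    for (int i = 9; i < 12; i++) {
        if (buf[i] < '0' || buf[i] > '9')
            return -1;
        code = code * 10 + (buf[i] - '0');
    }
    return code;
}

/* buf/len: bytes buffered from the backend so far (assumed to be retained by
 * the caller); backend_failed: non-zero on EOF, timeout or TLS handshake error. */
enum tunnel_action decide(const char *buf, size_t len, int backend_failed)
{
    size_t head = head_length(buf, len);
    if (head == 0)
        return backend_failed ? SEND_502 : NEED_MORE;
    int code = status_code(buf, head);
    if (code < 0)
        return SEND_502;
    if (code == 101)
        return backend_failed ? CLOSE_ONLY : START_TUNNEL;
    return RELAY_HTTP;
}
```

The `nc -l 8080 < /dev/null` reproduction above corresponds to `decide("", 0, 1)`: the backend fails with zero bytes received, so the client would get an HTTP error instead of an empty reply.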

