Websocket does not support NTLM proxy

[stonecai]

With latest version (2.1.0-alpha1), As the following codes, it works fine while connectiong to server with http; but it is failed for websocket, it alway returns 501 status code. does asynch-http-client support the proxy with NTML schema?

Scenario 1: connecting www.google.com, connection established

String url="http://www.google.com";
DefaultAsyncHttpClientConfig.Builder configBuilder = new DefaultAsyncHttpClientConfig.Builder();
configBuilder.setWebSocketMaxFrameSize(WEBSOCKET_MAX_FRAME_SIZE);
boolean isWss = SSLConfigurationUtil.isWssConnection(url);
setProxyConfig(configBuilder);
AsyncHttpClientConfig cf = configBuilder.build();
client = new DefaultAsyncHttpClient(cf);
Future<Response> responseFuture = client.prepareGet(url).execute();
int status = responseFuture.get().getStatusCode(); //status ==200, success

Scenario 2: connecting to websocket, failed. return 501 status code

String url="ws://192.168.1.100/hello";
DefaultAsyncHttpClientConfig.Builder configBuilder = new DefaultAsyncHttpClientConfig.Builder();
configBuilder.setWebSocketMaxFrameSize(WEBSOCKET_MAX_FRAME_SIZE);
boolean isWss = SSLConfigurationUtil.isWssConnection(url);
setProxyConfig(configBuilder);
AsyncHttpClientConfig cf = configBuilder.build();
client = new DefaultAsyncHttpClient(cf);
WebSocketUpgradeHandler.Builder wsHandlerBuilder = new WebSocketUpgradeHandler.Builder();
wsHandlerBuilder.addWebSocketListener(new NettyWebSocketByteListener());
WebSocketUpgradeHandler upgradeHandler = wsHandlerBuilder.build();
WebSocket session = client.prepareGet(url).execute(upgradeHandler).get(); //Invalid Status Code 501

private void setProxyConfig(Builder configBuilder) {
    try {
        ProxyServer.Builder psBuilder = new ProxyServer.Builder(proxyHost, Integer.valueOf(proxyPort));

        Realm.Builder realmBuilder = new Realm.Builder(proxyUsername, proxyPassword);
        realmBuilder.setUsePreemptiveAuth(true);
        realmBuilder.setNtlmDomain(proxyUserDomain);
        realmBuilder.setNtlmHost(proxyHost);
        realmBuilder.setScheme(AuthScheme.NTLM);
        Realm realm = realmBuilder.build();
        psBuilder.setRealm(realm);

        ProxyServer proxyServer = psBuilder.build();
        configBuilder.setProxyServer(proxyServer);
    } catch (Exception e) {
        log.error(e.getMessage(), e);
    }
}

[slandelle]

does asynch-http-client support the proxy with NTML schema?

Yes, it's supposed to. But NTLM support might not be bullet-proof, as I can't get my hands on such environment.
Honestly, the best way to get this right is to investigate it yourself.

[stonecai]

Thanks slandelle!
If I use the CONNECT method. That is something like client.prepareConnect(), then it can route to the websocket server success. But unfortunately websocket seems only support GET method, the 405 status code returned.

[slandelle]

Do you have any idea how I could easily get a NTLM proxy running (without a Windows host)?

[stonecai]

Hi @slandelle, we hava a NTLM server in internal network for testing. Currently I can not find a NTLM proxy can be reached on the internet.

[stonecai]

Might I ask one more question? WebSocketUpgradeHandler in asynch-http-client requires CONNECT or GET method; According to the information from RFC (https://tools.ietf.org/html/rfc6455), the method of the WEBSOCKET request MUST be GET. So is there a way to use CONNECT for negotiating with NTLM proxy then use GET for WEBSOCKET in asynchttpclient?

[slandelle]

According to the information from RFC (https://tools.ietf.org/html/rfc6455), the method of the WEBSOCKET request MUST be GET.

Read 4.1.3, client must perform a CONNECT when connecting through a proxy.

Currently I can not find a NTLM proxy can be reached on the internet.

Me neither. Nor a virtual box or docker image. NTLM is an entreprisey thingy, and sadly entreprises tend to rarely share. Except if I can get my hands on an NTLM environment, I won't be able to investigate this myself without a contract.

[stonecai]

Hi slandelle, thanks for the update.
After degrading the version from 2.1.0-alpha1 to 2.0.14, use wss instead of ws, the websocket can go through the proxy and connect to server successful. It might be some bugs within websocket in version 2.1.0-alpha1 but I can not identify it. We will keep investigating on it and provide the update if any finding. Thank you.

[slandelle]

use wss instead of ws

CONNECT is used for HTTP proxy tunneling, ie HTTS. You use a different path in the code. I don't think the fact that it works now has anything to do with downgrading.

[potatop]

commit d596056 seems to have broken ntlm proxy.

[potatop]

Changing

if (attribute instanceof OnLastHttpContentCallback && msg instanceof LastHttpContent) {
    ((OnLastHttpContentCallback) attribute).call();
}

to

if (attribute instanceof OnLastHttpContentCallback) {
    if (msg instanceof LastHttpContent) {
        ((OnLastHttpContentCallback) attribute).call();
    }
}

fix the problem

[slandelle]

??? Both are absolutely identical!!!

[slandelle]

Ah, ok, there's a second branch that is missing from your code.

[potatop]

when msg is DefaultHttpContent and not LastHttpContent the channel is closed by the last if else.

[slandelle]

Thanks!

[potatop]

Wow, that was fast. Thank you!

Will this be back ported to the 2.0 branch, and do you know when the next release is going to be?

[slandelle]

Will this be back ported to the 2.0 branch

No. I don't do backports, and anyway, AHC 2.0 is based on Netty 4.0 which is EOL'ed too.

do you know when the next release is going to be?

Maybe today