Doc: fixing Apache websocket example #3174

Merged
tardyp merged 2 commits into buildbot:master from gracinet:0.9-fix-apache-doc-websocket
May 11, 2017

@gracinet gracinet commented May 4, 2017

Hello,
after upgrading one of my masters to Debian 9 (Stretch) I found the Apache configuration to be broken, here's an updated working one.

Regards

Georges Racinet added 2 commits May 4, 2017 13:26
The configuration example simply did not work for 2.4.25 on Debian 9
(if I remember correctly, I am the author of that example): it gave a
403 Forbidden response on the /ws URI, with nothing showing up in
Apache or Buildbot logs.

Using a separate location to dispatch ProxyPass directives is a method
that I have carried out for so long I don't even remember if I
originally got it from someone else's samples or not. A fresh look at
mod_proxy documentation indicates that the ProxyPass directives are
evaluated as "first match wins"

My best guess is that the order of precedence between Location and
ProxyPass ! directives must have changed a bit between 2.4.10 and 2.4.25,
hence the latter gives the 403 before the <Location /ws> is evaluated.

The new provided example is both simpler and working in all cases.
This additional comment is rather obvious, but explicit is better
than implicit.
@mention-bot

@gracinet, thanks for your PR! By analyzing the history of the files in this pull request, we identified @tardyp, @sa2ajj and @benallard to be potential reviewers.

codecov bot commented May 4, 2017

Codecov Report

Merging #3174 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #3174   +/-   ##
=======================================
  Coverage   88.05%   88.05%           
=======================================
  Files         317      317           
  Lines       33146    33146           
=======================================
  Hits        29187    29187           
  Misses       3959     3959

Last update c70cd12...b7b9e94.


ProxyPass /ws !
# replace with actual port of your Buildbot master
ProxyPass ws://127.0.0.1:8020/ws
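
Review bot: `ProxyPass ws://127.0.0.1:8020/ws` on the last line carries a target but no path; mod_proxy only accepts the one-argument form inside a `<Location>` section, where the path is taken from the section, and none is visible around it in this excerpt. If the directive is meant to sit at virtual-host level, write it as `ProxyPass /ws ws://127.0.0.1:8020/ws`. The `ProxyPass /ws !` line above it also needs a decision: the commit message describes ProxyPass as first match wins, so an exclusion left ahead of the websocket rule would keep `/ws` from being proxied by it.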

Member

Did you verify it worked on 2.4.10, or is this just with 2.4.25?

Author

Hi @tardyp, yes I am using it currently with both versions

Member

@gracinet at least it doesn't work with httpd-2.4.6-45.el7.centos.4.x86_64

Author

@Frodox thanks for the feedback. I don't have a buildmaster on hand on CentOS 7. Does the previous version work in that context?

Member

@gracinet yes. Take a look at #3299 (and docs) :D
Could you post your full config for bb-master there? It is strange to me that it works

Author

@Frodox, sure here it is

<VirtualHost *:443>
        ServerName bb9.example
        ServerAdmin webmaster@bb9.example
        <Location />
          AuthType Basic
          AuthBasicProvider ldap 
          AuthName "Please login"
          AuthLDAPUrl "ldaps://ldap1.example ldap2.example/dc=example?uid?sub?(objectClass=*)" NONE

          AuthLDAPBindDN cn=apache,dc=example
          AuthLDAPBindPassword SECRET

          Require valid-user

          RewriteEngine On
          RewriteCond %{LA-U:REMOTE_USER} (.+)$
          RewriteRule . - [E=RU:%1,NS]
          RequestHeader set REMOTE_USER %{RU}e
        </Location>

        ProxyPass /ws ws://localhost:8011/ws
        ProxyPassReverse /ws ws://localhost:8011/ws
        ProxyPass / http://localhost:8011/
        ProxyPassReverse / http://localhost:8011/

        SetEnvIf X-Url-Scheme https HTTPS=1
        ProxyPreserveHost On

        SSLEngine on
        # more SSL stuff

</VirtualHost>

As you can see, I'm doing basic auth on LDAP (don't think it should interfere too much).

This is a Debian 8 system, with the standard current apache2 package, and the default MPM config.

$ apt-cache policy apache2
apache2:
  Installed: 2.4.10-10+deb8u8
  Candidate: 2.4.10-10+deb8u8
  Version table:
 *** 2.4.10-10+deb8u8 0
        500 http://ftp.debian.org/debian/ jessie/main amd64 Packages
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        100 /var/lib/dpkg/status

As you may know, Debian's configuration is split in several files. I don't have anything special besides the virtualhost. Notably, /etc/apache2/mods-enabled/proxy.conf is the stock one.

A side effect is always possible, but it doesn't seem very likely.

Hope this helps.

Member

@gracinet hey, are you kidding me? :D Well, you use

ProxyPass /ws ws://localhost:8011/ws
ProxyPassReverse /ws ws://localhost:8011/ws

which is the same as

<Location /ws>
         ProxyPass ws://127.0.0.1:8011/ws
         ProxyPassReverse ws://127.0.0.1:8011/ws
</Location>

but without <Location /ws>, or without ProxyPass /ws, it would be broken. So, in the PR you just removed Location but didn't add /ws, which you are actually using :) So, the original config in the docs was correct.

Author

Gosh you're right, seems I made a copy-paste error while contributing to the doc, and my eyes silently corrected the line each time I reread it (including this morning).

That being said, no the previous version doesn't work on 2.4.25, and that's because of the ProxyPass /ws !

For the record, my configurations on Debian 9 and 8 are managed by configuration manager, using the same template.

Anyway, yes, the /ws is missing and the simplest is to add it, along with the info that it also works on the CentOS version.
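
A small lint for the two mistakes this review thread settles on, a ProxyPass outside <Location> with no path and a rule that an earlier ProxyPass already matches, as an added example that is not part of the PR or of Buildbot's documentation. The function names, finding codes and sample strings are constructed here; path matching is simplified to whole-segment prefixes, and directives inside <Location> are skipped rather than modelled.

```python
import re

# Constructed samples built from the directives quoted in this thread.
PATHLESS = """\
# replace with actual port of your Buildbot master
ProxyPass ws://127.0.0.1:8020/ws
ProxyPass / http://127.0.0.1:8020/
"""
WORKING = """\
ProxyPass /ws ws://localhost:8011/ws
ProxyPassReverse /ws ws://localhost:8011/ws
ProxyPass / http://localhost:8011/
ProxyPassReverse / http://localhost:8011/
"""

def covers(prefix, path):
    """Whole-segment prefix test (assumed model): /ws covers /ws/x, not /wsx."""
    p = prefix.rstrip("/")
    return path == p or path.startswith(p + "/")

def lint_proxypass(conf):
    """Return [(line_no, code)] for ProxyPass lines outside <Location>."""
    findings, seen, depth = [], [], 0
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if re.match(r"</Location", line, re.I):
            depth -= 1
        elif re.match(r"<Location", line, re.I):
            depth += 1
        # Inside <Location> the path comes from the section: skipped here.
        if depth or not re.match(r"ProxyPass\s", line, re.I):
            continue
        args = line.split()[1:]
        if len(args) < 2 or not args[0].startswith("/"):
            findings.append((no, "missing-path"))
            continue
        # First match wins: an earlier rule covering this path hides it.
        for prev_no, prev_path, prev_target in seen:
            if covers(prev_path, args[0]):
                kind = "excluded" if prev_target == "!" else "shadowed"
                findings.append((no, f"{kind}-by-line-{prev_no}"))
                break
        seen.append((no, args[0], args[1]))
    return findings

if __name__ == "__main__":
    print(lint_proxypass(PATHLESS), lint_proxypass(WORKING))
```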

Author

and we should stop discussing on this closed PR, switch to #3299

tardyp commented May 11, 2017

@gracinet thanks for confirmation

@tardyp tardyp merged commit 845b7b9 into buildbot:master May 11, 2017
@gracinet
Author

Thanks !

@gracinet gracinet deleted the 0.9-fix-apache-doc-websocket branch May 11, 2017 10:58