Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Websockets do not work with app_service if the upstream web server is using HTTP/2 #19022

Closed
webvictim opened this issue Dec 2, 2022 · 3 comments · Fixed by #19396
Closed

Websockets do not work with app_service if the upstream web server is using HTTP/2 #19022

webvictim opened this issue Dec 2, 2022 · 3 comments · Fixed by #19396
Assignees
@gabrielcorado
Labels
application-access bug c-gsd Internal Customer Reference c-tc Internal Customer Reference

Comments

@webvictim
Copy link
Contributor

Expected behavior: Teleport's application access service should be able to connect to an upstream server using HTTP/2, and using websockets over this connection should work.

Current behavior: Using Teleport application access to connect to an upstream server speaking HTTP/2 and using websockets does not work. An Unable to read websocket upgrade response: malformed HTTP response message appears over in the app_service logs whenever a websocket connection is attempted and the browser is unable to open the socket:

Nov 14 20:03:04 k700 teleport[1047682]: 2022-11-14T20:03:04Z             INFO Round trip: GET /discovery/api/v1/about, code: 200, duration: 8.678635ms tls:version: 304, tls:resume:true, tls:csuite:1301, tls:server:6f75737465722e74656c65706f72742e7368.teleport.cluster.local forward/fwd.go:182
Nov 14 20:03:04 k700 teleport[1047682]: 2022-11-14T20:03:04Z             INFO Round trip: GET /lidar-hub/api/v1/about, code: 200, duration: 12.96765ms tls:version: 304, tls:resume:true, tls:csuite:1301, tls:server:6f75737465722e74656c65706f72742e7368.teleport.cluster.local forward/fwd.go:182
Nov 14 20:03:04 k700 teleport[1047682]: 2022-11-14T20:03:04Z             ERRO Unable to read websocket upgrade response: malformed HTTP response "\x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x04\x00\x01\x00\x00\x00\x05\x00\xff\xff\xff\x00\x00\x04\b\x00\x00\x00\x00\x00\u007f\xff\x00\x00\x00\x00\b\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" forward/fwd.go:309
Nov 14 20:03:04 k700 teleport[1047682]: 2022-11-14T20:03:04Z             INFO Round trip: GET /perception/api/v1/telemetry, code: 200, duration: 4.053955ms tls:version: 304, tls:resume:true, tls:csuite:1301, tls:server:6f75737465722e74656c65706f72742e7368.teleport.cluster.local forward/fwd.go:182
Nov 14 20:03:04 k700 teleport[1047682]: 2022-11-14T20:03:04Z             INFO Round trip: GET /perception/api/v1/sensor, code: 200, duration: 3.568626ms tls:version: 304, tls:resume:true, tls:csuite:1301, tls:server:6f75737465722e74656c65706f72742e7368.teleport.cluster.local forward/fwd.go:182
Nov 14 20:03:05 k700 teleport[1047682]: 2022-11-14T20:03:05Z             ERRO Unable to read websocket upgrade response: malformed HTTP response "\x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x04\x00\x01\x00\x00\x00\x05\x00\xff\xff\xff\x00\x00\x04\b\x00\x00\x00\x00\x00\u007f\xff\x00\x00\x00\x00\b\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" forward/fwd.go:309
Nov 14 20:03:05 k700 teleport[1047682]: 2022-11-14T20:03:05Z             INFO Round trip: GET /perception/api/v1/telemetry, code: 200, duration: 3.860804ms tls:version: 304, tls:resume:true, tls:csuite:1301, tls:server:6f75737465722e74656c65706f72742e7368.teleport.cluster.local forward/fwd.go:182
Nov 14 20:03:05 k700 teleport[1047682]: 2022-11-14T20:03:05Z             INFO Round trip: GET /perception/api/v1/point_zones, code: 200, duration: 4.412703ms tls:version: 304, tls:resume:true, tls:csuite:1301, tls:server:6f75737465722e74656c65706f72742e7368.teleport.cluster.local forward/fwd.go:182
Nov 14 20:03:05 k700 teleport[1047682]: 2022-11-14T20:03:05Z             INFO Round trip: GET /event/api/v1/event_zones/, code: 200, duration: 4.107315ms tls:version: 304, tls:resume:false, tls:csuite:1301, tls:server:6f75737465722e74656c65706f72742e7368.teleport.cluster.local forward/fwd.go:182
Nov 14 20:03:05 k700 teleport[1047682]: 2022-11-14T20:03:05Z             INFO Round trip: GET /perception/api/v1/sensor, code: 200, duration: 3.654156ms tls:version: 304, tls:resume:true, tls:csuite:1301, tls:server:6f75737465722e74656c65706f72742e7368.teleport.cluster.local forward/fwd.go:182
Nov 14 20:03:06 k700 teleport[1047682]: 2022-11-14T20:03:06Z             ERRO Unable to read websocket upgrade response: malformed HTTP response "\x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x04\x00\x01\x00\x00\x00\x05\x00\xff\xff\xff\x00\x00\x04\b\x00\x00\x00\x00\x00\u007f\xff\x00\x00\x00\x00\b\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" forward/fwd.go:309
Nov 14 20:03:06 k700 teleport[1047682]: 2022-11-14T20:03:06Z             INFO Round trip: GET /perception/api/v1/telemetry, code: 200, duration: 4.031548ms tls:version: 304, tls:resume:true, tls:csuite:1301, tls:server:6f75737465722e74656c65706f72742e7368.teleport.cluster.local forward/fwd.go:182
Nov 14 20:03:06 k700 teleport[1047682]: 2022-11-14T20:03:06Z             INFO Round trip: GET /perception/api/v1/sensor, code: 200, duration: 3.84757ms tls:version: 304, tls:resume:false, tls:csuite:1301, tls:server:6f75737465722e74656c65706f72742e7368.teleport.cluster.local forward/fwd.go:182
Nov 14 20:03:07 k700 teleport[1047682]: 2022-11-14T20:03:07Z             ERRO Unable to read websocket upgrade response: malformed HTTP response "\x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x04\x00\x01\x00\x00\x00\x05\x00\xff\xff\xff\x00\x00\x04\b\x00\x00\x00\x00\x00\u007f\xff\x00\x00\x00\x00\b\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" forward/fwd.go:309
Nov 14 20:03:07 k700 teleport[1047682]: 2022-11-14T20:03:07Z             INFO Round trip: GET /event/api/v1/event_zones/, code: 200, duration: 5.208286ms tls:version: 304, tls:resume:false, tls:csuite:1301, tls:server:6f75737465722e74656c65706f72742e7368.teleport.cluster.local forward/fwd.go:182

Disabling HTTP/2 on the upstream web server worked around this issue - websocket upgrades work fine with application access when using HTTP/1.1.

cc @tigrato who had theories about this being related to the reuse of tls.Config internally.

Bug details:

  • Teleport version: 10.3.6
@Clinton-Groundspeed
Copy link

I'm experiencing the same error when attempting to use Application Access service (Teleport Cloud) to connect to an HTTP/2 app using WebSockets.

@WilliamLoy - This is a critical internal app. Could you please research this internally? Thanks!

@pschisa pschisa mentioned this issue Dec 6, 2022
Closed
@pschisa pschisa added c-tc Internal Customer Reference c-gsd Internal Customer Reference labels Dec 6, 2022
@gs-rickchristy
Copy link

bump

@Clinton-Groundspeed
Copy link

Clinton-Groundspeed commented Dec 6, 2022
edited
Loading

FYI, this issue (exact same error) also occurs with version 11.1.1 - tested with a standalone Enterprise cluster as well:

2022-12-06T20:49:18Z ERRO             Unable to read websocket upgrade response: malformed HTTP response "\x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x04\x00\x01\x00\x00\x00\x05\x00\xff\xff\xff\x00\x00\x04\b\x00\x00\x00\x00\x00\x7f\xff\x00\x00\x00\x00\b\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" forward/fwd.go:309

If it helps, the web app I am attempting to configure Application Access for is a MeteorJS app hosted on EKS through Istio. Please let me know if I can provide any more details. Thanks!

@gabrielcorado gabrielcorado mentioned this issue Dec 15, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gabrielcorado gabrielcorado

Labels
application-access bug c-gsd Internal Customer Reference c-tc Internal Customer Reference
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Clone TLS configuration for WebSocket dialer gravitational/teleport
5 participants
@webvictim @gabrielcorado @gs-rickchristy @pschisa @Clinton-Groundspeed