
Demonstrating websocket support? #77

Open
abl opened this Issue Apr 4, 2019 · 4 comments

@abl

commented Apr 4, 2019

Describe the bug

I am unable to confirm that websocket support works in 0.0.3.

To Reproduce

  1. Deployed Pomerium 0.0.3
  2. Tried to connect to otherwise-working proxied apps where websocket-based features failed
  3. Websockets were unable to connect
  4. Added a proxy from https://websocket.corp.my-redacted-domain.com to https://websockets.org
  5. Demo was unable to connect to wss://websocket.corp.my-redacted-domain.com/
  6. Deployed Kaazing gateway at http://kaazing.corp.my-redacted-domain.com:8000
  7. Successfully demonstrated insecure websockets on port 8000
  8. Configured a policy to point at local gateway
  9. Local gateway cannot connect to websocket (this might be a Kaazing issue; it's expecting a particular host value, I think.)

Expected behavior

Websocket support works.

Environment:

  • Pomerium version (retrieve with pomerium --version): v0.0.3+41c42f5
  • Server Operating System/Architecture/Cloud: Synology x86 NAS running docker

Configuration file(s):

policy.yaml:

- from: kaazing.corp.my-redacted-domain.com
  to: http://kaazing.corp.my-redacted-domain.com:8000
  allowed_users:
  - <me>
- from: httpbin.corp.my-redacted-domain.com
  to: https://httpbin.org
  allowed_users:
  - <me>
- from: websocket.corp.my-redacted-domain.com
  to: https://websocket.org/
  allowed_users:
  - <me>

Log(s):

There appear to be no logs associated with websocket connection attempts.

Additional context

Pomerium is bound directly to port 443.

Happy to add any Pomerium folks who want to try these routes to my allowed users (and share with them the actual URLs involved.) This is not a production system so I'm happy to make sweeping changes.

Connecting to wss://httpbin.corp.my-redacted-domain.com/anything yields an error 200; curiously, nothing is in the logs for this request. POMERIUM_DEBUG is true and LOG_LEVEL is default; I am seeing DBG logs.

@abl

Author

commented Apr 4, 2019

Trying to set up codercom/code-server and generated a self-signed certificate. I'm now seeing lots of lines like:

1:25AM ERR http: proxy error: can't switch protocols using non-Hijacker ResponseWriter type *http.timeoutWriter proxy=192.168.1.2:8943

Where 192.168.1.2:8943 is the locally bound port. Non-WSS content works fine.

@desimone

Contributor

commented Apr 4, 2019

Thank you for the report @abl ; sorry this isn't working as expected.

Just to confirm, you were unable to ever connect to a web-socket service behind pomerium but all normal HTTP services ran fine? (e.g. when you say you successfully demonstrated insecure websockets on port 8000, was that by directly connecting without pomerium)?

If you don't mind detailing what docker images you used, I can try testing this on my end.

@desimone

Contributor

commented Apr 4, 2019

Ok. I've reproduced the issue. This is a bug.

Quick hunch. Pomerium uses HTTP/2 by default and muxes both gRPC and HTTP on the same port depending on what type of payload it sees coming down the pipe.

What makes this tricky is web-sockets (seem to be?) incompatible with http2. Web-sockets were tested before pomerium used gRPC/HTTP2 on the same port. Hopefully we can still support downgraded http1.1.

@desimone desimone added the bug label Apr 4, 2019

@desimone desimone self-assigned this Apr 4, 2019
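The error line quoted earlier in this thread ("can't switch protocols using non-Hijacker ResponseWriter type *http.timeoutWriter") and the HTTP/2 hunch in the comment above can both be checked with a short Go program. The following is an added example written for this page, not Pomerium's code: a probe handler served on loopback httptest servers reports whether the http.ResponseWriter it receives implements http.Hijacker, which is the interface httputil.ReverseProxy needs to complete a WebSocket 101 upgrade. It goes slightly beyond the issue by probing three writers: a bare HTTP/1.1 handler, the same handler wrapped in http.TimeoutHandler (whose *http.timeoutWriter cannot be hijacked, matching the logged error), and an HTTP/2 connection (whose writer cannot be hijacked either, since HTTP/2 has no RFC 6455 Upgrade; that case is probed without handshake headers because Go's HTTP/2 client rejects Connection/Upgrade request headers). It also shows one assumed mitigation, an upgradeAware middleware that keeps the timeout wrapper for ordinary requests but passes WebSocket handshakes straight to the unwrapped handler. The names hijackProbe, isWebSocketUpgrade, upgradeAware, probe and ProbeResult are this example's own.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// ProbeResult records what the probe handler observed for one request: the
// negotiated HTTP version, whether the writer can be hijacked, and its type.
type ProbeResult struct {
	Proto      string
	Hijackable bool
	WriterType string
}

// hijackProbe (example handler, not Pomerium code) performs the same check
// httputil.ReverseProxy makes before switching protocols; when it fails the
// proxy logs the "non-Hijacker" error from the issue instead of upgrading.
func hijackProbe(w http.ResponseWriter, r *http.Request) {
	_, ok := w.(http.Hijacker)
	fmt.Fprintf(w, "%t %T", ok, w)
}

// isWebSocketUpgrade reports whether r carries the RFC 6455 handshake
// headers. Connection may list several tokens ("keep-alive, Upgrade").
func isWebSocketUpgrade(r *http.Request) bool {
	return strings.Contains(strings.ToLower(r.Header.Get("Connection")), "upgrade") &&
		strings.EqualFold(r.Header.Get("Upgrade"), "websocket")
}

// upgradeAware (an assumed mitigation, not Pomerium's) keeps
// http.TimeoutHandler for ordinary requests but hands WebSocket handshakes
// to the unwrapped handler, because TimeoutHandler's *http.timeoutWriter
// does not implement http.Hijacker.
func upgradeAware(inner http.Handler, timeout time.Duration) http.Handler {
	timed := http.TimeoutHandler(inner, timeout, "request timed out")
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isWebSocketUpgrade(r) {
			inner.ServeHTTP(w, r)
			return
		}
		timed.ServeHTTP(w, r)
	})
}

// probe serves h on a loopback httptest server (plain HTTP/1.1, or TLS with
// HTTP/2 when h2 is true), sends one GET that carries WebSocket handshake
// headers when upgrade is true, and parses hijackProbe's answer.
func probe(h http.Handler, h2, upgrade bool) (ProbeResult, error) {
	srv := httptest.NewUnstartedServer(h)
	if h2 {
		srv.EnableHTTP2 = true
		srv.StartTLS() // httptest's self-signed cert; ALPN negotiates h2
	} else {
		srv.Start()
	}
	defer srv.Close()

	req, err := http.NewRequest(http.MethodGet, srv.URL, nil)
	if err != nil {
		return ProbeResult{}, err
	}
	if upgrade {
		req.Header.Set("Connection", "Upgrade")
		req.Header.Set("Upgrade", "websocket")
	}
	resp, err := srv.Client().Do(req)
	if err != nil {
		return ProbeResult{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return ProbeResult{}, err
	}
	res := ProbeResult{Proto: resp.Proto}
	_, err = fmt.Sscanf(string(body), "%t %s", &res.Hijackable, &res.WriterType)
	return res, err
}

func main() {
	h := http.HandlerFunc(hijackProbe)
	for name, hh := range map[string]http.Handler{
		"bare handler":         h,
		"http.TimeoutHandler":  http.TimeoutHandler(h, time.Second, "timeout"),
		"upgradeAware wrapper": upgradeAware(h, time.Second),
	} {
		res, err := probe(hh, false, true)
		fmt.Printf("HTTP/1.1 %-20s %+v %v\n", name, res, err)
	}
	res, err := probe(h, true, false)
	fmt.Printf("HTTP/2   %-20s %+v %v\n", "bare handler", res, err)
}
```

Running it shows the bare HTTP/1.1 writer (*http.response) as hijackable, the TimeoutHandler writer (*http.timeoutWriter) and the HTTP/2 writer as not, and the upgradeAware wrapper restoring hijackability for handshake requests only. A probe like this belongs in a proxy's test suite, so that adding a timeout, logging or metrics wrapper around the handler chain cannot silently break WebSocket upgrades the way the silent failures in this report did; the HTTP/2 result is the reason the comment above expects WebSocket clients to need a downgraded HTTP/1.1 path.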

@abl

Author

commented Apr 4, 2019

@desimone thanks for the quick reply! Happy to send my complete configuration over.

Yes, all normal HTTP/S services were fine. Successful insecure websockets were, as you said, by bypassing pomerium and connecting directly.

Tricky sounds right; I hadn't considered HTTP2.

@desimone desimone referenced this issue Apr 7, 2019

Merged

docs: add synology tutorial #79

3 of 3 tasks complete