Demonstrating websocket support? #77
Describe the bug
I am unable to confirm that websocket support works in 0.0.3.
Websocket support works.
```yaml
- from: kaazing.corp.my-redacted-domain.com
  to: http://kaazing.corp.my-redacted-domain.com:8000
  allowed_users:
    - <me>
- from: httpbin.corp.my-redacted-domain.com
  to: https://httpbin.org
  allowed_users:
    - <me>
- from: websocket.corp.my-redacted-domain.com
  to: https://websocket.org/
  allowed_users:
    - <me>
```
There appear to be no logs associated with websocket connection attempts.
Pomerium is bound directly to port 443.
Happy to add any Pomerium folks who want to try these routes to my allowed users (and share with them the actual URLs involved.) This is not a production system so I'm happy to make sweeping changes.
Connecting to wss://httpbin.corp.my-redacted-domain.com/anything yields an error 200; curiously, nothing is in the logs for this request.
Trying to set up codercom/code-server and generated a self-signed certificate. I'm now seeing lots of lines like:
Thank you for the report @abl; sorry this isn't working as expected.
Just to confirm, you were unable to ever connect to a web-socket service behind pomerium but all normal HTTP services ran fine? (e.g. when you say you successfully demonstrated insecure websockets on port 8000, was that by directly connecting without pomerium)?
If you don't mind detailing what docker images you used, I can try testing this on my end.
Ok. I've reproduced the issue. This is a bug.
Quick hunch. Pomerium uses HTTP/2 by default and muxes both gRPC and HTTP on the same port depending on what type of payload it sees coming down the pipe.
What makes this tricky is web-sockets (seem to be?) incompatible with http2. Web-sockets were tested before pomerium used gRPC/HTTP2 on the same port. Hopefully we can still support downgraded http1.1.
@desimone thanks for the quick reply! Happy to send my complete configuration over.
Yes, all normal HTTP/S services were fine. Successful insecure websockets were, as you said, by bypassing pomerium and connecting directly.
Tricky sounds right; I hadn't considered HTTP2.
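
A way to tell a proxy that honours the WebSocket upgrade from one that answers it with an ordinary response (such as the 200 reported above) is to send the RFC 6455 handshake over HTTP/1.1 and verify the reply. The Go code below is an added example, not code from Pomerium or from this thread; `acceptKey`, `checkHandshake` and `probe` are hypothetical names, and the key used in `main` is the sample nonce from RFC 6455.

```go
package main

import (
	"crypto/sha1"
	"crypto/tls"
	"encoding/base64"
	"fmt"
	"net/http"
)

// acceptKey derives Sec-WebSocket-Accept from the client key (RFC 6455, section 4.2.2).
func acceptKey(key string) string {
	sum := sha1.Sum([]byte(key + "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkHandshake returns nil only for a 101 reply whose Sec-WebSocket-Accept matches key.
func checkHandshake(resp *http.Response, key string) error {
	if resp.StatusCode != http.StatusSwitchingProtocols {
		return fmt.Errorf("no upgrade: status %d over %s", resp.StatusCode, resp.Proto)
	}
	if got := resp.Header.Get("Sec-WebSocket-Accept"); got != acceptKey(key) {
		return fmt.Errorf("bad Sec-WebSocket-Accept %q", got)
	}
	return nil
}

// probe sends the upgrade over HTTP/1.1 (an empty TLSNextProto map disables HTTP/2 on https).
func probe(url, key string) error {
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		return err
	}
	for k, v := range map[string]string{"Connection": "Upgrade", "Upgrade": "websocket",
		"Sec-WebSocket-Version": "13", "Sec-WebSocket-Key": key} {
		req.Header.Set(k, v)
	}
	tr := &http.Transport{TLSNextProto: map[string]func(string, *tls.Conn) http.RoundTripper{}}
	resp, err := (&http.Client{Transport: tr}).Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return checkHandshake(resp, key)
}

func main() {
	// Constructed reply: the upgrade request was answered with a plain 200.
	fmt.Println(checkHandshake(&http.Response{StatusCode: 200, Proto: "HTTP/1.1"}, "dGhlIHNhbXBsZSBub25jZQ=="))
}
```

`probe` takes an `http://` or `https://` URL, so a `wss://` route is checked by passing its `https://` form.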