scheme wss is not allowed #1730

Closed
nuux opened this issue Jan 15, 2021 · 4 comments · Fixed by #1742

nuux commented Jan 15, 2021

Hello,

my ActionCable connections stopped working after I have upgraded Traefik. After some investigation, I think the problem is the changed X-Forwarded-Proto header which now is set to wss instead of https. ActionCable verifies the origin of a request and if the request is allowed with the help of the Rack::Request#ssl? method.
The method ssl? would return true if the scheme is detected as https or wss.
The problem is that scheme returns nil although the header X-Forwarded-Proto is set to wss.

I suggest to add wss and maybe ws to the ALLOWED_SCHEMES constant so that the forwarded_scheme method can extract it.

What do you think?

ghost commented Apr 13, 2021

I found a related issue on Traefik's tracker, where the maintainers argue that ws & wss are valid schemes.

To work around the present issue in Rack, it is possible to rely on one of the alternative detection mechanisms implemented in Request#ssl?.

For example, setting the X-Forwarded-Ssl: on header on each HTTPS request by adding the following labels to my HTTPS router did the trick:

labels:
  # ...
  - 'traefik.http.middlewares.forward_ssl.headers.customrequestheaders.x-forwarded-ssl=on'
  - 'traefik.http.routers.https_router.middlewares=forward_ssl'

This feels hacky though, and adding wss/ws to the ALLOWED_SCHEMES constant seems to be a more reliable fix indeed.

@ioquatix
Member

I think adding it to ALLOWED_SCHEMES makes sense.

Author

nuux commented Apr 13, 2021

@erwanst Yeah, that's how I solved the issue temporarily. Sorry for not mentioning, it would have been helpful for others.

@ioquatix Great. From my perspective, it makes especially sense after Rack::Request#ssl? is already checking scheme == 'wss'. But if I'm not missing something, the only way that scheme is wss is when the rack.url_scheme header/env is defined as wss.

ghost commented Apr 14, 2021

#1742 adds both ws and wss to ALLOWED_SCHEMES.

ioquatix pushed a commit that referenced this issue Apr 14, 2021
This change improves SSL detection in apps running behind some
reverse-proxies.

Fixes #1730
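
The behaviour discussed in this thread, as an added example that is not part of the original issue and is not Rack's source code: a simplified Ruby model of allowlist-based scheme detection, showing why `X-Forwarded-Proto: wss` was ignored, how the `X-Forwarded-Ssl: on` workaround sidesteps it, and what adding `ws`/`wss` changes. The names `detect_scheme`, `first_proto`, `secure?`, the two allowlists and the sample environments are assumptions constructed for illustration.

```ruby
# Simplified model of the scheme detection described in this thread.
# Assumption: this mirrors the behaviour reported above; it is not Rack's code.
SCHEMES_BEFORE = %w[http https].freeze         # assumed allowlist before the fix
SCHEMES_AFTER  = %w[http https ws wss].freeze  # ws and wss added, as in #1742

# First value of a possibly comma-separated X-Forwarded-Proto header.
def first_proto(value)
  value&.split(',')&.first&.strip
end

# The forwarded header is client-influenced input, so it is only trusted
# when it names a scheme on the allowlist; otherwise fall back to the
# scheme the server itself saw on the backend connection.
def detect_scheme(env, allowed)
  return 'https' if env['HTTP_X_FORWARDED_SSL'] == 'on'

  forwarded = first_proto(env['HTTP_X_FORWARDED_PROTO'])
  return forwarded if allowed.include?(forwarded)

  env['rack.url_scheme']
end

# Models the ssl? check from the issue: true for https or wss.
def secure?(env, allowed)
  %w[https wss].include?(detect_scheme(env, allowed))
end

# Constructed sample environments (proxy talks plain HTTP to the backend).
TRAEFIK_WS = { 'HTTP_X_FORWARDED_PROTO' => 'wss', 'rack.url_scheme' => 'http' }.freeze
WORKAROUND = TRAEFIK_WS.merge('HTTP_X_FORWARDED_SSL' => 'on').freeze
UNLISTED   = { 'HTTP_X_FORWARDED_PROTO' => 'gopher', 'rack.url_scheme' => 'http' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "wss, old allowlist:        #{secure?(TRAEFIK_WS, SCHEMES_BEFORE)}"
  puts "wss, new allowlist:        #{secure?(TRAEFIK_WS, SCHEMES_AFTER)}"
  puts "wss + X-Forwarded-Ssl: on: #{secure?(WORKAROUND, SCHEMES_BEFORE)}"
  puts "unlisted scheme falls back: #{detect_scheme(UNLISTED, SCHEMES_AFTER)}"
end
```

Extending the allowlist keeps the rejection of unlisted values intact: a forwarded scheme outside the list still falls back to `rack.url_scheme`.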