Avoid 302 response for secure websockets (WSS) when accessing HTTPS endpoint

[aku]

Do you want to request a feature or report a bug?

Feature

What did you expect to see?

Currently, if I define HTTPS entry point for my service WSS requests receive "302 Found" response from the server. Unfortunately, some clients won't handle the 302 response code and fail. It would be nice to be able to pass WSS requests to HTTPS endpoints transparently.

Example:
I have Rancher service defined in my docker-compose file with the following labels:

- traefik.http.routers.rancher.rule=Host(`rancher.alpha.cloud`)
- traefik.http.routers.rancher.entrypoints=web
- traefik.http.routers.rancher-ssl.rule=Host(`rancher.alpha.cloud`)
- traefik.http.routers.rancher-ssl.entrypoints=webSecure
- traefik.http.routers.rancher-ssl.tls=true

I can access the Rancher via https://rancher.alpha.cloud but WebSocket connection fails:

WebSocket connection to 'wss://rancher.alpha.cloud/v3/subscribe?sockId=1' failed: Error during WebSocket handshake: Unexpected response code: 302

Request:

GET wss://rancher.alpha.cloud/v3/subscribe?sockId=1 HTTP/1.1
Host: rancher.alpha.cloud
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Upgrade: websocket
Origin: https://rancher.alpha.cloud
Sec-WebSocket-Version: 13
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: CSRF=0009545479; R_SESS=token-pfszf:znj4dg9wbt5vmmmhnv54z4fd7g227cstkcnstc5tv472tzljdzkqqx; R_USERNAME=admin
x-compress: null
Sec-WebSocket-Key: Ser+8SG+syVgKZWG6lZM6Q==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits

Response using Traefik:

HTTP/1.1 302 Found
Content-Length: 72
Content-Type: text/html; charset=utf-8
Date: Thu, 03 Oct 2019 12:27:42 GMT
Location: https://rancher.alpha.cloud/v3/subscribe?sockId=1

If I access service without proxy, I get 101 response as expected:

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: W5wUTlsSvLuhoRTZeaNtSVCid/4=

According to rfc6455:

If the status code received from the server is not 101, the
client handles the response per HTTP [RFC2616] procedures. In
particular, the client might perform authentication if it
receives a 401 status code; the server might redirect the client
using a 3xx status code (but clients are not required to follow
them), etc.

[donatasnicequestion]

Just to confirm: we have also the same issue with Rancher and Traefik 2.0.
There is no such issue with Traefik 1.X -Rancher and Websockets work like expected.

[aku]

@donatasnicequestion I think this issue might break a lot of services that depend on secure web sockets. Most of the clients won't support 3xx server responses.

[aku]

I found a solution to my problem in the related issue 5533

I have to add a middleware to my config:

- traefik.http.routers.rancher-ssl.middlewares=ssl-header
- traefik.http.middlewares.ssl-header.headers.customrequestheaders.X-Forwarded-Proto=https

I think this issue should be addressed in the documentation or there should be an easier way to support WSS out of box

[dduportal]

Hi @aku , thanks for linking the twin issue. We're closing as duplicate this one, let's follow the issue #5533 .