-
Notifications
You must be signed in to change notification settings - Fork 287
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Demonstrating websocket support? #77
Comments
Trying to set up codercom/code-server and generated a self-signed certificate. I'm now seeing lots of lines like:
Where |
That you for the report @abl ; sorry this isn't working as expected. Just to confirm, you were unable to ever connect to a web-socket service behind pomerium but all normal HTTP services ran fine? (e.g. when you say you successfully demonstrated insecure websockets on port 8000, was that by directly connecting without pomerium)? If you don't mind detailing what docker images you used, I can try testing this on my end. |
Ok. I've reproduced the issue. This is a bug. Quick hunch. Pomerium uses HTTP/2 by default and muxes both gRPC and HTTP on the same port depending on what type of payload it sees coming down the pipe. What makes this tricky is web-sockets (seem to be?) incompatible with http2. Web-sockets were tested before pomerium used gRPC/HTTP2 on the same port. Hopefully we can still support downgraded http1.1. |
@desimone thanks for the quick reply! Happy to send my complete configuration over. Yes, all normal HTTP/S services were fine. Successful insecure websockets were, as you said, by bypassing pomerium and connecting directly. Tricky sounds right; I hadn't considered HTTP2. |
Still working on this. Ref: |
Just for anyone googling this as a note. (keywords) To me it seems the following services are not working correctly because of this issue: Services working just fine: |
Also having issues with Home Assistant and Jupyter Notebook @desimone are there any known workarounds for websocket support? Is it difficult to downgrade the connection to HTTP/1.1? |
I'm actually no longer convinced it is the HTTP2 support that is breaking
web-sockets here.
After more testing, I found HTTP1.1 requests were being properly muxed.
Unfortunately, I wasn't able to find out why the web-socket requests were
not being hijacked because the default http handler is set to
https://golang.org/pkg/net/http/#TimeoutHandler which does not support
hijacking. However that still didn't fix the issue.
I sidetracked by other issues/features but that's basically where I left
this. Open to ideas.
…On Mon, May 20, 2019 at 1:01 PM Tejasvi (Teju) Nareddy < ***@***.***> wrote:
Also having issues with Home Assistant and Jupyter Notebook
@desimone <https://github.com/desimone> are there any known workarounds
for websocket support? Is it difficult to downgrade the connection to
HTTP/1.1?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#77?email_source=notifications&email_token=AALZFMKYMNBLQKDNZJZTUIDPWL7TNA5CNFSM4HDOVPDKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVZ5G5Q#issuecomment-494130038>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AALZFMJQK2GFSBR6X4ESO4TPWL7TNANCNFSM4HDOVPDA>
.
|
I started looking into this myself, and I think you're on the right track. For demonstration purposes, when I remove the TimeoutHandler in this line, the error message changes to
Looking at internal/log/wrap_writer.go, I see the go-martini/martini#45 mentions the following:
So if we rewrite Of course, even if this did work, we still need a workaround for TimeoutHandler. I'll look into that if I can correctly re-implement the wrapper. |
Nevermind, I was actually able to get websocket support working without having to re-write the wrapper. All I did was change the hardcoded HTTP protocol to Any ideas on how to proceed forward to enable websocket support based on this working prototype? I have created PR #151 to demonstrate the minimal code changes needed to support websockets. It would be great if you could mark that as a WIP PR. |
Solid sleuthing @nareddyt . I think you are right. I'm going to follow up on your PR with thoughts. |
Hi @abl -- wanted to check in to see if this solved your issue. Thanks! |
awesome! Yes, that was my primary use case - the errors I'm currently getting are from Synology's streaming console/terminal. It makes a lot of assumptions and I'm in the process of deprecating it in favor of proper Docker tooling anyways. |
Describe the bug
I am unable to confirm that websocket support works in 0.0.3.
To Reproduce
6, Deployed Kaazing gateway at http://kaazing.corp.my-redacted-domain.com:8000
Expected behavior
Websocket support works.
Environment:
pomerium --version
): v0.0.3+41c42f5Configuration file(s):
policy.yaml:
Logs(s):
There appear to be no logs associated with websocket connection attempts.
Additional context
Pomerium is bound directly to port 443.
Happy to add any Pomerium folks who want to try these routes to my allowed users (and share with them the actual URLs involved.) This is not a production system so I'm happy to make sweeping changes.
Connecting to wss://httpbin.corp.my-redacted-domain.com/anything yields an error 200; curiously, nothing is in the logs for this request.
POMERIUM_DEBUG
is true andLOG_LEVEL
is default; l I am seeing DBG logs.The text was updated successfully, but these errors were encountered: