
ProxySG not converting wss:// to ws:// or the other way around between downstream and upstream


Article ID: 173044


Updated On:


Advanced Secure Gateway Software - ASG ProxySG Software - SGOS


Proxy set up as a reverse proxy.

The proxy closes the upstream connection when the client connection uses WebSockets, is upgraded, and the policy performs URL rewriting (HTTPS used on only one side of the streams).

At a high level, the issue is replicable in the following cases:
1.- Client <------> (HTTPS) Reverse Proxy <------> (HTTP) Backend
2.- Client <------> (HTTP) Reverse Proxy <------> (HTTPS) Backend


Issue not replicable when:

3.- Client <------> (HTTPS) Reverse Proxy <------> (HTTPS) Backend
4.- Client <------> (HTTP) Reverse Proxy <------> (HTTP) Backend

The issue only appears when SSL is used on one side of the Reverse Proxy and not on the other one.


The backend is coded to use wss (WebSocket over TLS) when the upstream connection is HTTPS. Alternatively, the upstream connection is made via ws when using plain HTTP.

Debug logs when replicating the environment:

Client <------> (HTTPS) Reverse Proxy <------> (HTTP) Backend



HTTP INFO HTTP CW 70FBCB90 Tunnel: conversions between tcp and ssl not supported 5072.766

HTTP DEBUG HTTP CW 70FBCB90 [Prepare_tunnel_data] 5072.766

HTTP INFO HTTP CW 70FBCB90 SET_FUNCTION_PTR: CW_Object::Prepare_tunnel_data line: 15187 5072.766

HTTP DEBUG HTTP CW 70FBCB90 [SetChunkSize] 5072.766

HTTP DEBUG HTTP CW 70FBCB90 [Reset_per_usage_information] 5072.766

HTTP INFO HTTP CW 70FBCB90 Starting Websocket tunneling
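
A log-triage sketch for the debug excerpt above, added here as an example and not the vendor's or the product's own tooling: it groups debug lines by CW object ID and flags connections that log both the WebSocket tunnel start and the tcp/ssl conversion message. The line layout is inferred from the excerpt, and the function name and the second connection ID in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the six lines quoted in the article plus one made-up
# connection (CW 7A000001) that tunnels without the conversion message.
SAMPLE_LOG = """\
HTTP INFO HTTP CW 70FBCB90 Tunnel: conversions between tcp and ssl not supported 5072.766
HTTP DEBUG HTTP CW 70FBCB90 [Prepare_tunnel_data] 5072.766
HTTP INFO HTTP CW 70FBCB90 SET_FUNCTION_PTR: CW_Object::Prepare_tunnel_data line: 15187 5072.766
HTTP DEBUG HTTP CW 70FBCB90 [SetChunkSize] 5072.766
HTTP DEBUG HTTP CW 70FBCB90 [Reset_per_usage_information] 5072.766
HTTP INFO HTTP CW 70FBCB90 Starting Websocket tunneling
HTTP INFO HTTP CW 7A000001 Starting Websocket tunneling
"""

# Assumed layout, taken from the excerpt: "HTTP <LEVEL> HTTP CW <hex id> <message>"
LINE_RE = re.compile(r"^HTTP\s+\w+\s+HTTP\s+CW\s+([0-9A-Fa-f]+)\s+(.*)$")
WS_START = "Starting Websocket tunneling"
NO_CONVERT = "conversions between tcp and ssl not supported"


def triage_websocket_tunnels(log_text):
    """Return {cw_id: verdict} for every connection that started a WebSocket tunnel.

    'matches-article' : tunnel start and the tcp/ssl conversion message share a CW id
    'websocket-only'  : tunnel start seen without the conversion message
    """
    markers = defaultdict(set)
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # blank line or a line in some other layout
        cw_id, message = match.groups()
        if WS_START in message:
            markers[cw_id].add("ws")
        if NO_CONVERT in message:
            markers[cw_id].add("no-convert")

    verdicts = {}
    for cw_id, seen in markers.items():
        if "ws" in seen:
            verdicts[cw_id] = "matches-article" if "no-convert" in seen else "websocket-only"
    return verdicts


if __name__ == "__main__":
    for cw_id, verdict in triage_websocket_tunnels(SAMPLE_LOG).items():
        print(cw_id, verdict)
```
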



Reverse Proxy environment.

Websocket connections.


After upgrading, the proxy does not convert ws:// to wss:// (WebSocket over TLS), or the other way around, when a secure connection is set up on only one of the proxy's streams.



At this moment, there is no workaround to rewrite wss to ws (or the other way around) on the proxy.