
ProxySG not converting wss:// to ws:// or the other way around between downstream and upstream


Article ID: 173044


Updated On:

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

The proxy is set up as a reverse proxy.

The proxy ends the upstream connection when the client connection uses WebSockets, is upgraded, and the policy performs URL rewriting (HTTPS is used on only one side of the proxy).


At a high level, the issue is reproducible in the following setups:
1.- Client <------> (HTTPS) Reverse Proxy <------> (HTTP) Backend
2.- Client <------> (HTTP) Reverse Proxy <------> (HTTPS) Backend

 

Issue not replicable when:

3.- Client <------> (HTTPS) Reverse Proxy <------> (HTTPS) Backend
4.- Client <------> (HTTP) Reverse Proxy <------> (HTTP) Backend


The issue only appears when SSL is used on one side of the Reverse Proxy and not on the other one.

 

The backend is coded to use wss (WebSocket over TLS) when the upstream connection is HTTPS. Alternatively, the upstream connection is to be performed via ws when using plain HTTP.

Debug logs when replicating the environment:

Client <------> (HTTPS) Reverse Proxy <------> (HTTP) Backend

 

 

HTTP INFO HTTP CW 70FBCB90 Tunnel: conversions between tcp and ssl not supported 5072.766

HTTP DEBUG HTTP CW 70FBCB90 [Prepare_tunnel_data] 5072.766

HTTP INFO HTTP CW 70FBCB90 SET_FUNCTION_PTR: CW_Object::Prepare_tunnel_data line: 15187 5072.766

HTTP DEBUG HTTP CW 70FBCB90 [SetChunkSize] 5072.766

HTTP DEBUG HTTP CW 70FBCB90 [Reset_per_usage_information] 5072.766

HTTP INFO HTTP CW 70FBCB90 Starting Websocket tunneling
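
One way to find affected connections in a captured debug log, as an added example that is not part of the original article or the product: it groups lines by the CW identifier and reports connections that logged both the WebSocket tunnel start and the tcp/ssl conversion message. The field layout is inferred from the sample lines above, and the function and constant names are hypothetical.

```python
import re
from collections import defaultdict

# Layout inferred from the debug lines quoted in this article (an assumption,
# not a documented SGOS format): "HTTP <LEVEL> HTTP CW <id> <message> [<time>]"
LINE_RE = re.compile(
    r"^HTTP\s+(?P<level>[A-Z]+)\s+HTTP\s+CW\s+(?P<cw>[0-9A-Fa-f]+)\s+"
    r"(?P<msg>.*?)(?:\s+(?P<ts>\d+\.\d+))?\s*$"
)
NO_CONVERSION = "conversions between tcp and ssl not supported"
WS_TUNNEL = "Starting Websocket tunneling"


def find_affected_tunnels(lines):
    """Return {cw_id: timestamp or None} for connections that logged both the
    WebSocket tunnel start and the tcp/ssl conversion message."""
    seen = defaultdict(lambda: {"ws": False, "mismatch": False, "ts": None})
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and unrelated log output
        state = seen[m["cw"]]
        if NO_CONVERSION in m["msg"]:
            state["mismatch"] = True
            state["ts"] = m["ts"]  # trailing time field; absent on some lines
        elif WS_TUNNEL in m["msg"]:
            state["ws"] = True
    return {cw: s["ts"] for cw, s in seen.items() if s["ws"] and s["mismatch"]}


# The 70FBCB90 lines are the article's own sample; the 1A2B3C4D lines are
# constructed here to show a WebSocket tunnel that is not affected.
SAMPLE = """\
HTTP INFO HTTP CW 70FBCB90 Tunnel: conversions between tcp and ssl not supported 5072.766
HTTP DEBUG HTTP CW 70FBCB90 [Prepare_tunnel_data] 5072.766
HTTP INFO HTTP CW 70FBCB90 SET_FUNCTION_PTR: CW_Object::Prepare_tunnel_data line: 15187 5072.766
HTTP DEBUG HTTP CW 70FBCB90 [SetChunkSize] 5072.766
HTTP INFO HTTP CW 70FBCB90 Starting Websocket tunneling
HTTP DEBUG HTTP CW 1A2B3C4D [Prepare_tunnel_data] 5080.112
HTTP INFO HTTP CW 1A2B3C4D Starting Websocket tunneling
""".splitlines()

if __name__ == "__main__":
    for cw, ts in find_affected_tunnels(SAMPLE).items():
        print(f"CW {cw}: WebSocket tunnel with tcp/ssl mismatch (time {ts})")
```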

 

Cause

After upgrading, the proxy does not convert ws:// to wss:// (WebSocket over TLS), or the other way around, when a secure connection is set up on only one of the proxy's streams.

 

Environment

Reverse Proxy environment.

Websocket connections.

Resolution

At this moment, there is no workaround to rewrite wss to ws (or the other way around) on the proxy.