Ambassador does not redirect plaintext websocket to secure websocket during handshake


Describe the bug

I have a backend service that exposes an HTTP API and a real time websocket endpoint. I recently went through the process of ensuring the HTTP endpoint is always communicated with over HTTPS by setting up Ambassador's HTTP -> HTTPS redirection.

Websockets start their life as an HTTP GET request with some specialized headers. I was expecting that Ambassador would just do the right thing and redirect the incoming request to the HTTPS endpoint. Instead, Ambassador sent back an HTTP 403 Forbidden.

To Reproduce

  1. Set up a websocket backend.
  2. Set up TLS.
  3. I used the below mapping:
      ---
      apiVersion: ambassador/v0
      kind: Mapping
      ambassador_id: {{ service.ambassador.id }}
      name: kubernaut-public-ws-hostroute
      prefix: /ws
      rewrite: /ws
      host: ^next\.kubernaut\.io(:443)?$
      host_regex: true
      use_websocket: true
      service: kubernaut-public
  4. I used the following Ambassador config:
      ---
      apiVersion: ambassador/v0
      kind: Module
      name: ambassador
      ambassador_id: "{{ service.ambassador.id }}"
      config:
        use_proxy_proto: false
        use_remote_address: true

      ---
      apiVersion: ambassador/v0
      kind: Module
      name: tls
      ambassador_id: "{{ service.ambassador.id }}"
      config:
        server:
          enabled: true
          secret: "ambassador-{{ service.ambassador.id }}-certs"
          redirect_cleartext_from: 80
        client:
          enabled: false
  5. Send a cURL request to initiate the handshake:

      curl --include \
           --no-buffer \
           --header "Connection: Upgrade" \
           --header "Upgrade: websocket" \
           --header "Host: next.kubernaut.io" \
           --header "Sec-WebSocket-Key: SGVsbG8sIHdvcmxkIQ==" \
           --header "Sec-WebSocket-Version: 13" \
           -k -L -v \
           "http://next.kubernaut.io/ws/kapv1?agent-id=e7430ca7-fef8-48cf-b400-265c89e1c931"
      *   Trying 35.225.224.51...
      * TCP_NODELAY set
      * Connected to next.kubernaut.io (35.225.224.51) port 80 (#0)
      > GET /ws/kapv1?agent-id=e7430ca7-fef8-48cf-b400-265c89e1c931 HTTP/1.1
      > Host: next.kubernaut.io
      > User-Agent: curl/7.55.1
      > Accept: */*
      > Connection: Upgrade
      > Upgrade: websocket
      > Sec-WebSocket-Key: SGVsbG8sIHdvcmxkIQ==
      > Sec-WebSocket-Version: 13
      > 
      < HTTP/1.1 403 Forbidden
      HTTP/1.1 403 Forbidden
      < date: Fri, 03 Aug 2018 14:19:33 GMT
      date: Fri, 03 Aug 2018 14:19:33 GMT
      < server: envoy
      server: envoy
      < content-length: 0
      content-length: 0

      < 
      * Connection #0 to host next.kubernaut.io left intact

Expected behavior

  • Expected an HTTPS redirect.


Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 7 (2 by maintainers)
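
A deployment check for the behaviour reported above, added here as an example (not code from the issue or from Ambassador): it sends the same cleartext handshake headers as the curl command and classifies the reply. The function names and verdict strings are hypothetical, and the sample responses are constructed, with the 403 mirroring the output in the report.

```python
import socket

def build_handshake(host, path, key="SGVsbG8sIHdvcmxkIQ=="):
    """Cleartext WebSocket opening handshake, same headers as the curl call above."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: Upgrade\r\n"
        "Upgrade: websocket\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    ).encode("ascii")

def classify(raw):
    """Map a raw HTTP response head to a verdict for a port-80 handshake."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "malformed"
    status = int(parts[1])
    pairs = (line.partition(":") for line in lines[1:])
    headers = {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}
    location = headers.get("location", "").lower()
    if status == 101:
        return "upgraded-in-cleartext"   # socket established without TLS
    if status in (301, 302, 307, 308):
        if location.startswith(("https://", "wss://")):
            return "redirected-to-tls"   # what the reporter expected
        return "redirected-insecure"
    if 400 <= status < 500:
        return "rejected"                # the behaviour reported (403)
    return "other"

def probe(host, path, port=80, timeout=5.0):
    """Send the handshake over plain TCP and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_handshake(host, path))
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify(data)

# Constructed sample responses; the 403 mirrors the output shown in the issue.
SAMPLE_403 = b"HTTP/1.1 403 Forbidden\r\ndate: Fri, 03 Aug 2018 14:19:33 GMT\r\nserver: envoy\r\ncontent-length: 0\r\n\r\n"
SAMPLE_301 = b"HTTP/1.1 301 Moved Permanently\r\nlocation: https://next.kubernaut.io/ws/kapv1\r\nserver: envoy\r\n\r\n"
SAMPLE_101 = b"HTTP/1.1 101 Switching Protocols\r\nupgrade: websocket\r\nconnection: upgrade\r\n\r\n"
```

`probe()` is the only function that touches the network; `classify()` can be run over captured responses, and a verdict of `upgraded-in-cleartext` on the port 80 listener is the one to alert on.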

Top GitHub Comments

1 reaction
richarddli commented, Jun 24, 2019

0.52 is pretty old; I’m pretty sure this was fixed subsequent to that. Please upgrade and try your issue.

0 reactions
treethought commented, Dec 22, 2021

experiencing the same issue. seems dupe of #2911
