cloudflare / cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)

Home Page: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide

wss or ws connections won't work on a http or https tunnel

SymphonyCR opened this issue · comments

Describe the bug
According to the docs, websockets are supported by Cloudflare, but after I did set a hostname in Zero Trust Dashboard -> Access -> Tunnels -> mytunnel -> Public Hostname

This is the hostname config:

subdomain: mysubdomain
domain: mydomain.com

type: HTTPS
url: localhost:443
noTLSVerify: true

I can get access to my site perfectly. Here's the problem: my server web-application needs to stream content from multiple websocket ports, specifically from port 2100 to port 2140. This is because my web-application is divided into multiple modules and every module has to communicate through a websocket port... Here is my Apache HTTPS configuration:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so

Listen 443 https

<IfDefine ENABLE_TLS13>
	***some tls content here***
</IfDefine>

<IfDefine !ENABLE_TLS13>
	***some tls content here***
</IfDefine>

SSLHonorCipherOrder On
SSLPassPhraseDialog  builtin

SSLSessionCache        "shmcb:${SRVROOT}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

<FilesMatch "\.(cgi|shtml|phtml|php)$">
	SSLOptions +StdEnvVars
</FilesMatch>
<Directory "${SRVROOT}/cgi-bin">
	SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

CustomLog "${SRVROOT}/logs/ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" env=HTTPS

<VirtualHost *:443>

	SSLEngine On
        SSLProxyEngine On
	# ServerName mydomain.com:443

#Tried with and without all this block

# RewriteEngine on
# RewriteCond %{HTTP:Upgrade} websocket [NC]
# RewriteCond %{HTTP:Connection} upgrade [NC]
# RewriteRule ^/?(.*) "ws://localhost:2100/$1" [P,L]
# ProxyRequests On
# ProxyPreserveHost On

	SSLCertificateFile "C:\Certbot\archive\sub.mydomain.com\cert1.pem"
	SSLCertificateKeyFile "C:\Certbot\archive\sub.mydomain.com\privkey1.pem"

	# HARBOUR BEGIN - AUTO-GENERATED

# Module Accounting
ProxyPass /harbour/2100 ws://127.0.0.1:2100/harbour
ProxyPassReverse /harbour/2100 ws://127.0.0.1:2100/harbour
ProxyPass /monitor/2100 ws://127.0.0.1:2100/monitor
ProxyPassReverse /monitor/2100 ws://127.0.0.1:2100/monitor

# Module Reservations
ProxyPass /harbour/2102 ws://127.0.0.1:2102/harbour
ProxyPassReverse /harbour/2102 ws://127.0.0.1:2102/harbour
ProxyPass /monitor/2102 ws://127.0.0.1:2102/monitor
ProxyPassReverse /monitor/2102 ws://127.0.0.1:2102/monitor

# Module Reception
ProxyPass /harbour/2101 ws://127.0.0.1:2101/harbour
ProxyPassReverse /harbour/2101 ws://127.0.0.1:2101/harbour
ProxyPass /monitor/2101 ws://127.0.0.1:2101/monitor
ProxyPassReverse /monitor/2101 ws://127.0.0.1:2101/monitor

# Module Banking
ProxyPass /harbour/2105 ws://127.0.0.1:2105/harbour
ProxyPassReverse /harbour/2105 ws://127.0.0.1:2105/harbour
ProxyPass /monitor/2105 ws://127.0.0.1:2105/monitor
ProxyPassReverse /monitor/2105 ws://127.0.0.1:2105/monitor

# Module Owners
ProxyPass /harbour/2104 ws://127.0.0.1:2104/harbour
ProxyPassReverse /harbour/2104 ws://127.0.0.1:2104/harbour
ProxyPass /monitor/2104 ws://127.0.0.1:2104/monitor
ProxyPassReverse /monitor/2104 ws://127.0.0.1:2104/monitor

# Module Restaurant
ProxyPass /harbour/2106 ws://127.0.0.1:2106/harbour
ProxyPassReverse /harbour/2106 ws://127.0.0.1:2106/harbour
ProxyPass /monitor/2106 ws://127.0.0.1:2106/monitor
ProxyPassReverse /monitor/2106 ws://127.0.0.1:2106/monitor

# Module Hotel Configuration
ProxyPass /harbour/2107 ws://127.0.0.1:2107/harbour
ProxyPassReverse /harbour/2107 ws://127.0.0.1:2107/harbour
ProxyPass /monitor/2107 ws://127.0.0.1:2107/monitor
ProxyPassReverse /monitor/2107 ws://127.0.0.1:2107/monitor

# Module Payroll
ProxyPass /harbour/2108 ws://127.0.0.1:2108/harbour
ProxyPassReverse /harbour/2108 ws://127.0.0.1:2108/harbour
ProxyPass /monitor/2108 ws://127.0.0.1:2108/monitor
ProxyPassReverse /monitor/2108 ws://127.0.0.1:2108/monitor

# Module Accounts Payable
ProxyPass /harbour/2109 ws://127.0.0.1:2109/harbour
ProxyPassReverse /harbour/2109 ws://127.0.0.1:2109/harbour
ProxyPass /monitor/2109 ws://127.0.0.1:2109/monitor
ProxyPassReverse /monitor/2109 ws://127.0.0.1:2109/monitor

# Module Accounts Receivable
ProxyPass /harbour/2110 ws://127.0.0.1:2110/harbour
ProxyPassReverse /harbour/2110 ws://127.0.0.1:2110/harbour
ProxyPass /monitor/2110 ws://127.0.0.1:2110/monitor
ProxyPassReverse /monitor/2110 ws://127.0.0.1:2110/monitor

# Module Payroll Configuration
ProxyPass /harbour/2111 ws://127.0.0.1:2111/harbour
ProxyPassReverse /harbour/2111 ws://127.0.0.1:2111/harbour
ProxyPass /monitor/2111 ws://127.0.0.1:2111/monitor
ProxyPassReverse /monitor/2111 ws://127.0.0.1:2111/monitor

# Module Inventory
ProxyPass /harbour/2112 ws://127.0.0.1:2112/harbour
ProxyPassReverse /harbour/2112 ws://127.0.0.1:2112/harbour
ProxyPass /monitor/2112 ws://127.0.0.1:2112/monitor
ProxyPassReverse /monitor/2112 ws://127.0.0.1:2112/monitor

# Module Fixed Assets
ProxyPass /harbour/2113 ws://127.0.0.1:2113/harbour
ProxyPassReverse /harbour/2113 ws://127.0.0.1:2113/harbour
ProxyPass /monitor/2113 ws://127.0.0.1:2113/monitor
ProxyPassReverse /monitor/2113 ws://127.0.0.1:2113/monitor

# Module Spa
ProxyPass /harbour/2114 ws://127.0.0.1:2114/harbour
ProxyPassReverse /harbour/2114 ws://127.0.0.1:2114/harbour
ProxyPass /monitor/2114 ws://127.0.0.1:2114/monitor
ProxyPassReverse /monitor/2114 ws://127.0.0.1:2114/monitor

# Module Events
ProxyPass /harbour/2115 ws://127.0.0.1:2115/harbour
ProxyPassReverse /harbour/2115 ws://127.0.0.1:2115/harbour
ProxyPass /monitor/2115 ws://127.0.0.1:2115/monitor
ProxyPassReverse /monitor/2115 ws://127.0.0.1:2115/monitor

# Module Tours
ProxyPass /harbour/2116 ws://127.0.0.1:2116/harbour
ProxyPassReverse /harbour/2116 ws://127.0.0.1:2116/harbour
ProxyPass /monitor/2116 ws://127.0.0.1:2116/monitor
ProxyPassReverse /monitor/2116 ws://127.0.0.1:2116/monitor

# HARBOUR END - AUTO-GENERATED

	DocumentRoot "C:\my-path\www"
	CustomLog "${SRVROOT}/logs/ssl_request.log" \
		"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

	<Directory "C:\my-path\www">

		Options +ExecCGI +Indexes +FollowSymLinks

		DirectoryIndex index.html index.exe

		AllowOverride All
		Require all granted

		Require all granted

	</Directory>

</virtualhost>

When I serve my web-app without Cloudflare tunnels, everything works as expected... no errors... but with Cloudflare tunnel my site loads, but as soon as I launch any modules from my webapp, this is shown in the console:

webSocket address:  wss://sub.mydomain.com/harbour/2100
webview.js:706 WebSocket connection to 'wss://sub.mydomain.com/harbour/2100' failed: 
initialize @ webview.js:706
(anonymous) @ webview.js:4264
dispatch @ jquery.min.js:2407
y.handle @ jquery.min.js:2312

Any ideas about how to make it work with cloudflare tunnel?

Thanks in advance, if there's any other information you need from me, please let me know.

Closing because we don't have a response for over a month.