Support #11564

open

force TLS from behind a proxy

Added by mat Sch 11 months ago. Updated 11 months ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Start date: 05/02/2023
Due date:
% Done: 0%
Estimated time:

Description

My application is running behind an AWS load balancer proxy and I believe the upgrade to wss is not working because the Wt application thinks it should load the insecure version since that's how it was requested.

* Browser makes https request for a widget.
* AWS proxy takes https request and sends http request to widget. There is no X-Forwarded-Proto in the request header when received by Wt.
* Wt widget sends back response with request to upgrade to an insecure websocket.
* Browser tries to make insecure websocket connection but it fails because AWS proxy is only forwarding https.

Is there any way to force a wss upgrade response only even if the request comes in over http?

Thanks

Actions #1

Updated by Roel Standaert 11 months ago

> *aws proxy takes https request and sends http request to widget. There is no X-Forwarded-Proto in the request header when received by Wt.

Your answer is in the question. Wt needs to know it's behind a reverse proxy, and needs to get some information from the reverse proxy. This includes the X-Forwarded-Proto header.

Your load balancer will thus need to be configured to send that header, and Wt needs to be configured to trust the reverse proxy (the <trusted-proxy-config> section in wt_config.xml).
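Added example, not part of the original thread and not Wt's own code: a sketch of the decision described in the reply, where X-Forwarded-Proto is honoured only when the connecting peer is on a trusted-proxy list, so a client that reaches the server directly cannot set the scheme itself. The function names, the `kTrustedProxies` list and all addresses are hypothetical, constructed values; only IPv4 and a single header value are handled.

```cpp
// Added illustration, not Wt source code; every name below is hypothetical.
#include <arpa/inet.h>
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Constructed sample: the private subnet the load balancer connects from.
const std::vector<std::string> kTrustedProxies = {"10.0.0.0/16"};

// True if the IPv4 address `ip` falls inside `cidr` ("a.b.c.d/len").
bool inCidr(const std::string& ip, const std::string& cidr) {
    const auto slash = cidr.find('/');
    int len = 32;
    if (slash != std::string::npos) {
        try { len = std::stoi(cidr.substr(slash + 1)); } catch (...) { return false; }
    }
    in_addr net{}, addr{};
    if (len < 0 || len > 32) return false;
    if (inet_pton(AF_INET, cidr.substr(0, slash).c_str(), &net) != 1) return false;
    if (inet_pton(AF_INET, ip.c_str(), &addr) != 1) return false;
    const uint32_t mask = len == 0 ? 0u : 0xFFFFFFFFu << (32 - len);
    return (ntohl(addr.s_addr) & mask) == (ntohl(net.s_addr) & mask);
}

// Scheme to advertise for the WebSocket upgrade. `forwardedProto` is the raw
// X-Forwarded-Proto value (empty when the header is absent).
std::string webSocketScheme(bool tlsOnSocket, const std::string& peerIp,
                            std::string forwardedProto) {
    if (tlsOnSocket) return "wss";  // TLS terminated by the application itself
    const bool trusted = std::any_of(kTrustedProxies.begin(), kTrustedProxies.end(),
        [&](const std::string& c) { return inCidr(peerIp, c); });
    if (!trusted) return "ws";      // header from an unknown peer is ignored
    std::transform(forwardedProto.begin(), forwardedProto.end(), forwardedProto.begin(),
                   [](unsigned char ch) { return static_cast<char>(std::tolower(ch)); });
    return forwardedProto == "https" ? "wss" : "ws";
}

int main() {
    // Reporter's case: trusted proxy, plain HTTP hop, header missing.
    std::cout << webSocketScheme(false, "10.0.1.20", "") << "\n";
    // Proxy configured to send the header.
    std::cout << webSocketScheme(false, "10.0.1.20", "https") << "\n";
    // Same header from an address outside the trusted list.
    std::cout << webSocketScheme(false, "203.0.113.9", "https") << "\n";
}
```

The first call reproduces the situation in the description: without the header, the server has no basis for choosing wss even though the proxy is trusted.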
