How to configure Apache mod_proxy for use with TSPlus

[EDV-Team]

Hi!

We want to use TSPlus behind an Apache 2.4 web-server with mod_proxy enabled.

This is what we set in our Apache default-ssl.conf for our TSPlus host:

Code: Select all

<VirtualHost *:443>
  ServerName tsplus.mydomain.com
  Redirect / https://tsplus.mydomain.com/
  ProxyRequests off
  ProxyPreserveHost on
  ProxyPass / https://tsplus.mydomain.com/
  ProxyPassReverse / https://tsplus.mydomain.com/
  SSLEngine on
  SSLProxyEngine on
  SSLProtocol ALL -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
  SSLCertificateKeyFile /etc/apache2/ssl/myserver.key
  SSLCertificateFile /etc/apache2/ssl/myserver.crt
  ErrorLog /var/log/apache2/tsplus-ssl-error.log
  CustomLog /var/log/apache2/tsplus-ssl-access.log common
</VirtualHost>

I can successfully connect with the HTML5 client to the TSPlus server, but when the RDP session is initiated all things are extremely slow!
First it takes round about 5 Minutes till I see the Windows Desktop, when I start an application it also takes 5 minutes until I see it on
the remote session, and when I type in a user name or something like that, it also takes 5 minutes until I see what I was typing.

In the Apache access.log I get this entries every few seconds:

[29/Oct/2015:10:19:32 +0100] "GET /socket.io/xhr-polling/ea085b41-6b2c-43f0-890c-22910847638b/1446110387506 HTTP/1.1" 200 378
[29/Oct/2015:10:19:36 +0100] "POST /socket.io/xhr-polling/ea085b41-6b2c-43f0-890c-22910847638b/send HTTP/1.1" 200 248
[29/Oct/2015:10:19:36 +0100] "GET /socket.io/xhr-polling/ea085b41-6b2c-43f0-890c-22910847638b/1446110392326 HTTP/1.1" 200 391

In the Apache error.log I see this sometimes:

[Thu Oct 29 08:55:12.361116 2015] [proxy_http:error] [pid 17611] (70014)End of file found: [client xxx.xxx.xxx.xxx:33776] AH01102: error reading status line from remote server tsplus.mydomain.com:443, referer: tsplus.mydomain.com/
[Thu Oct 29 08:57:22.995342 2015] [proxy_http:error] [pid 17574] (70014)End of file found: [client xxx.xxx.xxx.xxx:33194] AH01102: error reading status line from remote server tsplus.mydomain.com:443
[Thu Oct 29 08:57:22.995511 2015] [proxy:error] [pid 17574] [client xxx.xxx.xxx.xxx:33194] AH00898: Error reading from remote server returned by /socket.io/websocket_https

Can anybody help us to get this running please?

Thx

[juwagn]

Hello,

what you have configurated with Apache mod is called reverse proxy.
The problem is used transport xhr-polling instead Websockets. It is pure fallback solution, where I do not say, reverse proxies are absolutely unsupported, but surely only partially.
What you could try:
by default under www\software\html5\settings.js you will find variable
W.xhrreverse = true; //use xhr instead websockets, if recognized the usage of reverse proxies in environment, it may help 50/50
The problem for today, I am not up to date, if Apache_mod learned to support Websockets, highly not, but I am not sure, have no such environment where I could check things, but you can
set W.xhrreverse = false; and deleted cookies in browser (very important, else it will take last succeed transport from cookies - in your case xhr-polling) and retry again.
With W.xhrreverse = false; it will try Websockets as first transport forcibly.
If it helped, please report, I will than reset W.xhrreverse to be default false, but if not... well, you can try other reverse proxy modules that support Websockets.. I know only few proxies on Linux that have support for Websockets, but who knows, may be Apache fixed it in last few years.

[juwagn]

Hello again,

by the way, googled and found
httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
so possibly
1. mod_proxy_wstunnel
2. W.xhrreverse = false;
3. ProxyPass "/" "ws://tsplus.mydomain.com/"
ProxyPassPassReverse "/" "ws://tsplus.mydomain.com/"
could do the trick, but absolutely unsure about, surely mod_proxy seems not to support it, only mod_proxy_wstunnel

[EDV-Team]

Thank you very much for your reply!

I've changed settings.js file for the HTML5 client and added the lines for wstunnel in default-ssl.conf, but it doesn't work.
The HTML 5 Clients now tries to connect with websocket first, but seems to get a timeout. After that the client tries a connection over flashsocket which also don't work, so it switches again to xhr-polling as fallback.

[juwagn]

Code: Select all

Hello,

ok, according to your experience, if I now understand the info form Apache correctly, this proxy_wstunnel_module does not support auto recognizing of Websockets headers to take decision to switch to websockets handling, instead you tell via directive that subpath xyz is meant to be Websocket forwarded traffic.
ProxyPass / https://tsplus.mydomain.com/
ProxyPassReverse / https://tsplus.mydomain.com/
ProxyPass / ws://tsplus.mydomain.com/
ProxyPassPassReverse / ws://tsplus.mydomain.com/
So possibly that can not be mixed, so I assume, subpaths for http and ws requests have to be different... however it is only assumption, i have not the right environment to check these things..
another few things to check..


ProxyPass / https://tsplus.mydomain.com/
ProxyPassReverse / https://tsplus.mydomain.com/
for regular http
and plus additionally
ProxyPass /socket.io/websocket ws://tsplus.mydomain.com/socket.io/websocket
ProxyPassReverse /socket.io/websocket ws://tsplus.mydomain.com/socket.io/websocket
ProxyPass /socket.io/flashsocket ws://tsplus.mydomain.com/socket.io/flashsocket
ProxyPassReverse /socket.io/flashsocket ws://tsplus.mydomain.com/socket.io/flashsocket

ProxyPass /socket,io/websocket ws://tsplus.mydomain.com/socket,io/websocket
ProxyPassReverse /socket,io/websocket ws://tsplus.mydomain.com/socket,io/websocket
ProxyPass /socket,io/flashsocket ws://tsplus.mydomain.com/socket,io/flashsocket
ProxyPassReverse /socket,io/flashsocket ws://tsplus.mydomain.com/socket,io/flashsocket

I hope so, that when request comes beginning as example with /socket.io/websocket it will be autohandled as ws connection, and being forwarded by preserving same subpath ws://tsplus.mydomain.com/socket.io/websocket

I think it is worth of try this way too.
PS: if I had access to your environment and test everything out, things could go faster.

[juwagn]

ps: the forum discarded the links inside my answer, so i had to post message as code..