Forum Discussion

Becooked_349400's avatar
Becooked_349400
Icon for Altostratus rankAltostratus
Jan 22, 2018

HTTP and HTTPS Proxy generates websocket error 403 and 503.

Hello. My name is Byung.

 

I am able 3 years into F5 and still feel like a newbie. I came across a very weird websocket issue. My DB admin ask to proxy a web server listening on port 8888(http). So, I created a VIP listening on port 80 forwarding it to pool member on port 8888. Forwarding works fine, but DB came back stating site is not functional. After some analyse on Chrome, websocket is generating error 503, when using http and error 403, when VIP uses https.

 

I have tried it without http profile, with http profile and winsock profile, http profile with iRule disabling http profile, if header contains "websocket". Nothing seems to fix this issue.

 

It looks like something called "spring-websocket.js" fails to contact the server. Accessing server directly on port 8888 does not have this issue.

 

Any suggestion will be greatly appreciated. This has been day 5.

 

Thank you all and have a wonderful day.

 

  • when HTTP_REQUEST {

     

    HTTP::header insert X-Forwarded-Host [HTTP::host] X-Forwarded-Port 443 }

     

4 Replies

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus

    What does the log of the web server on port 8888 say about the errors?

     

  • The 503 will because websocket is not HTTP -- https://support.f5.com/csp/article/K14754. The 403 is because your app is using port 8888 and the virtual is on port 80. Have you analysed the TCP connections leaving the client machine using Tcpdump? You will need to ensure that its not trying to communicate on different ports. Alternatively you can make your virtual server listen on all ports by specifying 0 (remove the HTTP profile, add a simple iRule to CLIENT_ACCEPTED to log incoming connects with [TCP::local_addr]) then you will see from the logs what ports are being used from your clients address.

     

  • I sent message to the Server admin. I will let you know as soon as I get some responds back. Meanwhile, is there any thing I can take a look on F5? I ran a tcpdump, but it was all encrypted(TLS) trafffic.

     

    Thank you and have a nice day.

     

  • when HTTP_REQUEST {

     

    HTTP::header insert X-Forwarded-Host [HTTP::host] X-Forwarded-Port 443 }