I have a python webex_bot application (https://github.com/fbradyirl/webex_bot) which uses websockets for webex cloud communication. The problem is that the server in which the bot is being hosted on, does not have direct reachability to the internet, you need to use a proxy server (10.13.140.88:3128).
WSS client -> HTTP/HTTPS Proxy -> Internet (WSS server)
After investigating, the bot does not accepts any proxy related arguments and was in the need to search for any alternatives.
First resolution attempt: Forwarding the local proxy generated traffic with iptables:
sudo nano /etc/sysctl.conf
Uncomented: net.ipv4.ip_forward=1
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.13.140.88:3128
sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 10.13.140.88:3128
But after attempting to run the bot, an SSL error was observed:
2023-08-13 13:51:40 [INFO] [webex_websocket_client.webex_bot.websockets.webex_websocket_client._connect_and_listen]:160 Opening websocket connection to wss://mercury-connection-partition0-a.wbx2.com/v1/apps/wx2/registrations/78f90e01-df70-405f-89c9-a8fe3a1bdad8/messages
2023-08-13 13:51:40 [ERROR] [webex_websocket_client.webex_bot.websockets.webex_websocket_client.run]:175 runException: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1007)
After researching this issue, i think i was able to find the reason why it is failing:
"You cannot do this directly with iptables, because doing the "redirect" at layer 3/4 will not allow SSL negotiation to take place, as the client's browser will still being using plain HTTP.
What you need to do is use an HTTP 302 (or other 300-level) response code to redirect users to the HTTPS verison of your site."
Second resolution attempt: Forwarding the local proxy generated traffic with nginx:
Tried the following configuration, but no success:
#ocation ~ /ws.* {
proxy_http_version 1.1;
proxy_set_header Accept-Encoding "";
proxy_set_header X-Real-IP 10.13.140.88;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For 10.13.140.88:3128;
proxy_set_header XFORWARDEDPROTO https;
proxy_set_header X-NginX-Proxy true;
proxy_buffers 8 32k;
proxy_buffer_size 64k;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400;
proxy_pass http://10.13.140.88:3128;
}
Third resolution attempt: Forwarding the local proxy generated traffic with haproxy:
It seems that you need to perform a layer 7 redirect (302) for the HTTPS traffic to allow SSL negotiation, after researching, it seems that haproxy has the ability to perform this L7 (application layer) forwarding: https://www.haproxy.com/blog/redirect-http-to-https-with-haproxy
frontend local_ssl
bind *:443 ssl crt /home/admin/apps/webex-bot/server.pem
mode http
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend redirect_https_proxy if { req_ssl_sni -i 10.13.140.88:3128 }
backend redirect_https_proxy
mode http
server proxy_server 10.13.140.88:3128
But no success as well, it indicates an error on the process level:
haproxy -f /etc/haproxy/haproxy.cfg -c
[WARNING] (10715) : Proxy 'local_ssl': L6 sample fetches ignored on HTTP proxies (declared at /etc/haproxy/haproxy.cfg:41).
[WARNING] (10715) : Proxy 'local_ssl': L6 sample fetches ignored on HTTP proxies (declared at /etc/haproxy/haproxy.cfg:40).
Warnings were found.
Configuration file is valid
Where the service fails to run:
sudo systemctl status haproxy
× haproxy.service - HAProxy Load Balancer
Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sun 2023-08-13 14:18:36 CST; 1h 11min ago
Docs: man:haproxy(1)
file:/usr/share/doc/haproxy/configuration.txt.gz
Process: 10243 ExecStartPre=/usr/sbin/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=0/SUCCESS)
Process: 10245 ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=1/FAILURE)
Main PID: 10245 (code=exited, status=1/FAILURE)
CPU: 122ms
Is the redirect even possible? Any workaround for this issue?
