Proxying secure websockets to insecure ws applicaton

I’m trying to wrap my brain around running a particular application with OOD. I am running CARTA inside a singularity container, which fires up the application and listens on a port that it picks (stolen from the Jupyter startup scripts). The application works by sending you first over http to the port CARTA is listening on, then changing you over to a WSS connection. Unfortunately, the application doesnt’ have the option for me to start it in secure mode, so the whole thing fails. Does anyone have any experience setting up the PUN to act as WSS termination, then proxying the traffic back to an insecure app?

Hi and welcome!

I’ll have to check, but I believe this is how noVNC works. We have SSL termination on apache and proxy everything else over plain http/ws. We’ll have to look into it further to see what may be the issue, but it seems (at a glance) like this is how everything runs. All apps run in plain http/ws and apache is configured with SSL, so we terminate SSL at the apache layer. We don’t run CARTA here (though it looks very cool), can you share your repository? Maybe we can check it out and see if there’s anything else that can be done.

I don’t have it in a repo, but I could push it up somewhere, it’s very basic. I think I was barking up the wrong tree a bit because I was looking for the logs in nginx, not realizing that the proxying was happening in mod_ood_proxy (seems obvious though!). I’ll reply back when I have things in a repo, and see if anything pops out in the apache logs.

Now that I’m looking in the right place, I see the SSL termination happening in Apache , and it’s proxying it to ws://nameofnode:port/?token=blah. So something else strange is happening there, that is almost certainly “Not Your Problem ™”. : )

1 Like