Using go-websocket behind Apache mod_proxy_wstunnel

Note: Updated config and added trailing slash to websocket path. Still same problem

Is it possible to use go-websocket behind a Apache reverse proxy with mod_proxy_wstunnel?

I tried and failed to get things working.

I tried to use the Chat example behind an Apache reverse proxy (with mod_proxy_wstunnel enabled). And it doesn't work. The proxy is a success, while the websocket part does not work at all.

My Apache config looks similar to this:

<VirtualHost *:80>
    DocumentRoot /var/www/foobar
    ServerName foobar.com
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    ProxyPass /ws/ ws://localhost:8080/ws/
    ProxyPassReverse /ws/ ws://localhost:8080/ws/
    ErrorLog logs/error_log-foobar
    CustomLog logs/access_log-foobar common
    LogLevel debug
</VirtualHost>

And of course I'm running the chat server on port 8080. I've tested it with SSH tunnel, and things work perfectly. Then I moved on to Apache.

The first time I tried, the javascript console complains this:

NetworkError: 403 Forbidden - http://foobar.com/ws/

The request seems to be stucked at the origin check.
Then I tried again after comment out the origin check, it get this:

NetworkError: 400 Bad Request - http://foobar.com/ws/

It seems the chat server do not get the upgrade request at all.

How should I debug this?
Where should I start looking?

Thanks everyone! After taking several advices above, I found the solution.

And for someone who might have similar issue, here is the solution to my question:

1. As Aralo suggested, trailing slash must be added to the WebSocket path (in my case: "/ws/"). It looks Apache will only handle WebSocket with a valid GET request.

2. James Henstridge was right. The order of ProxyPass relevant. ProxyPass of /ws/ must be put before the / line.

3. After consulting the Chat example code, I found an origin check in the function ServeWs() and removed.

Everything works now.

And thanks covener, reading logs does help.

I am using Go secure WebSocket (wss://) server behind Apache 2.4.18 on CentOS 7. Here are the settings:

Make sure the system has mod_proxy_wstunnel:

# find /usr/lib64/httpd/modules/ | grep ws

/usr/lib64/httpd/modules/mod_proxy_wstunnel.so

Add the following line in 00-proxy.conf:

# vim /etc/httpd/conf.modules.d/00-proxy.conf

LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so

Restart Apache:

# systemctl restart httpd

Check the setting:

# httpd -M | grep -iE 'proxy'

 proxy_module (shared)
 proxy_fcgi_module (shared)
 proxy_http_module (shared)
 proxy_wstunnel_module (shared)

Edit httpd-vhosts.conf:

# vim /etc/httpd/conf.d/httpd-vhosts.conf

<VirtualHost *:443>
    ServerName go.mydomain.com:443

    ProxyPreserveHost On
    ProxyRequests off

    SSLProxyEngine On
    SSLCertificateFile "/etc/pki/tls/certs/mydomain.com/mydomain.crt"
    SSLCertificateKeyFile "/etc/pki/tls/certs/mydomain.com/mydomain.key"

    ### The configured ProxyPass and ProxyPassMatch rules are checked
    ### in the order of configuration. The first rule that matches wins.
    ProxyPassMatch ^/(ws(/.*)?)$ wss://192.168.0.1:443/$1

    ProxyPass / https://192.168.0.1:443/
    ProxyPassReverse / https://192.168.0.1:443/

    ErrorLog "/var/log/httpd/go.mydomain.com-error_log"
    CustomLog "/var/log/httpd/go.mydomain.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    ServerName go.mydomain.com:80

    ProxyPreserveHost On
    ProxyRequests off

    ###
    ProxyPassMatch ^/(ws(/.*)?)$ ws://192.168.0.1:80/$1

    ProxyPass / http://192.168.0.1:80/
    ProxyPassReverse / http://192.168.0.1:80/

    ErrorLog "/var/log/httpd/go.mydomain.com-error_log"
    CustomLog "/var/log/httpd/go.mydomain.com-access_log" common
</VirtualHost>