Websocket balance & Cross-Origin Request Blocked


#1

Hi,

I am upgrading my haproxy configuration to handle load balancing with websockets. The new configuration is shown below. Modifications from the previous configuration, which was functional, are specified.

I get the following error message once connected to the corresponding website:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://helping-pong.com/socket.io/?EIO=3&transport=polling&t=LqQEI5-. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)

Haproxy config file (global and defaults put at the end) :

#front-end
frontend https_app
        bind 0.0.0.0:443 ssl no-sslv3 crt /etc/ssl/letsencrypt
        default_backend  http_app

#back-end
backend http_app
        option httpchk
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-Forwarded-Port %[dst_port]

        ####### Code removed to handle balance 
        server server_app_1  127.0.0.1:3001 maxconn 100

        ####### Code added to handle balance
        balance roundrobin              
        cookie SERVERID insert indirect 
        server server_app_1  127.0.0.1:3001 maxconn 100 weight 10 cookie server_app_1 check
        server server_app_2  127.0.0.1:3002 maxconn 100 weight 10 cookie server_app_2 check


global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        maxconn 10000
        debug

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES$
        ssl-default-bind-options no-sslv3

        ssl-default-server-options no-sslv3
        ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+$

defaults http
        log   global
        mode  http
        option  httplog
        option  dontlognull
        retries  3
        option  redispatch
        option  http-server-close
        option forceclose
        option forwardfor except 127.0.0.1
        timeout connect 5s
        timeout client 30s
        timeout client-fin 30s
        timeout tunnel 1h
        timeout server 30s

Help will be much appreciated


#2

This is not haproxy related, the browser blocks this request for security reasons.

I suggest a read here:


#3

Many thanks for your reply.
I do not have this error when I do not implement (or at least try to) the load balancing, i.e. when just using the reverse proxy and terminating SSL.


#4

Nonetheless it is an application problem which you have to troubleshoot on the application layer.

If you can tell what has to be done on the HTTP layer to fix this application problem, then we can help you.


#5

Many thanks,

I believe I understand the problem…

The problem happens when I try to connect to my “socket.io” server (port 8000 proxied to ports 8001 or 8002) from the main application server (port 443 proxied to ports 3001 or 3002).
All the backend is made with nodejs.

For now I have not been able to make it work using the main recommendations on Stack Overflow and equivalents, i.e. implementing within the server code:

io.origins([':'])

or

app.use(function(req, res, next) {
    res.header("Access-Control-Allow-Origin", "*")
    res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
    next()
})

Any suggestion will be much appreciated

Matthieu


#6

Hi,

I did not manage to handle the CORS issues so as to have a socket server separated from the main application server.
I have merged both nodejs application servers into a single one.

Load balance seems to work very well with this configuration.

Matthieu


#7

Hi,

I have to split my application into two servers so as to separate two socket.io usages.
My main application frontend is on port 443, while the websocket application frontend is on port 8000.

I would like to allow the access to my-domain.com:8000, from my-domain.com:443.

I have tried to allow the access domain within my node application, unsuccessfully… I suppose I have to do this via HAProxy. I have used the following instructions in the HAProxy conf file shown below…

capture request header origin len 128
 http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)]

What am I doing wrong ?

Many thanks for your help

global
        log 127.0.0.1 local0
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        maxconn 10000
        debug
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

        ssl-default-server-options no-sslv3
        ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3D$

defaults http
        log             global
        mode            http
        option          httplog
        option          dontlognull
        retries         3
        option          http-server-close
        option          forwardfor except 127.0.0.1
        timeout         connect 5s
        timeout         client 30s
        timeout         client-fin 30s
        timeout         tunnel 1h
        timeout         server 30s

#front-end
frontend https_app
        bind 0.0.0.0:443 ssl no-sslv3 crt /etc/ssl/letsencrypt
        default_backend  http_app

frontend https_webconf
        bind 0.0.0.0:8000 ssl no-sslv3 crt /etc/ssl/letsencrypt
        capture request header origin len 128
        http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)]
        default_backend  http_webconf


#back-end
backend http_app
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-Forwarded-Port %[dst_port]
        server server_app_1  127.0.0.1:3001 maxconn 100

backend http_webconf
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-Forwarded-Port %[dst_port]
        server server_webconf_1  127.0.0.1:8001 maxconn 100

#8

I posted the question on stackoverflow too.


Help will be much appreciated
Matthieu


#9

I have finally found the origin of all these difficulties…that’s embarrassing but I was using two configuration files so the modifications I tried to apply did not have any impact on the HAProxy behavior…
The above-mentioned configuration works if put in the right file.
I am happy this basic problem is solved.
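
The `https_webconf` frontend from post #7 copies whatever `Origin` the client sent into `Access-Control-Allow-Origin`, so every site is granted cross-origin read access to port 8000. The fragment below is an added example, not part of the original thread: it keeps the same capture but only answers for an allow-listed origin. The origin value `https://my-domain.com` is an assumption taken from the placeholder domain used in post #7.

```haproxy
# Added example, not the poster's configuration.
# Assumption: the page served on port 443 sends "Origin: https://my-domain.com"
# (browsers leave the default port 443 out of the Origin value).

frontend https_webconf
        bind 0.0.0.0:8000 ssl no-sslv3 crt /etc/ssl/letsencrypt

        # Slot 0: the first "capture request header" line in this frontend
        capture request header origin len 128

        # As posted in #7: reflects any Origin back to the caller
        # http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)]

        # Exact string match on the captured Origin header
        acl origin_allowed capture.req.hdr(0) -m str https://my-domain.com

        # Drop any value the backend set when the origin is not allow-listed
        http-response del-header Access-Control-Allow-Origin unless origin_allowed

        # set-header replaces a backend-supplied value instead of adding a
        # second one; browsers reject responses carrying more than one value
        http-response set-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if origin_allowed

        # The response now varies with the request Origin, so tell caches
        http-response add-header Vary Origin

        default_backend  http_webconf
```

After editing, `haproxy -c -f <file>` checks the syntax of the file that is actually passed to the running service, which is the check that would have caught the two-file mix-up described in post #9.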