websockets blocked by a basic auth on reverse proxy (Nginx or haproxy)

[wiseflat]

Hi,

I would like to install vscode behind a reverse proxy (haproxy). I want to set up a basic auth on haproxy. But vscode doesn't seem to pass credentials trough websockets so, haproxy block connections (with an HTTP 401 response).

If I disable basic_auth mecanism, vscode works ! that's a good point right ? :-)

I finally followed this link to set up Nginx properly behind haproxy but it doesn't work either, same naughty HTTP 401 response...

Nginx configuration

# cat default
server {
  listen 80;
  server_name code.domain.com;

  auth_basic           "Administrator’s Area";
  auth_basic_user_file /etc/nginx/.htpasswd;

  location / { 
      proxy_pass http://localhost:8080/;
      proxy_set_header Host $host;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection upgrade;
      proxy_set_header Accept-Encoding gzip;
  }
}

Nginx logs

==> /var/log/nginx/access.log <==
1.2.3.4 - admin [07/Feb/2020:10:51:59 +0000] "GET / HTTP/1.1" 200 1943 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"
1.2.3.4 - admin [07/Feb/2020:10:51:59 +0000] "GET /static-f51e045cd5483561afc07694f39307fb673b6d1d/out/vs/workbench/workbench.web.api.css HTTP/1.1" 200 301389 "https://code.domain.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"
1.2.3.4 - admin [07/Feb/2020:10:51:59 +0000] "GET /static-f51e045cd5483561afc07694f39307fb673b6d1d/out/vs/loader.js HTTP/1.1" 200 33566 "https://code.domain.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"
1.2.3.4 - admin [07/Feb/2020:10:51:59 +0000] "GET /static-f51e045cd5483561afc07694f39307fb673b6d1d/out/vs/workbench/workbench.web.api.nls.js HTTP/1.1" 200 261464 "https://code.domain.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"
1.2.3.4 - admin [07/Feb/2020:10:52:00 +0000] "GET /static-f51e045cd5483561afc07694f39307fb673b6d1d/out/vs/workbench/workbench.web.api.js HTTP/1.1" 200 6126509 "https://code.domain.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"
1.2.3.4 - admin [07/Feb/2020:10:52:00 +0000] "GET /static-f51e045cd5483561afc07694f39307fb673b6d1d/node_modules/semver-umd/lib/semver-umd.js HTTP/1.1" 200 119668 "https://code.domain.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"
1.2.3.4 - admin [07/Feb/2020:10:52:00 +0000] "GET /static-f51e045cd5483561afc07694f39307fb673b6d1d/out/vs/code/browser/workbench/workbench.js HTTP/1.1" 200 5474 "https://code.domain.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"
1.2.3.4 - - [07/Feb/2020:10:52:00 +0000] "GET /favicon.ico HTTP/1.1" 401 204 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"
1.2.3.4 - - [07/Feb/2020:10:52:00 +0000] "GET /favicon.ico HTTP/1.1" 401 204 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"
1.2.3.4 - - [07/Feb/2020:10:52:00 +0000] "GET /?reconnectionToken=e3ea3c17-a1a7-494e-9032-d11ca11486e3&reconnection=false&skipWebSocketFrames=false HTTP/1.1" 401 204 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"
1.2.3.4 - admin [07/Feb/2020:10:52:00 +0000] "GET /static-f51e045cd5483561afc07694f39307fb673b6d1d/out/vs/workbench/services/extensions/worker/extensionHostWorkerMain.js HTTP/1.1" 200 740 "https://code.domain.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"
1.2.3.4 - admin [07/Feb/2020:10:52:00 +0000] "GET /static-f51e045cd5483561afc07694f39307fb673b6d1d/out/vs/loader.js HTTP/1.1" 200 33527 "https://code.domain.com/static-f51e045cd5483561afc07694f39307fb673b6d1d/out/vs/workbench/services/extensions/worker/extensionHostWorkerMain.js" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"
1.2.3.4 - - [07/Feb/2020:10:52:00 +0000] "GET /?reconnectionToken=acc247d4-2dcc-449f-a7a5-5722b0412bb9&reconnection=false&skipWebSocketFrames=false HTTP/1.1" 401 204 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"
1.2.3.4 - admin [07/Feb/2020:10:52:00 +0000] "GET /static-f51e045cd5483561afc07694f39307fb673b6d1d/out/vs/workbench/services/extensions/worker/extensionHostWorker.js HTTP/1.1" 200 1764037 "https://code.domain.com/static-f51e045cd5483561afc07694f39307fb673b6d1d/out/vs/workbench/services/extensions/worker/extensionHostWorkerMain.js" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"
1.2.3.4 - admin [07/Feb/2020:10:52:00 +0000] "GET /static-f51e045cd5483561afc07694f39307fb673b6d1d/out/vs/workbench/services/extensions/worker/extensionHostWorker.nls.js HTTP/1.1" 200 17880 "https://code.domain.com/static-f51e045cd5483561afc07694f39307fb673b6d1d/out/vs/workbench/services/extensions/worker/extensionHostWorkerMain.js" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/22.0 Safari/605.1.15"

#80 : same problem but the first answer was to remove the basic auth :-(

Logs from my browser, if it can help...

safari

[Error] WebSocket connection to 'wss://code.domain.com/?reconnectionToken=3d924282-0f4c-4111-9913-9ac44e3217fe&reconnection=false&skipWebSocketFrames=false' failed: Unexpected response code: 401
[Error] Error: WebSocket close with status code 1006

s@https://code.domain.com/static-f51e045cd5483561afc07694f39307fb673b6d1d/out/vs/workbench/workbench.web.api.js:1648:744
https://code.domain.com/static-f51e045cd5483561afc07694f39307fb673b6d1d/out/vs/workbench/workbench.web.api.js:1650:372
	(fonction anonyme) (workbench.web.api.js:51:618)
[Error] Error: Handler already set!
	setHandler (workbench.web.api.js:3129:881)
	initialize (workbench.web.api.js:4566:122)
	g (workbench.web.api.js:4566:94)
	B (workbench.web.api.js:4568:541)
	_createInstance (workbench.web.api.js:1498:207)
	_createAndCacheServiceInstance (workbench.web.api.js:1499:475)
	_createInstance (workbench.web.api.js:1497:804)
	createInstance (workbench.web.api.js:1497:628)
	acquireInstantiationService (workbench.web.api.js:4388:548)
	(fonction anonyme) (workbench.web.api.js:5524)
[Error] WebSocket connection to 'wss://code.domain.com/?reconnectionToken=cee4de9b-e590-47b5-828f-a05e0660e4c4&reconnection=false&skipWebSocketFrames=false' failed: Unexpected response code: 401
[Error] Error received from starting extension host
	(fonction anonyme) (workbench.web.api.js:3386:579)
	promiseReactionJob
[Error] Error: WebSocket close with status code 1006
	(fonction anonyme) (workbench.web.api.js:3386:640)
	promiseReactionJob
[Error] Error received from starting extension host
	(fonction anonyme) (workbench.web.api.js:3386:579)
	promiseReactionJob
[Error] Error: WebSocket close with status code 1006
	(fonction anonyme) (workbench.web.api.js:3386:640)
	promiseReactionJob

Any ideas ?
Cheers

[nhooyr]

See https://stackoverflow.com/questions/6714966/basic-authentication-for-websockets

Its a browser limitation.

[perelin]

Just a remark: I also encountered this behaviour, but only on Safari (Safari/Mac:13.0.5 + iOS 13.4). Chrome (80.0.3987.149) works fine.