WebSocket connections return 403 when isolation mode is enabled

Question

WebSocket connections return 403 when isolation mode is enabled

hendrikgaffo opened this issue a year ago · 5 comments

Describe the bug
We are running a WebSocket Service (using Socket.IO) on an AKS cluster with Bridge to Kubernetes installed. We are using the NGINX Ingress Controller for our services.

We are currently working on a different service, for which we use B2K to access data from other services in our cluster.

Now, whenever we are running the B2K debugger task with isolation mode enabled, any attempt to connect to the WebSocket service returns a 403:
"GET /socket.io/?EIO=3&transport=websocket HTTP/1.1" 403

If we turn isolation mode off, we get the proper 101 (Switching Protocols):
"GET /socket.io/?EIO=3&transport=websocket HTTP/1.1" 101

This has to do with the fact that in isolation mode, the request is being made to the Envoy pod instead of the original pod. I think the default Envoy configuration does now allow WebSocket connections.

In order to enable WebSocket connections, we thought about adding this part to the Envoy routing config of our WebSocket service, which gets automatically created by B2K:

upgrade_configs:
  upgrade_type: "websocket"

However, when updating the Envoy config for the service, it immediately gets set to the default value again (this is also mentioned in #159).

Mention the platform you are using
VS Code: 1.83.0
Bridge to Kubernetes Extension: v2.0.120231004
AKS: 1.24.15

To Reproduce
Steps to reproduce the behavior:

Deploy a Socket.IO server to AKS
Open up another service in VS Code and run the B2K debugger task with isolation mode enabled
Try to connect to the Socket.IO service

Expected behavior
We expect the request to return a 101 - Switching Protocols, so that a WebSocket connection is established.

Screenshots
This is a screenshot of Postman, showing an attempt to connect to the WebSocket Service with B2K isolation mode enabled.

Desktop (please complete the following information):

OS: Ubuntu 22.04
Browser: Edge for Business 117.0.2045.55 (Official build) (64-bit)

Answer 1 · 2023-10-11T15:31:50.000Z

@hendrikgaffo Thanks for raising this issue. we will check this and get back to you.

Answer 2 · 2023-11-02T17:37:55.000Z

@hendrikgaffo I looked into it, I have a question this upgrade_configs needs to be added only for websocket services right ? Not for all services, also you are looking for communication between ws --> ws not ws --> wss ? because ws --> wss need transport socket added with certificates in them. Please confirm on this. If you are willing to contribute here is the place where you can add this feature. Thanks for your patience.

Reference : https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/websocket#step-3-test-proxying-ws-ws

Answer 3 · 2024-01-09T23:46:56.000Z

@hendrikgaffo can you confirm on the above one please ? thank you.

Answer 4 · 2024-02-08T15:23:56.000Z

some news about it??

Answer 5 · 2024-03-04T14:48:42.000Z

Hi , can I ask if this problem will be fixed ?

It's very time locking debug only in non isolated way...
If we are activating the isolated mode, wss can't work anymore as described

reagards