Host Shinyproxy on a centos server managed by Cpanel. https redirection crash the app

ShinyProxy
#1

Hi,
I want to host shinyproxy on a server managed by cpanel.
I managed to get docker and shinyproxy working and opened the port 8080 (only for test purpose).
The app works well when I access it through https://domain.com:8080

Now I want to access the app through an apache2 https redirection. Cpanel use a custom file trick to be able to add custom configuration to appache2, I managed to create a subdomain where the https port redirect to the app something like :

 # Configure HTTP request headers
    RequestHeader set X-Forwarded-Proto https
# The ProxyPreserveHost On directive is
# used so that the desired hostname is passed through,
# in case we are proxying multiple hostnames to a single machine
    ProxyPreserveHost On

#  Maps remote servers into the local server URL-space using regex
ProxyPassMatch "^/(.+)/websocket""ws://127.0.0.1:8080//$1/websocket"keepalive=On


# Maps remote servers into the local server URL-space
ProxyPass / http://127.0.0.1:8080/

# Adjust the URL in HTTP response headers sent from reverse proxied server
ProxyPassReverse          /      http://127.0.0.1:8080/

ProxyRequests               Off

 # To customize this VirtualHost use an include file at the following location
 # Include "/etc/apache2/conf.d/userdata/ssl/2_4/__domain__.com/*.conf"

using this the https redirection seems to work at first the container starts but the app crash after one second.

Here is the stack trace of the shinyproxy error that is listed:

 Proxy activated [user: pJq2GPzxwlhC-M9WET3KjvMsxCQNt9VOnCyJQJeU] [spec: calculator] [id: 25f535ff-98f0-47ec-b786-cb90bd766dfc]
2020-12-07 03:35:53.347 ERROR 12431 --- [  XNIO-1 task-1] io.undertow.request                      : UT005023: Exception handling request to //app_direct/calculator/websocket

org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String "//"
	at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:369) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
	at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:336) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) ~[spring-web-5.2.9.RELEASE.jar!/:5.2.9.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) ~[spring-web-5.2.9.RELEASE.jar!/:5.2.9.RELEASE]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.2.9.RELEASE.jar!/:5.2.9.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.9.RELEASE.jar!/:5.2.9.RELEASE]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:93) ~[spring-boot-actuator-2.3.4.RELEASE.jar!/:2.3.4.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.9.RELEASE.jar!/:5.2.9.RELEASE]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.2.9.RELEASE.jar!/:5.2.9.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.9.RELEASE.jar!/:5.2.9.RELEASE]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.server.handlers.PathHandler.handleRequest(PathHandler.java:91) ~[undertow-core-2.1.4.Final.jar!/:2.1.4.Final]
	at eu.openanalytics.containerproxy.util.ProxyMappingManager$ProxyPathHandler.handleRequest(ProxyMappingManager.java:160) ~[containerproxy-0.8.5.jar!/:0.8.5]
	at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) ~[undertow-core-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) ~[undertow-core-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) ~[undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) ~[undertow-core-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269) [undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78) [undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133) [undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130) [undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) [undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) [undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249) [undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78) [undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99) [undertow-servlet-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:370) [undertow-core-2.1.4.Final.jar!/:2.1.4.Final]
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:836) [undertow-core-2.1.4.Final.jar!/:2.1.4.Final]
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) [jboss-threads-3.1.0.Final.jar!/:3.1.0.Final]
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:2019) [jboss-threads-3.1.0.Final.jar!/:3.1.0.Final]
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1558) [jboss-threads-3.1.0.Final.jar!/:3.1.0.Final]
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1449) [jboss-threads-3.1.0.Final.jar!/:3.1.0.Final]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_272]

Any idea how I could get that to work? Is there any error with the

"UT005023: Exception handling request to //app_direct/calculator/websocket

org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String "//"

I have everything running on my own server (ubuntu without cpanel) and everything runs great.
Shinyproxy really is awesome I would like it to work on this other server too.

Also on the browser I get the following error

WebSocket connection to 'wss://apps2.ciaaw.org/app_direct/calculator/websocket/' failed: Error during WebSocket handshake: Unexpected response code: 500

#2

fix it removing the extra slash in

ProxyPassMatch “^/(.+)/websocket”"ws://127.0.0.1:8080//$1/websocket"keepalive=On

to
ProxyPassMatch “^/(.+)/websocket”"ws://127.0.0.1:8080/$1/websocket"keepalive=On

1 Like