
WebSocket Support for Apps with Route-Services

Open Dariquest opened this issue 8 months ago • 1 comments

Summary

Route services should be able to handle web socket requests.

The Gorouter flag "route_services.disable_websockets" is introduced so that the feature can be disabled quickly for security reasons.

router.route_services.disable_websockets:
  description: Disable websocket connections for application routes bound to Route Services.

Web socket upgrades on routes with an attached route service were prevented previously. This issue has been brought up by one of our customers, who needed a route service to rate-limit their app.

GitHub Issue

Backward Compatibility

Breaking Change? No

Test

Scenario: A web socket app needs rate limiting via a route service.

Given

cf push websocket-app
cf push ratelimiter
cf create-user-provided-service ratelimiter-service -r https://ratelimiter.cfapps.xxx.sapcloud.io
cf bind-route-service cfapps.xxx.sapcloud.io ratelimiter-service --hostname websocket-app

When I connect to wss://websocket-app.cfapps.xxx.sapcloud.io using a web socket client or simply curl it with the corresponding websocket request headers

Then the connection will work through the route service as expected

May 05 '25 14:05 Dariquest

Performed a test of this Routing-release Gorouter change on a dev landscape with a sample websocket-app to show that the apps with bound route services support web sockets:

cf push websocket-app
cf push ratelimiter
cf create-user-provided-service ratelimiter-service -r https://ratelimiter.cfapps.xxx.sapcloud.io
cf bind-route-service cfapps.xxx.sapcloud.io ratelimiter-service --hostname websocket-app

  1. Using a web socket client wss:

wscat -c wss://websocket-app.cfapps.xxx.sapcloud.io/ws
Connected (press CTRL+C to quit)
> test
< test

  2. Curling the sample app with the corresponding websocket connection headers:

$ curl -i -N -H "Connection: Upgrade" \
     -H "Upgrade: websocket" \
     -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
     -H "Sec-WebSocket-Version: 13" \
     -H "Origin: https://websocket-app.cfapps.xxx.sapcloud.io" \
     https://websocket-app.cfapps.xxx.sapcloud.io/ws --http1.1
HTTP/1.1 101 Switching Protocols
connection: Upgrade
sec-websocket-accept: xxx
upgrade: websocket
x-vcap-request-id: 0237d2fc-72f6-4905-71c3-88a2419fd40e
strict-transport-security: max-age=31536000; includeSubDomains; preload;

May 16 '25 07:05 Dariquest
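
Added example, not part of the PR or of the routing-release code: a Go check that a captured 101 response, such as the curl output in the comment above, is a valid RFC 6455 handshake reply for the Sec-WebSocket-Key that was sent. The helper names and the sample response are constructed for illustration; the accept value is the one RFC 6455 gives for the sample key used in the curl command.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// wsGUID is the fixed GUID defined by RFC 6455 for computing Sec-WebSocket-Accept.
const wsGUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
// sampleResponse is constructed for this example; header names mirror the curl output.
const sampleResponse = "HTTP/1.1 101 Switching Protocols\r\n" +
	"connection: Upgrade\r\nupgrade: websocket\r\n" +
	"sec-websocket-accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"

// acceptFor returns the Sec-WebSocket-Accept value that proves the peer saw this key.
func acceptFor(key string) string {
	sum := sha1.Sum([]byte(key + wsGUID))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkUpgrade (hypothetical helper) verifies that raw is a valid handshake reply for key.
func checkUpgrade(raw, key string) error {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return fmt.Errorf("parse response: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusSwitchingProtocols {
		return fmt.Errorf("status %d, want 101", resp.StatusCode)
	}
	if !strings.EqualFold(resp.Header.Get("Upgrade"), "websocket") {
		return fmt.Errorf("unexpected Upgrade header %q", resp.Header.Get("Upgrade"))
	}
	if !strings.Contains(strings.ToLower(resp.Header.Get("Connection")), "upgrade") {
		return fmt.Errorf("Connection header lacks the upgrade token")
	}
	if got, want := resp.Header.Get("Sec-WebSocket-Accept"), acceptFor(key); got != want {
		return fmt.Errorf("accept %q does not match key, want %q", got, want)
	}
	return nil
}

func main() {
	fmt.Println(checkUpgrade(sampleResponse, "dGhlIHNhbXBsZSBub25jZQ=="))
}
```

A mismatch between the accept value and the key that was sent means the 101 was not generated for this handshake, which is worth checking when an intermediary such as a route service sits in the path.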

GitHub seems confused about workflows being there while also not being there on this branch. @Dariquest can you rebase once more?

May 20 '25 18:05 maxmoehl

> GitHub seems confused about workflows being there while also not being there on this branch. @Dariquest can you rebase once more?

Everything looks good to me. Once the rebasing + GH actions are sorted out feel free to approve + merge.

May 20 '25 21:05 geofffranks

The workflow uses secrets, e.g. ${{ secrets.GCP_SERVICE_ACCOUNT_TAS_RUNTIME_BUILD_IMAGE_READER }} and those are inaccessible if your PR is coming from a fork due to security policies.

We will ignore the validation for now but can have a discussion on how to fix this for future contributions.

/fyi @geofffranks @kart2bc

May 21 '25 08:05 maxmoehl