Error while upgrading cnx to http #412

Open
verbal666 opened this issue Feb 12, 2025 · 4 comments

@verbal666

verbal666 commented Feb 12, 2025

Describe the goal

The ws server is the same in both environments.
Connect wstunnel through a proxy chain

  • in a TEST environment, it works [wstunnel client]-> local http proxy -> remote http proxy -> remote socks5 proxy -> remote http proxy -> wstunnel server
  • in a PROD environment, with nearly the same chaining, I got an error 🤔🤔🤔

Testing with a simple curl -kL https://url -x socks5h://wstunnel_ip:socks5_ip ,

  • in TEST it works perfectly
  • in PROD I got errors: Error while upgrading cnx to http 🥲

Describe what does not work

On the client side I have no errors, apparently; wstunnel starts and begins listening on its socks5.
On the server side I got a strange error:

ERROR cnx{peer="1.2.3.4:31734"}: wstunnel::tunnel::server::server: Error while upgrading cnx to http: hyper::Error(Io, Custom { kind: UnexpectedEof, error: "connection closed before reading preface" })

Maybe the production HTTP proxy filters and alters HTTPS/WS packets? 🥲

Describe your wstunnel setup

server wss://local_ip:443 --tls-certificate \path_to\fullchain.pem --tls-private-key \path_to\privkey.pem --restrict-http-upgrade-path-prefix my_private_prefix --remote-to-local-server-idle-timeout 30m --websocket-ping-frequency-sec 600 --log-lvl DEBUG

 INFO cnx{peer="1.2.3.4:31734"}: wstunnel::tunnel::server::server: Accepting connection
 INFO cnx{peer="1.2.3.4:31734"}: wstunnel::tunnel::server::server: Doing TLS handshake
DEBUG cnx{peer="1.2.3.4:31734"}: rustls::server::hs: decided upon suite TLS13_AES_256_GCM_SHA384
DEBUG cnx{peer="1.2.3.4:31734"}: rustls::server::hs: Chosen ALPN protocol [104, 50]
ERROR cnx{peer="1.2.3.4:31734"}: wstunnel::tunnel::server::server: Error while upgrading cnx to http: hyper::Error(Io, Custom { kind: UnexpectedEof, error: "connection closed before reading preface" })

Desktop (please complete the following information):

Chaining many OS ==> Linux (Ubuntu / Debian / Alma) and also Windows

@erebe
Owner

erebe commented Feb 13, 2025

Are you starting your wstunnel client to use http2?

Because the server sees an incoming TLS connection with Chosen ALPN protocol [104, 50], which means h2 (http2).
For websocket, the ALPN should be http/1.1.

You can use TRACE log level on the server to get more info.

@verbal666
Author

verbal666 commented Feb 13, 2025

I'll try tracing 👍

But I think it's the production proxy (it also has a firewall onboard!) which filters or alters the TLS communication with the ws server, and so the connection is, for some networking reason, not going well.

Considering the test proxy has no filters/firewall and is fully open, and the ws client connects well 🤷‍♀️

PS. How can I force it not to use HTTP2? I can't see any parameters client side 🤔🤔🤔

Attached is a clean session with a single curl GET. (Hoping I have removed all sensitive data 🙏🙏🙏)

ws_session_Error while upgrading cnx to http.zip

@erebe
Owner

erebe commented Feb 13, 2025

Ha, it seems you start your client with http2 as the transport protocol

wstunnel client -L socks5://127.0.0.1:1080 --connection-min-idle 0 --tls-sni-override my.domain.com --http-upgrade-path-prefix my_path https://my.domain.com:443 --tls-certificate /etc/certs/fullchain.pem --tls-private-key /etc/certs/privkey.pem --tls-verify-certificate -p proxy:port --log-lvl TRACE
 https://my.domain.com:443

To use websocket as transport, you need to change it to

 wss://my.domain.com:443

It should work better after that
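
The ALPN check erebe describes in this thread can be automated over server logs. The following is an added example, not part of the original comments and not wstunnel code: it decodes the byte list rustls logs for the chosen ALPN and ties it to any later upgrade failure from the same peer. The log line shape is assumed from the excerpt in this issue, and the 5.6.7.8 line is constructed.

```python
import re

# Constructed sample: the first five entries are the server log quoted in this issue;
# the last entry (peer 5.6.7.8) is made up to show a websocket-compatible ALPN.
SAMPLE_LOG = [
    ' INFO cnx{peer="1.2.3.4:31734"}: wstunnel::tunnel::server::server: Accepting connection',
    ' INFO cnx{peer="1.2.3.4:31734"}: wstunnel::tunnel::server::server: Doing TLS handshake',
    'DEBUG cnx{peer="1.2.3.4:31734"}: rustls::server::hs: decided upon suite TLS13_AES_256_GCM_SHA384',
    'DEBUG cnx{peer="1.2.3.4:31734"}: rustls::server::hs: Chosen ALPN protocol [104, 50]',
    'ERROR cnx{peer="1.2.3.4:31734"}: wstunnel::tunnel::server::server: Error while upgrading cnx to http: hyper::Error(Io, Custom { kind: UnexpectedEof, error: "connection closed before reading preface" })',
    'DEBUG cnx{peer="5.6.7.8:40000"}: rustls::server::hs: Chosen ALPN protocol [104, 116, 116, 112, 47, 49, 46, 49]',
]

# Line shape assumed from the log excerpt above: LEVEL cnx{peer="ip:port"}: target: message
LINE_RE = re.compile(
    r'^\s*(?P<level>[A-Z]+)\s+cnx\{peer="(?P<peer>[^"]+)"\}:\s+[\w:]+:\s+(?P<msg>.*)$')
ALPN_RE = re.compile(r'Chosen ALPN protocol \[([\d,\s]*)\]')

def decode_alpn(byte_list):
    """rustls logs the ALPN id as decimal bytes; turn "104, 50" back into text."""
    try:
        return bytes(int(v) for v in byte_list.split(",") if v.strip()).decode("ascii")
    except ValueError:  # value above 255 or non-ASCII byte
        return "<undecodable: %s>" % byte_list

def triage(lines):
    """Return one finding per failed HTTP upgrade, with the ALPN seen earlier for that peer."""
    alpn_by_peer, findings = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        peer, msg = m["peer"], m["msg"]
        alpn = ALPN_RE.search(msg)
        if alpn:
            alpn_by_peer[peer] = decode_alpn(alpn.group(1))
        elif m["level"] == "ERROR" and "Error while upgrading cnx to http" in msg:
            seen = alpn_by_peer.get(peer)
            if seen == "h2":
                hint = "client negotiated HTTP/2; use a wss:// server URL for websocket transport"
            elif seen is None:
                hint = "no ALPN line logged for this peer; raise the server log level"
            else:
                hint = "ALPN %s is not the h2 mismatch discussed in this issue" % seen
            findings.append({"peer": peer, "alpn": seen, "hint": hint})
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
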

@verbal666
Author

Gosh! You're perfectly right. Didn't notice I started remote to https 🤦‍♂️ force of habit 😉
I'll try again soon with remote wss:// .
But I really think the firewall has something which changes headers/packets 🥲
Thanks 👍👍👍
