"disconnected" when opening a web client session

[aberoham]

What happened:

End-user received disconnected message in a terminal window when attempting to open a session through teleport-proxy's web UI.

What you expected to happen:

A web teleport session to be successfully opened, or an error message stating Websockets upgrade failed, please contact your Teleport administrator.

How to reproduce it (as minimally and precisely as possible):

Put a load balancer in front of teleport-proxy that does not support websockets connection upgrades. As a quick test, within Firefox's about:config, set network.websocket.max-connections to 0.

Note: The default HTTP profile used with Citrix NetScalers may not include websockets support. Various ways of terminating SSL on the edge of cloud provider load balancer products (where a clean layer4 VIP all the way to teleport-proxy is not available) cloud also trigger this behavior.

Environment:

• Teleport version (use teleport version): Teleport Enterprise v2.4.0
• Tsh version (use tsh version): same
• OS (e.g. from /etc/os-release): any

Browser environment

• Browser Version (for UI-related issues): Firefox 57
• Install tools: n/a
• Others: n/a

Relevant Debug Logs If Applicable

• tsh --debug

Within teleport-proxy logs, there's an entry showing that the session was attempted, but no hints that the upgrade to websockets failed: INFO Generated session ..

Hat tip to Daniel G for sleuthing this.

[aberoham]

This cryptic error message can occur if an admin is attempting to put a local Apache 2.x Proxy in front of teleport-proxy's web UI, where the Apache config does not explicitly support websockets (wss).

Folks tend to do this within enterprise environments so that end-users can access a vanity https URL without having to specify port :3080. (Or there may be firewalls in place that restrict traffic to 443)

[klizhentas]

yeah, let's improve error message in 2.5.1

[halfa]

If somebody come here looking for the nginx config to solve this, this one maybe isn't the best but it works:

	location / {
		proxy_pass https://127.0.0.1:3080;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "Upgrade";
	}

[swills]

LIkewise, the config I needed for apache looked like this:

RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:3080/$1 [P,L]

After loading mod_proxy_wstunnel.so of course. Good luck!

[alex-kovoy]

I looked at the javascript websocket events and unfortunately did not find a way to get it. Even though it is present in the error stack showing in the browser console, this particular messsage text is not available from the error event itself that gets passed to websocket event handlers. Found similar issue on Stackoverflow which confirms my findings. Thus closing it as "by design".