reverse_proxy should not rewrite Sec-WebSocket-Key

[BenjaminBeichler]

I try to setup a reverse_proxy for GTK's broadwayd, which fails. I actually found the reason:

The Sec-WebSocket-Key header is changed at the proxy turnaround to Sec-Websocket-Key. Unfortunately, the broadwayd header parser is not standard-conform and parses the header case-sensitive. I already submitted a bug request for this: https://gitlab.gnome.org/GNOME/gtk/-/issues/3406

But I think this may also affect many web server implementations. I did not find the source code place, where this rewrite happens, but I sniffed the outgoing proxied http-request from caddy to broadwayd, where the Sec-WebSocket-Key-header is changed.

I think I found several forum posts, where this behavior could also cause problems.

[mholt]

Unfortunately, broadwayd is broken and will simply have to be fixed. If you want other servers to bend over in non-spec-conforming ways you'll have to take up the issue with the Go project / standard library, but they'll tell you to fix the application (and I agree).

[BenjaminBeichler]

Thanks for the hint ... I was hoping it will be a fix in caddy, which would published much more quickly than updates at the gtk framework, but I totally understand your statement.

[BenjaminBeichler]

FYI: I submitted a patch to the gtk repo https://gitlab.gnome.org/GNOME/gtk/-/merge_requests/2894 and compiled my local ubuntu version of gtk3 with this fix and now the reverse proxy is working.

Unfortunately, I don't think my merge request will be back ported to gtk3, so it will take some time to appear in upstream distributions.