Trying to get Websockify/noVNC to work through a reverse proxy

Question

I'm trying to figure out how to get noVNC to work through a reverse proxy, and while it works if I connect directly to it, it doesn't seem to work if I try to reverse proxy.

namely:

I run it as ./utils/launch.sh --vnc localhost:5901

if I connect to it as https://<machine>:6080/vnc.html?host=<machine>&port=6080

it works fine and I can connect to the vnc session

However, I want to be able to connect to it via a reverse proxy over port 443.

In Apache 2.4.10 (-8 in Debian Jessie), I've configured my proxy line to be

ProxyPass /home http://127.0.0.1:6080/
ProxyPassReverse /home http://127.0.0.1:6080/
ProxyPass /websockify wss://127.0.0.1:6080/websockify retry=3
ProxyPassReverse /websockify wss://127.0.0.1:6080/websockify retry=3

and I connect to it as https://<machine>/vnc.html?host=<machine>&port=6080

This still works, as while the fetch of the html/javascript is going through the reverse proxy, I'm still telling the websocket connection to go over 6080 and it works.

However, when I change it to https://<machine>/vnc.html?host=<machine>&port=443

I get the html/javascript just fine, but when it goes to make the connection, in firefox (and chrome and IE, but this error is from firefox in specific) I quickly get

Firefox can't establish a connection to the server at wss://<machine>/websockify.

and in noVNC I see the error message

127.0.0.1: ignoring socket not ready

Answer 1

Turns out, if one wants to proxy websockets through an https proxy, one should make the proxy part normal websockets (ws://) not secure web sockets (wss://) which makes sense as the https proxy would have handled the ssl portion already and there is nothing to do.

ProxyPass /websockify ws://127.0.0.1:6080/websockify retry=3
ProxyPassReverse /websockify ws://127.0.0.1:6080/websockify retry=3

make that change and everything works.