Unable to send websocket requests through WAF

Summary

Our installation of Mattermost was partially working; however, without the support of websockets, we are unable to use most of the useful functionalities, such as notifications and other UI features.

Steps to reproduce

Install Mattermost behind a Web Application Firewall (WAF).

Expected behavior

The following functionalities should be working:

  • Notifications
  • Able to delete and edit messages
  • Able to send reaction emojis
  • The system admin able to manage Mattermost

Observed behavior

The functionalities documented above are not working without websockets. I can confirm it is working if I SSH tunnel to the designated port; then I can use the functionalities above.

I need help with how to disable the websocket functionality and fall back to another mechanism.

Or any suggestion on how to enable WAF to support websockets? Unfortunately we have no control over the WAF but according to the vendor, the WAF does not support websockets.

Another idea: is it possible to send websocket requests as https, then change them to the wss protocol?

Any advice would be much appreciated.

Hi @zhaokoh,

Websocket support is a prerequisite for Mattermost.

Also, from a community member:

"Web Application Firewall" is rather generic; a software name and version would be helpful. Furthermore, more details regarding your network topology / security requirements are needed for suggestions. (But if you cannot modify the WAF and the vendor told you that your WAF doesn’t support Websockets, then that’s a bad omen, in my opinion.)

A WAF that does not support standards like websockets is not worth the money you (or your company) are paying for it (personal opinion: most WAFs are not worth the money).

FWIW, the main goal of most WAFs is to give bad programmers an excuse for not caring as much about XSS, SQL Injection and similar vulnerabilities as they should. This often includes incredibly stupid rules such as “if a POST request contains ‘SELECT’ or ‘UNION’, reject it”. I guess you can already imagine how utterly bad this is for a chat system where legitimate conversation might contain such keywords.

Thanks @amy.blais and @ThiefMaster. I will try to find out the software and version of the WAF.

@ThiefMaster, I like your opinion about WAF, haha. I agree it is part of the responsibilities of programmers to prevent malicious attacks :slight_smile:. However, from an organisation point of view, there are management, infrastructure and other teams who are not part of the coding team, and they probably have no clue what is in the code. So WAF could give them peace of mind :wink:, and unfortunately, humans (or programmers in this case) are not perfect, so mistakes will be made. Having said that, WAF is not an excuse for programmers to ignore the responsibility to understand web vulnerabilities when coding.

Something strange though: the Mattermost functionalities that are hidden in the browser (due to the websockets), such as deleting a post, adding a reaction emoji, etc., are available and working in iOS, although in iOS, the message “Connecting…” keeps showing at the top.

Does that mean the iOS Mattermost is working differently compared to the browser-based Mattermost?

Just found out from the solution team that we are using Imperva Web Application Firewall. Anyone familiar with this product and how to allow secure websocket traffic?

Thanks.
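On the question above about sending websocket requests as https and then changing to wss: a `wss://` connection already begins as an HTTPS request carrying `Upgrade: websocket`, and the server switches protocols by answering `101` (RFC 6455). The following is an added example, not part of the original thread or of Mattermost; it classifies the handshake response seen directly and through an intermediary, so the point of failure can be reported to the WAF team. The function names and sample responses are constructed for illustration.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455 used to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def expected_accept(key: str) -> str:
    """Value a WebSocket server must return for a given Sec-WebSocket-Key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def classify_handshake(raw: bytes, key: str) -> str:
    """Classify the HTTP response to a WebSocket upgrade request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "malformed"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status != 101:
        # Answered as plain HTTP: the protocol switch never happened.
        return f"not-upgraded ({status})"
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if headers.get("upgrade", "").lower() != "websocket" or "upgrade" not in tokens:
        return "upgrade-headers-stripped"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return "bad-accept"
    return "ok"

# Constructed sample data (not captured from any real deployment).
KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # example nonce from RFC 6455
DIRECT = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
          b"Connection: Upgrade\r\n"
          b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
BLOCKED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
STRIPPED = (b"HTTP/1.1 101 Switching Protocols\r\n"
            b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")

if __name__ == "__main__":
    for label, resp in [("direct", DIRECT), ("blocked", BLOCKED),
                        ("stripped", STRIPPED)]:
        print(label, "->", classify_handshake(resp, KEY))
```

Comparing the classification of the response obtained over the SSH tunnel with the one obtained through the WAF shows whether the upgrade request is rejected outright or passed on with its `Upgrade`/`Connection` headers removed.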