HTTP on chengzhycn's blog https://blog.jinzhi.site/tags/http/ Recent content in HTTP on chengzhycn's blog Hugo en-us Tue, 21 Oct 2025 15:18:28 +0800 WebSocket Origin Header 校验失败 https://blog.jinzhi.site/posts/2025-10/websocket-origin-header-%E6%A0%A1%E9%AA%8C%E5%A4%B1%E8%B4%A5/ Tue, 21 Oct 2025 15:18:28 +0800 https://blog.jinzhi.site/posts/2025-10/websocket-origin-header-%E6%A0%A1%E9%AA%8C%E5%A4%B1%E8%B4%A5/ <p>最近做 APISIX 线上服务时遇到一个场景:业务使用 websocket 转发时,在浏览器会出现 WebSocket close with status code 1006 的错误。打开调试工具查看发现在 websocket 握手时服务端返回了 403。</p> <p><img src="https://blog.jinzhi.site/images/notes/websocket-origin-header-%E6%A0%A1%E9%AA%8C%E5%A4%B1%E8%B4%A5/76f75e967736245ec923202987a22482_MD5.jpeg" alt="76f75e967736245ec923202987a22482_MD5"></p> <p><img src="https://blog.jinzhi.site/images/notes/websocket-origin-header-%E6%A0%A1%E9%AA%8C%E5%A4%B1%E8%B4%A5/4efbf4b7a2093ed4f1d6e522139dc92e_MD5.jpeg" alt="4efbf4b7a2093ed4f1d6e522139dc92e_MD5"></p> <p>非常奇怪的是,如果业务不经过 APISIX 直接访问后端 code-server 是没有问题的(中间也得经过一层 Ingress 转发)。</p> <p>简单的流量模型如下:</p> <pre tabindex="0"><code> +--------------+ +--------------+ +-------------+ https://domain.com:9443/xxx | | http://domain.com:23480/xxx | | | | -------------------------------- APISIX -------------------------------+ Ingress -----------+ code-server | | | | | | | +--------------+ +--------------+ +-------------+ </code></pre><p>经过对比发现,两者的请求头里面 Host 和 Origin 是存在差异的。尝试在 APISIX 中强制修改 Host 头部,问题没有解决。然后利用 proxy-rewrite 强制修改 Origin 头部,请求恢复正常。</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"> <span class="s2">&#34;plugins&#34;</span><span class="err">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;proxy-rewrite&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;uri&#34;</span><span class="p">:</span> <span class="s2">&#34;/anything&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;headers&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;set&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Origin&#34;</span><span class="p">:</span> <span class="s2">&#34;http://domain.com&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span><span class="err">,</span> </span></span></code></pre></div><p>那么问题来了,为什么改完 Origin Header 就行了?code-server 是如何处理 Origin Header 的?为什么 Ingress 可以,APISIX 不行?</p>