And lessons from working with my reverse proxy…
The one good thing: Go is awesome when writing your own web code. Seriously.
The many bad things:
* HTTP/2 is fraught with compatibility weirdness. Specifically WebSockets, which aren’t available with HTTP/2 at all. And if you open a wss:// or ws:// socket in most clients, they fall back to HTTP/1.1 perfectly. Most. Not all. So if there’s any need for WebSockets, then you’re stuck with HTTP/1.1 because it’s magic.
* TLS 1.3 is also fraught with compatibility weirdness. Found when Ubuntu updated their OpenSSL to 1.1.1, which transparently enables TLS 1.3, and suddenly FileZilla (which supports TLS 1.3 via GnuTLS) can’t talk to Pure-FTPD. This is not good as I no longer allow non-TLS connections. Fortunately, I found the setting change you need to make to force it all back to TLS 1.2, which makes it all work spiffy.
* Safari sucks balls. There’s a beautiful 2 y/o reported bug that makes it drop cookies and authentication information from requests that it’s not supposed to, which is grand when the cookie contains the information that says “you’re allowed to access this site” and suddenly half the pages are rejected because Safari is dropping the cookie. It requires ES6 modules and a lot of bad luck, but I found the perfect set of circumstances to make it unavoidable, and I’ve had to work around that for now.
It only occurs when loading anonymous cross-site JS modules that aren’t actually cross-site … the bug is that Safari isn’t checking the cross-site properly and so thinks they shouldn’t get authentication information. So my reverse proxy sets a timer on validation of a session cookie … if it gets a request for a JS file from a “known signature” browser within a few minutes of getting a valid request, it just lets it through and hopes the originating site doesn’t care about missing username/session information. Which in the cases where I’ve hit the bug, I’ve made damned sure they don’t care. One did, but it was only serving the static JS files, so I stopped it caring for those – they’re not user specific.
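The grace-window check described above, as an added Go example rather than the post’s own proxy code. It assumes the browser “signature” is client IP plus User-Agent, a three-minute window (the post only says “a few minutes”), that the workaround is confined to `.js`/`.mjs` paths, and that the caller supplies the real session-cookie validation.

```go
package main

import (
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// graceWindow is an assumed value; the post only says "a few minutes".
const graceWindow = 3 * time.Minute
// recentAuth records when each browser signature last sent a valid cookie.
type recentAuth struct {
	mu   sync.Mutex
	seen map[string]time.Time
	now  func() time.Time // injectable clock so the window can be tested
}
func newRecentAuth() *recentAuth {
	return &recentAuth{seen: map[string]time.Time{}, now: time.Now}
}
// signature keys a browser by client IP plus User-Agent (an assumed key).
func signature(r *http.Request) string {
	host := r.RemoteAddr
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return host + "|" + r.UserAgent()
}
// isStaticJS confines the workaround to module files with no per-user content.
func isStaticJS(p string) bool {
	return strings.HasSuffix(p, ".js") || strings.HasSuffix(p, ".mjs")
}

// Decide returns "user" when the cookie validates, "anonymous-js" when only the
// grace window applies (forward with no user identity), or "" to reject.
func (a *recentAuth) Decide(r *http.Request, validCookie func(*http.Request) bool) string {
	a.mu.Lock()
	defer a.mu.Unlock()
	key := signature(r)
	if validCookie(r) {
		a.seen[key] = a.now()
		return "user"
	}
	if t, ok := a.seen[key]; ok && isStaticJS(r.URL.Path) && a.now().Sub(t) <= graceWindow {
		return "anonymous-js"
	}
	return ""
}
```

Only a validated request refreshes the window, so a browser that never presented a good cookie gets nothing, and an "anonymous-js" request must be forwarded with the user/session headers stripped.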
But I am back to working fully now with all browsers I’ve tested with, all applications – including some amazing uses of noVNC and Shell-in-a-box with some dinky wrappers to make them automatically manage “per-user”. So I can open things up to more than just myself if I wanted to.
The noVNC wrapper even opens multiple destination VNC servers/ports appropriately with one instance, so no messing about – just add a host configuration with appropriate users, reload to get the new configuration.