
I'm on a journey to figure out if and how to use NGINX as a reverse proxy for an app server in a Docker container that needs WS, but we need the clients to use a secure WSS connection. At first I thought of just using a WSS to WS NGINX reverse proxy. We implemented it, but our app server didn't work. It closed the connections as soon as NGINX was done negotiating the WSS handshake.

I think the app server must still be part of the negotiation because the app server logic cannot just start at the point where the WS is connected. I believe that the client app starts the WS negotiation on port 25565 not on port 80 or port 443. Is that possible?

So I added proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; to the NGINX conf, but it didn't solve the issue.

Note that if I turn off NGINX, the client and app server in the Docker container connect just fine, but over WS, not WSS.

FYI here is the current conf.d:

# Translate the client's Upgrade header into the Connection header sent upstream:
# "Connection: upgrade" when the client asked for a WebSocket, "close" otherwise.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# The app server inside the Docker container (plain WS on 25565).
upstream to-websocket {
    server 172.31.24.191:25565;
}

server_tokens off;

server {
#   first redirect to https
#   No listen directive here, so nginx uses its default (port 80 when run as root).
    listen 80;
    if ($scheme = "http") {
        return 301 https://$host$request_uri;
    }
}

server {
    server_name esports1.totalvu.live;
    root /var/www/html;
    index  index.html index.htm;

#   Proxy our outside https to local http
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
#   listen 25565 ssl;
    ssl_certificate /etc/letsencrypt/live/esports1.totalvu.live/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/esports1.totalvu.live/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#   TLSv1.1 is deprecated; prefer leaving protocol selection to the Certbot include above.
    ssl_protocols        TLSv1.1 TLSv1.2;

    location / {
#       Anything not found on disk (including "/") is handed to the WebSocket backend.
        try_files $uri /static/ @wss;
    }

    location @wss {
        error_log  /var/log/nginx/wsserror.log;
#       HTTP/1.1 plus the two headers below are what make the Upgrade reach the backend.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
#       proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#       proxy_ssl_* only applies to "proxy_pass https://..." upstreams; no effect with http:// below.
        proxy_ssl_server_name on;
        proxy_ssl_name $host;
        proxy_ssl_session_reuse off;
        proxy_set_header Host esports1.totalvu.live;
        proxy_set_header Referer https://esports1.totalvu.live;
#       "Referrer" is not a standard HTTP header name (the header is "Referer"); harmless but unused.
        proxy_set_header Referrer https://esports1.totalvu.live;
#       Note: without proxy_read_timeout, nginx closes an idle WebSocket after 60s (its default).
        proxy_pass http://172.31.24.191:25565;
#       proxy_pass http://to-websocket;
    }

    location /static/ {
        try_files   $uri =404;
    }

}

Many thanks for helping to understand and solve this.

gwhiz

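Added example, not from the original post: a small Python probe that performs the RFC 6455 opening handshake over TLS against the proxy and reports which step fails, so you can tell whether nginx dropped the Upgrade or the app server never answered it. The host name is the one from the question; the 101 reply in the main block is constructed from the RFC's sample key and needs no network.

```python
import base64, hashlib, os, socket, ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept the app server must return for this client key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def build_upgrade_request(host: str, path: str, key: str) -> bytes:
    """HTTP/1.1 Upgrade request; nginx must relay Upgrade/Connection to the backend."""
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
        f"Connection: Upgrade\r\nSec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    ).encode("ascii")

def parse_handshake_response(raw: bytes, key: str) -> tuple:
    """Return (ok, reason): ok only for a 101 whose headers prove the backend answered."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status, *header_lines = head.split("\r\n")
    if status.split(" ")[1:2] != ["101"]:
        return False, f"expected 101 Switching Protocols, got: {status!r}"
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "no 'Upgrade: websocket' in reply (proxy dropped the upgrade?)"
    if "upgrade" not in headers.get("connection", "").lower():
        return False, "no 'Connection: upgrade' in reply"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return False, "Sec-WebSocket-Accept wrong: the app server did not finish the handshake"
    return True, "handshake completed end to end"

def probe(host: str, port: int = 443, path: str = "/") -> tuple:
    """Open a certificate-verified TLS connection and run the handshake through the proxy."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    ctx = ssl.create_default_context()  # verifies the Let's Encrypt chain and host name
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_upgrade_request(host, path, key))
            return parse_handshake_response(tls.recv(4096), key)

if __name__ == "__main__":
    # Constructed reply using the RFC 6455 sample key (no network needed); live: probe("esports1.totalvu.live")
    KEY = "dGhlIHNhbXBsZSBub25jZQ=="
    REPLY = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
             b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
    print(parse_handshake_response(REPLY, KEY))  # (True, 'handshake completed end to end')
```

If Upgrade or Connection are missing from the reply, nginx is not relaying them; if the status is not 101 or the accept key is wrong, the app server behind nginx is not completing the handshake itself.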