I'm going crazy trying to solve a problem with the nginx configuration of a live blogging platform.

In http it works, and here is the configuration:

/etc/nginx/conf.d/default.conf

server {
    listen 80 default;
    include /etc/nginx/conf.d/*.inc;
}

/etc/nginx/conf.d/default.inc

location /ws {
    proxy_pass http://localhost:5100;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_read_timeout 3600;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
}

location /api {
    proxy_pass http://localhost:5000;
    proxy_set_header Host $HOST;
    expires epoch;

    sub_filter_once off;
    sub_filter_types application/json;
    sub_filter 'http://localhost' 'http://$host';
}


location /.well-known {
    root /var/tmp;
}
location / {
    root /opt/liveblog/client/dist;
    sub_filter_once off;
    sub_filter_types application/javascript;
    sub_filter 'http://localhost' 'http://$host';
    sub_filter 'ws://localhost/ws' 'ws://$host/ws';
}

/etc/nginx/conf.d/params.conf

tcp_nopush on;
tcp_nodelay on;
output_buffers 1 256k;
postpone_output 0;
keepalive_requests 210;
reset_timedout_connection on;
ignore_invalid_headers  on;
server_tokens off;
client_max_body_size 1024m;
recursive_error_pages   on;
server_name_in_redirect off;

gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 1;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript;

proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_buffering on;
proxy_ignore_client_abort off;
proxy_intercept_errors on;
proxy_next_upstream error timeout invalid_header;
proxy_redirect off;
proxy_buffer_size 32k;
proxy_buffers 8 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
client_body_buffer_size 128k;
proxy_connect_timeout 1;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_cache_min_uses 1;
proxy_temp_path /var/tmp;

Here is my configuration to go in SSL.

server {
    listen 80 default;
    listen  443 ssl;
    server_name live.dmove.it;
    include /etc/nginx/conf.d/*.inc;

    ssl_certificate /etc/letsencrypt/live/live.dmove.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/live.dmove.it/privkey.pem; # managed by Certbot
}

and /etc/nginx/conf.d/default.inc

location /ws {
    proxy_pass http://localhost:5100;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_read_timeout 3600;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
}

location /api {
    proxy_pass http://localhost:5000;
    proxy_set_header Host live.dmove.it;
    expires epoch;

    sub_filter_once off;
    sub_filter_types application/json;
    sub_filter 'http://localhost' 'https://$host';
}


location /.well-known {
    root /var/tmp;
}
location / {
    root /opt/liveblog/client/dist;

    # TODO: use "config.js:server" for user installations
    sub_filter_once off;
    sub_filter_types application/javascript;
    sub_filter 'http://localhost' 'http://$host';
    sub_filter 'ws://localhost/ws' 'ws://$host/ws';
}

The javascript app cannot connect to websocket or api

WebSocket connection to 'wss://live.dmove.it:5100/' failed: Error in connection establishment: net::ERR_SSL_PROTOCOL_ERROR

app.bundle.js:142659 GET https://live.dmove.it:5000/api net::ERR_TIMED_OUT

If I try in console

curl -i -H "Accept: application/json" http://localhost/api

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 20 Dec 2018 10:04:56 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT

So the server is working...

Roberto Pezzali

1 Answer

You set up a server on a public IP at ports 80 (plain) and 443 (tls) only. This server forwards specific URLs to port 5000 or port 5100 on the local server (localhost). This means that to access the websocket part you need to access wss://live.dmove.it/ws which forwards to localhost:5100 and not as you've tried wss://live.dmove.it:5100/.... There is no public listener on port 5100, only a listener on localhost.

Steffen Ullrich
  • So the javascript app is trying to connect to port 5000 and 5100 and this is wrong? I have to connect to wss://live.dmove.it/ws and the call is forwarded to localhost:5100? And the same for the api, I just need to call https://live.dmove.it/api and nginx redirects to http://localhost:5000? – Roberto Pezzali Dec 20 '18 at 11:32
  • @RobertoPezzali: Correct, this is what you have configured. If this is what you've actually intended to do I have no idea. – Steffen Ullrich Dec 20 '18 at 11:36
  • It's not an app I wrote. But it seems logical, so I keep just the 4333 open – Roberto Pezzali Dec 20 '18 at 11:40
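
The mapping described in the answer, as an added example (not part of the original posts or of the liveblog project): a Python check that reads the `listen` ports and `location` prefixes from the question's SSL configuration and reports whether a client-side URL reaches nginx and where it is proxied. The embedded config is a constructed, condensed copy of the question's, and the function names and regex-based parsing are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the SSL server block from the question, with the
# included location blocks condensed to the directives that matter here.
NGINX_CONF = """
server {
    listen 80 default;
    listen  443 ssl;
    server_name live.dmove.it;
    location /ws  { proxy_pass http://localhost:5100; }
    location /api { proxy_pass http://localhost:5000; }
    location /.well-known { root /var/tmp; }
    location /    { root /opt/liveblog/client/dist; }
}
"""
DEFAULT_PORT = {"http": 80, "ws": 80, "https": 443, "wss": 443}

def parse_conf(text):
    """Return ({listen port: uses TLS}, {location prefix: upstream or None})."""
    listeners = {int(m.group(1)): "ssl" in m.group(2).split()
                 for m in re.finditer(r"^\s*listen\s+(\d+)([^;]*);", text, re.M)}
    locations = {}
    for m in re.finditer(r"location\s+(\S+)\s*\{([^}]*)\}", text):
        upstream = re.search(r"proxy_pass\s+(\S+);", m.group(2))
        locations[m.group(1)] = upstream.group(1) if upstream else None
    return listeners, locations

def check_client_url(url, conf=NGINX_CONF):
    """Say whether a browser-side URL reaches nginx and where it is routed."""
    listeners, locations = parse_conf(conf)
    u = urlsplit(url)
    port = u.port or DEFAULT_PORT[u.scheme]
    if port not in listeners:
        return f"unreachable: nginx does not listen on port {port}"
    if (u.scheme in ("https", "wss")) != listeners[port]:
        return f"TLS mismatch: {u.scheme} on port {port}"
    # Prefix locations: nginx picks the longest prefix that matches the path.
    path = u.path or "/"
    best = max((p for p in locations if path.startswith(p)), key=len, default=None)
    if best is None:
        return "no matching location"
    return f"ok: location {best} -> {locations[best] or 'static files'}"

if __name__ == "__main__":
    for url in ("wss://live.dmove.it:5100/", "https://live.dmove.it:5000/api",
                "wss://live.dmove.it/ws", "https://live.dmove.it/api"):
        print(f"{url:32} {check_client_url(url)}")
```

The first two URLs are the ones from the browser errors in the question; the last two are the ones the answer says the client should use.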