Issue with websocket behind nginx behind a haproxy SNI TLS reverse proxy

noci nginx-forum at forum.nginx.org
Wed Nov 23 09:14:23 UTC 2016


Hi,

I have a strange problem. 

Setup:
Internet ---> haproxy (SNI TLS Routing) --> nginx (Webserver) --> Websocket
based server (WebRTC)
haproxy has no certificates, it checks the TLS Hello message for :443
traffic and then forwards to the right server based on SNI.
==> haproxy cannot alter the stream sent through.

Doing a request through this pipeline to start a websocket connection loses
the Upgrade & Connection setting coming from the internet.
When making a request that bypasses the haproxy those header elements ARE
present.
Unfortunately haproxy is a requirement because of various servers being
used. 

The only difference I can see is that in the case of haproxy the request
comes from a local address (same subnet as nginx server).
I tried to follow the processing of data through haproxy but that takes a
lot more time...

Curl Request:

GET /webrtc/ws?curl HTTP/1.1
Host: nc.xxxxxxx.net
Accept: /
Pragma: no-cache
Origin: https://nc.xxxxxxx.net
Accept-Encoding: gzip, deflate, sdch, br
Sec-WebSocket-Version: 13
Accept-Language: en-US,en;q=0.8,nl;q=0.6
Sec-WebSocket-Key: QBKcxyaLv5Om+scMeDUbBg==
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/54.0.2840.59 Safari/537.36
Upgrade: websocket
Cache-Control: no-cache
Cookie: oc_sessionPassphrase=XcOZFOaPnqqbv1
Connection: Upgrade
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
DNT: 1

Parsed by nginx:
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Host:
nc.xxxxxxx.net:443"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Connection: close"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Accept: /"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Pragma: no-cache"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Origin:
https://nc.xxxxxxx.net"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Accept-Encoding:
gzip, deflate, sdch, br"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header:
"Sec-WebSocket-Version: 13"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Accept-Language:
en-US,en;q=0.8,nl;q=0.6"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Sec-WebSocket-Key:
QBKcxcxxxcxcxyaLv5Om+scMeDUbBg=="
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "User-Agent:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/54.0.2840.59 Safari/537.36"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Cache-Control:
no-cache"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Cookie:
oc_sessionPassphrase=XcOZ9q5bYP%
2016/11/23 01:09:20 [debug] 25097#0: *309 http header:
"Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "DNT: 1"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header done

The UserAgent & Cookie get followed by Upgrade & Connection resp.
but they are NOT seen/parsed by nginx code....

Note that when I force the Upgrade & Connection headers on the /webrtc/ws
URI (using a specific location) everything works as designed, it is just
that the Upgrade & Connection headers seem to be dropped from the incoming
request. ($http_upgrade is empty).

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271128,271128#msg-271128
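
The comparison made by hand in the post above (request as sent versus the headers in nginx's debug log) can be scripted. This is an added example, not part of the original post or of nginx; the host name, key and log lines are constructed, and it assumes each `http header:` entry sits on one unwrapped log line.

```python
import re

# Payload of an nginx debug-log line:  ... http header: "Name: value"
HEADER_RE = re.compile(r'http header: "([^":]+):\s*(.*)"\s*$')

def parse_request(raw):
    """Headers of a raw HTTP request as {lowercased name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the request line
        if not line.strip():
            break                                # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_nginx_debug(log):
    """Headers nginx reports having parsed, from 'http header:' debug lines."""
    headers = {}
    for line in log.splitlines():
        m = HEADER_RE.search(line)
        if m:
            headers[m.group(1).strip().lower()] = m.group(2).strip()
    return headers

def diff_headers(sent, seen):
    """Return (dropped names, {name: (sent, seen)} for changed values)."""
    dropped = sorted(n for n in sent if n not in seen)
    changed = {n: (sent[n], seen[n]) for n in sent if n in seen and sent[n] != seen[n]}
    return dropped, changed

def upgrade_intact(headers):
    """True if the headers still form a WebSocket upgrade request (RFC 6455)."""
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return headers.get("upgrade", "").lower() == "websocket" and "upgrade" in tokens

# Constructed sample modelled on the post; host and key are placeholders.
SENT = """GET /webrtc/ws HTTP/1.1
Host: ws.example.test
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: AAAAAAAAAAAAAAAAAAAAAA==
"""
LOG = """2016/11/23 01:09:20 [debug] 1#0: *1 http header: "Host: ws.example.test:443"
2016/11/23 01:09:20 [debug] 1#0: *1 http header: "Connection: close"
2016/11/23 01:09:20 [debug] 1#0: *1 http header: "Sec-WebSocket-Key: AAAAAAAAAAAAAAAAAAAAAA=="
2016/11/23 01:09:20 [debug] 1#0: *1 http header done
"""

if __name__ == "__main__":
    seen = parse_nginx_debug(LOG)
    print(diff_headers(parse_request(SENT), seen), upgrade_intact(seen))
```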