Issue with websocket behind nginx behind a haproxy SNI TLS reverse proxy

Maxim Dounin mdounin at
Thu Nov 24 12:54:27 UTC 2016


On Wed, Nov 23, 2016 at 04:14:23AM -0500, noci wrote:

> I have a strange problem. 
> Setup:
> Internet ---> haproxy (SNI TLS Routing) --> nginx (Webserver) --> Websocket
> based server (WebRTC)
> haproxy has no certificates, it checks the TLS Hello message for :443
> traffic and then forwards to the right server based on SNI.
> ==> haproxy cannot alter the stream sent through.
> Doing a request through this pipeline to start a websocket connection looses
> the Upgrade & Connection setting coming from the internet.
> When making a request that bypasses the haproxy those header elements ARE
> present.
> Unfortunately haproxy is a requirement because of various servers being
> used. 


> Parsed by nginx:
> 2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Host:
> 2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Connection: close"


>From the nginx logs provided it is clear that Update and 
Connection headers were removed/changed somewhere before nginx.  
Additionally, it looks like the Host header was changed from 
"" to "".

You have to look on what happens in haproxy and/or between haproxy 
and nginx.  A trivial thing to check is the client address as 
seen by nginx - make sure it belongs to haproxy and there are no 
additional intermediate proxies.

Maxim Dounin

More information about the nginx mailing list