Issue with websocket behind nginx behind a haproxy SNI TLS reverse proxy
mdounin at mdounin.ru
Thu Nov 24 12:54:27 UTC 2016
On Wed, Nov 23, 2016 at 04:14:23AM -0500, noci wrote:
> I have a strange problem.
> Internet ---> haproxy (SNI TLS Routing) --> nginx (Webserver) --> Websocket
> based server (WebRTC)
> haproxy has no certificates, it checks the TLS Hello message for :443
> traffic and then forwards to the right server based on SNI.
> ==> haproxy cannot alter the stream sent through.
> Doing a request through this pipeline to start a websocket connection loses
> the Upgrade & Connection setting coming from the internet.
> When making a request that bypasses the haproxy those header elements ARE
> Unfortunately haproxy is a requirement because of various servers being
> Parsed by nginx:
> 2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Host:
> 2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Connection: close"
From the nginx logs provided it is clear that Update and
Connection headers were removed/changed somewhere before nginx.
Additionally, it looks like the Host header was changed from
"nc.xxxxxxx.net" to "nc.xxxxxxx.net:443".
You have to look at what happens in haproxy and/or between haproxy
and nginx. A trivial thing to check is the client address as
seen by nginx - make sure it belongs to haproxy and there are no
additional intermediate proxies.
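The check suggested in the reply above can be scripted against the nginx debug log. This is an added example, not part of the original message or of nginx: it groups debug lines by connection number, compares the peer address with the expected haproxy address, and reports whether the WebSocket handshake headers reached nginx. The sample log, the host name, the addresses and the `accept:` line layout are constructed assumptions; adjust them to your own log.

```python
import re
from collections import defaultdict

# Constructed sample of nginx debug-log lines (addresses and names are made up).
SAMPLE_LOG = '''\
2016/11/23 01:09:20 [debug] 25097#0: *309 accept: 203.0.113.77:41822 fd:14
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Host: nc.example.net:443"
2016/11/23 01:09:20 [debug] 25097#0: *309 http header: "Connection: close"
2016/11/23 01:09:25 [debug] 25097#0: *310 accept: 192.0.2.10:50112 fd:15
2016/11/23 01:09:25 [debug] 25097#0: *310 http header: "Host: nc.example.net"
2016/11/23 01:09:25 [debug] 25097#0: *310 http header: "Upgrade: websocket"
2016/11/23 01:09:25 [debug] 25097#0: *310 http header: "Connection: Upgrade"
'''

LINE_RE = re.compile(r'\[debug\] \d+#\d+: \*(\d+) (accept|http header): (.*)$')

def parse(log_text):
    """Group peer address and request headers by nginx connection number."""
    conns = defaultdict(lambda: {"peer": None, "headers": {}})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        cid, kind, rest = m.groups()
        if kind == "accept":
            # "addr:port fd:N" -> addr (rsplit keeps bracketed IPv6 intact)
            conns[cid]["peer"] = rest.split(" fd:")[0].rsplit(":", 1)[0]
        else:
            name, _, value = rest.strip('"').partition(": ")
            conns[cid]["headers"][name.lower()] = value
    return dict(conns)

def audit(log_text, expected_proxies):
    """Return {connection: [issues]} for WebSocket handshake prerequisites."""
    report = {}
    for cid, conn in parse(log_text).items():
        hdrs, issues = conn["headers"], []
        if conn["peer"] not in expected_proxies:
            issues.append("peer %s is not a known haproxy address" % conn["peer"])
        if "upgrade" not in hdrs:
            issues.append("Upgrade header missing")
        conn_value = hdrs.get("connection", "")
        if "upgrade" not in [t.strip().lower() for t in conn_value.split(",")]:
            issues.append("Connection is %r, no 'upgrade' token" % conn_value)
        if re.search(r":\d+$", hdrs.get("host", "")):
            issues.append("Host carries an explicit port")
        report[cid] = issues
    return report

if __name__ == "__main__":
    for cid, issues in audit(SAMPLE_LOG, {"192.0.2.10"}).items():
        print("*%s: %s" % (cid, "; ".join(issues) or "ok"))
```

A connection whose peer is not the haproxy address points at an extra hop in front of nginx, which is where to look for the header rewriting.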