help with https to http and WSS to WS reverse proxy conf
Michael Williams
michael.glenn.williams at totalvu.tv
Sun Sep 11 18:53:43 UTC 2022
Francis, thanks very much for taking the time to look at this.
Based on your suggestion, I commented out these 3 lines and it got rid of
the looping. I thought the same process that wants the WS feed also looked
for inbound on port 80, but that is not the case after all.
location @ {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host esports1.totalvu.live;
    proxy_set_header Referer https://esports1.totalvu.live;
    proxy_set_header Referrer https://esports1.totalvu.live;
    # proxy_set_header X-Forwarded-Proto $scheme;
    # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # proxy_pass http://localhost:80;
}
I thought that localhost was a different route to the Debian kernel, than
the network interface... so listening to localhost:80 wouldn't hear traffic
on the network interface port 80 and vice versa. Is that wrong? Anyway,
many thanks again if you can help with the next part, since that is the
real goal:
Unfortunately, WSS inbound proxied to WS on localhost isn't working. The
process that is listening is running inside a docker.
When the webpage tries to connect to NGINX to start a WSS from a testing
site like https://websocketking.com/ going to the host without the port,
just to test conf.d:
wss://myFQDN
the access log shows:
myIPAddr - - [11/Sep/2022:18:42:41 +0000] "GET / HTTP/1.1" 502 552 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" "-"
Should it say HTTPS here? When I try with the port:
wss://myFQDN:25565
*the request hangs in Pending state forever.*
FYI here is some supporting info to help provide the context.
The up-to-date conf.d:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream to-websocket {
    server localhost:25565;
}

server_tokens off;

# SSL requirements. We use Certbot and LetsEncrypt
#ssl_certificate /etc/letsencrypt/live/myFQDN/fullchain.pem; # managed by Certbot
#ssl_certificate_key /etc/letsencrypt/live/myFQDN/privkey.pem; # managed by Certbot
#include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#ssl_session_cache shared:SSL:1m;
#ssl_session_timeout 5m;
#ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_prefer_server_ciphers on;

server {
    # first redirect to https
    if ($scheme = "http") {
        return 301 https://$host$request_uri;
    }
    # Now webserver
    # Port 80 shouldn't be accessed from outside
    # listen 80 default_server;
    # listen [::]:80 default_server;
    # server_name myFQDN www.myFQDN;
    # return 404; # managed by Certbot
    # root /var/www/html;
}

server {
    root /var/www/html;
    index index.html index.htm;
    server_name myFQDN;

    # Proxy our outside https to local http
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/myFQDN/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/myFQDN/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        try_files /nonexistent @$http_upgrade;
    }

    location @websocket {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host myFQDN;
        proxy_set_header Referer https://myFQDN;
        proxy_set_header Referrer https://myFQDN;
        # proxy_pass http://localhost:25565;
        proxy_pass http://to-websocket;
    }

    location @ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host myFQDN;
        proxy_set_header Referer https://myFQDN;
        proxy_set_header Referrer https://myFQDN;
        # proxy_set_header X-Forwarded-Proto $scheme;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_pass http://localhost:80;
    }
}
Here is the listener process on netstat:
netstat -a -o | grep 255
tcp        0      0 ip-172-31-24-191.:25565 0.0.0.0:*               LISTEN      off (0.00/0/0)
udp        0      0 ip-172-31-24-191.:25565 0.0.0.0:*                           off (0.00/0/0)
Here is the interface being used:
ifconfig
pterodactyl0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
        inet6 fdba:17c8:6c94::1011  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::42:34ff:fecd:a2ca  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::1  prefixlen 64  scopeid 0x20<link>
        ether 02:42:34:cd:a2:ca  txqueuelen 0  (Ethernet)
        RX packets 531199  bytes 44240022 (42.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 599094  bytes 2239954356 (2.0 GiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
Here are the iptables stats:
iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
26591 3605K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
26591 3605K DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
 555K 2230M ACCEPT     all  --  *      pterodactyl0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  754 43364 DOCKER     all  --  *      pterodactyl0  0.0.0.0/0            0.0.0.0/0
 487K   43M ACCEPT     all  --  pterodactyl0 !pterodactyl0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  pterodactyl0 pterodactyl0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
  285 17856 ACCEPT     tcp  --  !pterodactyl0 pterodactyl0  0.0.0.0/0            172.18.0.2           tcp dpt:25565
    0     0 ACCEPT     udp  --  !pterodactyl0 pterodactyl0  0.0.0.0/0            172.18.0.2           udp dpt:25565

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
13358 1529K DOCKER-ISOLATION-STAGE-2  all  --  pterodactyl0 !pterodactyl0  0.0.0.0/0            0.0.0.0/0
26591 3605K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      pterodactyl0  0.0.0.0/0            0.0.0.0/0
13358 1529K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
1535K 4381M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
On Sun, Sep 11, 2022 at 1:45 AM Francis Daly <francis at daoine.org> wrote:
> On Sat, Sep 10, 2022 at 05:47:29PM -0700, Michael Williams wrote:
>
> Hi there,
>
> > Can someone with fresh eye please review this config and tell me why
> > requests are infinite redirection to https?
>
> I suspect that whatever you are proxy_pass'ing to is seeing that it
> is getting a http connection, and it has been configured to insist on
> having a https connection.
>
> In this particular case, your "listen 80 default_server" server
> block presumably includes "localhost"; and so your "proxy_pass
> http://localhost:80;" directive is talking back to that. Which is where
> the loop is.
>
> So - proxy_pass to something that will return content.
>
> Cheers,
>
> f
> --
> Francis Daly francis at daoine.org
> _______________________________________________
> nginx mailing list -- nginx at nginx.org
> To unsubscribe send an email to nginx-leave at nginx.org
>
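A small handshake probe, added here as an example and not part of Michael's or Francis's posts: it sends the same Upgrade/Connection request that the @websocket location forwards to the upstream and classifies the reply the way it would surface to the browser and in the nginx log (connection refused, which nginx reports as 502; TCP accepted but no HTTP reply, which leaves the request Pending; a 301, which is the redirect loop from the earlier thread; or a 101 whose Sec-WebSocket-Accept verifies). The stand-in upstream, the sample client key (RFC 6455's own sample value) and the myFQDN placeholder are constructed for offline runs.

```python
import base64, hashlib, socket, threading, time

GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed handshake GUID from RFC 6455
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # constructed client nonce (the RFC's own sample value)

def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID))."""
    return base64.b64encode(hashlib.sha1((client_key + GUID).encode()).digest()).decode()

def header(raw: bytes, name: str) -> str:
    """Value of one header in a raw HTTP head (case-insensitive), or '' if absent."""
    for line in raw.decode(errors="replace").split("\r\n")[1:]:
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return ""

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send the upgrade request the @websocket location forwards and classify the reply."""
    req = (f"GET / HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
           f"Sec-WebSocket-Key: {SAMPLE_KEY}\r\nSec-WebSocket-Version: 13\r\n\r\n").encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            head = s.recv(4096)
    except ConnectionRefusedError:
        return "refused"    # nothing listening on that address/port: nginx logs a 502
    except socket.timeout:
        return "timeout"    # TCP accepted but no HTTP reply: the browser shows Pending
    if not head.startswith(b"HTTP/1."):
        return "not-http"   # something answered, but it is not an HTTP server
    status = head.split(b" ", 2)[1].decode()
    if status == "101" and header(head, "Sec-WebSocket-Accept") == accept_key(SAMPLE_KEY):
        return "websocket"  # handshake completed and the accept key verifies
    return "http-" + status  # e.g. http-301 is the redirect loop from the earlier thread

def serve_once(mode: str) -> int:
    """Constructed offline stand-in upstream; returns its port. Modes: ws, redirect (301), silent."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    def run():
        conn, _ = srv.accept(); raw = conn.recv(4096)
        if mode == "ws":
            conn.sendall(("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
                          f"Sec-WebSocket-Accept: {accept_key(header(raw, 'Sec-WebSocket-Key'))}\r\n\r\n").encode())
        elif mode == "redirect":
            conn.sendall(b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://myFQDN/\r\nContent-Length: 0\r\n\r\n")
        else:
            time.sleep(2)  # hold the connection open without answering
        conn.close(); srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```

Run `probe("127.0.0.1", 25565)` on the nginx host to see which of these outcomes the upstream named in the to-websocket block actually produces, then compare with `probe("172.18.0.1", 25565)` or the address netstat shows the listener bound to.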