Welcome! Log In Create A New Profile

Advanced

Re: help with https to http and WSS to WS reverse proxy conf

All files from this thread

File Name File Size   Posted by Date  
Screen Shot 2022-09-12 at 5.29.50 PM.png 194.6 KB open | download Michael Williams 09/12/2022 Read message
Michael Williams
September 11, 2022 02:56PM
Francis thanks very much for taking the time to look at this.
Based on your suggestion, I commented out these 3 lines and it got rid of
the looping. I thought the same process that wants the WS feed also looked
for inbound on port 80, but that is not the case after all.

location @ {

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header Host esports1.totalvu.live;

proxy_set_header Referer https://esports1.totalvu.live;

proxy_set_header Referrer https://esports1.totalvu.live;

# proxy_set_header X-Forwarded-Proto $scheme;

# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# proxy_pass http://localhost:80;

}

I thought that localhost was a different route to the Debian kernel, than
the network interface... so listening to localhost:80 wouldn't hear traffic
on the network interface port 80 and vice versa. Is that wrong? Anyway,
many thanks again if you can help with the next part, since that is the
real goal:

Unfortunately, WSS inbound proxied to WS on localhost isn't working. The
process that is listening is running inside a docker.
When the webpage tries to connect to NGINX to start a WSS from a testing
site like https://websocketking.com/ going to the host without the port,
just to test conf.d :

wss://myFQDN

the access log shows:

myIPAddr - - [11/Sep/2022:18:42:41 +0000] "GET / HTTP/1.1" 502 552 "-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/105.0.0.0 Safari/537.36" "-"


Should it say HTTPS here ? When I try with the port:

wss://myFQDN:25565

*the request hangs in Pending state forever.*

FYI here is some supporting info to help provide the context.

The up to date conf.d:

map $http_upgrade $connection_upgrade {

default upgrade;

'' close;

}


upstream to-websocket {

server localhost:25565;

}


server_tokens off;


# SSL requirements. We use Certbot and LetsEncrypt

#ssl_certificate /etc/letsencrypt/live/myFQDN/fullchain.pem; # managed by
Certbot

#ssl_certificate_key /etc/letsencrypt/live/myFQDN/privkey.pem; # managed by
Certbot

#include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

#ssl_session_cache shared:SSL:1m;


#ssl_session_timeout 5m;

#ssl_ciphers HIGH:!aNULL:!MD5;

#ssl_prefer_server_ciphers on;


server {

# first redirect to https

if ($scheme = "http") {

return 301 https://$host$request_uri;

}


# Now webserver

# Port 80 shouldn't be accesed from outside

# listen 80 default_server;

# listen [::]:80 default_server;

# server_name myFQDN www.myFQDN;

# return 404; # managed by Certbot

# root /var/www/html;

}


server {

root /var/www/html;

index index.html index.htm;

server_name myFQDN;


# Proxy our outside https to local http

listen [::]:443 ssl ipv6only=on; # managed by Certbot

listen 443 ssl; # managed by Certbot

ssl_certificate /etc/letsencrypt/live/myFQDN/fullchain.pem; # managed
by Certbot

ssl_certificate_key /etc/letsencrypt/live/myFQDN/privkey.pem; # managed
by Certbot

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


location / {

try_files /nonexistent @$http_upgrade;

}

location @websocket {

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection $connection_upgrade;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header Host myFQDN;

proxy_set_header Referer https://myFQDN;

proxy_set_header Referrer https://myFQDN;

# proxy_pass http://localhost:25565;

proxy_pass http://to-websocket;

}


location @ {

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header Host myFQDN;

proxy_set_header Referer https://myFQDN;

proxy_set_header Referrer https://myFQDN;

# proxy_set_header X-Forwarded-Proto $scheme;

# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# proxy_pass http://localhost:80;

}

}

Here is the listener process on netstat:

netstat -a -o | grep 255

tcp 0 0 ip-172-31-24-191.:25565 0.0.0.0:* LISTEN
off (0.00/0/0)

udp 0 0 ip-172-31-24-191.:25565 0.0.0.0:*
off (0.00/0/0)

Here is the interface being used:

ifconfig

pterodactyl0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255

inet6 fdba:17c8:6c94::1011 prefixlen 64 scopeid 0x0<global>

inet6 fe80::42:34ff:fecd:a2ca prefixlen 64 scopeid 0x20<link>

inet6 fe80::1 prefixlen 64 scopeid 0x20<link>

ether 02:42:34:cd:a2:ca txqueuelen 0 (Ethernet)

RX packets 531199 bytes 44240022 (42.1 MiB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 599094 bytes 2239954356 (2.0 GiB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Here are the iptables stats:

iptables -L -n -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target prot opt in out source
destination


Chain FORWARD (policy DROP 0 packets, 0 bytes)

pkts bytes target prot opt in out source
destination

26591 3605K DOCKER-USER all -- * * 0.0.0.0/0
0.0.0.0/0

26591 3605K DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0
0.0.0.0/0

0 0 ACCEPT all -- * docker0 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED

0 0 DOCKER all -- * docker0 0.0.0.0/0
0.0.0.0/0

0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0
0.0.0.0/0

0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0
0.0.0.0/0

555K 2230M ACCEPT all -- * pterodactyl0 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED

754 43364 DOCKER all -- * pterodactyl0 0.0.0.0/0
0.0.0.0/0

487K 43M ACCEPT all -- pterodactyl0 !pterodactyl0 0.0.0.0/0
0.0.0.0/0

0 0 ACCEPT all -- pterodactyl0 pterodactyl0 0.0.0.0/0
0.0.0.0/0


Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target prot opt in out source
destination


Chain DOCKER (2 references)

pkts bytes target prot opt in out source
destination

285 17856 ACCEPT tcp -- !pterodactyl0 pterodactyl0 0.0.0.0/0
172.18.0.2 tcp dpt:25565

0 0 ACCEPT udp -- !pterodactyl0 pterodactyl0 0.0.0.0/0
172.18.0.2 udp dpt:25565


Chain DOCKER-ISOLATION-STAGE-1 (1 references)

pkts bytes target prot opt in out source
destination

0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0
0.0.0.0/0

13358 1529K DOCKER-ISOLATION-STAGE-2 all -- pterodactyl0 !pterodactyl0
0.0.0.0/0 0.0.0.0/0

26591 3605K RETURN all -- * * 0.0.0.0/0
0.0.0.0/0


Chain DOCKER-ISOLATION-STAGE-2 (2 references)

pkts bytes target prot opt in out source
destination

0 0 DROP all -- * docker0 0.0.0.0/0
0.0.0.0/0

0 0 DROP all -- * pterodactyl0 0.0.0.0/0
0.0.0.0/0

13358 1529K RETURN all -- * * 0.0.0.0/0
0.0.0.0/0


Chain DOCKER-USER (1 references)

pkts bytes target prot opt in out source
destination

1535K 4381M RETURN all -- * * 0.0.0.0/0
0.0.0.0/0







On Sun, Sep 11, 2022 at 1:45 AM Francis Daly <francis@daoine.org> wrote:

> On Sat, Sep 10, 2022 at 05:47:29PM -0700, Michael Williams wrote:
>
> Hi there,
>
> > Can someone with fresh eye please review this config and tell me why
> > requests are infinite redirection to https?
>
> I suspect that whatever you are proxy_pass'ing to is seeing that it
> is getting a http connection, and it has been configured to insist on
> having a https connection.
>
> In this particular case, your "listen 80 default_server" server
> block presumably includes "localhost"; and so your "proxy_pass
> http://localhost:80;" directive is talking back to that. Which is where
> the loop is.
>
> So - proxy_pass to something that will return content.
>
> Cheers,
>
> f
> --
> Francis Daly francis@daoine.org
> _______________________________________________
> nginx mailing list -- nginx@nginx.org
> To unsubscribe send an email to nginx-leave@nginx.org
>
_______________________________________________
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-leave@nginx.org
Subject Author Posted

help with https to http and WSS to WS reverse proxy conf

Michael Williams September 10, 2022 08:48PM

Re: help with https to http and WSS to WS reverse proxy conf

Francis Daly September 11, 2022 04:46AM

Re: help with https to http and WSS to WS reverse proxy conf

Michael Williams September 11, 2022 02:56PM

Re: help with https to http and WSS to WS reverse proxy conf

Francis Daly September 12, 2022 04:36PM

Re: help with https to http and WSS to WS reverse proxy conf Attachments

Michael Williams September 12, 2022 08:48PM

Re: help with https to http and WSS to WS reverse proxy conf

Francis Daly September 15, 2022 10:30AM

Re: help with https to http and WSS to WS reverse proxy conf

Michael Williams September 15, 2022 01:02PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 75
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready