Welcome! Log In Create A New Profile

Advanced

Re: help with https to http and WSS to WS reverse proxy conf

All files from this thread

File Name File Size   Posted by Date  
Screen Shot 2022-09-12 at 5.29.50 PM.png 194.6 KB open | download Michael Williams 09/12/2022 Read message
Francis Daly
September 15, 2022 10:30AM
On Mon, Sep 12, 2022 at 05:46:21PM -0700, Michael Williams wrote:

Hi there,

> Wow thank you. This really helps all the guidance and instruction. I really
> appreciate your time.

No worries.

> One thing to clarify, is that if I turn off NGINX, the client page works
> fine and connects to the app server inside the docker OK.

I confess that I am confused as to what your current architecture is.

Can you describe it? Along the lines of:

Without nginx involved, we have (http service) running on (docker
ip:port) and when we tell the client to access (http:// docker ip:port)
everything works, including the websocket thing.

With nginx involved to test reverse-proxying http, the docker side is
identical, but we tell the client to access (http:// nginx ip:port)
and everything works? Or not everything works?

With nginx involved to test reverse-proxying https, the docker side is
identical, and we tell the client to access (https:// nginx ip:port),
and some things work?

With that information, it might be clear to someone where the first
problem appears.

In this configuration:

> server {
> index index.html index.htm;
> listen [::]:443 ssl ipv6only=on; # managed by Certbot
> listen 443 ssl; # managed by Certbot
> listen 25566 ssl;

nginx is listening for https on two ports.

What test are you running? Which port are you using?

> location @wss {

> proxy_http_version 1.1;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection $connection_upgrade;

> proxy_pass http://172.31.24.191:25565;

nginx is talking to this port without https.

What works here / what fails here? What do the logs say?

> My idea was to try changing our client webpage to access a different port #
> than the one our app server in the docker is listening to.

I'm afraid I am not sure what that means. I thought the client webpage
was accessing nginx on port 443 and the backend / upstream http server
was listening on the high port?

Maybe I am getting confused among multiple tests that you are running.

> With that change
> I see from WIreshark on my local that the WSS connection seems to go
> through OK with NGINX:
>
> [image: Screen Shot 2022-09-12 at 5.29.50 PM.png]

I'm seeing a picture; but I'm not seeing anything that obviously says
that a WSS connection is working anywhere.

I'm seeing a TLS connection between the client and nginx that is cleanly
closed after a fraction of a second. I see nothing that suggests that
nginx is doing a proxy_pass to the upstream server. (But maybe that was
excluded from the tcpdump?)

> Our app server shows that the connection to the server also starts but then
> disconnect it:
> (22:36:59) Disconnected <client IP address> (unknown opcode 22)

With nginx involved, the app server should never see the client IP
address directly; it should only see connections from nginx. (It might
see the client IP listed in the http headers.)

> My question here, does NGINX negotiate the entire handshake for HTTPS to
> WSS upgrade itself, without forwarding the same pages to our app server ?
> Is there a way to forward those pages to the app server also ? I think our
> app server may insist on negotiating a ws:// connection itself, but not a
> wss:// connection.

As I understand it: the client makes a TLS connection to nginx,
and sends a http request inside that TLS connection (== a https
request). Separately, nginx makes a http connection to the upstream
server, and (through config) passes along the Upgrade-and-friends headers
that the client sent to nginx, requesting that this connection switch to
a websocket connection. And after that works, nginx effectively becomes a
"blind tunnel" for the connection contents, passing unencrypted things
on the nginx-to-upstream side and encrypted things on the nginx-to-client
side, and generally not caring about what is inside.


If things are still not working as wanted, I suggest simplifying things
as much as possible.

Make the nginx config be not much more than what step 6 on
https://www.nginx.com/blog/websocket-nginx/ shows, and include enough
information in any report of a test, so that someone else will be able
to repeat the test on their system to see what happens there.

Good luck with it,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-leave@nginx.org
Subject Author Posted

help with https to http and WSS to WS reverse proxy conf

Michael Williams September 10, 2022 08:48PM

Re: help with https to http and WSS to WS reverse proxy conf

Francis Daly September 11, 2022 04:46AM

Re: help with https to http and WSS to WS reverse proxy conf

Michael Williams September 11, 2022 02:56PM

Re: help with https to http and WSS to WS reverse proxy conf

Francis Daly September 12, 2022 04:36PM

Re: help with https to http and WSS to WS reverse proxy conf Attachments

Michael Williams September 12, 2022 08:48PM

Re: help with https to http and WSS to WS reverse proxy conf

Francis Daly September 15, 2022 10:30AM

Re: help with https to http and WSS to WS reverse proxy conf

Michael Williams September 15, 2022 01:02PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 81
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready