Announcement

Collapse
No announcement yet.

Websocket with SSL reverse proxy is not working correctly

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    Websocket with SSL reverse proxy is not working correctly

    Hi everyone,

    i have a problem connecting to the websocket in my espocrm instance.

    Code:
    WebSocket connection to 'wss://mydomain/?authToken=0586c18e2007cc616c1869bbd2282062&userId=63d912a067faaa322' failed:
    The current setup is based on a docker container VM with FPM configuration (nginx-mysql-espocrm-websocket-daemon). The VM is behind a reverse proxy which handles the SSL connection; I followed the configuration reported in the documentation https://docs.espocrm.com/administrat...t/#ssl-support but the problem persists.

    When the application was not behind the http reverse proxy everything works fine.

    Can you help me? What's wrong?

    docker-compose.yml

    Code:
    version: "3.8"
services:
    mysql:
        image: mysql:8
        container_name: mysql
        command: --default-authentication-plugin=mysql_native_password
        environment:
            MYSQL_ROOT_PASSWORD: mypsw
            MYSQL_DATABASE: espocrm
            MYSQL_USER: espocrm
            MYSQL_PASSWORD: mypsw
        volumes:
            - mysql:/var/lib/mysql
        restart: always
        ports:
            - "33060:3306"
        networks:
            - internal
            - external
    nginx:
        image: nginx:mainline
        container_name: nginx
        volumes:
            - ./data/nginx/conf.d/:/etc/nginx/conf.d/
            - ./data/espocrm:/var/www/html
            - ./data/nginx/logs:/var/log/nginx
        restart: always
        ports:
            - "80:80"
        networks:
            - external
    espocrm:
        image: espocrm/espocrm:fpm
        container_name: espocrm
        environment:
            ESPOCRM_DATABASE_HOST: mysql
            ESPOCRM_DATABASE_USER: espocrm
            ESPOCRM_DATABASE_PASSWORD: mypsw
            ESPOCRM_ADMIN_USERNAME: Admin
            ESPOCRM_ADMIN_PASSWORD: mypsw
            ESPOCRM_SITE_URL: "https://mydomain/"
        volumes:
            - espocrm:/var/www/html
        restart: always
        networks:
            - external
            - internal
    espocrm-daemon:
        image: espocrm/espocrm:fpm
        container_name: espocrm-daemon
        volumes:
            - espocrm:/var/www/html
        restart: always
        entrypoint: docker-daemon.sh
        networks:
            - external
            - internal
    espocrm-websocket:
        image: espocrm/espocrm:fpm
        container_name: espocrm-websocket
        environment:
            ESPOCRM_CONFIG_USE_WEB_SOCKET: "true"
            ESPOCRM_CONFIG_WEB_SOCKET_URL: "wss://mydomain"
            # ESPOCRM_CONFIG_WEB_SOCKET_ZERO_M_Q_SUBSCRIBER_DSN: "tcp://*:7777"
            # ESPOCRM_CONFIG_WEB_SOCKET_ZERO_M_Q_SUBMISSION_DSN: "tcp://espocrm-websocket:7777"
        volumes:
            - espocrm:/var/www/html
        restart: always
        entrypoint: docker-websocket.sh
        ports:
            - 8081:8080
        networks:
            - external
            - internal
networks:
    external:
        external: true
    internal:
        external: false
volumes:
    mysql:
        driver: local
        driver_opts:
            type: "none"
            o: "bind"
            device: "/var/www/espocrm/data/mysql/data"
    espocrm:
        driver: local
        driver_opts:
            type: "none"
            o: "bind"
            device: "/var/www/espocrm/data/espocrm"
​


    conf nginx reverse proxy

    Code:
    map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

upstream webosocket {
    server ip-VM:8081;
}

server {
    listen reverse-ip1:80;
    listen reverse-ip2:80;

    server_name mydomain;

    rewrite ^/(.*) https://mydomain/$1 permanent;
}

server {
    listen reverse-ip1:443 ssl;
    listen reverse-ip2:443 ssl;

    server_name mydomain;

    proxy_set_header X-Forwarded-Port 443;

    resolver 127.0.0.1;

    ssl_certificate         /usr/local/ssl/certs/fullchain.pem;
    ssl_certificate_key     /usr/local/ssl/private/star2.domaint.key;
    ssl_dhparam             /usr/local/ssl/private/dhparam.pem;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        proxy_pass http://ip-VM;
    }

    location /wss {
        proxy_pass https://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 12h;
    }

    access_log      /var/log/nginx/mydomain-access.log;
    error_log       /var/log/nginx/mydomain-error.log;
}​
    log reverse proxy

    Code:
    10.10.123.108 - - [17/Feb/2023:13:17:10 +0100] "GET /?authToken=970f5768dca2318272d33f0e7fb39dd8&userId=63d912a067faaa322 HTTP/1.1" 200 990 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
10.10.123.108 - - [17/Feb/2023:13:17:16 +0100] "GET /?authToken=970f5768dca2318272d33f0e7fb39dd8&userId=63d912a067faaa322 HTTP/1.1" 200 990 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
10.10.123.108 - - [17/Feb/2023:13:17:22 +0100] "GET /?authToken=970f5768dca2318272d33f0e7fb39dd8&userId=63d912a067faaa322 HTTP/1.1" 200 991 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
​
    Last edited by Virtute90; 03-08-2023, 11:07 AM.
    Tags: None
  • #2
    We have similar issue. We're using cloudflare proxy in dns websocket don't want to work in this configuration

    Comment

    • #3
      +1 : not find a solution too... try many.

      client -> debian:nginx:443 -> centos/almalinux/debian:apache:80

      Comment

      • #4
        Originally posted by emillod View Post
        We have similar issue. We're using cloudflare proxy in dns websocket don't want to work in this configuration
        Damnation

        Originally posted by item View Post
        +1 : not find a solution too... try many.

        client -> debian:nginx:443 -> centos/almalinux/debian:apache:80

        My situation is very similar to yours

        Any work around?

        Comment

        • #5
          For Brainstorm

          requirement :
          - espocrm site url must be https with domain for Office365 Extension and OAuth.

          In my case, site url in espocrm setting is very important, and in my case. 443 => 80 is certainly the problem.


          For your problem, i see : ESPOCRM_SITE_URL: "https://mydomain/" : so maybe try


          ping https://mydomain
          - it's ip of proxy or docker ? (docker i don't know)
          - mydomain must be resolved somewhere !?
          - ping from any computer in lan ?
          - ping if you can ssh (docker) ... try add in host file..

          for me, in espocrm admin setting site url must be resolved by ip of ReverseProxy ?

          Maybe.​

          Comment

          • #6
            Hi,
            i have my VM reverse proxy and VM espoCRM websocket working
            for info : wan => vm proxy nginx:443 => vm espocrm apache:80
            for info : i have a lan dns server and not same A/CNAME of wan dns server

            if i see your config,.. your problem is here (at 98%):


            PHP Code:

                map $http_upgrade $connection_upgrade             {
                    default             upgrade;
                                '' close;
                }

                            upstream websocket {
                              server BACK_END_VM_IP:8080;  // it's open in firewall of backend vm where espocrm.
                            }

                          server {
                            server_name mycrm.domain.be;  // domaine name of espocrm but it's ip of proxy : sample : mycrm.domain.be => ip of proxy
                            set $upstream BACK_END_VM_IP;
                            server_tokens off;

                            location /wss {
                                proxy_pass http://websocket;
                                proxy_http_version 1.1;
                                proxy_set_header Upgrade $http_upgrade;
                                proxy_set_header Connection $connection_upgrade;
                                proxy_read_timeout 12h;
                }            ​ 
            So i just see in http log, status 101 Switching Protocol
            Last edited by item; 02-28-2023, 05:41 PM.

            Comment

            Previous template Next
            Working...
            X