
Websocket with SSL reverse proxy is not working correctly


  • Websocket with SSL reverse proxy is not working correctly

    Hi everyone,

    I have a problem connecting to the WebSocket in my EspoCRM instance.

    Code:
    WebSocket connection to 'wss://mydomain/?authToken=0586c18e2007cc616c1869bbd2282062&userId=63d912a067faaa322' failed:
    The current setup is based on a docker container VM with FPM configuration (nginx-mysql-espocrm-websocket-daemon). The VM is behind a reverse proxy which handles the SSL connection; I followed the configuration reported in the documentation https://docs.espocrm.com/administrat...t/#ssl-support but the problem persists.

    When the application was not behind the HTTP reverse proxy, everything worked fine.

    Can you help me? What's wrong?

    docker-compose.yml

    Code:
    version: "3.8"
    services:
        # MySQL 8 database used by the EspoCRM containers.
        mysql:
            image: mysql:8
            container_name: mysql
            # Makes mysql_native_password the server's default authentication plugin.
            command: --default-authentication-plugin=mysql_native_password
            environment:
                # Credentials are written inline (placeholder values in this post).
                # In a real deployment keep them out of the compose file, e.g. in
                # an env file or Docker secrets, and give root and the application
                # user different passwords.
                MYSQL_ROOT_PASSWORD: mypsw
                MYSQL_DATABASE: espocrm
                MYSQL_USER: espocrm
                MYSQL_PASSWORD: mypsw
            volumes:
                - mysql:/var/lib/mysql
            restart: always
            ports:
                # NOTE(review): publishes MySQL on host port 33060. The EspoCRM
                # containers reach the database by service name
                # (ESPOCRM_DATABASE_HOST: mysql), so this mapping only matters for
                # clients outside the stack.
                - "33060:3306"
            networks:
                - internal
                # NOTE(review): the database is also attached to the pre-existing
                # "external" network, not only to "internal".
                - external
        # Web server inside the VM. It publishes plain HTTP only; per the post,
        # TLS is terminated by a separate reverse proxy in front of the VM.
        nginx:
            image: nginx:mainline
            container_name: nginx
            volumes:
                - ./data/nginx/conf.d/:/etc/nginx/conf.d/
                # presumably the same directory that backs the "espocrm" volume — verify
                - ./data/espocrm:/var/www/html
                - ./data/nginx/logs:/var/log/nginx
            restart: always
            ports:
                - "80:80"
            networks:
                - external
        # EspoCRM application container (PHP-FPM image).
        espocrm:
            image: espocrm/espocrm:fpm
            container_name: espocrm
            environment:
                # Database is addressed by its compose service name.
                ESPOCRM_DATABASE_HOST: mysql
                ESPOCRM_DATABASE_USER: espocrm
                # Database and admin passwords are inline placeholders here; keep
                # real values out of the compose file.
                ESPOCRM_DATABASE_PASSWORD: mypsw
                ESPOCRM_ADMIN_USERNAME: Admin
                ESPOCRM_ADMIN_PASSWORD: mypsw
                # Public URL as seen through the TLS-terminating reverse proxy.
                ESPOCRM_SITE_URL: "https://mydomain/"
            volumes:
                - espocrm:/var/www/html
            restart: always
            networks:
                - external
                - internal
        # Same image as the application container, started with the
        # docker-daemon.sh entrypoint and sharing the "espocrm" volume.
        espocrm-daemon:
            image: espocrm/espocrm:fpm
            container_name: espocrm-daemon
            volumes:
                - espocrm:/var/www/html
            restart: always
            entrypoint: docker-daemon.sh
            networks:
                - external
                - internal
        # WebSocket server: same image, started with docker-websocket.sh.
        espocrm-websocket:
            image: espocrm/espocrm:fpm
            container_name: espocrm-websocket
            environment:
                ESPOCRM_CONFIG_USE_WEB_SOCKET: "true"
                # NOTE(review): this URL has no path, so the browser connects to
                # wss://mydomain/?authToken=... (as in the error message and the
                # proxy access log). The reverse-proxy config in this post only
                # sets the Upgrade headers under "location /wss".
                ESPOCRM_CONFIG_WEB_SOCKET_URL: "wss://mydomain"
                # ESPOCRM_CONFIG_WEB_SOCKET_ZERO_M_Q_SUBSCRIBER_DSN: "tcp://*:7777"
                # ESPOCRM_CONFIG_WEB_SOCKET_ZERO_M_Q_SUBMISSION_DSN: "tcp://espocrm-websocket:7777"
            volumes:
                - espocrm:/var/www/html
            restart: always
            entrypoint: docker-websocket.sh
            ports:
                # Host port 8081 -> container port 8080. Nothing in this file
                # configures TLS on this port, so the reverse proxy is the only
                # TLS layer; ideally only the proxy can reach 8081.
                # NOTE(review): unquoted, unlike the other port mappings in this file.
                - 8081:8080
            networks:
                - external
                - internal
    networks:
        # "external: true" means this network already exists and is not created
        # by this compose file.
        external:
            external: true
        # Created and managed by compose. NOTE(review): despite its name this is
        # an ordinary network; it does not set "internal: true".
        internal:
            external: false
    # Named volumes implemented as bind mounts of fixed host directories
    # (local driver with type "none" and option "bind").
    volumes:
        mysql:
            driver: local
            driver_opts:
                type: "none"
                o: "bind"
                device: "/var/www/espocrm/data/mysql/data"
        espocrm:
            driver: local
            driver_opts:
                type: "none"
                o: "bind"
                device: "/var/www/espocrm/data/espocrm"
    ​


    conf nginx reverse proxy

    Code:
    # Value for the Connection header sent upstream: "upgrade" when the client
    # sent an Upgrade header, "close" when that header is empty.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    
    # NOTE(review): this upstream is named "webosocket", while the /wss location
    # in this config proxies to "websocket". The names differ, so that
    # proxy_pass does not refer to this upstream group.
    # Port 8081 is the host port the compose file maps to the websocket
    # container's 8080.
    upstream webosocket {
        server ip-VM:8081;
    }
    
    # Plain-HTTP listener: permanently redirects every request to the HTTPS
    # site, keeping the request path.
    server {
        listen reverse-ip1:80;
        listen reverse-ip2:80;
    
        server_name mydomain;
    
        rewrite ^/(.*) https://mydomain/$1 permanent;
    }
    
    # TLS-terminating virtual host: decrypts client traffic and forwards it to
    # the VM over plain HTTP.
    server {
        listen reverse-ip1:443 ssl;
        listen reverse-ip2:443 ssl;
    
        server_name mydomain;
    
        # NOTE(review): nginx inherits proxy_set_header from this level only into
        # locations that define no proxy_set_header of their own. Both locations
        # below define some, so this header is not sent by either of them.
        proxy_set_header X-Forwarded-Port 443;
    
        resolver 127.0.0.1;
    
        ssl_certificate         /usr/local/ssl/certs/fullchain.pem;
        ssl_certificate_key     /usr/local/ssl/private/star2.domaint.key;
        ssl_dhparam             /usr/local/ssl/private/dhparam.pem;
    
        # Everything that does not match /wss goes to the VM's web server. The
        # access-log lines in this post show the websocket requests arriving as
        # "GET /?authToken=..." with status 200, i.e. they are handled here,
        # where no Upgrade/Connection headers are forwarded.
        location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # $http_host is the Host header exactly as the client sent it.
            proxy_set_header Host $http_host;
            proxy_read_timeout 5m;
            proxy_send_timeout 5m;
            proxy_pass http://ip-VM;
        }
    
        # WebSocket endpoint; only requests whose path starts with /wss get the
        # upgrade headers.
        location /wss {
            # NOTE(review): "websocket" does not match the upstream defined above
            # ("webosocket"), and the scheme is https although nothing on this
            # page shows TLS on the backend port; the working config in reply #6
            # uses http://websocket.
            proxy_pass https://websocket;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_read_timeout 12h;
        }
    
        # NOTE(review): the websocket URL carries authToken in the query string,
        # so tokens end up in this access log (see the sample lines in the post).
        # Restrict access to the log, or use a log_format that records $uri
        # instead of $request.
        access_log      /var/log/nginx/mydomain-access.log;
        error_log       /var/log/nginx/mydomain-error.log;
    }​
    log reverse proxy

    Code:
    10.10.123.108 - - [17/Feb/2023:13:17:10 +0100] "GET /?authToken=970f5768dca2318272d33f0e7fb39dd8&userId=63d912a067faaa322 HTTP/1.1" 200 990 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
    10.10.123.108 - - [17/Feb/2023:13:17:16 +0100] "GET /?authToken=970f5768dca2318272d33f0e7fb39dd8&userId=63d912a067faaa322 HTTP/1.1" 200 990 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
    10.10.123.108 - - [17/Feb/2023:13:17:22 +0100] "GET /?authToken=970f5768dca2318272d33f0e7fb39dd8&userId=63d912a067faaa322 HTTP/1.1" 200 991 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
    ​
    Last edited by Virtute90; 03-08-2023, 11:07 AM.

  • #2
    We have a similar issue. We're using the Cloudflare proxy in DNS, and the WebSocket doesn't work in this configuration.



    • #3
      +1: I haven't found a solution either... I've tried many.

      client -> debian:nginx:443 -> centos/almalinux/debian:apache:80



      • #4
        Originally posted by emillod View Post
        We have similar issue. We're using cloudflare proxy in dns websocket don't want to work in this configuration
        Damnation

        Originally posted by item View Post
        +1 : not find a solution too... try many.

        client -> debian:nginx:443 -> centos/almalinux/debian:apache:80

        My situation is very similar to yours

        Any work around?



        • #5
          For Brainstorm

          requirement :
          - espocrm site url must be https with domain for Office365 Extension and OAuth.

          In my case, the site URL in the EspoCRM settings is very important, and the 443 => 80 hop is certainly the problem.


          For your problem, i see : ESPOCRM_SITE_URL: "https://mydomain/" : so maybe try


          ping https://mydomain
          - it's ip of proxy or docker ? (docker i don't know)
          - mydomain must be resolved somewhere !?
          - ping from any computer in lan ?
          - ping if you can ssh (docker) ... try add in host file..

          for me, in espocrm admin setting site url must be resolved by ip of ReverseProxy ?

          Maybe.​



          • #6
            Hi,
            i have my VM reverse proxy and VM espoCRM websocket working
            for info : wan => vm proxy nginx:443 => vm espocrm apache:80
            for info : i have a lan dns server and not same A/CNAME of wan dns server

            if i see your config,.. your problem is here (at 98%):


            PHP Code:

                map $http_upgrade $connection_upgrade 
            {
                    default 
            upgrade;
                    
            '' close;
                }

                
            upstream websocket {
                  
            server BACK_END_VM_IP:8080;  // it's open in firewall of backend vm where espocrm.
                
            }

              
            server {
                
            server_name mycrm.domain.be;  // domaine name of espocrm but it's ip of proxy : sample : mycrm.domain.be => ip of proxy
                
            set $upstream BACK_END_VM_IP;
                
            server_tokens off;

                
            location /wss {
                    
            proxy_pass http://websocket;
                    
            proxy_http_version 1.1;
                    
            proxy_set_header Upgrade $http_upgrade;
                    
            proxy_set_header Connection $connection_upgrade;
                    
            proxy_read_timeout 12h;
                }
            ​ 
            With this, I see status 101 Switching Protocols in the HTTP log.
            Last edited by item; 02-28-2023, 05:41 PM.

