Trying to set up a reverse proxy with WS support, but I'm getting 403 (Forbidden). I'm confused why it happens, because everything works as expected without the proxy. My config is here:
server {
    root /var/www/html8080;
    server_name game.memoux.com; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/game.memoux.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/game.memoux.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        # redirect all HTTP traffic to localhost:8080
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket support (nginx 1.4)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
If I try to reach it over https (https://game.memoux.com/), the websocket does not work.
But if I try to reach it via http://game.memoux.com:8080, everything works properly. That means something is wrong with my config, and not with the application behind the proxy.
nginx error log from 05-11-2023
2023/11/05 01:46:15 [crit] 705581#705581: *2917 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 167.172.240.54, server: 0.0.0.0:443
2023/11/05 02:14:22 [error] 705581#705581: *2937 connect() failed (111: Connection refused) while connecting to upstream, client: 36.99.136.129, server: memoux.com, request: "GET / HTTP/1.1", upstream: "http://[::1]:3000/", host: "memoux.com"
2023/11/05 02:14:36 [error] 705581#705581: *2975 connect() failed (111: Connection refused) while connecting to upstream, client: 146.70.192.180, server: memoux.com, request: "GET /_next/static/chunks/framework-2c79e2a64abdb08b.js HTTP/1.1", upstream: >
2023/11/05 04:13:33 [crit] 705581#705581: *3022 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 65.49.1.17, server: 0.0.0.0:443
2023/11/05 06:51:34 [crit] 705581#705581: *3087 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 212.102.40.218, server: 0.0.0.0:443
2023/11/05 07:10:27 [crit] 705581#705581: *3110 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 68.183.200.199, server: 0.0.0.0:443
2023/11/05 07:44:42 [crit] 705581#705581: *3136 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 104.131.184.235, server: 0.0.0.0:443
2023/11/05 07:47:26 [crit] 705581#705581: *3147 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 35.216.204.22, server: 0.0.0.0:443
2023/11/05 08:25:08 [error] 705581#705581: *3177 connect() failed (111: Connection refused) while connecting to upstream, client: 3.249.231.245, server: memoux.com, request: "GET / HTTP/1.0", upstream: "http://[::1]:3000/", host: "memoux.com"
2023/11/05 11:02:06 [crit] 705581#705581: *3217 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 87.236.176.112, server: 0.0.0.0:443
2 Answers
It was an application-server misconfiguration. It complained about CORS policies. Spring Security CORS config is not related to the websocket config (at least for me). I was able to find it only after I turned the logs into debug mode; otherwise that error message was not shown by the framework.
You should try to change your 'proxy_set_header Connection "upgrade";'.
I don’t think "upgrade" is the correct value for Connection.
Add
to server or http block and then
in your location block.
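The following is an added example, not the poster's or the answerer's configuration: it applies the map-based Connection header idiom from the nginx WebSocket proxying documentation to the server block in the question. Hostnames, certificate paths and the upstream port come from the question; the only assumption is a plain HTTP/WebSocket application listening on localhost:8080.

```nginx
# Derive the Connection header from the client's Upgrade header:
# "upgrade" only for WebSocket handshakes, "close" for ordinary requests.
# This block belongs in the http context (outside any server block).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name game.memoux.com;
    root /var/www/html8080;

    ssl_certificate     /etc/letsencrypt/live/game.memoux.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/game.memoux.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://localhost:8080;

        # WebSocket needs HTTP/1.1 and both hop-by-hop headers forwarded;
        # by default nginx sends "Connection: close" to the upstream.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Tell the application which public host and scheme the client used,
        # so origin/CORS checks behind the proxy see the https name, not
        # localhost:8080.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Caveat: proxy_read_timeout defaults to 60s, so an idle WebSocket
        # with no application-level pings is closed by nginx after a minute.
        proxy_read_timeout 3600s;
    }
}
```

Validate with `nginx -t` before reloading, then watch the error log while a browser opens the socket. A 403 on the handshake is generated by the upstream application, not by nginx, so when the headers above are in place the next thing to check is the application's own origin/CORS policy against the exact https origin (as the accepted answer found); allow that specific origin rather than disabling the check.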