https and http2 NGINX config for socket.io

June 1, 2017 10.2k views
Nginx Node.js Ubuntu 16.04
MakiJS
By:
MakiJS

I have node.js app which is served by NGINX. I can’t connect socket.io. I got 404 for POST request for establising socket connection.

It’s working locally, so it must be an NGINX problem.

# HTTP - redirect all requests to HTTPS:
  server {
     listen 80;
     listen [::]:80;
     return 301 https://$host$request_uri;
  }
  # HTTPS - proxy requests on to local Node.js app:
  server {
     listen 443 ssl http2;
     server_name example.com;
     ssl on;
     ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
     ssl_session_timeout 5m;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_prefer_server_ciphers on;
     ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
     location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:8080;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
     }
}

Thanks for any help.

Log In to Comment
5 Answers
kamaln7 MOD June 1, 2017

Try adding the Connection and Upgrade headers as described in the NGINX docs:

     location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://127.0.0.1:8080;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
     }

along with the following inside the http {} block and outside server {} (you can just add it at the top of your virtual host config above the server { line):

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

Make sure to restart nginx so that the changes take effect. Does that help?

Reply
jtittle1 June 1, 2017

@MakiJS

Let’s run a test, replace your location / {} block with this one:

location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_buffers 16 32k;
    proxy_buffer_size 64k;
    proxy_busy_buffers_size 128k;
    proxy_cache_bypass $http_pragma $http_authorization;
    proxy_connect_timeout 59s;
    proxy_hide_header X-Powered-By;
    proxy_http_version 1.1;
    proxy_ignore_headers Cache-Control Expires;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
    proxy_no_cache $http_pragma $http_authorization;
    proxy_pass_header Set-Cookie;
    proxy_read_timeout 600;
    proxy_redirect off;
    proxy_send_timeout 600;
    proxy_temp_file_write_size 64k;
    proxy_set_header Accept-Encoding '';
    proxy_set_header Cookie $http_cookie;
    proxy_set_header Host $host;
    proxy_set_header Proxy '';
    proxy_set_header Referer $http_referer;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Original-Request $request_uri;
}

It’s a bit more detailed, but it’ll definitely tell us whether or not the issue is with NGINX or the app. If the above doesn’t work, there’s an issue somewhere in the app. If it does work, then we shouldn’t need to do anything else :-).

I would, however, recommend replacing:

     ssl on;
     ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
     ssl_session_timeout 5m;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_prefer_server_ciphers on;
     ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

with:

    ssl on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_tickets off;
    ssl_session_timeout 5m;

It too is a little more detailed, but worth making the change to ensure specifics are added.

Once you’re done making changes, restart NGINX and test the connection.

Reply
jtittle1 June 1, 2017

@MakiJS

Is your socket.io application listening on 127.0.0.1 and port 8080? If so, please run:

tail -20 /var/log/nginx/error.log

and post the output to a code block as you did with your server block. If it’s not, you’ll need to make sure the application is listening on that IP and port, otherwise it won’t work.

Reply
MakiJS June 1, 2017

@jtittle
Thank you for taking the time.

Yes, my app is listening on that port.

It look’s like the output is blank in error log nothing is reffering to socket connection.

Here is the client request response.
https://snag.gy/GUM2s5.jpg

Reply
MakiJS June 2, 2017

@kamaln7
I try to add the first block and it seem’s nothing changed, but can you please be more specific with the second one.

@jtittle
I replace config with the following and again nothing changes.

Thanks guys for taking the time.

Reply
  • kamaln7 MOD June 2, 2017

    Sorry, that might not have been super clear. Just place the second block at the very top of your vhost config, above the # HTTP - redirect all requests to HTTPS line.

Have another answer? Share your knowledge.

Related Questions