Using nodebb with haproxy as a frontend

  • Hello,

    I am trying to set up nodebb with haproxy instead of nginx as frontend. Everything seems to be working; however, I am getting lots of 403s on /socket.io/ requests.

    ```
    frontend http-in
        mode http
        bind 0.0.0.0:80
        redirect scheme https code 301 if !{ ssl_fc }

    frontend https-in
        bind 0.0.0.0:443 ssl crt /etc/letsencrypt/live/test/test.pem
        http-response set-header strict-transport-security "max-age=31536000; includeSubDomains"
        http-response set-header Content-Security-Policy "default-src 'self' wss: https: *.startech-rd.tk/*; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://code.jquery.com; style-src 'self' 'unsafe-inline' https:; img-src 'self' https://casper.ghost.org/ https://www.gravatar.com/ data:; font-src 'self' https:"
        http-response set-header X-XSS-Protection "1; mode=block"
        http-response set-header X-Content-Type-Options "nosniff"
        http-response set-header Referrer-Policy "no-referrer"
        reqadd X-Forwarded-Proto:\ https
        acl is_websocket hdr(Upgrade) -i WebSocket
        acl is_websocket path_sub -i /socket.io/
        use_backend bk_ws if is_websocket
        acl acl_comments path_beg -i /comments
        use_backend comments if acl_comments

    backend comments
        mode         http
        balance      leastconn
        timeout      connect 1s
        timeout      server  600s
        timeout      queue   600s
        option redispatch
        retries 3
        acl is_woff capture.req.uri -m sub .woff
        acl is_ttf capture.req.uri -m sub .ttf
        acl is_eot capture.req.uri -m sub .eot
        http-response set-header Cache-Control public if is_eot or is_woff or is_ttf
        http-response set-header Expires -1 if is_eot or is_woff or is_ttf
        http-response set-header Pragma cache if is_eot or is_woff or is_ttf
        cookie nodebb insert indirect nocache secure

        server node1 10.160.125.81:4567 cookie nodebb_node1 check inter 1000 fastinter 500 rise 2 fall 1
        server node2 10.160.125.82:4567 cookie nodebb_node2 check inter 1000 fastinter 500 rise 2 fall 1

    backend bk_ws
        option redispatch
        balance roundrobin
        option forwardfor
        option httpclose
        server node1 10.160.125.81:4567 maxconn 30000 weight 10 cookie ws_node1 check
        server node2 10.160.125.82:4567 maxconn 30000 weight 10 cookie ws_node2 check
    ```

    I have tried to connect directly without haproxy and the websockets are connecting correctly. However, I've seen that when using haproxy the websocket protocol changed from wss to https.

    Any suggestions on how to fix this?

