[FAQ] Websockets not working due to misconfigured origins


  • Global Moderator

    This FAQ is applicable for the following situations:

    • You're receiving the following error in the Javascript console:
    WebSocket connection to 'wss://<site>/socket.io/?EIO=3&transport=websocket' failed:
    Error during WebSocket handshake: Unexpected response code: 400
    
    • The "Looks like your connection to NodeBB was lost, please wait while we try to reconnect." alert box and the spinner in the navbar consistently appear
    • You want your users to be able to access NodeBB from multiple subdomains on your site

    Background

    By default, NodeBB only allows websocket connections from the "url" value in config.json. This is because of what is called Cross-Site Websocket Hijacking. By restricting the origin at which sockets can connect, we prevent this attack from taking place.

    Diagnosis

    To make sure that your issue is in fact caused by an origin mismatch, try this:

    1. Stop the NodeBB server: ./nodebb stop
    2. Start NodeBB in dev mode: ./nodebb dev
    3. Visit your site, and see if the issue is resolved.
    4. Ctrl+C to exit dev mode

    If the issue disappeared when visiting your site running in dev mode, then your problem is in fact an origin mismatch. If not, it is likely something else, so look around or ask a question here on the forum.

    Solutions

    The easiest solution is to set the "url" value in config.json to exactly the URL at which you access your NodeBB forum. For instance, the configuration for this site is

    {
      "url": "https://community.nodebb.org",
      ...
    }
    

    If you want your forum to work from multiple origins (like www.yoursite.com and yoursite.com) the preferred option is to just redirect one to the other. For instance, redirect www.yoursite.com to yoursite.com within your reverse proxy.

    If you absolutely must have full access from multiple origins, you can configure the accepted origins directly. As documented here, you can add a socket.io:origins property to config.json.

    For example, to allow accessing the forum sockets from the main NodeBB site, nodebb.org, the following would be added to our config:

    {
      ...
      "socket.io": {
        "origins": "https://community.nodebb.org:* https://nodebb.org:*"
      }
    }
    

    Make sure your original site is included in the new origins property, and that you add :*, otherwise it's invalid.

    Still having issues?

    It's likely a reverse proxy configuration issue. Take a look at the proxy documentation for examples. If you still have issues, ask a question here on the forum.


Log in to reply
 

Suggested Topics

| |