400 and 522 errors since enabling SSL via Nginx proxy
-
Alternatively, my working configuration for clustering enabled + SSL:
# redirects http requests to https server { listen 80; # change this! server_name example.com; # change this! return 301 https://example.com$request_uri; } # create multiple instances for scaling upstream io_nodes { ip_hash; server 127.0.0.1:4567; server 127.0.0.1:4568; server 127.0.0.1:4569; } # the actual encrypted server server { listen 443 ssl spdy; # change this! server_name example.com; ssl on; # change this! ssl_certificate /etc/nginx/ssl/bundle.crt; #change this! ssl_certificate_key /etc/nginx/ssl/site.de.key; # enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # disables all weak ciphers ssl_ciphers 'AES128+EECDH:AES128+EDH'; ssl_prefer_server_ciphers on; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_redirect off; # Socket.io Support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; # watch out - no quotes! proxy_set_header Connection upgrade; gzip on; gzip_min_length 1000; gzip_proxied off; gzip_types text/plain application/xml application/x-javascript text/css application/json; location @nodebb { proxy_pass http://io_nodes; } location ~ ^/(images|language|sounds|templates|uploads|vendor|src\/modules|nodebb\.min\.js|stylesheet\.css|admin\.css) { # change this! root /var/www/nodebb/public/; try_files $uri $uri/ @nodebb; } location / { proxy_pass http://io_nodes; } } -
An issue with terminating SSL connections?
http://blog.mixu.net/2011/08/13/nginx-websockets-ssl-and-socket-io-deployment/ -
@KingCat , if you run
sudo nginx -t, what happens exactly? -
@julian said:
It's cloudflare. Keep using it, but disable acceleration. Websocket issues will be fixed.
I did what you suggested and it seems to have fixed the issue in chrome. However in safari it still happens. I'm gonna wait a while and see if maybe safari just has something weird cached (even though i cleared browser and dns cache).
-
So it's been a few days and i'm still getting the errors in safari. The errors don't show up in any other browser though.
If I had to guess, I'd say theres some kind of technology or protocol that safari doesn't support (maybe the wss:// protocol?) so the socket.io has to fallback to using http instead and that seems to be why the error happens. Totally a guess though.
If this is the best I can do I'm OK with that as 0.1% of my users are on safari and it's not a site-breaking bug either. I'll consider this closed unless anyone has anything else to try.
Also, not sure if it matters but I'm using a free StartSSL certificate. It's not a self-signed one and it gives the green lock in safari but just in case it matters for some reason.
-
By the way, I visited the link in the error messages in safari (https://forum.nzb.cat/socket.io/?EIO=3&transport=polling&t=1429031828694-10&sid=E7eEDbKPU53mKENvAAW3)
and got this:
{"code":1,"message":"Session ID unknown"}Not sure what this means for the cause of the 400/502 errors.
-
Welp, I solved it.
Turns out I had the wrong directory specified in nginx for static assets. It was pointing to a different install of nodebb. For some reason that caused issues with socket.io (and only with safari/opera for some reason).
Now, here's the weird thing. I only recently started using nginx to serve the assets. Recently as in like this morning. Before that I simply had a proxy pass setup and let nodebb serve the assets. I'm not sure what was causing the 400/502 errors then but I'm just glad their solved now.
I'm behind cloud flare ssl so I'm not sure if that's what's causing it (even though I disabled it completely for awhile and it still happened)
