Has anyone tried to set up SSL on nginx working over cb app working with websocket?


Mert Öztürk

Apr 21, 2015, 5:51:46 PM
to chica...@googlegroups.com
Hello,

I set up my cb app under nginx on a vps. It is working fine with the path I followed from here: https://github.com/ChicagoBoss/ChicagoBoss/wiki/Deploy
Now I am trying to set up ssl on nginx and establish the websocket handshake with the cb app.
My nginx default file looks like below:

server {
        listen 80 default;
        listen [::]:80 default_server ipv6only=on;

        listen 443 ssl;

        root /usr/share/nginx/html;
        index index.html index.htm;

        # Make site accessible from http://localhost/
        server_name localhost;

        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        location / {
                proxy_redirect         off;
                proxy_set_header       Host               $host;
                proxy_set_header       X-Real-IP          $remote_addr;
                proxy_set_header       X-Forwarded-For    $proxy_add_x_forwarded_for;
        }
}

When I start the application it gives me the error below:
[blocked] The page at 'https://localhost/' was loaded over HTTPS, but ran insecure content from 'ws://localhost:8001/websocket/ask_service': this content should also be loaded over HTTPS.
ask_something.js:53 Uncaught SecurityError: Failed to construct 'WebSocket': An insecure WebSocket connection may not be initiated from a page loaded over HTTPS.

Then I changed the line in the js file from: wsHost = "ws://localhost:8001/websocket/myWebsocket"   to    wsHost = "wss://localhost:8001/websocket/myWebsocket"

After this change, the error message became this:
WebSocket connection to 'wss://localhost:8001/websocket/ask_service' failed: Error in connection establishment: net::ERR_CONNECTION_CLOSED

(Also when I change {ssl_enable, true} in boss.config, the app crashes. My app is working with cowboy)

Is there anyone who implemented ssl with a cb app working with websocket before?


Thanks
Mert

Jesse Gumm

Apr 21, 2015, 5:58:23 PM
to chica...@googlegroups.com
The problem here is that you're trying to establish an insecure
websocket connection from a secure page - the browser won't like it,
and then your :8001 connection is not a secured connection.

You're much better off here using nginx to proxy the websocket
connection. If you modify your "location /" rule to add the following
lines:

proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

This *should* allow the websocket connection to succeed with nginx proxying it.

-Jesse



--
Jesse Gumm
Owner, Sigma Star Systems
414.940.4866 || sigma-star.com || @jessegumm

Mert Öztürk

Apr 21, 2015, 6:14:27 PM
to chica...@googlegroups.com
Thanks for your quick answer Jesse, but I got the following error:

01:12:59.517 [error] Error in process <0.332.0> on node 'asksomething@mert-VirtualBox' with exit value: {function_clause,[{cowboy_protocol,parse_method,[<<0 bytes>>,{state,#Port<0.21796>,ranch_tcp,[cowboy_router,cowboy_handler],false,[{listener,boss_http_listener},{dispatch,[{'_',[],[{[<<6 bytes>>,'...'],[],cowboy_static,{priv_dir,asksomething,"stat... 


01:12:59.517 [error] Ranch listener boss_http_listener had connection process started with cowboy_protocol:start_link/4 at <0.332.0> exit with reason: {function_clause,[{cowboy_protocol,parse_method,[<<>>,{state,#Port<0.21796>,ranch_tcp,[cowboy_router,cowboy_handler],false,[{listener,boss_http_listener},{dispatch,[{'_',[],[{[<<"static">>,'...'],[],cowboy_static,{priv_dir,asksomething,"static",[{mimetypes,cow_mimetypes,all}]}},{'_',[],boss_mochicow_handler,[{loop,{boss_mochicow_handler,loop,[boss_router]}}]}]}]}],undefined,undefined,5,1,100,4096,64,4096,100,5000,1429654384516},<<22,3,0,0,63,1,0,0,59,3,0,152,18,167,190,88,63,47,160,44,156,120,240,152,9,65,24,101,186,210,223,65,176,97,215,88,2,120,66,207,77,230,223,0,0,20,0,255,86,0,0,51,0,50,0,57,0,47,0,53,0,10,0,5,0,4,1,0>>],[{file,"src/cowboy_protocol.erl"},{line,168}]}]}

Mert

On Wednesday, April 22, 2015 at 00:58:23 UTC+3, Jesse Gumm wrote:
Message has been deleted
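
Added example, not part of the original thread: the binary at the end of the crash report above begins 22,3,0, which is a TLS handshake record header, so the plain-HTTP cowboy listener on 8001 was handed a TLS ClientHello instead of an HTTP request line. The sketch below classifies a connection's first bytes that way; the function name and the shape of its result are made up for this illustration.

```javascript
// Added illustration; classifyFirstBytes and its result shape are hypothetical.
// FIRST_BYTES is copied from the start of the binary in the crash log above.
const FIRST_BYTES = Uint8Array.from([22, 3, 0, 0, 63, 1, 0, 0, 59, 3, 0]);

const HTTP_METHODS = [
  "GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT", "TRACE",
];

function classifyFirstBytes(bytes) {
  if (bytes.length < 6) {
    return { kind: "unknown", reason: "too short" };
  }
  // TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
  // Content type 22 is "handshake"; the next byte is the handshake message type.
  if (bytes[0] === 22 && bytes[1] === 3) {
    return {
      kind: "tls",
      recordVersion: `${bytes[1]}.${bytes[2]}`,
      recordLength: (bytes[3] << 8) | bytes[4],
      clientHello: bytes[5] === 1, // handshake type 1 = ClientHello
    };
  }
  // A plain HTTP/1.x request starts with an ASCII method followed by a space.
  const text = String.fromCharCode(...bytes.slice(0, 8));
  const method = HTTP_METHODS.find((m) => text.startsWith(m + " "));
  if (method) {
    return { kind: "http", method };
  }
  return { kind: "unknown", reason: "neither TLS nor an HTTP request line" };
}

// What the listener on 8001 received when the browser opened wss://localhost:8001/...
console.log(classifyFirstBytes(FIRST_BYTES));

// Constructed sample: what it expects to receive from nginx's proxy_pass.
const PROXIED = new TextEncoder().encode("GET /websocket/ask_service HTTP/1.1\r\n");
console.log(classifyFirstBytes(PROXIED));
```
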

Mert Öztürk

Apr 21, 2015, 6:23:00 PM
to chica...@googlegroups.com
Final default looks like this above but nginx is not restarting like this;

        location / {

               proxy_pass http://127.0.0.1:8001;
               proxy_redirect          off;
               proxy_set_header        Host            $host;
               proxy_set_header        X-Real-IP       $remote_addr;
               proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

               proxy_http_version 1.1;
               proxy_set_header X-Forwarded-For $remote_addr;
               proxy_set_header Upgrade $http_upgrade;
               proxy_set_header Connection "upgrade";
        }

Mert

On Wednesday, April 22, 2015 at 00:51:46 UTC+3, Mert Öztürk wrote:

Jesse Gumm

Apr 21, 2015, 6:29:57 PM
to chica...@googlegroups.com
What does the nginx log file say when it fails? It should have some
entry about why it's not restarting it.

Jesse Gumm

Apr 21, 2015, 6:30:54 PM
to chica...@googlegroups.com
Maybe it just doesn't like having the X-Forwarded-For header being set
twice, you could remove one of them and see if that makes a
difference.

Mert Öztürk

Apr 21, 2015, 6:32:55 PM
to chica...@googlegroups.com
Sorry. Here it is;

nginx: [emerg] could not build the proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64

On Wednesday, April 22, 2015 at 01:30:54 UTC+3, Jesse Gumm wrote:

Jesse Gumm

Apr 21, 2015, 6:34:39 PM
to chica...@googlegroups.com
Interesting, I'm not familiar with those errors, so I'd just google
around to see what that means exactly.

-Jesse

Mert Öztürk

Apr 21, 2015, 6:40:50 PM
to chica...@googlegroups.com
I made the difference you said and nginx restarted without fail. This is the final modified location /

        location / {

               proxy_pass http://127.0.0.1:8001;
               proxy_redirect          off;
               proxy_set_header        Host            $host;
               proxy_set_header        X-Real-IP       $remote_addr;
               proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

               proxy_http_version 1.1;
               proxy_set_header Upgrade $http_upgrade;
               proxy_set_header Connection "upgrade";
        }

But unfortunately I get the same error in the browser again, as below :(

WebSocket connection to 'wss://localhost:8001/websocket/ask_service' failed: Error in connection establishment: net::ERR_CONNECTION_CLOSED


Mert

On Wednesday, April 22, 2015 at 01:34:39 UTC+3, Jesse Gumm wrote:

Jesse Gumm

Apr 21, 2015, 6:43:05 PM
to chica...@googlegroups.com

Oh you're going to want to remove the :8001 from the wss:// request. Since you're proxying the connection, you can use the default wss:// port.
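
Added example, not from the thread participants: the three socket URLs tried in this thread checked against the page URL, plus a helper that derives the socket URL from the page so the scheme and port follow it. It assumes, as in the thread, that nginx terminates TLS on the page's origin and the backend on 8001 speaks plain HTTP; the function names and problem labels are made up for this illustration.

```javascript
// Added illustration; function names and problem labels are hypothetical.
// Assumption (from the thread): nginx terminates TLS on the page's origin and
// proxies to a plain-HTTP backend on 127.0.0.1:8001.

// Derive the socket URL from the page URL: https -> wss, http -> ws,
// same host and (non-default) port as the page.
function websocketUrlFor(pageUrl, path) {
  const page = new URL(pageUrl);
  const scheme = page.protocol === "https:" ? "wss:" : "ws:";
  return `${scheme}//${page.host}${path}`;
}

// Return the reasons a hard-coded socket URL will fail when opened from pageUrl.
function checkWebSocketTarget(pageUrl, wsUrl) {
  const page = new URL(pageUrl);
  const ws = new URL(wsUrl);
  const problems = [];
  if (page.protocol === "https:" && ws.protocol === "ws:") {
    // The browser refuses an insecure socket from a page loaded over HTTPS.
    problems.push("mixed-content");
  }
  // URL.host omits the scheme's default port, so "localhost" covers both
  // https://localhost/ and wss://localhost/, while "localhost:8001" differs.
  if (ws.host !== page.host) {
    // The socket would not pass through the TLS endpoint that served the page.
    problems.push("skips-page-origin");
  }
  return problems;
}

// The page and the socket URLs from the thread, in the order they were tried.
const PAGE = "https://localhost/";
const TRIED = [
  "ws://localhost:8001/websocket/ask_service",
  "wss://localhost:8001/websocket/ask_service",
  websocketUrlFor(PAGE, "/websocket/ask_service"),
];

for (const target of TRIED) {
  console.log(target, checkWebSocketTarget(PAGE, target));
}
```
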

Mert Öztürk

Apr 21, 2015, 6:53:29 PM
to chica...@googlegroups.com
Thanks Jesse. It worked.
I couldn't have done it for forever without your help :))

Mert

On Wednesday, April 22, 2015 at 01:43:05 UTC+3, Jesse Gumm wrote:

Jesse Gumm

Apr 21, 2015, 7:04:05 PM
to chica...@googlegroups.com

Exxxxxxxxxcelent!

Glad we were able to get it going!

-Jesse

Mert Öztürk

Apr 21, 2015, 7:11:41 PM
to chica...@googlegroups.com
Also I now see that the web socket connection drops after a small amount of time automatically. When I also add the following line;

proxy_read_timeout 86400;

It doesn't :) Well, I believe that ssl will bring more multiple issues. I will note here the ones I face up with.

Thanks again
Mert


On Wednesday, April 22, 2015 at 02:04:05 UTC+3, Jesse Gumm wrote:

Mert Öztürk

Apr 22, 2015, 7:14:19 AM
to chica...@googlegroups.com
Hello,

I set it up on my vps now. Everything works fine except production mode.
init-dev.sh works fine and connects to the websocket, but when I start cb in production mode, it does not connect to the websocket and also it doesn't give any error, so I can't track what the problem is.
I am sure that I've done rebar get-deps compile about 4-5 times, also with rebar clean. But I couldn't figure out what the problem is :(
Can there be any other issue with the SSL and production mode?

Thanks
Mert

On Wednesday, April 22, 2015 at 02:04:05 UTC+3, Jesse Gumm wrote:

Jesse Gumm

Apr 22, 2015, 1:46:43 PM
to chica...@googlegroups.com
Could try doing

./rebar boss c=compile

And see if that helps.

Mert Öztürk

Apr 22, 2015, 2:36:39 PM
to chica...@googlegroups.com
Thanks, but it didn't work. Is it possible for a cb app to connect to the websocket in dev mode and not in production although every file is compiled?
Is there any reason for this? I am curious whether I am doing something wrong.

Thanks
Mert

On Wednesday, April 22, 2015 at 20:46:43 UTC+3, Jesse Gumm wrote:

Mert Öztürk

Apr 22, 2015, 2:43:27 PM
to chica...@googlegroups.com
It is strange that after that compile I can't start in dev mode either, and I get the error in the attachment.

On Wednesday, April 22, 2015 at 20:46:43 UTC+3, Jesse Gumm wrote:
error.txt

Mert Öztürk

Apr 22, 2015, 4:38:06 PM
to chica...@googlegroups.com
I am actually checking the logs now. I tried with dev and also production.

PROD;

2015-04-22 23:29:06.864 [notice] <0.68.0>@lager_app:132 Deprecated lager_file_backend config detected, please consider updating it
2015-04-22 23:29:07.775 [info] <0.7.0> Application lager started on node 'asksomething@mert-VirtualBox'
2015-04-22 23:29:07.838 [info] <0.56.0> Starting Boss in production mode....

2015-04-22 23:29:07.860 [info] <0.56.0>@boss_db:start:77 Start Database Adapter boss_db_adapter_mock options [{adapter,mock},{cache_enable,false},{cache_prefix,db},{shards,[[{db_host,"localhost"},{db_adapter,mongodb},{db_port,27017},{db_write_mode,safe},{db_read_mode,master},{db_name,"ask_database"},{db_shard_id,asksomething},{db_shard_models,[saved_client]}],[{db_host,"localhost"},{db_adapter,mock},{db_port,1978},{db_write_mode,safe},{db_read_mode,master},{db_name,"ask_database2"},{db_shard_id,asksomething2},{db_shard_models,[ip_database]}]]},{is_master_node,true}]
2015-04-22 23:29:07.948 [info] <0.7.0> Application mongodb started on node 'asksomething@mert-VirtualBox'
2015-04-22 23:29:08.053 [info] <0.56.0> Starting master services on 'asksomething@mert-VirtualBox'

2015-04-22 23:29:08.071 [info] <0.7.0> Application tinymq started on node 'asksomething@mert-VirtualBox'
2015-04-22 23:29:08.142 [info] <0.56.0> SSL:[]

2015-04-22 23:29:08.144 [info] <0.56.0> Starting cowboy... on 'asksomething@mert-VirtualBox'

2015-04-22 23:29:08.159 [info] <0.7.0> Application cowlib started on node 'asksomething@mert-VirtualBox'
2015-04-22 23:29:08.175 [info] <0.7.0> Application ranch started on node 'asksomething@mert-VirtualBox'
2015-04-22 23:29:08.246 [info] <0.7.0> Application cowboy started on node 'asksomething@mert-VirtualBox'
2015-04-22 23:29:08.246 [info] <0.56.0> Starting http listener... on 0.0.0.0:8001 

2015-04-22 23:29:08.336 [notice] <0.56.0>@boss_compiler:compile:47 Compile file "../asksomething/priv/init/ask_something_01_news.erl" with options [{include_dirs,["/home/mert/Desktop/asksomething/asksomething/include"]}]


AND DEV;

2015-04-22 23:31:05.386 [notice] <0.63.0>@lager_app:132 Deprecated lager_file_backend config detected, please consider updating it
2015-04-22 23:31:06.036 [info] <0.7.0> Application lager started on node 'asksomething@mert-VirtualBox'
2015-04-22 23:31:06.076 [info] <0.7.0> Application crypto started on node 'asksomething@mert-VirtualBox'
2015-04-22 23:31:06.157 [info] <0.7.0> Application mimetypes started on node 'asksomething@mert-VirtualBox'
2015-04-22 23:31:06.240 [info] <0.95.0> Starting Boss in development mode....

2015-04-22 23:31:06.257 [info] <0.95.0>@boss_db:start:77 Start Database Adapter boss_db_adapter_mock options [{adapter,mock},{cache_enable,false},{cache_prefix,db},{shards,[[{db_host,"localhost"},{db_adapter,mongodb},{db_port,27017},{db_write_mode,safe},{db_read_mode,master},{db_name,"ask_database"},{db_shard_id,asksomething},{db_shard_models,[saved_client]}],[{db_host,"localhost"},{db_adapter,mock},{db_port,1978},{db_write_mode,safe},{db_read_mode,master},{db_name,"ask_database2"},{db_shard_id,asksomething2},{db_shard_models,[ip_database]}]]},{is_master_node,true}]
2015-04-22 23:31:06.355 [info] <0.7.0> Application mongodb started on node 'asksomething@mert-VirtualBox'
2015-04-22 23:31:06.512 [info] <0.95.0> Starting master services on 'asksomething@mert-VirtualBox'

2015-04-22 23:31:06.544 [info] <0.7.0> Application tinymq started on node 'asksomething@mert-VirtualBox'
2015-04-22 23:31:06.638 [info] <0.95.0> SSL:[]

2015-04-22 23:31:06.640 [info] <0.95.0> Starting cowboy... on 'asksomething@mert-VirtualBox'

2015-04-22 23:31:06.657 [info] <0.7.0> Application cowlib started on node 'asksomething@mert-VirtualBox'
2015-04-22 23:31:06.684 [info] <0.7.0> Application ranch started on node 'asksomething@mert-VirtualBox'
2015-04-22 23:31:06.762 [info] <0.7.0> Application cowboy started on node 'asksomething@mert-VirtualBox'
2015-04-22 23:31:06.762 [info] <0.95.0> Starting http listener... on 0.0.0.0:8001 

2015-04-22 23:31:06.863 [info] <0.95.0>@boss_load:load_all_modules:57 Loading application asksomething
2015-04-22 23:31:06.893 [notice] <0.95.0>@boss_compiler:compile:47 Compile file "/home/mert/Desktop/asksomething/asksomething/src/websocket/asksomething_ask_service_websocket.erl" with options [{out_dir,undefined},{include_dirs,["/home/mert/Desktop/asksomething/asksomething/include"]},{compiler_options,[{parse_transform,lager_transform},return_errors]}] 
2015-04-22 23:31:14.791 [info] <0.95.0>@boss_load:compile_view_dir_erlydtl:308 Compile Modules "src/view/lib/tag_html"  asksomething_view_lib_tags
2015-04-22 23:31:15.076 [warning] <0.6.0> lager_error_logger_h dropped 19 messages in the last second that exceeded the limit of 50 messages/sec
2015-04-22 23:31:15.077 [notice] <0.95.0>@boss_compiler:compile:47 Compile file "/home/mert/Desktop/asksomething/asksomething/priv/init/ask_something_01_news.erl" with options [{include_dirs,["/home/mert/Desktop/asksomething/asksomething/include"]}]

Now I realized that production mode does not compile the websocket. (I am not sure, but there are no websocket compile lines on prod.)
The strange thing is, in production mode when I run init.sh stop I can see from my app in the browser that the connection is down. It works fine in dev but there isn't any action in production mode. And also there are no errors :(

Can you please check?

Thanks for the support
Mert

On Wednesday, April 22, 2015 at 20:46:43 UTC+3, Jesse Gumm wrote:

chan sisowath

Apr 22, 2015, 10:27:49 PM
to chica...@googlegroups.com
This is one of the problems of the actual compile scheme: in dev mode no beams are generated, it compiles and loads in memory.
In prod you need to compile your app before starting it.

You may try this branch I made earlier this year to fix many problems of the compile scheme.

https://github.com/mihawk/ChicagoBoss/tree/new_compile_scheme

chan.




Mert Öztürk

Apr 23, 2015, 4:18:18 AM
to chica...@googlegroups.com
Hello Chan,

I cloned it and ran make.
Then I recompiled again (./rebar get-deps compile)
But it didn't work again. The worst thing is that it doesn't show any errors to track. It just doesn't compile the websocket in production mode but compiles and works great in dev :(

Thanks
Mert

On Thursday, April 23, 2015 at 05:27:49 UTC+3, mihawk wrote:

Mert Öztürk

Apr 23, 2015, 5:45:05 AM
to chica...@googlegroups.com
Hello,

Thanks for all your support.
I solved my problem.

Thanks
Mert

On Thursday, April 23, 2015 at 11:18:18 UTC+3, Mert Öztürk wrote:

Kai Janson

Apr 23, 2015, 12:58:58 PM
to chica...@googlegroups.com
Hi Mert,

How did you solve it?

--Kai

Sent from my iPhone

chan sisowath

Apr 23, 2015, 10:41:08 PM
to chica...@googlegroups.com
forgot to say:

 if you are using my branch
https://github.com/mihawk/ChicagoBoss/tree/new_compile_scheme


This branch allows compilation like n2o does and fixes many problems of the actual compilation scheme: sometimes the compilation doesn't compile, stops ... and many other problems ... In order to use it you need to install, on Ubuntu:

sudo apt-get install inotify-tools

for other system: mac or windows check this link
https://github.com/synrc/fs

Also, I am not maintaining this branch anymore. I can push to upstream if people want me to; IMHO it is quite stable for me.








Mert Öztürk

Apr 27, 2015, 3:52:48 PM
to chica...@googlegroups.com
Hello Kai,

Sorry for the late response.
I made a common mistake by writing the websocket module name wrong relative to the title of the websocket file. That's why it was not compiling the file.

Thanks
Mert

On Thursday, April 23, 2015 at 19:58:58 UTC+3, Kai Janson wrote:
...

Mert Öztürk

Apr 27, 2015, 3:54:38 PM
to chica...@googlegroups.com
Thanks, it was my mistake about the compiling problem.
The module name and the title of the erl file did not match, which caused the websocket not to compile.

On Friday, April 24, 2015 at 05:41:08 UTC+3, mihawk wrote: