#StackBounty: #node.js #nginx #https #websocket Secure WebSocket Connection through nginx 1.10.3 and LetsEncrypt

Bounty: 500

Been ripping my hair out because I cannot find out why I cannot connect to my WebSocket server through HTTPS.

So, I have an Express 4 server running a Vue app. It uses the ws library from npm to connect to the WebSocket server. nginx is 1.10.3. I use Let's Encrypt to secure it.

When I go online, I get (in the console):

main.js:12 WebSocket connection to 'wss://play.mysite.com:8443/' failed: Error in connection establishment: net::ERR_CONNECTION_CLOSED

Line 12:

window.ws = new WebSocket(`${tls}://${window.location.hostname}:${port}`);

That is wss://play.mysite.com:8443. It is indeed on a subdomain.

Here is my nginx block:

server {

    root /var/www/play.mysite.com/;
    index index.html;

    access_log /var/log/wss-access-ssl.log;
    error_log /var/log/wss-error-ssl.log;

    server_name play.mysite.com www.play.mysite.com;

    location / {

        proxy_pass http://localhost:4000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }

    listen [::]:443 ssl ipv6only=on default_server; # managed by Certbot
    listen 443 ssl default_server; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/play.mysite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/play.mysite.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {

    if ($host = www.play.mysite.com) {
        return 301 https://$host$request_uri;
    }


    if ($host = play.mysite.com) {
        return 301 https://$host$request_uri;
    }


    listen 80;
    listen [::]:80;

    server_name play.mysite.com www.play.mysite.com;
    return 404;
}

As you see, we have the subdomain on https://play.mysite.com. My Express server always listens on port 4000 and my WebSocket server listens for wss on port 8443 in production.

When I view the /var/log/wss-error-ssl.log, I get:

2018/02/26 00:01:36 [error] 22894#22894: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 61.217.22.198, server: play.mysite.com, request: "GET /static/css/app.67b8cb3fda61e1e2deaa067e29b52040.css HTTP/1.1", upstream: "http://[::1]:4000/static/css/app.67b8cb3fda61e1e2deaa067e29b52040.css", host: "play.mysite.com", referrer: "https://play.mysite.com/

So, what exactly am I doing wrong?

The proxy_pass was set right. Listening on port 8443 for WebSocket on both client and server. What does this mean? Thank you.

Edit: and yes, I know port 8443 is running:

root@MySITE:/var/www/play.mysite.com# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:https                 *:*                     LISTEN
tcp        0      0 localhost:4000          *:*                     LISTEN
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp6       0      0 [::]:8443               [::]:*                  LISTEN
tcp6       0      0 [::]:https              [::]:*                  LISTEN
tcp6       0      0 [::]:http               [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
udp        0      0 *:bootpc                *:*
udp        0      0 45.76.1.234.vultr.c:ntp *:*
udp        0      0 localhost:ntp           *:*
udp        0      0 *:ntp                   *:*
udp6       0      0 2001:19f0:5:2b9c:54:ntp [::]:*
udp6       0      0 fe80::5400:1ff:fe61:ntp [::]:*
udp6       0      0 localhost:ntp           [::]:*
udp6       0      0 [::]:ntp                [::]:*
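Added example, not part of the question above and not code from the ws or nginx projects: a small Python probe that walks a ws:// or wss:// endpoint one hop at a time, the way the browser does, and reports for every address the hostname resolves to whether it died at the TCP connect, at the TLS handshake, or at the HTTP Upgrade. Two things in the posted output are worth checking with it. The error log shows nginx dialling the upstream as http://[::1]:4000 while netstat shows Express bound only to the IPv4 localhost:4000, so "localhost" in proxy_pass is being resolved to IPv6 first and refused there (proxy_pass http://127.0.0.1:4000 removes that ambiguity). And netstat shows 8443 bound directly by the WebSocket server, with no listen 8443 ssl in the nginx block, so the wss://play.mysite.com:8443 handshake never passes through nginx; if that ws server is not itself terminating TLS, the browser's ClientHello lands on a plaintext listener that closes the connection, which Chrome reports as ERR_CONNECTION_CLOSED. The block reproduces both failure modes offline against a constructed handshake-only plaintext server bound to 127.0.0.1; that server, the function names probe_websocket, start_plaintext_ws_server and stop_server, and the stage labels are assumptions made for this example.

```python
"""Walk a ws:// or wss:// endpoint hop by hop (DNS -> TCP -> TLS -> Upgrade) to find where it dies."""
import base64, hashlib, os, socket, ssl, threading

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

def ws_accept_key(client_key):
    """Sec-WebSocket-Accept a compliant server returns for a given Sec-WebSocket-Key."""
    return base64.b64encode(hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()).decode("ascii")

def parse_upgrade_response(raw, client_key):
    """A real upgrade needs status 101, 'Upgrade: websocket' and the matching accept key."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    ok = (status == 101 and headers.get("upgrade", "").lower() == "websocket"
          and headers.get("sec-websocket-accept") == ws_accept_key(client_key))
    return {"status": status, "ok": ok}

def _read_head(sock, limit=65536):
    """Read until the end of the HTTP headers, until the peer closes, or until we see TLS instead."""
    raw = b""
    while b"\r\n\r\n" not in raw and len(raw) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        raw += chunk
        if raw[:1] == b"\x16":  # 0x16 = TLS handshake record: the peer is talking TLS, not HTTP
            break
    return raw

def probe_websocket(host, port, use_tls, path="/", timeout=3.0, cafile=None):
    """Try every address the name resolves to (IPv4 and IPv6, as a browser or nginx would) and
    report, per address, the first stage that fails: 'tcp', 'tls' or 'websocket'."""
    results = []
    for family, socktype, proto, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        entry = {"address": sockaddr[0], "family": "IPv6" if family == socket.AF_INET6 else "IPv4"}
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            try:
                sock.connect(sockaddr)
            except OSError as exc:  # "Connection refused" here: nothing listens on this address
                entry.update(stage="tcp", ok=False, detail=str(exc))
                continue
            if use_tls:
                try:
                    sock = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=host)
                except OSError as exc:  # SSLError is an OSError; an EOF here = peer closed on our ClientHello
                    entry.update(stage="tls", ok=False, detail=str(exc))
                    continue
            key = base64.b64encode(os.urandom(16)).decode("ascii")  # 16 random bytes, as RFC 6455 requires
            request = (f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
                       f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n")
            try:
                sock.sendall(request.encode("ascii"))
                verdict = parse_upgrade_response(_read_head(sock), key)
                entry.update(stage="websocket", ok=verdict["ok"], detail=f"HTTP {verdict['status']}")
            except OSError as exc:
                entry.update(stage="websocket", ok=False, detail=str(exc))
        finally:
            sock.close()
            results.append(entry)
    return results

def start_plaintext_ws_server(host="127.0.0.1"):
    """Constructed stand-in for a plaintext ws server (handshake only) on IPv4 loopback; returns (socket, port).
    It answers a proper GET upgrade with 101 and drops anything else, a TLS ClientHello included."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener shut down
            with conn:
                conn.settimeout(2.0)
                try:
                    head = _read_head(conn, 8192).decode("latin-1", "replace")
                    key = next((l.split(":", 1)[1].strip() for l in head.split("\r\n")
                                if l.lower().startswith("sec-websocket-key:")), None)
                    if head.startswith("GET ") and key:
                        conn.sendall(("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
                                      f"Sec-WebSocket-Accept: {ws_accept_key(key)}\r\n\r\n").encode("ascii"))
                except OSError:
                    pass
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def stop_server(srv):
    """Shut the listener down so its port refuses connections (close() alone can leave accept() blocked)."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()
```

On the box itself, probe_websocket("localhost", 4000, use_tls=False) shows the same thing the nginx log does: the ::1 entry fails at "tcp" with connection refused while 127.0.0.1 succeeds, which is why the upstream should be written as 127.0.0.1 rather than localhost. From outside, probe_websocket("play.mysite.com", 8443, use_tls=True) tells the two 8443 stories apart: a failure at "tls" with an EOF or protocol-version error means a plaintext listener (put a listen 8443 ssl server block in front of it, or serve the socket from a path under the existing 443 block, and proxy to ws://127.0.0.1:8443), whereas a certificate error means TLS is there but the Let's Encrypt chain is not being presented for that port. Server-side loopback probes should be run on the host, since the sandbox here has no IPv6.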