Can connect via WebApp using DomainName, but, only through IP Address:port elsewhere


#1

Hello!

I’ve installed Rocket.Chat via Ubuntu Snap on a Vultr VPS running Ubuntu 16.04.
I’ve configured nginx according to the Rocket.Chat Documentation pages, and have the following setup:

NGINX

# Upstreams

upstream backend {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name chat.url;

    error_log /var/log/nginx/rocketchat_error.log;

    ssl_certificate /etc/letsencrypt/live/chat.url/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/chat.url/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    location / {
        proxy_pass http://backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }

    location /api {
        set_real_ip_from 173.245.48.0/20;
        set_real_ip_from 103.21.244.0/22;
        set_real_ip_from 103.22.200.0/22;
        set_real_ip_from 103.31.4.0/22;
        set_real_ip_from 104.16.0.0/12;
        set_real_ip_from 108.162.192.0/18;
        set_real_ip_from 131.0.72.0/22;
        set_real_ip_from 141.101.64.0/18;
        set_real_ip_from 162.158.0.0/15;
        set_real_ip_from 172.64.0.0/13;
        set_real_ip_from 173.245.48.0/20;
        set_real_ip_from 188.114.96.0/20;
        set_real_ip_from 190.93.240.0/20;
        set_real_ip_from 197.234.240.0/22;
        set_real_ip_from 198.41.128.0/17;
        set_real_ip_from 2400:cb00::/32;
        set_real_ip_from 2606:4700::/32;
        set_real_ip_from 2803:f800::/32;
        set_real_ip_from 2405:b500::/32;
        set_real_ip_from 2405:8100::/32;
        set_real_ip_from 2c0f:f248::/32;
        set_real_ip_from 2a06:98c0::/29;

        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $remote_addr;

        real_ip_header X-Forwarded-For;

        client_max_body_size 100M;
    }
}

server {
    if ($host = chat.url) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name chat.url;
    return 404; # managed by Certbot
}

I am able to access the RC server by visiting chat.url in any browser and it will load (mostly) correctly, but when attempting to visit using the desktop or mobile apps, nothing will load unless I put the server’s external IP address and port as the destination.

In addition to NGINX, I have UFW set up as well, with ports 22, NGINX Full, and 3000/TCP allowed, and have tried various versions of that setup as well, opening the firewall completely, or completely turning it off. Nothing seemed to change the outcome.

Lastly, I have everything for this server’s routing being passed through CloudFlare, with this particular subdomain already routed through an A record to the server’s static external address. I assumed this is where my issue would lie, but, I’ve played with just about every toggle I could think of on there, and didn’t see any change whatsoever.

More maybe pertinent info:
{"version":"0.62.2","success":true} (Had to be gotten through the IP Address:port in a browser)

Log Details

I20180331-22:29:48.551(0) ➔ +---------------------------------------------------+
I20180331-22:29:48.552(0) ➔ | SERVER RUNNING |
I20180331-22:29:48.558(0) ➔ +---------------------------------------------------+
I20180331-22:29:48.559(0) ➔ | |
I20180331-22:29:48.560(0) ➔ | Rocket.Chat Version: 0.62.2 |
I20180331-22:29:48.561(0) ➔ | NodeJS Version: 8.8.1 - x64 |
I20180331-22:29:48.562(0) ➔ | Platform: linux |
I20180331-22:29:48.570(0) ➔ | Process Port: 3000 |
I20180331-22:29:48.571(0) ➔ | Site URL: https://chat.url |
I20180331-22:29:48.574(0) ➔ | ReplicaSet OpLog: Enabled |
I20180331-22:29:48.575(0) ➔ | Commit Hash: 07f0e3f77c |
I20180331-22:29:48.578(0) ➔ | Commit Branch: HEAD |
I20180331-22:29:48.579(0) ➔ | |
I20180331-22:29:48.582(0) ➔ +---------------------------------------------------+

Please feel free to ask for any other information I can provide to help with getting this last bit of initial setup done, and thank you very much for looking!

-Omni


#2

Just to make sure I understand your setup is:

  1. Cloudflare
  2. Nginx on your server
  3. Snap install on Vultr

My first guess would be websockets not being proxied through by cloudflare…

But then I saw this section:

You're proxying /api to a different address? Rocket.Chat serves that path also. Mobile apps also hit /api/info to see if the app is the right version needed to be compatible with the application.
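
Added example (not part of the original post, and not Rocket.Chat or nginx code): a small Python model of nginx's longest-prefix location selection, applied to the first config above and to a variant with one server block per hostname, showing which backend receives /api/info. The dictionaries are constructed from the thread's configs; /api/v1/login and /websocket are sample paths chosen for contrast, and the model covers plain prefix locations only.

```python
# Added illustration: models nginx's plain-prefix location selection only
# (no "=", "^~" or regex locations, which neither config in this thread uses).

# Constructed from the thread's configs: server_name -> {location prefix: proxy_pass target}
FIRST_CONFIG = {
    "chat.url": {"/": "127.0.0.1:3000", "/api": "localhost:5000"},
}
SPLIT_CONFIG = {  # one server block per hostname
    "chat.url": {"/": "127.0.0.1:3000"},
    "api.url": {"/": "localhost:5000"},
}

# /api/info is named in the thread; the other paths are constructed samples.
SAMPLE_PATHS = ["/", "/api/info", "/api/v1/login", "/websocket"]

ROCKETCHAT = "127.0.0.1:3000"  # the upstream "backend" in the configs


def route(config, host, path):
    """Return the proxy_pass target chosen for host+path, or None if nothing matches."""
    locations = config.get(host)
    if locations is None:
        # Unknown host: the model stops here (real nginx falls back to its default server).
        return None
    matches = [prefix for prefix in locations if path.startswith(prefix)]
    if not matches:
        return None
    # Among plain prefix locations, the longest matching prefix wins.
    return locations[max(matches, key=len)]


def misrouted_paths(config, host, expected, paths):
    """Paths requested on `host` that do not reach the expected backend."""
    return [p for p in paths if route(config, host, p) != expected]


if __name__ == "__main__":
    for name, cfg in (("first", FIRST_CONFIG), ("split", SPLIT_CONFIG)):
        for p in SAMPLE_PATHS:
            print(f"{name:5} chat.url{p:15} -> {route(cfg, 'chat.url', p)}")
        print(name, "misrouted:", misrouted_paths(cfg, "chat.url", ROCKETCHAT, SAMPLE_PATHS))
```
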


#3

Thank you for the reply @aaron.ogle!

I’ll bet I misunderstood the function of location in nginx…

I currently have two apps running on this nginx service, the first being the RC chat server, and the second being a .netCore webapp, running off of port 5000. The netCore webapp is being served through CloudFlare at api.url to the same server IP I’d like the chat to be running off of as well. I’ve had the API app running for a good, long while, but when I pulled in the RC server into the config is when I started having issues, with one, the other, or both, depending on how I had nginx or CloudFlare set up.

As a side note, I have tried setting nginx up to where both are separate servers, with server names correlating to the url (api.url or chat.url) with no love. I have also completely copied the nginx configuration to another Vultr instance, and it worked beautifully after I got a new cert signed and implemented under a different subdomain (support.url, in this case, as that is what the chat will be used for in the end).

So, what I have is:

  1. CloudFlare
  2. nginx on the server with
    a. RC Chat served off :3000
      i. Installed via snap on a Vultr instance - Ver. 0.62.2
    b. .netCore App served off :5000
  3. An apparent misunderstanding on how to route the traffic through nginx for both those apps.

Sorry for the confusion!


#4

Might do something like /appname for your .netCore App and adjust in cloudflare to look there instead of /api

Once all routes for Rocket.Chat reach actual rocket.chat then we should be able to get a better picture.


#5

So, I had someone else take a looksee at my nginx configuration, and after playing with it came up with the following config.

nginx config

# Upstreams

upstream backend {
    server 127.0.0.1:3000;
}

server {
    listen 80;
    server_name chat.url;

    error_log /var/log/nginx/rocketchat_error.log;
    access_log /var/log/nginx/rocketchat_access.log;

    ssl_certificate /etc/letsencrypt/live/chat.url/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/chat.url/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    location / {
        proxy_pass http://backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }
}

server {
    listen 80;
    server_name api.url;

    location / {
        set_real_ip_from 173.245.48.0/20;
        set_real_ip_from 103.21.244.0/22;
        set_real_ip_from 103.22.200.0/22;
        set_real_ip_from 103.31.4.0/22;
        set_real_ip_from 104.16.0.0/12;
        set_real_ip_from 108.162.192.0/18;
        set_real_ip_from 131.0.72.0/22;
        set_real_ip_from 141.101.64.0/18;
        set_real_ip_from 162.158.0.0/15;
        set_real_ip_from 172.64.0.0/13;
        set_real_ip_from 173.245.48.0/20;
        set_real_ip_from 188.114.96.0/20;
        set_real_ip_from 190.93.240.0/20;
        set_real_ip_from 197.234.240.0/22;
        set_real_ip_from 198.41.128.0/17;
        set_real_ip_from 2400:cb00::/32;
        set_real_ip_from 2606:4700::/32;
        set_real_ip_from 2803:f800::/32;
        set_real_ip_from 2405:b500::/32;
        set_real_ip_from 2405:8100::/32;
        set_real_ip_from 2c0f:f248::/32;
        set_real_ip_from 2a06:98c0::/29;

        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $remote_addr;

        real_ip_header X-Forwarded-For;

        client_max_body_size 100M;
    }
}

The difference between this and the one I had posted before is a split of virtual servers, which I had tried, and more importantly, setting the rocket.chat server up to use port 80 as opposed to port 443.

With this, I am able to connect to the server on all tested clients (not Apple, because I don’t have one) and it seems to be working properly from each of them.

Thank you for the replies @aaron.ogle, and I’m sure I’ll have more questions in the future as I continue to muck about with this.

Cheers!

-Omni


#6

Great to hear! If it works on Rocket.Chat+ on Android chances are it’ll work on iOS as well.


#7

The nginx config for the chat.url app in this post worked for me. Seems like listening on port 80 (vs 443) was the key. Thank you @omninweb and @arron.ogle. PS I am using a similar set-up - rocket.chat via snap on ubuntu 16.04 with cloudflare as CDN and ssl certs from Certbot / letsencrypt.