Can't get Rocket.Chat to run behind nginx reverse proxy

Description

Access to the Server thru the machine’s IP and default port (10.xx.xx.64:3000) works. However, when I open the URL from outside nginx reverse proxy the browser loads only the page name but nothing else (blank page).

Server Setup Information

  • Version of Rocket.Chat Server: 0.74.3
  • Operating System: Ubuntu 18.04.2
  • Deployment Method: snap
  • Number of Running Instances: 1
  • DB Replicaset Oplog:
  • NodeJS Version:
  • MongoDB Version:
  • Proxy: nginx
  • Firewalls involved: none

Even though I use my setup in LAN only, I want to have SSL, therefore I wanted to use nginx as a reverse proxy using a self-signed certificate. I set up nginx according to these instructions: https://rocket.chat/docs/installation/manual-installation/configuring-ssl-reverse-proxy/

According to these instructions: https://rocket.chat/docs/installation/manual-installation/ubuntu/snaps/#how-do-i-change-other-environmental-variables-in-my-snap I tried to set ROOT_URL to the new URL (http*s://10.xx.xx.64). I put a file with the line OVERWRITE_SETTING_ROOT_URL=https://10.xx.xx.64 in /var/snap/rocketchat-server/common

Somewhere I found a hint that an IP address as URL is not supported (which is bad for me because I want to have access thru VPN as well where no DNS is available), so I also tried with the machine's hostname as URL with the same result (http*s://hostname).

Can anyone assist how to troubleshoot this?

  • I had to put this * in there due to limitation of new forum users only allowed to post 2 links

First, what you want to do is non-trivial. As a result, what you need to do is a lot of reading on DNS, SSL, proxies and firewalls. Educating yourself will help a lot. The interwebs have a gazillion pages on this sort of stuff.

Is nginx on the same machine as Rocket or a different machine? Can the nginx machine be accessed from the internet in general?

Please post your nginx config file.

Firewalls involved: none

REALLY??

I want to have access thru VPN as well where no DNS is available

Exactly what do you mean??

nginx conf:

upstream backend {
	server 127.0.0.1:3000;
}


server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name srv-chat 10.8.189.64;
	location / {
		return 301 https://$server_addr$request_uri;
	}
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name srv-name 10.xx.xx.64;
	client_max_body_size 200M;  
	# Certificates used
	ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
	ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
  

	ssl_protocols TLSv1.2;
#	ssl_protocols TLSv1.1;	
	# Cipher suite from https://cipherli.st/
	# Max. security, but lower compatibility 
	ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
 
	# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
	#ssl_dhparam /etc/nginx/ssl/dhparams.pem;
  	ssl_dhparam /etc/nginx/dhparam.pem;

	ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
 
	# Server should determine the ciphers, not the client
	ssl_prefer_server_ciphers on;
  
	# OCSP Stapling
	# fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;
	
	
	# SSL session handling
	ssl_session_timeout 24h;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
 
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Robots-Tag none always;
	add_header X-Download-Options noopen always;
	add_header X-Permitted-Cross-Domain-Policies none always;
	add_header Referrer-Policy no-referrer always;
 
   
	location = / {
		proxy_pass http://backend/;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_set_header Host $http_host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forward-Proto http;
		proxy_set_header X-Nginx-Proxy true;
		proxy_redirect off;
	}
}

nginx is on the same machine. For now this is only a test setup and the whole machine cannot be reached from the internet. So yes, really no firewall for now.

Forget about the VPN thing because it is not in use here and not relevant for this issue.

try removing the trailing slash

I did now, with the same result

Are you able to telnet to the port you are trying to serve? If not, then your issue may be something else… i.e. software/OS firewall

The browser shows the page title, so a no-communication issue is not the case.

Use a much, much simpler nginx conf to start with.

Here’s my basic one for testing.

The problem is going to be your nginx conf and probably websockets. It’s always the same :(
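An added example, not part of the original thread and not Rocket.Chat's or nginx's own code: a small Python model of how nginx selects between `=` (exact) and prefix locations, run against an excerpt of the HTTPS server block posted above. The request paths are constructed samples of what a Meteor-based client asks for (assumed for illustration), and regex locations are not modelled. With the posted `location = /` only the request for `/` is handed to the backend, so the HTML shell and its title arrive while script and websocket requests are answered by nginx itself.

```python
import re

# Constructed excerpt of the HTTPS server block posted in the thread.
POSTED = """
server {
    listen 443 ssl http2;
    location = / {
        proxy_pass http://backend/;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
"""
# The same block with a prefix match instead of an exact match.
PREFIX = POSTED.replace("location = /", "location /")

# Constructed sample paths (assumed): page shell, websocket endpoints, a script bundle.
PATHS = ["/", "/sockjs/info", "/websocket", "/assets/app.js"]

LOCATION = re.compile(r"location\s+(=\s+)?(/\S*)\s*\{([^{}]*)\}")

def locations(conf):
    """Return (exact, uri, proxied) for each non-regex location block."""
    return [(bool(m.group(1)), m.group(2), "proxy_pass" in m.group(3))
            for m in LOCATION.finditer(conf)]

def is_proxied(conf, path):
    """nginx order: an exact '=' match wins, otherwise the longest matching prefix."""
    locs = locations(conf)
    for exact, uri, proxied in locs:
        if exact and path == uri:
            return proxied
    prefixes = [(uri, proxied) for exact, uri, proxied in locs
                if not exact and path.startswith(uri)]
    if not prefixes:
        return False  # no location matches: nginx answers itself, the backend never sees it
    return max(prefixes, key=lambda p: len(p[0]))[1]

def report(conf):
    """Map each sample path to whether it would reach the upstream."""
    return {p: is_proxied(conf, p) for p in PATHS}

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("prefix", PREFIX)):
        print(name, report(conf))
```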