
Disabled web socket behind Load Balancer

Hello everyone,

Yesterday I set up a Rocket.Chat instance on a VMware virtual machine installed on a dedicated server.
Rocket.Chat is installed on Ubuntu 20.04 LTS, and as the load balancer I am using Nginx Proxy Manager.
To forward traffic from ports other than 80/443 (TCP and UDP) directly to the Rocket VM (in the case of Rocket this is 3000), I am using firewall-cmd, and the rules for Rocket.Chat are as below (masquerade enabled):

	port=3000:proto=tcp:toport=3000:toaddr=192.168.200.8
	port=3000:proto=udp:toport=3000:toaddr=192.168.200.8

The web app is working fine and the desktop application also works fine, but the mobile app (on a Samsung A6 2018 and an iPhone 12 Pro Max) is not working, because I am getting an error:
**Ooops! Websocket is disabled for this server. Contact your server admin.**

Also, I am using nginx as web server, please find the config below:

```nginx
upstream rocket_backend {
  server 127.0.0.1:3000;
}

server {
    listen 80;
    server_name chat.it-party.xyz;
    access_log /var/log/nginx/rocketchat-access.log;
    error_log /var/log/nginx/rocketchat-error.log;

    location / {
        proxy_pass http://rocket_backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/chat.it-party.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/chat.it-party.xyz/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    if ($host = chat.it-party.xyz) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name chat.it-party.xyz;
    return 404;
}
```

Server Setup Information

  • Version of Rocket.Chat Server: 3.18
  • Operating System: Ubuntu 20.04
  • Deployment Method: manual using npm
  • Number of Running Instances: 1
  • DB Replicaset Oplog:
  • NodeJS Version: 12.22.4
  • MongoDB Version: 4.4.8
  • Proxy: Nginx
  • Firewalls involved: FirewallD

Hi.

You need to run https for mobile apps. http will not work.

You mention you are using nginx proxy manager but then say you are using “nginx as web server”.

So a little confused here.

I suggest you start by setting up a standard nginx web server correctly and forward 80 and 443 to it.

Really, do not allow direct access to 3000. In your example above I think it has bypassed your web proxy anyway.

Let us know how you get along.

Hi, thank you for the answer.
Let me explain nginx: the first Nginx instance is installed on the hypervisor with a public IPv4 address. I have created a NAT network on it so all VMs have access to the Internet. The role of this Nginx is load balancing (it works fine with i.e. a mail server and some other stuff). The second Nginx (routed by the Nginx LB) is holding Rocket.Chat on local IPv4 192.168.200.8.
I removed the 3000 forwarding.
Also, HTTPS is being forced at the level of the load balancer - HTTP requests are redirected to HTTPS requests immediately, so all traffic goes to 443 at any time.

I edited the nginx config to comply with HTTPS, as I think I made a mistake in the config (port 80 is no longer in use on the Rocket.Chat VM), but it still does not work:

```nginx
# Upstreams
upstream backend {
    server 127.0.0.1:3000;
}

# HTTPS Server
server {
    listen 443 ssl;
    server_name chat.it-party.xyz;

    client_max_body_size 200M;

    error_log /var/log/nginx/rocketchat.access.log;

    ssl_certificate /etc/letsencrypt/live/chat.it-party.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/chat.it-party.xyz/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE

    location / {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }
}
```

Adding /etc/systemd/system/rocketchat.service file:

```ini
[Unit]
Description=The Rocket.Chat server
After=network.target remote-fs.target nss-lookup.target nginx.service mongod.service
[Service]
ExecStart=/usr/local/bin/node /opt/Rocket.Chat/main.js
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=rocketchat
User=rocketchat
Environment=MONGO_URL=mongodb://localhost:27017/rocketchat?replicaSet=rs01 MONGO_OPLOG_URL=mongodb://localhost:27017/local?replicaSet=rs01 ROOT_URL=https://chat.it-party.xyz/ PORT=3000
[Install]
WantedBy=multi-user.target
```

I’m not 100% sure why but somewhere your websockets are probably getting mangled.

That means Rocket will work - albeit very slowly via XHR - but won’t run mobile apps.

Read here on testing Websockets right at the end:

Also try here.

https://www.websocket.org/echo.html