cloudflare + nginx + uptime-kuma = wss broken

Hello there, as the title states my setup looks like this:

  • Cloudflare as DNS and proxy
  • Nginx as reverse proxy on my machine
  • uptime-kuma as a docker container (on 127.0.0.1:3001)

Since Cloudflare offers some kind of protection, I want to ensure everyone that visits my website connects through Cloudflare:

allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 172.64.0.0/13;
allow 131.0.72.0/22;
allow 104.16.0.0/13;
allow 104.24.0.0/14;

allow 192.168.0.0/16;
allow 172.16.0.0/16;
allow 10.0.0.0/8;

deny all;

However, if I proxy traffic through Cloudflare and apply these rules, I cannot use kuma.

I am not entirely sure if this is an issue with kuma. However, Cloudflare states that Websockets (with SSL) are 100% supported by them and I have had other applications running with Websockets before.

If I skip cloudflare and allow all connections, kuma works but my SSL certificate is broken, which is kinda ugly.

I am open to suggestions on how to improve my setup since I am not sure if this is an issue with kuma.

Errors I am getting with my configuration: [image] [image]

Response (no content): [image]

nginx access.log

[31/Jul/2021:21:27:29 +0200] "GET /socket.io/?EIO=4&transport=websocket HTTP/1.1" 400 45 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0"

my nginx config:

server {
    listen 443 ssl http2;

    ssl_certificate /etc/nginx/keys/origin.pem;
    ssl_certificate_key /etc/nginx/keys/private.key;

    server_name status.zaanposni.com;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://localhost:3001/;

        proxy_http_version 1.1;
        
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host "status.zaanposni.com";
        proxy_read_timeout 86400;
    }
}
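
How the posted allow/deny list is evaluated, as an added example that is not part of the original issue: nginx checks access rules in order and the first match decides, and behind Cloudflare the address being matched is the Cloudflare edge, not the visitor. The function names and the sample client addresses are constructed for illustration.

```python
import ipaddress
import re

# allow/deny rules as posted in the issue; order is significant.
RULES = """
allow 173.245.48.0/20; allow 103.21.244.0/22; allow 103.22.200.0/22;
allow 103.31.4.0/22; allow 141.101.64.0/18; allow 108.162.192.0/18;
allow 190.93.240.0/20; allow 188.114.96.0/20; allow 197.234.240.0/22;
allow 198.41.128.0/17; allow 162.158.0.0/15; allow 172.64.0.0/13;
allow 131.0.72.0/22; allow 104.16.0.0/13; allow 104.24.0.0/14;
allow 192.168.0.0/16; allow 172.16.0.0/16; allow 10.0.0.0/8;
deny all;
"""

def parse_rules(text):
    """Return [(action, network or None for 'all'), ...] in file order."""
    rules = []
    for action, target in re.findall(r"\b(allow|deny)\s+([^;\s]+)\s*;", text):
        net = None if target == "all" else ipaddress.ip_network(target)
        rules.append((action, net))
    return rules

def decide(rules, client):
    """First matching rule wins; with no match nginx does not restrict."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if net is None or addr in net:
            return action
    return "allow"

RULESET = parse_rules(RULES)

if __name__ == "__main__":
    # Constructed sample source addresses as nginx would see them ($remote_addr).
    samples = {
        "172.64.10.1": "request arriving via a Cloudflare edge",
        "203.0.113.7": "visitor connecting straight to the origin",
        "172.16.5.5": "private host inside the posted /16",
        "172.17.0.1": "private host in 172.16.0.0/12 but outside the posted /16",
    }
    for ip, note in samples.items():
        print(f"{ip:<14} {decide(RULESET, ip):<6} {note}")
```
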

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

2 reactions
louislam commented, Aug 1, 2021

Ok guys I found the problem. Kinda stupid 😄

Cloudflare Dashboard -> Network -> Enable WebSockets.

I thought they were enabled by default, sorry to waste your time…

For anyone reading in the future: My initial posted config works, no additional stuff required, just be sure to enable WS in Cloudflare 😵.

Lol, glad you found the solution. I did not know that too. Will mention it in the wiki too

0 reactions
louislam commented, Sep 20, 2021

Hi, I’m having this exact same issue, wss is enabled in Cloudflare, same error: [image] [image]

I’m using Cloudflare SSL certificates & proxying through Cloudflare. I’m reverse proxying in nginx, here is my nginx config:

server {
    server_name status.nucker.me;
    listen 443 ssl;

    location / {
            proxy_pass    http://0.0.0.0:3001;
            proxy_set_header    X-Real-IP $remote_addr;
            proxy_set_header    Host      $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    }

    ssl_certificate     /root/certs/cert.pem;
    ssl_certificate_key /root/certs/key.pem;
    ssl on;
}

Please read wiki, you are missing some headers.

https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy
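
A check for the headers the reply above refers to, as an added example that is not part of the original thread or the uptime-kuma project: it audits each proxying `location` block for the three directives nginx needs to pass a WebSocket handshake and runs over the two location blocks posted on this page. The function name `audit` is hypothetical, and `$connection_upgrade` is accepted as the conventional `map`-defined alternative to a literal `"upgrade"`.

```python
import re

# Upgrade and Connection are hop-by-hop headers: nginx forwards them to the
# upstream only when set explicitly, and the upstream side must speak HTTP/1.1.
REQUIRED = {
    "proxy_http_version 1.1": r'proxy_http_version\s+1\.1\s*;',
    "proxy_set_header Upgrade": r'proxy_set_header\s+(?i:upgrade)\s+\$http_upgrade\s*;',
    "proxy_set_header Connection":
        r'proxy_set_header\s+(?i:connection)\s+("?(?i:upgrade)"?|\$connection_upgrade)\s*;',
}
# Assumption: location blocks contain no nested braces (true for both configs).
LOCATION = re.compile(r'location\s+([^{]+?)\s*\{([^{}]*)\}')

def audit(conf):
    """Map each proxying location to the WebSocket directives it lacks."""
    conf = re.sub(r'#[^\n]*', '', conf)  # strip comments
    report = {}
    for path, body in LOCATION.findall(conf):
        if "proxy_pass" in body:
            report[path] = [name for name, pattern in REQUIRED.items()
                            if not re.search(pattern, body)]
    return report

# Location blocks as posted in the thread (server-level lines omitted).
ISSUE_CONF = """
location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://localhost:3001/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host "status.zaanposni.com";
    proxy_read_timeout 86400;
}
"""
REPLY_CONF = """
location / {
    proxy_pass    http://0.0.0.0:3001;
    proxy_set_header    X-Real-IP $remote_addr;
    proxy_set_header    Host      $http_host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
"""

if __name__ == "__main__":
    for label, conf in (("issue", ISSUE_CONF), ("reply", REPLY_CONF)):
        print(label, audit(conf))
```
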
