Setting up haproxy as loadbalancer for nodebb but having problems with socket.io

Question

I am trying to run nodebb on two nodes behind haproxy. Simple browsing works but socket.io keeps getting 403.

My haproxy.cfg looks like this:

frontend http-in
    mode http
    bind 0.0.0.0:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    bind 0.0.0.0:443 ssl crt /etc/letsencrypt/live/test/test.pem
    http-response set-header strict-transport-security "max-age=31536000; includeSubDomains"
    http-response set-header Content-Security-Policy "default-src 'self' wss: https: *.startech-rd.tk/*; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://code.jquery.com; style-src 'self' 'unsafe-inline' https:; img-src 'self' https://casper.ghost.org/ https://www.gravatar.com/ data:; font-src 'self' https:"
    http-response set-header X-XSS-Protection "1; mode=block"
    http-response set-header X-Content-Type-Options "nosniff"
    http-response set-header Referrer-Policy "no-referrer"
    reqadd X-Forwarded-Proto:\ https
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket path_sub -i /socket.io/
    use_backend bk_ws if is_websocket
    acl acl_comments path_beg -i /comments
    use_backend comments if acl_comments

backend comments
mode         http
balance      leastconn
timeout      connect 1s
timeout      server  600s
timeout      queue   600s
option redispatch
retries 3
acl is_woff capture.req.uri -m sub .woff
acl is_ttf capture.req.uri -m sub .ttf
acl is_eot capture.req.uri -m sub .eot
http-response set-header Cache-Control public if is_eot or is_woff or is_ttf
http-response set-header Expires -1 if is_eot or is_woff or is_ttf
http-response set-header Pragma cache if is_eot or is_woff or is_ttf
cookie nodebb insert indirect nocache secure

server node1 10.160.125.81:4567 cookie nodebb_node1 check inter 1000 fastinter 500 rise 2 fall 1
server node2 10.160.125.82:4567 cookie nodebb_node2 check inter 1000 fastinter 500 rise 2 fall 1

backend bk_ws
option redispatch
balance roundrobin
option forwardfor
option httpclose
server node1 10.160.125.81:4567 maxconn 30000 weight 10 cookie ws_node1 check
server node2 10.160.125.82:4567 maxconn 30000 weight 10 cookie ws_node2 check

Websocket connections are getting 403 all the time.

Update: I have tried to connect directly without haproxy and the websockets are connecting correctly. However I've seen that using the haproxy the websocket protocol changed from wss to https.

Any way to prevent that from happening?

Read the HAProxy logs. Verify that the request goes to the correct backend, `bk_ws`. Then read the logs on the specific server. — Michael - sqlbot, Jul 14 '18 at 21:45
Yes it goes to the correct backend however on the backend in the nodebb logs I cannot see anything. — zozo6015, Jul 15 '18 at 06:25

Setting up haproxy as loadbalancer for nodebb but having problems with socket.io

0 Answers0