
I am jumping in on a project with some socket issues over SSL and Cloudflare... I know.. I have read about 50 different Stack Overflow posts and 200 blog posts to try to figure this out. The project works on my local dev server/computer just fine...

I think I am on the right track - But could use some help/pointers if y'all can.

First, I thought it was weird that the /socket-io/ proxy_pass was at port 6379, the same as redis... Maybe it should be? When this was set at 6379, the socket connection will not connect - with or without Cloudflare enabled (I paused Cloudflare to test this out).

I read through the express server and saw that the socket server seems like it's linked to the express server at port 4000... so I changed the proxy_pass for /socket-io/ to port 4000 and it reconnects. This works with Cloudflare paused/running... so maybe it's not cloudflare after all. Still, even though it says the socket has reconnected in the browser, nothing is working.

I'll start by sharing my NGINX config - Let me know what else y'all need to see, please. Thanks for taking your time to help me out/pointing me in the right direction! I really appreciate learning about this stuff.

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name dev-app.myapp.com;

  location / {
    root /var/www/myapp_frontend/build/;
    try_files $uri $uri/ /index.html;
    #proxy_pass http://localhost:8080;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
  }

  location /api/ {
    proxy_pass http://localhost:4000/;
    include /etc/nginx/proxy_params;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }

  location /socket.io/ {
    proxy_pass http://localhost:6379;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_read_timeout 86400;
  }

  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
  }
  location ~ /\.ht {
    deny all;
  }

  ssl_certificate /etc/letsencrypt/live/dev-app.myapp.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/dev-app.myapp.com/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = dev-app.myapp.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name  dev-app.myapp.com;
    listen 80 default_server;
    listen [::]:80 default_server;

    return 404; # managed by Certbot
}

Edit 1: I did see that Cloudflare requires certain ports... Am I wrong to think that these ports only refer to the initial listening port, for example 443 above, since the proxy_pass ports are all using localhost?

Nick McLean
  • Do any errors appear when you change the /socket-io config to use port 4000, or just the application doesn't work? It looks like the application is connecting directly to redis, so changing the proxy port would make it impossible to connect correctly – Adam Jeliński Dec 30 '20 at 21:11
  • [A quick search](https://redis.io/topics/security) suggests that exposing redis in such a way is not safe, so maybe you should consider accessing it via a custom built API, instead of opening it to untrusted clients – Adam Jeliński Dec 30 '20 at 21:18
  • Yes!! I read the same stuff! I think you're right!! That's one of the first things I did. I have changed the port to 4000 before I read this - The errors stop, but it still doesn't really connect. It 'reconnects' but the socket connection still reads as false if I log it... and none of the socket notifications work... hmm... I'd love to show you somehow if you have time!? – Nick McLean Jan 03 '21 at 02:13
  • I think that's a great idea. Do you perhaps have discord? – Adam Jeliński Jan 03 '21 at 17:42
  • Thanks! I've sent you a friend invitation – Adam Jeliński Jan 08 '21 at 15:07
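For reference, this is what the HTTPS server block looks like once the /socket.io/ location is pointed at the Express/Socket.IO process on port 4000 (as the question and Adam's first comment conclude) rather than at Redis on 6379, which speaks its own protocol, not HTTP, and should only ever be reachable from the Node process. This is an added example, not the asker's final config; it assumes the same frontend build directory, API port and Certbot paths as in the question, and it does not claim to explain the "reconnects but reads false" symptom the comments leave open.

```nginx
# Added example based on the question's config, not the original poster's file.
# Cloudflare's supported-port list applies to the port the browser reaches at
# the edge (443 here); proxy_pass targets on localhost never pass through Cloudflare.
server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name dev-app.myapp.com;

  # Static React build: served from disk, so no proxy directives are needed here.
  location / {
    root /var/www/myapp_frontend/build/;
    try_files $uri $uri/ /index.html;
  }

  # REST API on the Express server.
  location /api/ {
    proxy_pass http://localhost:4000/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  # Socket.IO is attached to the same Express process, so it uses the same port.
  # No trailing slash on proxy_pass: the /socket.io/ prefix must reach the
  # upstream unchanged or the Engine.IO handshake will 404.
  location /socket.io/ {
    proxy_pass http://localhost:4000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;   # required for the WebSocket upgrade
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_cache_bypass $http_upgrade;
    proxy_read_timeout 86400;                 # keep idle WebSockets open
  }

  # Redis (6379) deliberately has no location block: it stays bound to the
  # Node process only and is never exposed through the public reverse proxy.

  ssl_certificate /etc/letsencrypt/live/dev-app.myapp.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/dev-app.myapp.com/privkey.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
```

After `nginx -t && nginx -s reload`, a `GET /socket.io/?EIO=4&transport=polling` through the site should return the Engine.IO open packet; if the upstream is on 6379 the connection drops instead because Redis does not speak HTTP.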

0 Answers