Hello, I recently upgraded from 6.34 Pro to 7.13 Pro. After I upgraded I can no longer log in when using my internet-exposed reverse proxy (local LAN is just fine). Console logs from Chrome indicate that PM is trying to make a websocket connection at ws://box_a:8088 instead of wss://box_b:8088, throwing an error because you can't make an unsecured websocket connection on a secured https page.
box_a hosts an NGINX reverse proxy and is exposed to the internet. It handles SSL encryption between client and reverse proxy. The reverse proxy then forwards the traffic unencrypted to box_b (hosting Poker Mavens), on the same local network.
box_a Settings
Port 443 - SSL (forwards to HTTP port 8087 on box_b)
Port 8088 - SSL (forwards to WS port 8088 on box_b)
box_b Settings
SSL Encryption: Off
Proxy WSS: On
HTTP Port: 8087
WS Port: 8088
Can confirm that using 6.34 Pro still works with my reverse proxy setup. Did a setting change in the upgrade or something?
Thanks.
WSS Problems after Upgrade with Reverse Proxy
Re: WSS Problems after Upgrade with Reverse Proxy
Typo above in first paragraph. Corrected below.
Console logs from Chrome indicate that PM is trying to make a websocket connection at ws://box_a:8088 instead of wss://box_a:8088, throwing an error because you can't make an unsecured websocket connection on a secured https page.
-
- Site Admin
- Posts: 5923
- Joined: Wed Mar 19, 2008 8:47 pm
Re: WSS Problems after Upgrade with Reverse Proxy
Are you connecting to a raw IP address or a domain name? It should work via a domain name. This is because v7 supports SSL and non-SSL connections simultaneously and it keeps all raw IP connections to the HTTP port as non-SSL to prevent connection failures when SSL Redirect is enabled. And (currently) this applies to the Proxy WSS setting as well. Although I might need to rethink that part.
Re: WSS Problems after Upgrade with Reverse Proxy
Thanks Kent.
Domain name.
- Site Admin
Re: WSS Problems after Upgrade with Reverse Proxy
Is the box a to box b connection also via domain name? That's the one that matters to the poker software. By the way, the reason for this is to prevent a lockout condition described in this post:
viewtopic.php?p=15794#p15794
However, if SSL or SSL Redirect is off then that domain check wouldn't be needed so I'll change that in the next update.
Re: WSS Problems after Upgrade with Reverse Proxy
Box A to Box B is indeed based on an internal network 192.168.* IP address. Box B is not accessible from WAN.
I guess I could add a hosts entry to assign Box B a domain and connect that way. I’ll let you know if it works.
Re: WSS Problems after Upgrade with Reverse Proxy
Kent,
I added a hosts entry for box_b.net on box_a and changed the forwarding to that and that worked. Thanks for your help.
One possible solution would be to use the X-Forwarded-For IP to see if it needs to prevent lockout, instead of the actual IP the data is coming from.
Thanks again!
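The workaround from the post above, written out as an NGINX configuration for box_a. This is an added example, not a configuration posted by anyone in the thread: the public name poker.example.com, the certificate paths and the timeout value are assumptions, and box_b.net is the hosts-file name the poster describes.

```nginx
# Added example for box_a. Assumed names: poker.example.com, /etc/nginx/tls/*.
# box_b.net is defined in box_a's hosts file and points at box_b's 192.168.* address.
# nginx resolves a literal proxy_pass hostname through the system resolver at
# start/reload, which honours the hosts file. A proxy_pass built from a variable
# uses the "resolver" directive instead, and that does not read the hosts file.

# Before the workaround, both locations pointed at box_b's raw LAN IP, and per
# this thread v7 treats raw-IP connections as non-SSL and ignores Proxy WSS.

server {
    listen 443 ssl;
    server_name poker.example.com;
    ssl_certificate     /etc/nginx/tls/poker.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/poker.example.com.key;

    location / {
        # No "proxy_set_header Host" here, so nginx sends the proxy_pass host
        # (box_b.net:8087) as the Host header and box_b sees a name, not an IP.
        proxy_pass http://box_b.net:8087;
        # Client address for logging; the thread does not say Poker Mavens reads it.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
    listen 8088 ssl;
    server_name poker.example.com;
    ssl_certificate     /etc/nginx/tls/poker.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/poker.example.com.key;

    location / {
        proxy_pass http://box_b.net:8088;
        # WebSocket upgrade needs HTTP/1.1 and the hop-by-hop headers passed on.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Assumed value: keeps idle sockets open past the 60s default.
        proxy_read_timeout 1h;
    }
}
```

The box_a to box_b hop stays plain HTTP/WS in this layout, so ports 8087 and 8088 on box_b should remain reachable only from the LAN, as the poster describes.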
- Site Admin
Re: WSS Problems after Upgrade with Reverse Proxy
The lockout could occur when you mistakenly turned on Proxy WSS when there was no proxy server (and thus no header) involved. And then you couldn't get back into the admin console to turn it off. Instead of ignoring Proxy WSS when any IP was used, I should have just checked for 127.0.0.1 instead and even then only for admin connections. Anyway since you have a good workaround in place I have time to study that some more.