Search code examples
node.jsnginxmeteorwebsocketsafari

Nginx: proxy_pass + websocket + basic authentication + Safari = endless loop in access log

Safari (Desktop & iOS)

Meteor web application protected by nginx basic authentication.

I see the following access log records in an endless loop when I visit the app on Safari. Chrome works as expected. No record appears in nginx error logs. My guess is that for some reason the user/password auth does not work and the request gets redirected in a loop, causing new sockets / sockjs connections to be opened.

The application does not produce any output, a white screen of death is shown.

144.MY.IP.ADDR - - [25/Sep/2018:17:48:06 -0400] "GET /sockjs/958/msx234wb/websocket HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15"
144.MY.IP.ADDR - username [25/Sep/2018:17:48:06 -0400] "POST /sockjs/656/mgln1mi5/xhr_send HTTP/1.1" 204 0 "https://my.site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15"
144.MY.IP.ADDR - username [25/Sep/2018:17:48:06 -0400] "POST /sockjs/958/x9wngcy3/xhr HTTP/1.1" 200 12 "https://my.site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15"
144.MY.IP.ADDR - username [25/Sep/2018:17:48:06 -0400] "POST /sockjs/958/x9wngcy3/xhr_send HTTP/1.1" 204 0 "https://my.site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15"
144.MY.IP.ADDR - username [25/Sep/2018:17:48:06 -0400] "GET /sockjs/info?cb=35tsuy5ber HTTP/1.1" 200 90 "https://my.site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15"
144.MY.IP.ADDR - username [25/Sep/2018:17:48:06 -0400] "POST /sockjs/958/x9wngcy3/xhr_send HTTP/1.1" 204 0 "https://my.site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15"

Here is my nginx configuration:

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

server {
    listen 80;
    listen 443 ssl http2;
    server_name my.site.com;

    ssl_certificate /etc/letsencrypt/live/my.site.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my.site.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1";

    ssl_stapling on;
    ssl_stapling_verify on;

    root html; # irrelevant
    index index.html; # irrelevant

    location / {

        # forward http to https
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        proxy_pass      http://localhost:8080;

        proxy_redirect off;
        proxy_intercept_errors on;


        proxy_http_version 1.1; # recommended with keepalive connections - http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host $host;  # pass the host header - http://wiki.nginx.org/HttpProxyModule#proxy_pass

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header X-Forwarded-Proto http;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP

        proxy_set_header X-Nginx-Proxy true;

        auth_basic "Restricted Access";         # auth realm
        auth_basic_user_file .htpasswd-users;   # htpasswd file

        # the root path (/) MUST NOT be cached
        if ($uri != '/') {
            expires 30d;
        }

    }
}

I have no idea why this happens where Chrome works as expected and safari does not.

Solution

  • Here is the solution. Saved by the magic proxy_read_timeout line:

    location / {          

    auth_basic "Restricted Access"; # auth realm
    auth_basic_user_file .htpasswd-users-paco; # htpasswd file

    proxy_set_header   X-Forwarded-For $remote_addr;
    proxy_set_header   Host $http_host;

    proxy_pass         "http://127.0.0.1:SOME_PORT";
    proxy_http_version 1.1;

    proxy_set_header   Upgrade $http_upgrade;
    proxy_set_header   Connection "upgrade";            

    proxy_read_timeout 86400;            

    # the root path (/) MUST NOT be cached
    if ($uri != '/') {
        expires 30d;
    }
}