xpra icon
Bug tracker and wiki

Opened 3 years ago

Closed 3 years ago

Last modified 19 months ago

#1349 closed enhancement (fixed)

HTML5 client: Nginx reverse and SSL proxy cause SSL error

Reported by: bboehmke Owned by: bboehmke
Priority: major Milestone: 1.0
Component: html5 Version: 0.17.x
Keywords: ssl Cc:

Description

I am using a Nginx web server as reverse and SSL proxy.

The HTML5 client work but I get a SSL error that the HTTPS page tries to load the non secure websocket. (If I can ignore the error then the page loads)

Maybe I already have a solution for this problem:
If I change the the line 188 of the index.html to
client.connect(server, port, location.protocol == 'https:'); the error is gone.

Change History (5)

comment:1 Changed 3 years ago by Antoine Martin

Status: newassigned

I actually merged code similar to this in r14437 (trac doesn't show the changeset unfortunately!) - many more changes in #1341.
Your simpler version could be applied to v0.17.x.

comment:2 Changed 3 years ago by Antoine Martin

Owner: changed from Antoine Martin to bboehmke
Status: assignednew

So I've applied to the v0.17.x branch in r14447.

Please close if this works for you. I recommend moving to the 1.0 branch now, as there are a lot more html5 client improvements there.

comment:3 Changed 3 years ago by Antoine Martin

Resolution: fixed
Status: newclosed

comment:4 Changed 19 months ago by vfclists

@bboehmke Can you share the nginx configuration you use for the proxying?

I am trying to accomplish something similar but am not getting anywhere quickly.

comment:5 Changed 19 months ago by bboehmke

I have not used this feature for month but this was the config I was using:

server {
    listen  443       ssl spdy;
    listen  [::]:443  ssl spdy;

    # domain of vhost
    server_name  xpra.domain.de;

    ssl on;

    ssl_certificate /etc/nginx/ssl/crt/all-chained.crt;
    ssl_certificate_key /etc/nginx/ssl/crt/all.key;

    error_log   /var/log/nginx/archTerm.error.log;


    ## Increase this if you want to upload large attachments
    ## Or if you want to accept large git objects over http
    client_max_body_size 20m;

    location / {
        # optional basic auth
        #auth_basic            "Arch";
        #auth_basic_user_file  /etc/nginx/xpra.htpasswd;

        resolver 127.0.0.1 valid=300s;
        resolver_timeout 300s;

        proxy_read_timeout      300;
        proxy_connect_timeout   300;
        proxy_redirect          off;

        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-Ssl     on;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_set_header    X-Frame-Options     SAMEORIGIN;

        # 192.168.105.40 -> address of xpra daemon
        proxy_pass http://192.168.105.40:10000$request_uri;
    }
}

Note: See TracTickets for help on using tickets.