Websockets and Reverse Proxy #2487

Closed
paulb-smartit opened this issue Mar 13, 2023 · 3 comments

paulb-smartit commented Mar 13, 2023

I see a lot of issues on here about using web sockets. It certainly took a little fudgery for me to get it working.

If you are going to expose the same port that is listed in the --port=7890 parameter, then you should be able to get the .html output file to reference that port and connect to it.

But connecting to it securely via an Nginx reverse proxy is the angle I went for.

Set up an Nginx virtual host with a TLS cert from Let's Encrypt and let it serve the static .html page. I also wanted to use Nginx to serve the web sockets, but because it's served on a port that is detailed in the static .html you can never get to it.

It works, but only because something doesn't behave as expected.

I used a docker-compose.yml to serve GoAccess.

```yaml
version: '3.7'

services:
  goaccess:
    image: allinurl/goaccess
    command: "/var/log/nginx/access.log --log-format COMBINED --real-time-html -o /output/index.html --ws-url=wss://HOST.DOMAIN/ws/"
    volumes:
      - "/usr/share/nginx/html:/output:rw"
      - "/var/log/nginx:/var/log/nginx:ro"
    ports:
      - "12390:7890"
```

The clever bit that makes this work is the --ws-url. In my Nginx config I'm going to capture /ws and redirect it to port 12390. But what actually happens is that the URL that gets put into the HTML file is wss://host.domain/ws:7890. Why does this work? It's not a valid URL; the port should be before the /ws/. Thankfully it's not, because traffic is sent to wss://host.domain/ws/:7890 but the :7890 gets ignored, and web sockets get served currently over port 443, the same as the static page is on!

```nginx
upstream goaccess {
    server server:12390 weight=1 fail_timeout=30s;
}

server {
    listen       443 ssl;
    server_name  host.domain;

    ssl_certificate_key     /etc/letsencrypt/live/host.domain/privkey.pem;
    ssl_certificate         /etc/letsencrypt/live/host.domain/fullchain.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/host.domain/fullchain.pem;

    location / {
        root /usr/share/nginx/html;
        try_files /index.html =404;
    }

    location /ws {
        proxy_pass http://goaccess;
        # force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        # set headers
        proxy_buffer_size                  128k;
        proxy_buffers                      4 256k;
        proxy_busy_buffers_size            256k;
        proxy_set_header Referer           $http_referer;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Server-Select   $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Url-Scheme      $scheme;
        proxy_set_header Cookie            $http_cookie;
        proxy_set_header Host              $host;
        # WebSocket upgrade needs HTTP/1.1 and the Upgrade/Connection headers
        proxy_http_version                 1.1;
        proxy_set_header                   Upgrade $http_upgrade;
        proxy_set_header                   Connection 'upgrade';

        # by default, do not forward anything
        proxy_redirect off;
    }

}
```

My suggestion here is to not fix the --ws-url, and if it is specified, please don't add the port; let that be done manually.
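
Why the malformed URL still lands on the proxy, as an added example that is not part of the original post or of GoAccess: it runs the URLs from the post through the WHATWG URL parser that browsers and Node.js use and reports which endpoint each one really opens. The function names are hypothetical and the sample list is constructed from the post's placeholder host and ports.

```javascript
// Added example (not from the post or from GoAccess). URLs use the post's
// placeholder host; function names are hypothetical.
const DEFAULT_PORTS = { "ws:": 80, "wss:": 443 };

// Resolve the endpoint a browser would really open for a WebSocket URL.
function wsEndpoint(raw) {
  const u = new URL(raw); // WHATWG parser, same rules as `new WebSocket(raw)`
  if (!(u.protocol in DEFAULT_PORTS)) {
    throw new Error(`not a WebSocket URL: ${raw}`);
  }
  return {
    tls: u.protocol === "wss:",
    host: u.hostname,
    // An empty u.port means "scheme default"; a ":7890" after the first "/"
    // is path text and never reaches this field.
    port: u.port === "" ? DEFAULT_PORTS[u.protocol] : Number(u.port),
    path: u.pathname,
  };
}

// True when the request would arrive at the TLS vhost's `location /ws` block
// (nginx prefix match) instead of some other port.
function reachesProxy(raw, vhost = "host.domain", prefix = "/ws") {
  const e = wsEndpoint(raw);
  return e.tls && e.host === vhost && e.port === 443 && e.path.startsWith(prefix);
}

// Constructed sample set built from the values in the post.
const SAMPLES = [
  "wss://HOST.DOMAIN/ws/:7890", // port appended after the path
  "wss://host.domain/ws:7890",  // same mistake without the trailing slash
  "wss://host.domain:7890/ws/", // port where a URL parser expects it
  "ws://host.domain:12390/",    // published container port, no TLS
];

function report(urls = SAMPLES) {
  return urls.map((raw) => ({ raw, ...wsEndpoint(raw), viaProxy: reachesProxy(raw) }));
}

console.table(report());
```

The last sample corresponds to the `12390:7890` mapping in the compose file: a client that connects there bypasses the TLS proxy, so that port is worth restricting to the proxy host.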

allinurl commented (Owner)

Thanks for sharing these findings! I'm glad we're on the same page about the issue with the port. I'm happy to submit a patch for this, but I wanted to make sure you will be able to update your configuration after this change.

paulb-smartit commented Mar 30, 2023

I can always update my config, but I need to be sure that fixing the port does not break the --ws-url. I would suggest that if a --ws-url is specified, it does not rebuild it from other parameters, but overrides it. So even if a port is specified, it gets ignored unless no --ws-url is specified.

PS. Well done, this is a great product.

allinurl commented (Owner)

I made some changes to this where it should work as expected. The idea behind configuring the port via the ws-url is to get to goaccess via a reverse proxy. For instance, if you only have port 443 available/open, you could reach a goaccess instance running on 7890 as:

```sh
goaccess access.log --log-format=COMBINED --port=7890 --ws-url=wss://goaccess.io:443 --real-time-html -o out.html
```

Please feel free to build from development and let me know if that addresses the issue on your end. Otherwise, it will be shipped in v1.7.2 soon. Thanks again!
