Can't connect to HTTPS Nginx reverse proxy serving a Meteor app #380

Closed
acib708 opened this issue Apr 26, 2016 · 7 comments

acib708 commented Apr 26, 2016

I'm trying to connect to my Meteor backend. When connecting via https, I sometimes get this BufferOverflowException:

Exception in thread "Thread-7" java.nio.BufferOverflowException
      at java.nio.DirectByteBuffer.put(DirectByteBuffer.java:363)
      at java.nio.DirectByteBuffer.put(DirectByteBuffer.java:342)
      at sun.nio.ch.IOUtil.write(IOUtil.java:60)
      at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:471)
      at org.java_websocket.SSLSocketChannel2.close(SSLSocketChannel2.java:270)
      at org.java_websocket.WebSocketImpl.closeConnection(WebSocketImpl.java:453)
      at org.java_websocket.WebSocketImpl.closeConnection(WebSocketImpl.java:472)
      at org.java_websocket.WebSocketImpl.eot(WebSocketImpl.java:509)
      at org.java_websocket.client.WebSocketClient.interruptableRun(WebSocketClient.java:249)
      at org.java_websocket.client.WebSocketClient.run(WebSocketClient.java:188)
      at java.lang.Thread.run(Thread.java:745)

When the overflow doesn't happen, I can't connect to the server anyways. I get this .CLOSED message:

{msg=closed, reason=, code=-1, remote=true}

I analyzed the handshake with Wireshark and got this: https://drive.google.com/file/d/0B9cfrkkW62eIWHlzY2oyU0k5cDA/view?usp=sharing
I see the client gets the certificate, but then it doesn't respond with the handshake continuation, it sends a Hello again, and therefore the server resets the connection. I believe this is why the overflow happens, when the timing is right, the client tries to read from an empty socket.
But I'm obviously grasping at straws here, any help would be greatly appreciated. I can contribute with code if somebody pushes me in the right direction.

This is (some relevant part of) my nginx config, but I really doubt it'll make any difference:

# Load Balancing
upstream upstream {
    server 127.0.0.1:3001;
    keepalive 64;
}

# HTTPS
server {
    listen 443 ssl http2;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:2m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Public-Key-Pins 'pin-sha256="xxx"; pin-sha256="xxx"; max-age=10';
    ssl_certificate cert.pem;
    ssl_certificate_key key.pem;

    server_name server.com;

    # Proxy Meteor app running locally
    location ^~ / {
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header Upgrade websocket;
        proxy_set_header Connection Upgrade;
        proxy_http_version 1.1;
        proxy_pass http://upstream;
    }
}

@kirkmicz

Yeah, same here.

marci4 commented Mar 30, 2017

Hello @acib708 and @kirkmicz

do you still have this issue with the latest version?

Greetings
marci4

@h3adache

I got this same error and it seems to be happening because my cert was expired (but using version 1.3.0). Maybe the same for you guys?

marci4 commented Jun 27, 2017

@h3adache the latest version is 1.3.4
Is this still an issue then?

h3adache commented Jun 28, 2017

Hi @marci4 it doesn't throw the BufferOverflow anymore but it doesn't give the correct error. It simply disconnects.

The error message is actually swallowed by an exception block that only calls engine.eot()

The linked source above is different because integrated wss support was added. It's L232/233 in the 1.3.4 code.

Something is wrong when looking it up by the version tag. It shows it on L257, but when looking at the code in the 1.3.4 jar it's L233.

The actual exception message is correct it seems:
PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed
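Added example, not code from this issue or from the Java-WebSocket project: before handing the connection to the websocket library, run a plain JSSE handshake against the same host and port and print the whole cause chain. For the situation described above (expired certificate) that chain ends in the `CertPathValidatorException: timestamp check failed`, which the 1.3.4 client swallows before reporting `code=-1`. The diagnostic `peerNotAfter` helper deliberately disables validation so it can read the certificate's `notAfter` date; it must never be used for real traffic. Assumptions: the host `server.com` is taken from the nginx config in the first post, the `/websocket` path and the `WssPreflightClient` name are hypothetical, and the `setSocket(...)` call is the 1.3.x API (1.4 and later use `setSocketFactory`).

```java
import java.io.IOException;
import java.net.URI;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import org.java_websocket.client.WebSocketClient;
import org.java_websocket.handshake.ServerHandshake;

/**
 * Pre-flight TLS check for a wss:// endpoint, followed by a Java-WebSocket 1.3.x
 * client that logs onError itself instead of relying on the library to report it.
 * (Added example; hypothetical class name.)
 */
public class WssPreflightClient extends WebSocketClient {

    public WssPreflightClient(URI uri) { super(uri); }

    /** Plain JSSE handshake with the default trust store. Returns the full cause chain on failure, an empty list on success. */
    static List<String> handshakeProblems(String host, int port) {
        List<String> chain = new ArrayList<>();
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            // Raw JSSE sockets do not verify the hostname unless this is set.
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake(); // SSLHandshakeException for an expired or untrusted certificate
        } catch (IOException e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                chain.add(t.getClass().getSimpleName() + ": " + t.getMessage());
            }
        }
        return chain;
    }

    /** DIAGNOSTIC ONLY: fetches the leaf certificate without validating it so its expiry can be reported. Never use for real traffic. */
    static String peerNotAfter(String host, int port) throws Exception {
        TrustManager[] acceptAll = { new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
            return leaf.getSubjectX500Principal() + " notAfter=" + leaf.getNotAfter();
        }
    }

    @Override public void onOpen(ServerHandshake h) { System.out.println("open: HTTP " + h.getHttpStatus()); }
    @Override public void onMessage(String m) { System.out.println("msg: " + m); }
    @Override public void onClose(int code, String reason, boolean remote) {
        System.out.println("closed code=" + code + " reason=" + reason + " remote=" + remote);
    }
    @Override public void onError(Exception ex) {
        // 1.3.4 never reaches this for an SSLException; newer versions do, so log it regardless.
        System.out.println("error: " + ex);
    }

    public static void main(String[] args) throws Exception {
        // Host from the nginx config in this issue; the /websocket path is an assumption.
        URI uri = new URI(args.length > 0 ? args[0] : "wss://server.com/websocket");
        int port = uri.getPort() == -1 ? 443 : uri.getPort();

        List<String> problems = handshakeProblems(uri.getHost(), port);
        if (!problems.isEmpty()) {
            System.out.println("TLS pre-flight failed, cause chain:");
            for (String line : problems) System.out.println("  " + line);
            System.out.println("server presented: " + peerNotAfter(uri.getHost(), port));
            return; // do not start the websocket; the library would only report code=-1
        }

        WssPreflightClient client = new WssPreflightClient(uri);
        client.setSocket(SSLSocketFactory.getDefault().createSocket()); // 1.3.x API
        if (!client.connectBlocking()) {
            System.out.println("websocket connect failed after a clean TLS handshake; check the proxy's Upgrade/Connection headers");
        }
    }
}
```

If the pre-flight passes but `connectBlocking()` still returns false, the problem is in the HTTP upgrade rather than TLS, which is where the nginx `Upgrade`/`Connection` headers in the first post come into play; if it fails, the printed chain tells you whether it is expiry, an untrusted issuer, or a hostname mismatch without any guessing from packet captures.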

marci4 commented Jun 28, 2017

Hello @h3adache,

well at least the error should be displayed and then disconnect.

Opening a separate issue for this!
Greetings
marci4

marci4 commented Aug 16, 2017

Hello @h3adache,
just an update for you.

SSLException will now also call onError (see #516).

Closing this issue!
Greetings
marci4

@marci4 marci4 closed this as completed Aug 16, 2017