Can't connect when behind Nginx proxy #96

Closed
MasterKTO opened this issue Nov 5, 2019 · 5 comments

@MasterKTO

Hey huashengdun.

First, thanks for this wonderful app. It comes in very handy.

I run into the following problem, though:
webssh works correctly when I connect directly to it (I point my browser to server:8000 in my following example), be it with SSL enabled or not.
But if I try to connect when webssh runs behind an Nginx proxy (as detailed in the README), I can never get to a shell... I click "Connect", the site hangs for a second and just goes idle again.

Hereafter is the command I used to run webssh along with the related debug logs.

```
COMMAND PROMPT > $ python2 /<path>/webssh/run.py --address='0.0.0.0' --port=8000 --policy=reject --logging=debug
[D 191105 19:39:46 policy:29] {'autoaddpolicy': <class 'webssh.policy.AutoAddPolicy'>, 'rejectpolicy': <class 'paramiko.client.RejectPolicy'>, 'warningpolicy': <class 'paramiko.client.WarningPolicy'>}
[I 191105 19:39:46 settings:98] RejectPolicy
[I 191105 19:39:46 main:39] Listening on 0.0.0.0:8000 (http)
[D 191105 19:39:50 handler:204] netloc: <server_name>
[D 191105 19:39:50 handler:207] host: <server_name>
[D 191105 19:39:50 handler:148] Reset offset to 0.
[I 191105 19:39:50 handler:150] Parsing RSA key
[D 191105 19:39:50 handler:389] (u'<hostname>', 22, u'<user>', u'', <paramiko.rsakey.RSAKey object at 0xb6dd8e8c>)
[I 191105 19:39:50 handler:422] Connecting to <hostname>:22
[D 191105 19:39:50 transport:1819] starting thread (client mode): 0xb7150f0cL
[D 191105 19:39:50 transport:1819] Local version/idstring: SSH-2.0-paramiko_2.6.0
[D 191105 19:39:50 transport:1819] Remote version/idstring: SSH-2.0-OpenSSH_8.1
[I 191105 19:39:50 transport:1819] Connected (version 2.0, client OpenSSH_8.1)
[D 191105 19:39:50 transport:1819] kex algos:[u'curve25519-sha256', u'curve25519-sha256@libssh.org', u'ecdh-sha2-nistp256', u'ecdh-sha2-nistp384', u'ecdh-sha2-nistp521', u'diffie-hellman-group-exchange-sha256', u'diffie-hellman-group16-sha512', u'diffie-hellman-group18-sha512', u'diffie-hellman-group14-sha256', u'diffie-hellman-group14-sha1'] server key:[u'rsa-sha2-512', u'rsa-sha2-256', u'ssh-rsa', u'ecdsa-sha2-nistp256', u'ssh-ed25519'] client encrypt:[u'chacha20-poly1305@openssh.com', u'aes128-ctr', u'aes192-ctr', u'aes256-ctr', u'aes128-gcm@openssh.com', u'aes256-gcm@openssh.com'] server encrypt:[u'chacha20-poly1305@openssh.com', u'aes128-ctr', u'aes192-ctr', u'aes256-ctr', u'aes128-gcm@openssh.com', u'aes256-gcm@openssh.com'] client mac:[u'umac-64-etm@openssh.com', u'umac-128-etm@openssh.com', u'hmac-sha2-256-etm@openssh.com', u'hmac-sha2-512-etm@openssh.com', u'hmac-sha1-etm@openssh.com', u'umac-64@openssh.com', u'umac-128@openssh.com', u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1'] server mac:[u'umac-64-etm@openssh.com', u'umac-128-etm@openssh.com', u'hmac-sha2-256-etm@openssh.com', u'hmac-sha2-512-etm@openssh.com', u'hmac-sha1-etm@openssh.com', u'umac-64@openssh.com', u'umac-128@openssh.com', u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1'] client compress:[u'none', u'zlib@openssh.com'] server compress:[u'none', u'zlib@openssh.com'] client lang:[u''] server lang:[u''] kex follows?False
[D 191105 19:39:50 transport:1819] Kex agreed: curve25519-sha256@libssh.org
[D 191105 19:39:50 transport:1819] HostKey agreed: ecdsa-sha2-nistp256
[D 191105 19:39:50 transport:1819] Cipher agreed: aes128-ctr
[D 191105 19:39:50 transport:1819] MAC agreed: hmac-sha2-256
[D 191105 19:39:50 transport:1819] Compression agreed: none
[D 191105 19:39:50 transport:1819] kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
[D 191105 19:39:50 transport:1819] Switch to new keys ...
[I 191105 19:39:50 handler:71] Trying publickey authentication
[D 191105 19:39:50 transport:1819] userauth is OK
[I 191105 19:39:50 transport:1819] Authentication (publickey) successful!
[D 191105 19:39:50 channel:1212] [chan 0] Max packet in: 32768 bytes
[D 191105 19:39:50 transport:1819] Received global request "hostkeys-00@openssh.com"
[D 191105 19:39:50 transport:1819] Rejecting "hostkeys-00@openssh.com" global request from server.
[D 191105 19:39:50 transport:1819] Debug msg: /home/<user>/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
[D 191105 19:39:50 channel:1212] [chan 0] Max packet out: 32768 bytes
[D 191105 19:39:50 transport:1819] Secsh channel 0 opened.
[D 191105 19:39:51 channel:1212] [chan 0] Sesch channel 0 request ok
[D 191105 19:39:51 channel:1212] [chan 0] Sesch channel 0 request ok
[D 191105 19:39:51 channel:1212] [chan 1] Max packet in: 32768 bytes
[D 191105 19:39:51 channel:1212] [chan 1] Max packet out: 32768 bytes
[D 191105 19:39:51 transport:1819] Secsh channel 1 opened.
[D 191105 19:39:51 channel:1212] [chan 1] Sesch channel 1 request ok
[D 191105 19:39:51 channel:1212] [chan 1] Sesch channel 1 request ok
[D 191105 19:39:51 channel:1212] [chan 1] EOF sent (1)
[D 191105 19:39:51 handler:411] '$SHELL -ilc "locale charmap"' => 'UTF-8\r\n'
[I 191105 19:39:51 web:2162] 200 POST / (<client_ip>) 878.86ms
[D 191105 19:39:51 channel:1212] [chan 1] EOF received (1)
[D 191105 19:39:51 handler:204] netloc: <server_name>
[D 191105 19:39:51 handler:207] host: <server_name>
[I 191105 19:39:51 web:2162] 101 GET /ws?id=3072742252 (<client_ip>) 4.66ms
[I 191105 19:39:51 handler:506] Connected from <client_ip>:47714                           // until here, everything's fine.
[I 191105 19:39:51 handler:552] Disconnected from <client_ip>:47714                        // but here, the connection is lost...
[I 191105 19:39:51 worker:115] Closing worker 3072742252 with reason: client disconnected
[D 191105 19:39:51 channel:1212] [chan 0] EOF sent (0)
[D 191105 19:39:51 transport:1819] EOF in transport thread
[I 191105 19:39:51 worker:122] Connection to <hostname>:22 lost
[D 191105 19:39:51 worker:125] {}
```

As you can see, the connection to the websocket is dropped as soon as the SSH connection is established.
I should add that sometimes, the client fails to fetch some resources (404 on GET /static/css/bootstrap.min.css.map for instance). This never happens while connecting directly to webssh.

I guess I'm missing something here, any assistance would be very much appreciated. :)

Thanks.

@huashengdun
Owner

Hi MasterKTO,

Can you show me your Nginx configuration?

@MasterKTO
Author

There you go:

```nginx
server {
    listen      80;
    server_name <server_name>;
    return      301 https://$server_name$request_uri;
}

server {
    listen      443 ssl;
    server_name <server_name>;

    ssl on;
    ssl_protocols TLSv1.2;
    ssl_certificate /path/to/cert;
    ssl_certificate_key /path/to/key;

    access_log  /path/to/access.log;
    error_log   /path/to/error.log;

    location / {
        proxy_pass                              http://localhost:8000/;
        proxy_set_header Upgrade                $http_upgrade;
        proxy_set_header Connection             "Upgrade";
        proxy_set_header Host                   $http_host;
        proxy_set_header X-Real-IP              $remote_addr;
        proxy_set_header X-Real-PORT            $remote_port;
    }
}
```

@huashengdun
Owner

huashengdun commented Nov 6, 2019

I think the error comes from your location part.
You can replace your location part with the following location example in your Nginx configuration.

```nginx
location / {
    proxy_pass http://127.0.0.1:8888;
    proxy_http_version 1.1;
    proxy_read_timeout 300;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Real-PORT $remote_port;
}
```

@MasterKTO
Author

OK, turns out that the proxy_http_version 1.1 directive did the trick.
This is quite weird as I can see in my logs that all connections are set in HTTP/1.1...
Anyway.
Thanks for your help!

@huashengdun
Owner

huashengdun commented Nov 10, 2019

> OK, turns out that the proxy_http_version 1.1 directive did the trick.
> This is quite weird as I can see in my logs that all connections are set in HTTP/1.1...
> Anyway.
> Thanks for your help!

I guess you checked the HTTP request version on the client side, not on the server side.

By default, Nginx uses version 1.0 for the proxy_http_version directive.
As it is not a keep-alive connection, the webssh server closes it immediately after the WebSocket connection is established.
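
Added example, not part of the original thread or the webssh project: a Python check that flags proxied Nginx `location` blocks lacking the WebSocket settings discussed above, run against the two location blocks posted in the thread (X-Real-* headers omitted). The function name `websocket_proxy_issues` and the simplified parsing (non-nested blocks, naive comment stripping) are assumptions of this example.

```python
import re
import shlex

# Location blocks from the thread (X-Real-* headers omitted for brevity).
BEFORE = """
location / {
    proxy_pass http://localhost:8000/;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $http_host;
}
"""
AFTER = """
location / {
    proxy_pass http://127.0.0.1:8888;
    proxy_http_version 1.1;
    proxy_read_timeout 300;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
}
"""

def websocket_proxy_issues(conf):
    """Map each proxied, non-nested location to its WebSocket proxying problems."""
    conf = re.sub(r"#[^\n]*", "", conf)  # naive comment strip: ignores '#' inside quotes
    report = {}
    for path, body in re.findall(r"location\s+([^{]+?)\s*\{([^{}]*)\}", conf):
        directives = [shlex.split(d) for d in body.split(";") if d.strip()]
        if not any(d[0] == "proxy_pass" for d in directives):
            continue  # not a reverse-proxy location
        version = [d[1] for d in directives
                   if d[0] == "proxy_http_version" and len(d) == 2]
        headers = {d[1].lower(): d[2] for d in directives
                   if d[0] == "proxy_set_header" and len(d) == 3}
        problems = []
        if version != ["1.1"]:
            shown = version[0] if version else "unset"
            problems.append("proxy_http_version is %s, WebSocket needs 1.1" % shown)
        if headers.get("upgrade") != "$http_upgrade":
            problems.append("Upgrade header is not forwarded")
        # $connection_upgrade is the conventional name of a user-defined map variable.
        if headers.get("connection", "").lower() not in ("upgrade", "$connection_upgrade"):
            problems.append("Connection header does not request an upgrade")
        report[path] = problems
    return report

if __name__ == "__main__":
    print(websocket_proxy_issues(BEFORE), websocket_proxy_issues(AFTER))
```

The original block is flagged only for the missing `proxy_http_version`, matching the fix that resolved the issue; the `Connection` value is compared case-insensitively, so `"Upgrade"` and `"upgrade"` both pass.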
