[BUG] Websocket not working #107

Closed
PastaGringo opened this issue Mar 8, 2024 · 11 comments
Labels
bug Something isn't working

PastaGringo commented Mar 8, 2024

Describe the bug
Websocket is not working

To Reproduce
Steps to reproduce the behavior:

I just created a new proxy rule for my nostr relay, which listens for clients through a websocket:
Screenshot 2024-03-08 at 16 15 35

I saw in another issue that it may concern the Custom Headers (Upgrade), but I didn't find any in its settings:
Screenshot 2024-03-08 at 16 17 59

The https service is working as you can see: https://nostr.fractalized.net

But when I try to open the wss://nostr.fractalized.net websocket with websocketking.com, it fails with the error message: "Could not connect to "wss://nostr.fractalized.net". You may be able to find more information using Inspector/Dev Tools on this page."

When I check the Inspector/Dev Tools from Chrome (Arc Browser in fact, but I tried with Chrome, Brave and Firefox. The result is the same.) I can see:

Screenshot 2024-03-08 at 16 24 15

I have the same result if I use the website nostr.watch, which verifies NOSTR relay connectivity live: https://nostr.watch/relay/nostr.fractalized.net

I can see this LOG message from Zoraxy docker live log:

2024/03/08 15:36:05 websocketproxy: couldn't upgrade websocket: request origin not allowed by Upgrader.CheckOrigin

Do I need to configure something manually to allow websockets on Proxy Rule ?
Thanks for your help!

Host Environment (please complete the following information):
Zoraxy running with docker compose:
Version 3.0.0
Build Release
Running Since 8 Mar 2024 15:38:40 ( 21 minutes, 40 seconds ago)
ZeroTier Linked Link Error
Enable SSH Loopback Disabled

PastaGringo added the bug label Mar 8, 2024
@tobychui
Owner

tobychui commented Mar 9, 2024

Hi @PastaGringo

Thanks for the well written bug report! I will look into it later this weekend.
If possible, could you also provide me the settings for the reverse proxy which is supposed to be used with Nostr? (As I am not a nostr user, I have little to no knowledge of how it is supposed to be proxied.) For example, a section of the apache or nginx config that worked previously in your setup before you migrated to Zoraxy would be really helpful.

@PastaGringo
Author

Hi @tobychui,

You're welcome, Zoraxy seems very promising!

I don't have much information on the reverse proxy settings needed for a Nostr Relay, I think it's pretty basic. I wrote an article on how to self-host our Relay with Nginx Proxy Manager (here) but I didn't have to modify any setting in NPM except checking the option "websockets support":

IMG_20240309_081856.png

I will check into my NPM data today what setting it's applying to the proxy.

Thanks

@PastaGringo
Author

I checked the configuration file from my nostr proxy with Nginx Proxy Manager.
The only difference when I check the box "Websockets Support" is that NPM adds these lines to the "1.conf" file:

proxy_set_header Upgrade $http_upgrade;  
proxy_set_header Connection $http_connection;  
proxy_http_version 1.1;

Here is the complete nginx file:

# ------------------------------------------------------------
# nostr.fractalized.net
# ------------------------------------------------------------

map $scheme $hsts_header {
    https   "max-age=63072000;includeSubDomains; preload";
}

server {
  set $forward_scheme http;
  set $server         "strfry-fractalized-net";
  set $port           7777;

  listen 80;
listen [::]:80;

listen 443 ssl http2;
listen [::]:443 ssl http2;

  server_name nostr.fractalized.net;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-6/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-6/privkey.pem;

# Asset Caching
  include conf.d/include/assets.conf;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security $hsts_header always;

    # Force SSL
    include conf.d/include/force-ssl.conf;

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;

  access_log /data/logs/proxy-host-1_access.log proxy;
  error_log /data/logs/proxy-host-1_error.log warn;

  location / {

  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security $hsts_header always;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
    
    # Proxy!
    include conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

tobychui added a commit that referenced this issue Mar 10, 2024
- Removed Go HTTP client UA
- Added optional bypass of websocket origin check #107
- Added basic forward proxy for debug
- Fixed UI error in network utils tab
@tobychui
Owner

I tried to fix it by adding an optional bypass in the origin checking for the websocket proxy. Currently this setting can only be changed in the config file, so if you want to test it out asap, you can modify the following line in the config file with v3.0.1 (requires building from source)

{
 "ProxyType": 1,
 "RootOrMatchingDomain": "test.localhost",
 "Domain": "192.168.1.120",
 "RequireTLS": false,
 "BypassGlobalTLS": false,
 "SkipCertValidations": false,
 "SkipWebSocketOriginCheck": true, //Default this is false, change this to true and restart Zoraxy
 "VirtualDirectories": [],
 "UserDefinedHeaders": [],
 "RequireBasicAuth": false,
 "BasicAuthCredentials": [],
 "BasicAuthExceptionRules": [],
 "DefaultSiteOption": 0,
 "DefaultSiteValue": "",
 "Disabled": false
}

UI elements will be added later after I fixed a few more things in coming weeks.
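
Added example, not part of the thread and not Zoraxy's code: the error text in the log above is the one gorilla/websocket's Upgrader returns when its origin check rejects a handshake, and this sketch shows why the request from websocketking.com fails a same-origin rule and what a narrower per-origin allowlist looks like next to a full bypass. `sameOrigin`, `allowOrigins` and `upgradeRequest` are hypothetical names, and the requests are constructed from the hostnames in the report.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// sameOrigin: no Origin header (non-browser client) passes; otherwise the Origin host must equal Host.
func sameOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	return err == nil && strings.EqualFold(u.Host, r.Host)
}

// allowOrigins accepts same-origin requests plus an explicit list of scheme://host[:port] origins.
func allowOrigins(allowed ...string) func(*http.Request) bool {
	set := map[string]bool{}
	for _, o := range allowed {
		set[strings.ToLower(o)] = true
	}
	return func(r *http.Request) bool {
		u, err := url.Parse(r.Header.Get("Origin"))
		if err != nil {
			return false
		}
		return sameOrigin(r) || set[strings.ToLower(u.Scheme+"://"+u.Host)]
	}
}

// upgradeRequest builds a constructed handshake request as the proxy would receive it.
func upgradeRequest(host, origin string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	r.Host = host
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	r := upgradeRequest("nostr.fractalized.net", "https://websocketking.com")
	fmt.Println(sameOrigin(r), allowOrigins("https://websocketking.com")(r))
}
```

An allowlist only fits when the set of browser origins is known in advance; a relay that any web client may connect to has no such list, which is the case the bypass setting covers.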

@PastaGringo
Author

Thanks for the fix!

I tried the new release v.3.0.1 but I've a 404 error when I start the container:
Screenshot 2024-03-10 at 12 55 23

Here is my docker-compose file used to build and run the v3.0.1 (nearly the same as the main):

  zoraxy:
    image: zoraxydocker/zoraxy:v3.0.1
#    image: zoraxydocker/zoraxy:latest
    build:
      # src has been copied to docker directory to permit the image build
      context: ./BUILD/zoraxy/v3.0.1/docker
      dockerfile: Dockerfile
    container_name: zoraxy
    ports:
      - 80:80
      - 443:443
      - 8000:8000
    volumes:
      - ./zoraxy:/opt/zoraxy/config/
    environment:
      ARGS: '-noauth=false'

Here is the container logs:

Zoraxy version 
2024/03/10 10:34:52 [Auth] New authentication session key generated
2024/03/10 10:34:52 Static Web Server started. Listeing on :5487
2024/03/10 10:34:52 Environment variable ZT_AUTH not defined. Trying to load authtoken from file.
2024/03/10 10:34:52 Unable to read authkey at /var/lib/zerotier-one/authtoken.secret:  exit status 1
2024/03/10 10:34:52 [INFO] Failed to load ZeroTier controller API authtoken
2024/03/10 10:34:53 [INFO] Starting ACME handler
2024/03/10 10:34:53 [INFO] Inbound port not set. Using default (80)
2024/03/10 10:34:53 [INFO] TLS mode disabled. Serving proxy request with plain http
2024/03/10 10:34:53 [INFO] Force latest TLS mode disabled. Minimum TLS version is set to v1.0
2024/03/10 10:34:53 [INFO] Development mode disabled. Proxying with default Cache Control policy
2024/03/10 10:34:53 [INFO] Port 80 listener disabled
2024/03/10 10:34:53 [INFO] Force HTTPS mode disabled
2024/03/10 10:34:53 Reverse proxy service started in the background (Plain HTTP mode)
2024/03/10 10:34:53 [INFO] Dynamic Reverse Proxy service started
2024/03/10 10:34:53 [INFO] Uptime Monitor background service started
2024/03/10 10:34:53 [INFO] Assigned temporary port:56507
2024/03/10 10:34:53 [INFO] Zoraxy started. Visit control panel at http://localhost:8000
2024/03/10 10:35:22 [INFO] mDNS Startup scan completed
2024/03/10 10:39:53 Uptime updated -  1710067193
2024/03/10 10:44:53 Uptime updated -  1710067493
2024/03/10 10:49:53 Uptime updated -  1710067793

When I check the Zoraxy version running into the container:

docker exec -it zoraxy zoraxy -version
Zoraxy - Version 3.0.1

Did you run your test with the v3.0.1 containerized or installed locally?
Thanks

@tobychui
Owner

tobychui commented Mar 10, 2024

@PastaGringo The latest commit on v3.0.1 is running in debug mode, all the web files are not packed into the executable to reduce compile time.
If you can ssh into the container, copy the web folder into it and the web UI should be shown correctly.

@PastaGringo
Author

Thanks @tobychui.

I succeeded in getting the web UI back by copying "web" to its local docker zoraxy config folder:

cp -R BUILD/zoraxy/v3.0.1/src/web zoraxy/

I could also have done it with:

docker cp BUILD/zoraxy/v3.0.1/src/web zoraxy:/opt/zoraxy/config

I created the Proxy Rule as before, set the parameter "SkipWebSocketOriginCheck" to true, restarted Zoraxy and the websocket is now available 👍:
Screenshot 2024-03-10 at 14 31 37

I will stay on version v3.0.1 because I need the websocket working; I will let you know if I find new bugs!

Thanks for your help! (please come on Nostr, I will zap you a few sats ⚡ to thank you!)

@chatainsim

Is this feature available through webui now?
Thanks

@tobychui
Owner

> Is this feature available through webui now? Thanks

@chatainsim If an issue is closed, it means it is already available in the current build or it will not be fixed (usually with a won't fix label). If you have issues with websocket, feel free to create a new issue.

@chatainsim

Hi @tobychui no issue here. Just to know if we still need to edit file directly or if there is now a checkbox or a switch to activate web socket. Thanks

@tobychui
Owner

> Hi @tobychui no issue here. Just to know if we still need to edit file directly or if there is now a checkbox or a switch to activate web socket. Thanks

Websocket is now automated with a check box for Websocket origin check. But in 90% of casual self hosting use cases you can leave that setting to Zoraxy default.
