
Browsers do not connect to aphlict (notification) server using SSL-terminating nginx reverse proxy
Closed, Resolved, Public

Description

Version Information

phabricator e3f4f051fea261c2f009b5a5d5b2f5b037d5d80b (Sat, Jun 4)
arcanist 2234c8cacc21ce61c9c10e8e5918b6a63cc38fc8 (Mon, May 16)
phutil e4f8b70e73faff0edeb3a310c0ff1d10b4b54949 (Fri, Jun 3)
sprint df6e9dee03e4dd0da551199df33b6d04bf096d32 (Apr 11 2016)

Setup (Steps to Reproduce)

Aphlict config

My aphlict.conf contains:

{
  "servers": [
    {
      "type": "client",
      "port": 22280,
      "listen": "0.0.0.0",
      "ssl.key": null,
      "ssl.cert": null,
      "ssl.chain": null
    },
    {
      "type": "admin",
      "port": 22281,
      "listen": "127.0.0.1",
      "ssl.key": null,
      "ssl.cert": null,
      "ssl.chain": null
    }
  ],
  "logs": [
    {
      "path": "/dev/stdout"
    }
  ],
  "pidfile": "/run/watch/aphlict"
}

Configure nginx ssl terminating reverse proxy

The ssl terminating nginx reverse proxy config is taken from the guide page:
https://secure.phabricator.com/book/phabricator/article/notifications/:

/etc/nginx/conf.d/connection_upgrade.conf
/etc/nginx/conf.d/websocket_pool.conf

  • I changed the 127.0.0.1 to the phabricator container

/etc/nginx/sites-enabled/phabricator.example.com.conf

Configure phabricator notification server connection

The notification.servers config contains:

[
  {
    "type": "client",
    "host": "phabricator.<changedForPrivacyReasons>.net",
    "port": 443,
    "protocol": "https",
    "path": "/ws/"
  },
  {
    "type": "admin",
    "host": "127.0.0.1",
    "port": 22281,
    "protocol": "http"
  }
]

Validating functionality

The notification server status page shows that everything is ready to start. The client connects to port 443 using https at the /ws/ subpath. The nginx proxy maps that to the non-SSL port 22280 of the aphlict server. The status shows 'connected'. The server itself is also connected.

The problem

The strange part is that the browsers (Chromium and Firefox) are not connecting as clients. The status page shows 0 active clients all the time. Nevertheless, the server correctly counts the messages as In messages, but here too the Out count remains 0. The Chrome developer tools show that no websocket connection is attempted. So it seems that the browsers are not aware of being able to connect to the websocket.

So I tested with external sites, like this:
https://www.websocket.org/echo.html
Using this site, I am able to connect to my notification server as a client using wss://phabricator.<changedForPrivacyReasons>.net/ws/. The client count also rises on the notification server status page. So I think the nginx reverse proxy configuration seems valid. But something prevents Phabricator in the browser from connecting.

Is anyone able to run the Phabricator notifications through the SSL-terminating nginx reverse proxy? Is there a flag somewhere to enable those notifications, which I missed?

Event Timeline

https://hub.docker.com/r/hachque/phabricator/ is not supported by this install

Also have you configured preamble.php?

We ran into this on a recent install - the fix was to configure the Preamble script to tell Phabricator it was being accessed over HTTPS (else it filtered out the HTTPS notification server) - check to see if "Connected" or "Disconnected" at the bottom of the notification popup (menu at the top of the screen - see this install). If you just get a grey bar at the bottom without either, you're hitting the same case where the client doesn't think it has a valid notification server.

Wow, thanks for your fast and precise answers!! Using the file

phabricator/support/preamble.php

with the content of

<?php

$_SERVER['HTTPS'] = true;

That is suggested here:
https://secure.phabricator.com/book/phabricator/article/configuring_preamble/

solved the problem. Thanks very much.

I would recommend highlighting the necessity of configuring preamble.php in the notifications configuration guide as well:
https://secure.phabricator.com/book/phabricator/article/notifications/

Configuring the Preamble script is important for reverse-proxied configurations (you probably need to set REMOTE_ADDR up as well), and required for many things - which is why it is part of the install guide.

Ad hoc linking all the documentation together isn't very useful, it might as well say "You need to have Phabricator installed to set up notifications".

EDIT: That mid-air collision status change survived better than expected.

EDIT 2: There is a task open to add client-side setup warnings for this stuff, which would be very useful - you sunk N hours into it, someone else in another task sunk 2 hours, and I lost about 2 hours as well trying to figure out what was going on (I trusted that the person doing the install had followed the documentation).

T10402 is the "check client/server agreement about HTTPS" task.
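
The preamble fix discussed in this thread, as an added example that is not part of the original task or of Phabricator's own code: it sets HTTPS and REMOTE_ADDR from proxy headers, but only when the request actually arrived from the reverse proxy. The proxy address and the use of the X-Forwarded-Proto and X-Forwarded-For headers are assumptions about the nginx setup, not values from the thread.

```php
<?php
// Added example: support/preamble.php for a TLS-terminating reverse proxy.
// Assumptions (not from the thread): the proxy address below, and that the
// proxy sets X-Forwarded-Proto and appends its peer to X-Forwarded-For.

// Hypothetical placeholder: address(es) the reverse proxy connects from.
$trusted_proxies = array('10.0.0.2');

$peer = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;

// Forwarded headers are client-controlled unless the request really came
// through the proxy, so honour them only for trusted peers.
if ($peer !== null && in_array($peer, $trusted_proxies, true)) {

  // Tell Phabricator the browser-facing scheme, so that "https"
  // notification servers are not filtered out for this request.
  if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
    $proto = strtolower(trim($_SERVER['HTTP_X_FORWARDED_PROTO']));
    if ($proto === 'https') {
      $_SERVER['HTTPS'] = true;
    }
  }

  // Restore the client address. Use the right-most entry: it is the one
  // appended by our proxy; anything to its left was supplied by the client.
  if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $hops = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
    $client = end($hops);
    if (filter_var($client, FILTER_VALIDATE_IP) !== false) {
      $_SERVER['REMOTE_ADDR'] = $client;
    }
  }
}
```

If the backend port is reachable by anything other than the proxy, keep the peer check: without it any client could claim an arbitrary REMOTE_ADDR or scheme by sending these headers itself.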