
Following documentation on Aphlict+nginx results in empty client-port for Aphlict
Closed, Duplicate (Public)

Description

When using nginx to route WebSockets traffic, documentation specifies that notification.client-uri should be set to http://localhost/ws/, resulting in Aphlict client-port argument being set to an empty string. notification.client-uri should be set to http://localhost:22280/ws/ instead, or when parsing the uri, no empty client-port should be sent to Aphlict in order to use the default client port.
Aphlict should probably check the passed value is not empty before overwriting the default one.

Event Timeline

pmoreau raised the priority of this task from to Needs Triage.
pmoreau updated the task description.
pmoreau added a subscriber: pmoreau.

Out of curiosity, what's your reasoning for passing this through nginx instead of configuring a direct connection?

Getting through nginx I don't need to open another port in my firewall - I tend to close everything, and use SSH tunnels to connect to my IRC bouncer and so on - and I don't have to authorise aphlict to read my SSL private key as nginx is already configured to use SSL.

I think I fixed this in D11423, particularly:

$client_port = coalesce($this->clientPort, $client_uri->getPort());
if ($client_port) {
  $server_argv[] = '--client-port='.$client_port;
}

I have a few ideas on how to improve this.

Cool! :-)

The client-port parameter is parsed from notification.client-uri and automatically passed as an argument to aphlict start. Could the same behaviour be added to client-host? Maybe I should create a new task for that.

Some more comments, now that I managed to get it working - aka. the server receives connection from Phabricator, though it creates a new listener every 2 seconds and they never disconnect (due to passing through nginx?).

Setting a port in notification.client-uri sets it for client-port for the Aphlict daemon, but also for the WebSocket uri used by the "Phabricator web interface" (seems logical). However, if using nginx as a passthrough, we don't want to set a custom port for the WebSocket uri - as we will use either port 80 or 443 - only the client-port should be customised.

Regarding use cases, I have TLS locked down in Nginx and neither want to maintain a TLS configuration in multiple places nor even understand how to properly configure cipher suites, stapling, and other such things in the aphlict daemon (if it's even possible). A reverse proxy allows me to re-use my known good TLS configuration.

There's actually nothing wrong with the configuration in documentation, it's simply missing a piece of information (that you need to specify the port when starting aphlict). So that's the super easy fix.

The better fix, IMHO, would be to have aphlict use its default port if no port can be parsed from the URI, rather than its current behavior of simply not starting a listener.
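
The behaviour discussed in this task, as an added example that is not part of the thread and is not Phabricator's or Aphlict's own code: the launcher omits --client-port when the URI carries no port, and the server treats an absent or empty value as "use the default" while rejecting anything that is not a valid port. The function names are hypothetical, and 22280 as the default is an assumption taken from the port named in the task description.

```javascript
// Added example: hypothetical helpers, not Aphlict's own code.
const DEFAULT_CLIENT_PORT = 22280; // assumed default, from the port named in the task

// Port as written in notification.client-uri; '' when the URI names none.
function portFromUri(uri) {
  return new URL(uri).port;
}

// Launcher side: pass --client-port only when there is a value to pass.
function buildServerArgv(clientUri) {
  const argv = [];
  const port = portFromUri(clientUri);
  if (port !== '') argv.push('--client-port=' + port);
  return argv;
}

// Collect "--key=value" arguments; an empty value stays '' so it can be detected.
function parseArgv(argv) {
  const args = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) args[m[1]] = m[2];
  }
  return args;
}

// Server side: absent or empty means "use the default"; garbage is an error.
function resolveClientPort(raw, fallback = DEFAULT_CLIENT_PORT) {
  if (raw === undefined || raw === null || String(raw).trim() === '') {
    return fallback;
  }
  const text = String(raw).trim();
  const port = /^\d+$/.test(text) ? Number(text) : NaN;
  if (!(port >= 1 && port <= 65535)) {
    throw new Error('invalid --client-port value: ' + JSON.stringify(raw));
  }
  return port;
}

// Constructed inputs: the documented nginx URI, an explicit port, and the empty flag.
for (const argv of [
  buildServerArgv('http://localhost/ws/'),
  buildServerArgv('http://localhost:22280/ws/'),
  ['--client-port='],
]) {
  console.log(JSON.stringify(argv), '->', resolveClientPort(parseArgv(argv)['client-port']));
}
```

The WHATWG URL parser also reports an empty port when the URI spells out the scheme's default (for example :80 with http), so that case falls back to the default listen port as well.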

eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

I plan to separate this configuration and make these options all explicit, see T10697.