Detail the solution for Nginx reverse agent WebSocket to respond to 403
- 2020-05-14 05:58:01
- OfStack
When Nginx reverse agent 1 Spring Web program (source code address) with WebSocket function, it is found that 403 response always appears when accessing WebSocket interface. The configuration of Nginx refers to the official documents:
http {
// ssl The related configuration ...
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 8020;
location /ws {
proxy_pass http://some-ip:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
}
The only difference is that our Nginx is configured with https.
Open the Spring log to see the difference between direct access and access via Nginx.
Direct access log:
DEBUG ... o.s.web.servlet.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/ws/gs-guide-websocket/786/kz0qai5l/websocket]
DEBUG ... s.w.s.m.m.a.RequestMappingHandlerMapping : Looking up handler method for path /gs-guide-websocket/786/kz0qai5l/websocket
DEBUG ... s.w.s.m.m.a.RequestMappingHandlerMapping : Did not find handler method for [/gs-guide-websocket/786/kz0qai5l/websocket]
DEBUG ... o.s.w.s.s.s.WebSocketHandlerMapping : Matching patterns for request [/gs-guide-websocket/786/kz0qai5l/websocket] are [/gs-guide-websocket/**]
DEBUG ... o.s.w.s.s.s.WebSocketHandlerMapping : URI Template variables for request [/gs-guide-websocket/786/kz0qai5l/websocket] are {}
DEBUG ... o.s.w.s.s.s.WebSocketHandlerMapping : Mapping [/gs-guide-websocket/786/kz0qai5l/websocket] to HandlerExecutionChain with handler [org.springframework.web.socket.sockjs.support.SockJsHttpRequestHandler@307f6b8c] and 1 interceptor
DEBUG ... o.s.web.servlet.DispatcherServlet : Last-Modified value for [/ws/gs-guide-websocket/786/kz0qai5l/websocket] is: -1
DEBUG ... o.s.web.cors.DefaultCorsProcessor : Skip CORS processing: request is from same origin
DEBUG ... o.s.w.s.s.t.h.DefaultSockJsService : Processing transport request: GET http://localhost:8080/ws/gs-guide-websocket/786/kz0qai5l/websocket
DEBUG ... o.s.web.servlet.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG ... o.s.web.servlet.DispatcherServlet : Successfully completed request
Logs accessed via Nginx:
DEBUG ... o.s.web.servlet.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/ws/gs-guide-websocket/297/jp1c3ab5/websocket]
DEBUG ... s.w.s.m.m.a.RequestMappingHandlerMapping : Looking up handler method for path /gs-guide-websocket/297/jp1c3ab5/websocket
DEBUG ... s.w.s.m.m.a.RequestMappingHandlerMapping : Did not find handler method for [/gs-guide-websocket/297/jp1c3ab5/websocket]
DEBUG ... o.s.w.s.s.s.WebSocketHandlerMapping : Matching patterns for request [/gs-guide-websocket/297/jp1c3ab5/websocket] are [/gs-guide-websocket/**]
DEBUG ... o.s.w.s.s.s.WebSocketHandlerMapping : URI Template variables for request [/gs-guide-websocket/297/jp1c3ab5/websocket] are {}
DEBUG ... o.s.w.s.s.s.WebSocketHandlerMapping : Mapping [/gs-guide-websocket/297/jp1c3ab5/websocket] to HandlerExecutionChain with handler [org.springframework.web.socket.sockjs.support.SockJsHttpRequestHandler@307f6b8c] and 1 interceptor
DEBUG ... o.s.web.servlet.DispatcherServlet : Last-Modified value for [/ws/gs-guide-websocket/297/jp1c3ab5/websocket] is: -1
DEBUG ... o.s.w.s.s.t.h.DefaultSockJsService : Processing transport request: GET http://localhost:8080/ws/gs-guide-websocket/297/jp1c3ab5/websocket
DEBUG ... o.s.w.s.s.s.OriginHandshakeInterceptor : Handshake request rejected, Origin header value https://some-host.com not allowed
DEBUG ... o.s.w.s.s.s.HandshakeInterceptorChain : org.springframework.web.socket.server.support.OriginHandshakeInterceptor@25ce6ad4 returns false from beforeHandshake - precluding handshake
DEBUG ... o.s.web.servlet.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG ... o.s.web.servlet.DispatcherServlet : Successfully completed request
Note the following entry in the direct access log:
DEBUG ... o.s.web.cors.DefaultCorsProcessor : Skip CORS processing: request is from same origin
The log accessed via Nginx contains the following:
DEBUG ... o.s.w.s.s.s.OriginHandshakeInterceptor : Handshake request rejected, Origin header value https://some-host.com not allowed
Then Google queries the relevant solution and finds this issue on github, so just modify the configuration of Nginx and add proxy_set_header Origin ""; We have to do is:
http {
// ssl The related configuration ...
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 8020;
location /ws {
proxy_pass http://some-ip:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Origin "";
}
}
}