this post was submitted on 12 Jun 2023
10 points (100.0% liked)

Selfhosted

573 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Resources:

> Any issues on the community? Report it using the report flag.

> Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
10
[SOLVED] How to configure Lemmy instance nginx proxy for websockets? (lemmy.world)
submitted 1 year ago* (last edited 1 year ago) by penguin_ex_machina@lemmy.world to c/selfhosted@lemmy.world
24 comments fedilink hide all child comments
 

I'm playing around with my own instance of Lemmy but I keep getting a "websocket connection failed" error in my console. I'm having a really hard time understanding how to set up nginx for websockets - I'm more used to Apache and not familiar with WS at all. Is there documentation hiding somewhere that will help me set up my proxy forwarding properly?

EDIT: Solved! Check out my solution here: https://lemmy.world/comment/141648. Thanks everyone!

top 18 comments
sorted by: hot top controversial new old
[–] ubergeek77@lemmy.ubergeek77.chat 3 points 1 year ago (2 children)

If you're willing to use Caddy instead, it's infinitely easier. Websockets is just enabled by default, no shenanigans. Here is an example Caddyfile to use in a Docker deployment (but you can change those http urls to point to localhost for a non Docker deployment):

(caddy-common) {
    encode gzip
    header {
        -Server
        Strict-Transport-Security "max-age=31536000; include-subdomains;"
        X-XSS-Protection "1; mode=block"
        X-Frame-Options "DENY"
        X-Content-Type-Options nosniff
        Referrer-Policy  no-referrer-when-downgrade
        X-Robots-Tag "none"
    }
}

your.lemmy.url {
    import caddy-common
    reverse_proxy   http://lemmy-ui:1234

    @lemmy {
        path    /api/*
        path    /pictrs/*
        path    /feeds/*
        path    /nodeinfo/*
        path    /.well-known/*
    }

    @lemmy-hdr {
        header Accept application/*
    }

    handle @lemmy {
        reverse_proxy   http://lemmy:8536
    }

    handle @lemmy-hdr {
        reverse_proxy   http://lemmy:8536
    }

    @lemmy-post {
        method POST
    }

    handle @lemmy-post {
        reverse_proxy   http://lemmy:8536
    }
}

Caddy has some great plugins that allow you to automate https certificate renewal too, easy to add to any config.

I know you asked about nginx and I'm just telling you "haha just switch," but I had similar headaches with my own deployment when I tried using nginx, and I eventually just gave up and used Caddy. Saved me at least a few hours of headache.

[–] falcon15500@lemmy.nine-hells.net 2 points 1 year ago

A +1 from me for Caddy. It works quite well.

[–] penguin_ex_machina@lemmy.world 1 points 1 year ago

Hmmm I might consider this. I'll need to look into it more though, I've never heard of Caddy before. Thanks for the heads up :D

[–] nulldev@lemmy.vepta.org 2 points 1 year ago* (last edited 1 year ago) (1 children)

The default Lemmy nginx config should handle websockets properly. Are you putting it behind a second nginx layer?

[–] penguin_ex_machina@lemmy.world 1 points 1 year ago (1 children)

I might be. See my response here: https://lemmy.world/comment/101425

[–] nulldev@lemmy.vepta.org 2 points 1 year ago* (last edited 1 year ago)

I would recommend you ditch the second nginx layer. It's a waste of resources and it can cause a multitude of issues if the configuration isn't done correctly.

  • If you are hosting multiple domains on the same server, disable the nginx container in the docker-compose.yml file and copy Lemmy's nginx config into your system's nginx config (e.g. /etc/nginx/).
    • If you go this route you should also delete the lemmyexternalproxy network, delete internal: true on the lemmyinternal network (required to enable port forwarding) and add port forwards to the lemmy and lemmy-ui docker services. Here's what that would look like: https://www.diffchecker.com/vjfEFuz6/
  • If you are not hosting multiple domains on the same server, simply edit the port forwards in the docker-compose.yml file for the proxy service to bind to whatever your external facing IP is.
[–] aucubin@lemmy.aucubin.de 1 points 1 year ago (1 children)

The nginx config provided in the Docker installation part contains everything needed for nginx. If you are installing lemmy directly on the machine you may need to use different upstreams.

The websocket part is basically the

            # proxy common stuff
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";```
part in the nginx config on that page.
[–] penguin_ex_machina@lemmy.world 1 points 1 year ago (1 children)

I seem to be having a lot of lag at the moment, and my post was created twice so I'm just going to delete the other one and start from here...

So I have this set up per the instructions. My instance is on a Digital Ocean instance, and I'm using nginx on the host to point to localhost:1235, but that's about all that conf file is doing. Is there something else I need to do?

[–] aucubin@lemmy.aucubin.de 1 points 1 year ago* (last edited 1 year ago) (1 children)

Ok, just to understand what you did. You got an Digital Ocean droplet with Docker and used the instructions in the link I posted or different ones?

If you are using the instructions from my link nginx will also run in a docker container, which means that your upstream will not be on localhost, but rather the lemmy and lemmy-ui containers.

If you did install it locally then localhost:1235 could be correct.

[–] penguin_ex_machina@lemmy.world 0 points 1 year ago (1 children)

I think this is where my lack of experience with Docker is showing.

I spun up a DO droplet and installed nginx, Docker CE, and Docker Compose. Then I went through the instructions on the page you linked to and it set it up just fine but when I went to my droplets IP address it wouldn't connect. I had to add a config file that pointed traffic coming into the droplet on port 80 to redirect to the Docker container instead. Am I overcomplicating it?

[–] aucubin@lemmy.aucubin.de 1 points 1 year ago (1 children)

No, you are right. If you are using the nginx container from the docker installation guide then you will also need to add port 80 atleast in order to see anything, as nginx will otherwise not listen on the port 80 of the droplet.

How does your nginx.conf look now?

[–] penguin_ex_machina@lemmy.world 0 points 1 year ago (1 children)

The one meant for the Docker container or the one on the host?

[–] aucubin@lemmy.aucubin.de 2 points 1 year ago (2 children)

Ah, so you added another nginx on the host by installing it from the package store of the distro and have that proxy port 80 to the docker nginx?

If you do that then you also need to add the websocket settings I had in the first comment to the host nginx.

What I meant what that the nginx in the docker-compose from lemmy also listens to port 80 and you just need to add

server {
    listen 80;
    server_name my_domain.tld;

    location / {
        proxy_pass http://localhost:LEMMY_PORT;
        proxy_set_header Host $host;
        include proxy_params;
    }
}

to the nginx.conf of the container.

Then you should have it accessable from port 80 without the host nginx (of course you need to stop the host nginx then).

[–] penguin_ex_machina@lemmy.world 1 points 1 year ago

Ahaaaa ok. I'll try that a little later this afternoon. Thanks for explaining it to me.

[–] penguin_ex_machina@lemmy.world 1 points 1 year ago

So looking at this again now, am I taking that whole block and adding it to the container's nginx.conf? If so, does that mean I have to change what port it's currently listening to (because there's already a rule in the file for port 80)?

There's a comment in that server rule that says "this is the port inside docker" and a comment immediately after that says "this is facing the public web", which confuses me.

[–] pcouy@lemmy.pierre-couy.fr 1 points 1 year ago* (last edited 1 year ago)

Got it working on my instance by using the following config for the nginx outside of the docker container (you'll need to change the server_name from the server sections and the path to the ssl keys) :

upstream lemmy {
    # depending on your setup, you may want to update this
    server 127.0.0.1:1380;
}

server {
    listen 80;
    listen [::]:80;
    server_name lemmy.pierre-couy.fr;
    location / { return 301 https://$host$request_uri; }
}
server {
    listen      443 ssl;
    listen [::]:443 ssl;
    server_name lemmy.pierre-couy.fr;

    # TLS
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate     /etc/ssl/certs/pcouy.pem;
    ssl_certificate_key /etc/ssl/private/pcouy.key;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_pass http://lemmy;
        proxy_set_header Host $host;
        # include proxy_params;
    }

    location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
        proxy_pass "http://lemmy";
        # proxy common stuff
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Send actual client IP upstream
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
[–] thorfinn@lemmypets.xyz 1 points 1 year ago* (last edited 1 year ago) (1 children)

You can try add these to your nginx conf inside location / {:

proxy_set_header Connection "keep-alive, Upgrade";
proxy_set_header Upgrade websocket;

like this:

location / {
         .... 
         proxy_set_header Connection "keep-alive, Upgrade";
         proxy_set_header Upgrade websocket;
}

I launched my instance last weekend and this was my issue as too.

[–] penguin_ex_machina@lemmy.world 2 points 1 year ago

It's turns out, my issue was that I had nginx on both the host and Docker container, so the host wasn't forwarding the websocket requests like this. I just removed the host nginx and configured the Docker conf to look at port 80 and it worked!

load more comments
view more: next ›