Running fleet-ui behind Nginx - per unit operation doesn't work

[xueshanf]

I am trying to put Nginx before fleet-ui to protect the app. The first fleet dashboard renders fine, but when I click on a unit, the sub window doesn't show status and all buttons are inactive (un-clickable). Running it on port 3000 without the proxy works fine.

The flow is basically like this:

Client request -> ELB port 443 -> Nginx basic auth -> FleetUI port 3000.

Any ideas how to make this work?

[subicura]

It seems.. websocket issue.(not test yet) You should add websocket option to nginx. Or use socket.io library instead of websocket.

[xueshanf]

@subicura thank you for the reference! I was testing websocket configuration but could not make it work.

I disabled ELB SSL termination (just use plain TCP 443-> TCP->8083) and let Ngnix does the SSL termination. The basic function works like before, but when clicking on a unit to get status, I got no response. The same screenshot like above without websocket configuration. My Chrome browser does support websocket. The Chrome Dev Tool doesn't seem to show the ws connection upgrade hands-shaking.

More thoughts? I will document once I get this working!

Here is the nginx configuration:

upstream fleetui {
    server 10.0.42.12:3000;
}

# Websocket configuration
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    server_name fleetui.exmple.com;

    # Use websocket. cannot termiate SSL at ELB.
    listen 8083;

    ssl on;
    ssl_certificate /etc/nginx/certs/fleetui.crt;
    ssl_certificate_key /etc/nginx/certs/fleetui.key;
    proxy_set_header Host             $http_host;   # required for docker client's sake
    proxy_set_header X-Real-IP        $remote_addr; # pass on real client's IP
    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
    chunked_transfer_encoding on;


    location / {
        auth_basic            "Restricted";
        auth_basic_user_file  /etc/nginx/certs/fleetui.htpasswd;
        proxy_pass http://fleetui;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    location /_ping {
        auth_basic off;
        proxy_pass http://fleetui;
   }
}

[xueshanf]

Okay I got it working. This setup uses HTTPS which requires secure websocket protocol wss://. I made changes in controller/unit.js file.

But this breaks the plain HTTP request for unit journal logs. Not sure what's the best solution. Maybe for dev environment, use ws://, for production, use wss://. Or make another configuration setting for it.

You can close this issue.