[Solved] WebSocket Error with NGINX

Looks like I’m unable to change the headline later on - so I have created this one with focus on NGINX configuration.

Post: Mattermost Discussion Forums - Discussion forums for Mattermost and our open source community is related to Apache2 configuration.

Based on the fact that I’m unable to get Mattermost working via HTTPS, I decided to go with the recommended way → NGINX

NGINX is running on a separate device (192.168.56.134). Mattermost is on 192.168.56.131.

Status is - HTTP is blocked by NGINX - which is fine - and HTTPS is working.
The BIG but is again the WebSocket Error.

Interesting bit is - if I’m accessing Mattermost from the local server via HTTP (with Apache2), I don’t see any WebSocket errors. Just issues with HTTPS.
If I’m accessing Mattermost via the NGINX server via HTTPS, I’m getting the following WebSocket error:

Here is my configuration (NGINX):

upstream backend {
    server 192.168.56.131:8065;
    keepalive 32;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;

server {
    server_name vmproxy-rd2.privat-net.intranet;

    location ~ /api/v[0-9]+/(users/)?websocket$ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        client_max_body_size 50M;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_buffers 256 16k;
        proxy_buffer_size 16k;
        client_body_timeout 60s;
        send_timeout 300s;
        lingering_timeout 5s;
        proxy_connect_timeout 90s;
        proxy_send_timeout 300s;
        proxy_read_timeout 90s;
        proxy_http_version 1.1;
        proxy_pass http://backend;
    }

    location / {
        client_max_body_size 50M;
        proxy_set_header Connection "";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_buffers 256 16k;
        proxy_buffer_size 16k;
        proxy_read_timeout 600s;
        proxy_http_version 1.1;
        proxy_pass http://backend;
    }

    listen 443 ssl http2;
    ssl_certificate /etc/ssl/certs/vmproxy-rd2.privat-net.intranet-self.crt;
    ssl_certificate_key /etc/ssl/private/vmproxy-rd2.privat-net.intranet-self.key;
    ssl_session_timeout 1d;

    # Enable TLS versions (TLSv1.3 is required for upcoming HTTP/3 QUIC).
    ssl_protocols TLSv1.2 TLSv1.3;

    # Enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to
    # prevent replay attacks.
    #
    # @see: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
    ssl_early_data on;

    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = six months)
    add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
}


server {
    if ($host = vmproxy-rd2.privat-net.intranet) {
        return 301 https://$host$request_uri;
    }

    listen 80 default_server;
    server_name vmproxy-rd2.privat-net.intranet;
    return 404;
}

FYI: I have to use self-signed certs and can’t use Let’s Encrypt. Let’s Encrypt is already installed once in the organisation. So let’s forget that part for the moment.

The Mattermost config file looks like this:

I have now searched nearly the whole day with minimal success - so big frustration.

Any help is more than welcome - it doesn’t matter if it is a solution for apache2 or NGINX.

Thank you in advance
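A small linter for two proxy-side properties the configuration above relies on: that the WebSocket location forwards the upgrade handshake, and that `ssl_early_data on` is paired with the `Early-Data` header its own comment calls for. This is an added example, not part of the original post; the parser is simplified (no `include`, no braces inside regexes, headers read at location level only) and `SAMPLE` is a constructed, abbreviated copy of the posted server block.

```python
import re

# Constructed sample: abbreviated copy of the server block posted above.
SAMPLE = '''
server {
    location ~ /api/v[0-9]+/(users/)?websocket$ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_pass http://backend;
    }
    ssl_early_data on;  # 0-RTT enabled, as in the post
}
'''
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def parse(tokens):
    """Consume tokens up to the matching '}'; return [(words, children|None)]."""
    items, words = [], []
    while tokens and (tok := tokens.pop(0)) != '}':
        if tok in ('{', ';'):
            items.append((words, parse(tokens) if tok == '{' else None))
            words = []
        else:
            words.append(tok.strip('"'))
    return items

def lint(text, early=False, items=None):
    """Findings for proxied locations; only location-level headers are read."""
    if items is None:
        items = parse(TOKEN.findall(re.sub(r'#.*', '', text)))
    early = early or (['ssl_early_data', 'on'], None) in items
    findings = []
    for words, children in items:
        if children is None:
            continue
        findings += lint(text, early, children)
        simple = [w for w, c in children if c is None]
        if words[:1] != ['location'] or not any(w[:1] == ['proxy_pass'] for w in simple):
            continue
        hdr = {w[1].lower(): w[2] for w in simple if len(w) == 3 and w[0] == 'proxy_set_header'}
        name = ' '.join(words)
        ws_ok = (hdr.get('upgrade') == '$http_upgrade' and ['proxy_http_version', '1.1'] in simple
                 and hdr.get('connection', '').lower() == 'upgrade')
        if 'websocket' in name and not ws_ok:
            findings.append((name, 'websocket upgrade not forwarded'))
        if early and hdr.get('early-data') != '$ssl_early_data':
            findings.append((name, 'Early-Data header not forwarded'))
    return findings
```

Forwarding `Early-Data` only helps if the backend acts on it; otherwise turning `ssl_early_data` off removes the replay exposure.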

I assume the solution for this post is the same as for the other post (WebSocket Setup - #9 by Pepe) → CORS settings.

I will not follow up on this one - I’m happy with the Apache2 solution :wink:

Yay! Thanks so much for following up with the solution, Pepe!