
Mattermost on docker with host based nginx proxy giving websocket error

Hi,
I already have nginx running on a host and wanted to use Mattermost via docker. Here is what I did.

  • Cloned git repo
  • create and set folder permission
  • docker-compose up -d
  • created teams and logged in
  • enabled email notification via system settings and set SMTP host and other details. Test was successful.

Now I get 2 messages, one is to configure site url and then FF says “Firefox can’t establish a connection to the server at wss://mm.teej.xyz/api/v4/websocket.”

Here is my docker-compose.yml

    # Compose file format version, kept as a string.
    version: '3'

    services:

      # PostgreSQL backend. No host port is published for this service.
      db:
        build: db
        restart: unless-stopped
        read_only: true
        environment:
          - 'POSTGRES_USER=mmuser'
          # NOTE(review): this looks like the sample password. Use a unique
          # value and keep it in sync with MM_PASSWORD and the datasource URL
          # in the app service.
          - 'POSTGRES_PASSWORD=mmuser_password'
          - 'POSTGRES_DB=mattermost'
          # uncomment the following to enable backup
          # - AWS_ACCESS_KEY_ID=XXXX
          # - AWS_SECRET_ACCESS_KEY=XXXX
          # - WALE_S3_PREFIX=s3://BUCKET_NAME/PATH
          # - AWS_REGION=us-east-1
        volumes:
          - './volumes/db/var/lib/postgresql/data:/var/lib/postgresql/data'
          - '/etc/localtime:/etc/localtime:ro'

      # Mattermost application server.
      app:
        build:
          context: app
          # Build arguments in use: team edition, UID/GID args set to 2000.
          args:
            - 'edition=team'
            - 'PUID=2000'
            - 'PGID=2000'
        restart: unless-stopped
        environment:
          # Must match the db service's credentials and database name.
          - 'MM_USERNAME=mmuser'
          - 'MM_PASSWORD=mmuser_password'
          - 'MM_DBNAME=mattermost'
          # - VIRTUAL_HOST=mm.teej.xyz
          # Datasource built from the credentials above, in the format:
          # MM_SQLSETTINGS_DATASOURCE=postgres://${MM_USERNAME}:${MM_PASSWORD}@db:5432/${MM_DBNAME}?sslmode=disable&connect_timeout=10
          # sslmode=disable means the app-to-db connection is unencrypted; the
          # target host is the "db" service defined above.
          - 'MM_SQLSETTINGS_DATASOURCE=postgres://mmuser:mmuser_password@db:5432/mattermost?sslmode=disable&connect_timeout=10'
          # in case your config is not in default location
          # - MM_CONFIG=/mattermost/config/config.json
        # expose:
        #   - "8722:80"
        volumes:
          - './volumes/app/mattermost/config:/mattermost/config:rw'
          - './volumes/app/mattermost/data:/mattermost/data:rw'
          - './volumes/app/mattermost/logs:/mattermost/logs:rw'
          - './volumes/app/mattermost/plugins:/mattermost/plugins:rw'
          - './volumes/app/mattermost/client-plugins:/mattermost/client/plugins:rw'
          - '/etc/localtime:/etc/localtime:ro'
          # When you want to use SSO with GitLab, you have to add the cert pki chain of GitLab inside Alpine
          # to avoid Token request failed: certificate signed by unknown authority (link: https://github.com/mattermost/mattermost-server/issues/13059)
          # - <path_to_your_gitlab_pki>/pki_chain.pem:/etc/ssl/certs/pki_chain.pem:ro

      # Bundled nginx container in front of the app.
      web:
        build: web
        restart: unless-stopped
        read_only: true
        # Published on the loopback interface only: host port 5880 maps to
        # container port 80 and host port 6443 to container port 443, so a
        # proxy running on the host is the only external way in.
        ports:
          - '127.0.0.1:5880:80'
          - '127.0.0.1:6443:443'
        volumes:
          # This directory must have cert files if you want to enable SSL
          - './volumes/web/cert:/cert:ro'
          - '/etc/localtime:/etc/localtime:ro'

I know nginx is not required here, but I don't know if that's causing the issue.
On my server host I have nginx running, configured as below:

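# TLS-terminating reverse proxy on the host for mm.teej.xyz. Both locations
# forward to the port that the compose file on this page publishes for its
# "web" service (127.0.0.1:5880 -> container port 80).
server {
  listen 443 ssl http2;
  server_name mm.teej.xyz;

  ssl_certificate /etc/letsencrypt/live/teej.xyz/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/teej.xyz/privkey.pem;

  #proxy_set_header X-Real-IP $remote_addr;

  # Enable TLS versions (TLSv1.3 is required upcoming HTTP/3 QUIC).
  ssl_protocols TLSv1.2 TLSv1.3;

  # Enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to
  # prevent replay attacks.
  #
  # @see: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
  # ssl_early_data on;
  #
  # NOTE(review): the ssl_ciphers line is cut off in the paste (the trailing
  # ">" looks like an editor's long-line marker). The real file has to finish
  # the list with a closing quote and ";".
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES>
  ssl_prefer_server_ciphers on;
  #ssl_session_cache shared:SSL:50m;
  # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  add_header Strict-Transport-Security max-age=15768000;
  # OCSP Stapling ---
  # fetch OCSP records from URL in ssl_certificate and cache them
  # NOTE(review): stapling needs a resolver, and ssl_stapling_verify needs
  # ssl_trusted_certificate; neither is set in this block, so confirm they
  # are configured at http level.
  ssl_stapling on;
  ssl_stapling_verify on;

  #add_header X-Early-Data $tls1_3_early_data;

  # WebSocket endpoint (wss://mm.teej.xyz/api/v4/websocket and the
  # /users/websocket variant).
  location ~ /api/v[0-9]+/(users/)?websocket$ {
    # nginx talks HTTP/1.0 to upstreams by default, and the Upgrade handshake
    # requires HTTP/1.1, so the version has to be set explicitly here.
    proxy_http_version 1.1;
    # Upgrade and Connection are hop-by-hop headers and are not forwarded
    # unless set explicitly.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    client_max_body_size 50M;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Frame-Options SAMEORIGIN;
    proxy_buffers 256 16k;
    proxy_buffer_size 16k;
    client_body_timeout 60;
    send_timeout 300;
    lingering_timeout 5;
    proxy_connect_timeout 90;
    proxy_send_timeout 300;
    proxy_read_timeout 90s;
    # Same upstream as "location /". The paste had port 5800 here, which the
    # compose file does not publish, so the WebSocket request had no backend.
    proxy_pass http://localhost:5880;
  }

  # Everything else: regular HTTP requests to the same upstream.
  location / {
    #proxy_read_timeout 310s;
    #proxy_set_header Host $host;
    #proxy_set_header Forwarded "for=$remote_addr;proto=$scheme";
    #proxy_set_header X-Forwarded-For $remote_addr;
    #proxy_set_header X-Forwarded-Proto $scheme;
    #proxy_set_header X-Real-IP $remote_addr;
    #proxy_set_header Connection "";
    #proxy_http_version 1.1;
    proxy_pass http://localhost:5880;
    client_max_body_size 50M;
    proxy_set_header Connection "";
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # proxy_set_header adds this to the request sent upstream. It is not a
    # response header, so on its own it gives browsers no framing policy.
    proxy_set_header X-Frame-Options SAMEORIGIN;
    proxy_buffers 256 16k;
    proxy_buffer_size 16k;
    proxy_read_timeout 600s;
    # The proxy_cache_* tuning below has no effect while proxy_cache itself
    # stays commented out.
    #proxy_cache mattermost_cache;
    proxy_cache_revalidate on;
    proxy_cache_min_uses 2;
    proxy_cache_use_stale timeout;
    proxy_cache_lock on;
    proxy_http_version 1.1;
  }
}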

I gave “https://mm.teej.xyz” as the site URL, left the other values unchanged, and restarted the app container. When I run Test Live URL, I get the error “Test unsuccessful: This is not a valid live URL.”

On top of the above, red ribbon with " Please check connection, Mattermost unreachable. If issue persists, ask administrator to check WebSocket port."

Can somebody please help.