Mattermost, Inc.

[Solved] Safari failing in SSL with Nginx as reverse proxy

I can access my MM server with any browser and it works great in SSL except Safari (Mobile or Desktop). It fails with a generic 50X Server unexpectedly dropped the connection error. I use SSL on my Nginx reverse proxy with a CertCom cert.

If I browse locally (not encapsulated in SSL) or disable the SSL, it works fine. All my other SSL sites work fine. So it’s localized to my Nginx or SSL config for the specific site.

I see 2 errors I think may be a symptom.

[EROR] websocket connect err: web socket: could not find connection header with token ‘upgrade’

[EROR] /api/v1/websocket:connect code=500 rid=[random characters] uid=[random characters] ip=192.168.1.10 Failed to upgrade web socket connection [details: ]

=========================NGINX CONFIG====================

# Pass the client's Upgrade request through; otherwise close the connection
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

upstream mattermost {
    server 17.0.0.50:8065;
}

# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name __________.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name _____________.com;

    access_log /var/log/nginx/chat-access.log;
    error_log  /var/log/nginx/chat-error.log;

    ssl on;
    ssl_certificate /etc/nginx/certs/chat/ssl.crt;
    ssl_certificate_key /etc/nginx/certs/chat/dssl.key;
    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    location / {
        proxy_pass http://192.168.1.2:8065;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # WebSocket upgrade headers forwarded to the backend
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        client_max_body_size 4G;
        keepalive_timeout 10;
    }
}

Any chance you’re using Cloudflare or another proxy?

See: Cloudflare and websockets with SSL (free Cloudflare accounts block websocket connection)

I’m just using Nginx as my reverse proxy. There aren’t any more proxies in my set-up. Although that error is similar.

I got it. This serverfault post suggested that the poster add

ssl_session_cache shared:SSL:10m;

to the global Nginx config file, and it eliminated my problem as well.

http serverfault.com /questions /646142 /ssl-proxying-on-nginx-different-behavior-in-different-clients
(Had to chop it up. It’s not letting me post any links since I’m a new user.)
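
The two settings this thread turns on can be checked mechanically. The following is an added example, not part of any post above: a small Python linter that flags TLS server blocks with no effective `ssl_session_cache` and proxied locations missing the `Upgrade`/`Connection` headers named in the logged WebSocket error. The names `parse`, `audit`, `BEFORE`, `AFTER` and the hostname `chat.example.com` are made up for illustration, and the parser is a simplification (no `include` handling, `#` always starts a comment).

```python
import re

# Constructed sample modelled on the thread's config (hostname is a placeholder).
BEFORE = """server { listen 443 ssl; server_name chat.example.com; ssl on;
  location / { proxy_pass http://192.168.1.2:8065;
    proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } }"""
AFTER = "http { ssl_session_cache shared:SSL:10m;\n" + BEFORE + "\n}"

def parse(text):
    """Parse nginx config into nested (words, children); children is None for simple directives."""
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', re.sub(r"#[^\n]*", "", text))
    stack, words = [[]], []
    for tok in tokens:
        if tok == ";":
            if words:
                stack[-1].append((words, None))
            words = []
        elif tok == "{":
            stack[-1].append((words, []))
            stack.append(stack[-1][-1][1])  # descend into the new block's children
            words = []
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        elif tok != "}":
            words.append(tok)
    return stack[0]

def audit(text):
    """Return (server_name, issue) pairs for the two settings discussed in this thread."""
    findings = []
    def walk(kind, nodes, cache, headers, server):
        simple = [w for w, kids in nodes if kids is None]
        for w in simple:
            if w[0] == "ssl_session_cache":
                cache = w[1:]  # an inner context overrides the inherited value
        own = {w[1].lower() for w in simple if w[0] == "proxy_set_header" and len(w) > 2}
        headers = own or headers  # nginx inherits these only when this level sets none
        if kind == "server":
            server = next((w[1] for w in simple if w[0] == "server_name" and len(w) > 1), "?")
            tls = ["ssl", "on"] in simple or any(w[0] == "listen" and "ssl" in w for w in simple)
            if tls and cache in (None, ["none"]):  # unset means nginx's default, "none"
                findings.append((server, "no-session-cache"))
        if kind == "location" and any(w[0] == "proxy_pass" for w in simple):
            findings.extend((server, "missing-" + h) for h in ("upgrade", "connection") if h not in headers)
        for w, kids in nodes:
            if kids is not None:
                walk(w[0] if w else "", kids, cache, headers, server)
    walk("main", parse(text), None, set(), None)
    return findings
```

`audit(BEFORE)` reports the missing session cache for the sample server block, and `audit(AFTER)` returns an empty list once the directive is present at the `http` level.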