I’m running a go-ipfs daemon 0.4.23 on a dedicated server and have enabled the pubsub experiment. When I connect directly to that daemon from 2 clients, I can publish on one client and all subscribed clients get the message. Now I’m putting that daemon behind an Nginx SSL proxy, and when I subscribe using the official JS client (js-ipfs/ipfs-http-client, 43.0.1) the requests (
https://myhost:5051/api/v0/pubsub/sub?on-error=function+(err)+{
++++++++++console.error(err)%3B
++++++++}&arg=test) stall for 1 minute, then simply end without yielding anything. Of course all CORS headers on that API port are set.
I already put a lot of things in the nginx config (nothing worked), so this is more or less the current thing:
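location / {
    # Upstream is the daemon's HTTP API on loopback. This location has no
    # auth_basic or allow/deny rule, so whoever can reach the TLS port can reach
    # the API through it; the config posted later in this thread adds
    # auth_basic to the same proxy.
    proxy_pass http://127.0.0.1:5001;

    # Pass the client address and original scheme on to the upstream.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Header name corrected: the posted config spelled it "X-Fowarded-Proto".
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;

    # HTTP/1.1 towards the upstream, plus WebSocket upgrade pass-through.
    # Connection 'upgrade' is sent on every proxied request, not only on
    # WebSocket handshakes.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';

    # Only meaningful together with proxy_cache; none is configured here.
    proxy_cache_bypass $http_upgrade;

    # NOTE(review): as posted, pubsub/sub stalled for one minute behind this
    # location. That matches nginx's default 60s proxy_read_timeout combined
    # with response buffering; the reply in this thread turns buffering off.

    # Answer CORS preflight in nginx without contacting the daemon.
    if ($request_method = 'OPTIONS') {
        # '*' lets a page from any origin pass preflight; narrow it to the web
        # app's origin when that origin is known.
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Headers' 'Authorization,X-Requested-With,User-Agent,Range';
        add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT';
        add_header 'Access-Control-Max-Age' 1728000;
        # Media type and charset parameter are separated by ';'.
        add_header 'Content-Type' 'text/plain; charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
    }
}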
How do I configure SSL/Nginx so that web-based clients can subscribe?
I found the solution here: The progress=true option breaks upload via an Nginx reverse proxy · Issue #6402 · ipfs/go-ipfs · GitHub
The `location /` block in the nginx config needs these additional directives:
# These three directives go in the location that proxies the daemon API. They
# change how data is relayed and add no access control.
# Relay the request body to the upstream as it arrives instead of reading it in full first.
proxy_request_buffering off;
# Relay the upstream response to the client as soon as it is received instead of
# collecting it in nginx buffers, so a long-lived stream such as pubsub/sub is
# delivered message by message.
proxy_buffering off;
# Talk HTTP/1.1 to the upstream (nginx defaults to 1.0 for proxied requests).
proxy_http_version 1.1;
Uh wow, thank you for responding after a year. I must have figured that out sometime last year as well. I’ll just post my Nginx config here; it just works and has been running stably for more than a year now (it includes a gateway to a WebRTC-star server)
# Catch-all plain-HTTP server: default_server for port 80 on IPv4 and IPv6.
# It serves static files only; nothing in this block proxies to the IPFS daemon.
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
# "_" is a placeholder name; requests reach this block through default_server.
server_name _;
location / {
# Serve the matching file or directory, otherwise answer 404.
try_files $uri $uri/ =404;
}
}
#gateway 443
# TLS front end on 443 that relays every request to 127.0.0.1:8080 (labelled
# "gateway" in the comment above this block).
# NOTE(review): this block has no authentication or rate limiting. If the
# upstream gateway resolves arbitrary content paths, the host is a public
# gateway for anyone who finds it; confirm that is intended.
server {
# root/index appear unused: location / below proxies all requests.
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name your.ipfs.host; # managed by Certbot
location / {
proxy_pass http://127.0.0.1:8080;
# Preserve the requested host name for the upstream.
proxy_set_header Host $host;
# Only meaningful together with proxy_cache; none is configured in this block.
proxy_cache_bypass $http_upgrade;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
# Certificate, key and TLS parameters are written and renewed by Certbot.
ssl_certificate /etc/letsencrypt/live/your.ipfs.host/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/your.ipfs.host/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
#p2p endpoint 4041
# TLS listener on 4041 that relays HTTP requests to 127.0.0.1:4001.
# NOTE(review): 4001 is go-ipfs's default swarm port, which speaks libp2p rather
# than HTTP, while proxy_pass http:// expects an HTTP upstream. Confirm what
# listens on 4001 and whether this block does anything useful; if not, removing
# it closes one public port.
server {
# root/index appear unused: location / below proxies all requests.
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name your.ipfs.host; # managed by Certbot
location / {
proxy_pass http://127.0.0.1:4001;
proxy_http_version 1.1;
proxy_set_header Host $host;
# Only meaningful together with proxy_cache; none is configured in this block.
proxy_cache_bypass $http_upgrade;
}
listen [::]:4041 ssl ipv6only=on; # managed by Certbot
listen 4041 ssl; # managed by Certbot
# Same Certbot-managed certificate and TLS parameters as the 443 server.
ssl_certificate /etc/letsencrypt/live/your.ipfs.host/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/your.ipfs.host/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
#wss endpoint
# Secure WebSocket (wss) front end: TLS is terminated on port 4002 and the
# connection is relayed as plain WebSocket to 127.0.0.1:8081.
# Presumably 8081 is the daemon's WebSocket listener; verify against the daemon config.
server {
server_name your.ipfs.host;
listen [::]:4002 ssl ipv6only=on;
listen 4002 ssl;
ssl_certificate /etc/letsencrypt/live/your.ipfs.host/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/your.ipfs.host/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://127.0.0.1:8081;
# The WebSocket handshake needs HTTP/1.1 and the Upgrade/Connection pair
# forwarded to the upstream.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# No proxy_read_timeout is set, so nginx's 60s default applies to connections
# that stay silent.
}
}
#webstar wss endpoint
# Secure WebSocket front end for the WebRTC-star server mentioned in the post:
# TLS is terminated on port 9091 and relayed to 127.0.0.1:9090.
# NOTE(review): no access control in this block; anyone who can reach 9091 can
# use the upstream service. Confirm that is intended.
server {
server_name your.ipfs.host;
listen [::]:9091 ssl ipv6only=on;
listen 9091 ssl;
ssl_certificate /etc/letsencrypt/live/your.ipfs.host/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/your.ipfs.host/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://127.0.0.1:9090;
# The WebSocket handshake needs HTTP/1.1 and the Upgrade/Connection pair
# forwarded to the upstream.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
#basic authed api endpoint 5051
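# TLS front end on 5051 for the daemon's HTTP API, protected with HTTP basic
# auth. The go-ipfs API has no authentication of its own and allows full control
# of the node, so the daemon should keep listening on 127.0.0.1:5001 only and
# this proxy should be the only path in.
server {
    server_name your.ipfs.host;
    listen [::]:5051 ssl ipv6only=on;
    listen 5051 ssl;
    ssl_certificate /etc/letsencrypt/live/your.ipfs.host/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/your.ipfs.host/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_pass http://127.0.0.1:5001;

        # Pass the client address and original scheme on to the upstream.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Header name corrected: the posted config spelled it "X-Fowarded-Proto".
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        # The fix quoted earlier in this thread: relay request and response data
        # as it arrives so streaming endpoints such as pubsub/sub are not held
        # back in nginx buffers.
        proxy_request_buffering off;
        proxy_buffering off;
        client_body_buffer_size 128k;

        # CORS preflight is answered here without credentials: "return" runs in
        # the rewrite phase, before auth_basic is evaluated. Browsers send
        # preflight requests without an Authorization header, so this is required.
        # Only OPTIONS takes this path; every other method still needs to pass
        # basic auth.
        if ($request_method = 'OPTIONS') {
            # '*' lets a page from any origin pass preflight; the real request
            # still needs valid credentials. Narrow it to the web app's origin
            # when that origin is known.
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Headers' 'Authorization,X-Requested-With,User-Agent,Range';
            add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT';
            add_header 'Access-Control-Max-Age' 1728000;
            # Media type and charset parameter are separated by ';'.
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }

        # Credentials are checked against the htpasswd file. Basic auth sends
        # the password with every request, so this endpoint must stay TLS-only.
        auth_basic "Only authenticated users are allowed here.";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}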
#default http -> https redirection
# Plain-HTTP listener for your.ipfs.host: redirects to HTTPS, so no proxied
# endpoint is served over port 80.
server {
# Certbot-generated guard: redirect to the same host and URI over HTTPS.
if ($host = your.ipfs.host) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name your.ipfs.host;
# Reached only when the Host header did not match the check above.
return 404; # managed by Certbot
}