Running IPFS pubsub behind an ssl proxy

I’m running a go-ipfs daemon 0.4.23 on a dedicated server and activated the pubsub experiment. When I connect directly to that daemon from 2 clients I can publish on one client and all clients that subscribe get the message. Now I’m putting that daemon behind an Nginx SSL proxy, and when I subscribe using the official JS client (js-ipfs/ipfs-http-client, 43.0.1) the requests (
https://myhost:5051/api/v0/pubsub/sub?on-error=function+(err)+{ ++++++++++console.error(err)%3B ++++++++}&arg=test) stall for 1 minute, then simply stop without yielding anything. Of course all CORS headers on that API port are set.

I already put a lot of things in the nginx config (nothing worked), so this is more or less the current thing:

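location / {
    # This proxies the go-ipfs RPC API (daemon port 5001), which is an
    # administrative interface, not the content gateway. As written there is
    # no authentication in front of it — the later "basic authed api
    # endpoint" config in this thread adds auth_basic to the same location.
    proxy_pass http://127.0.0.1:5001;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Fixed from the misspelled "X-Fowarded-Proto": with the typo the backend
    # never received the standard header name.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    # NOTE(review): "Connection: upgrade" is sent on every request here, not
    # only on real WebSocket upgrades; the documented nginx pattern is a
    # `map $http_upgrade $connection_upgrade` at http level and
    # `proxy_set_header Connection $connection_upgrade;` in the location.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    # Streaming API responses (pubsub/sub, add?progress=true) stay inside
    # nginx's buffers until the upstream closes; turn buffering off in both
    # directions (this is the fix given in the reply below).
    proxy_request_buffering off;
    proxy_buffering off;

    # Preflight handling. `return` runs in the rewrite phase, so OPTIONS is
    # answered here without touching the upstream.
    if ($request_method = 'OPTIONS') {
        # NOTE(review): '*' lets any origin pass preflight; narrow this to
        # the web app's origin where possible. Actual (non-OPTIONS) responses
        # carry whatever CORS headers the daemon itself sends, not these.
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Headers' 'Authorization,X-Requested-With,User-Agent,Range';
        add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT';
        add_header 'Access-Control-Max-Age' 1728000;
        # Fixed: the media type and its parameter must be separated by ';'.
        add_header 'Content-Type' 'text/plain; charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
    }
}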

How to configure SSL/Nginx so the web based clients can subscribe?

I found the solution here: The progress=true option breaks upload via an Nginx reverse proxy · Issue #6402 · ipfs/go-ipfs · GitHub

the nginx `location /` block needs these additional directives:

                # Streaming API responses (pubsub/sub, add?progress=true) are
                # held back by nginx's buffering until the upstream closes;
                # disable it in both directions. HTTP/1.1 to the upstream is
                # needed for chunked transfer (nginx defaults to HTTP/1.0).
                proxy_http_version 1.1;
                proxy_buffering off;
                proxy_request_buffering off;

Uh wow, thank you for responding after a year. I must’ve figured that out sometime last year as well. I’ll just post my Nginx config here; it works and has run stably for more than a year now (it includes a gateway to a WebRTC-star server).

# Catch-all plain-HTTP vhost: serves static files from /var/www/html for any
# hostname that no other port-80 server matches (the redirect server for
# your.ipfs.host is defined separately below).
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name _;

  root /var/www/html;
  index index.html index.htm index.nginx-debian.html;

  location / {
    # Plain file lookup, then directory, otherwise 404.
    try_files $uri $uri/ =404;
  }
}

# gateway 443: TLS front for the IPFS HTTP gateway (daemon port 8080). This is
# the content gateway, not the RPC API, so it is left unauthenticated.
server {
  listen 443 ssl; # managed by Certbot
  listen [::]:443 ssl ipv6only=on; # managed by Certbot
  server_name your.ipfs.host; # managed by Certbot

  ssl_certificate /etc/letsencrypt/live/your.ipfs.host/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/your.ipfs.host/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

  # root/index are only reachable if proxy_pass below is ever removed.
  root /var/www/html;
  index index.html index.htm index.nginx-debian.html;

  location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }
}

# p2p endpoint 4041: TLS front for daemon port 4001.
# NOTE(review): this location forwards neither Upgrade nor Connection, so it
# cannot carry WebSocket traffic (compare the wss endpoints below); whatever
# listens on 4001 must speak plain HTTP for this to work — verify.
server {
    listen 4041 ssl; # managed by Certbot
    listen [::]:4041 ssl ipv6only=on; # managed by Certbot
    server_name your.ipfs.host; # managed by Certbot

    ssl_certificate /etc/letsencrypt/live/your.ipfs.host/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/your.ipfs.host/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    location / {
        proxy_pass http://127.0.0.1:4001;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

# wss endpoint: terminates TLS on 4002 and forwards WebSocket upgrades to the
# plain-ws listener on 8081. Host is not forwarded here, unlike the other
# vhosts. NOTE(review): idle sockets are closed by nginx's default
# proxy_read_timeout (60s) unless either side sends data — raise it if
# subscriptions drop while quiet.
server {
    listen 4002 ssl;
    listen [::]:4002 ssl ipv6only=on;
    server_name your.ipfs.host;

    ssl_certificate /etc/letsencrypt/live/your.ipfs.host/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/your.ipfs.host/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_pass http://127.0.0.1:8081;
        # WebSocket handshake needs HTTP/1.1 plus the two hop-by-hop headers.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
    }
}

# webstar wss endpoint: TLS on 9091 in front of the WebRTC-star signalling
# server on 9090; same WebSocket forwarding as the wss endpoint above.
# NOTE(review): idle sockets hit nginx's default proxy_read_timeout (60s)
# unless traffic flows — raise it if peers lose signalling while quiet.
server {
    listen 9091 ssl;
    listen [::]:9091 ssl ipv6only=on;
    server_name your.ipfs.host;

    ssl_certificate /etc/letsencrypt/live/your.ipfs.host/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/your.ipfs.host/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_pass http://127.0.0.1:9090;
        # WebSocket handshake needs HTTP/1.1 plus the two hop-by-hop headers.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
    }
}

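# basic authed api endpoint 5051: TLS + HTTP Basic auth in front of the go-ipfs
# RPC API (daemon port 5001). This port can administer the node, so the
# strength of the credentials in /etc/nginx/.htpasswd is what protects it;
# every listen here is ssl, so the credentials never travel in clear text.
server {
    listen 5051 ssl;
    listen [::]:5051 ssl ipv6only=on;
    server_name your.ipfs.host;

    ssl_certificate /etc/letsencrypt/live/your.ipfs.host/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/your.ipfs.host/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_pass http://127.0.0.1:5001;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Fixed from the misspelled "X-Fowarded-Proto": with the typo the
        # backend never received the standard header name.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        client_body_buffer_size 128k;
        # Streaming API responses (pubsub/sub, add?progress=true) stay inside
        # nginx's buffers until the upstream closes; this is the fix from the
        # earlier reply in this thread.
        proxy_request_buffering off;
        proxy_buffering off;

        # Preflight is answered before the access phase, so OPTIONS does not
        # require credentials (browsers never send them on preflight anyway);
        # every other method still has to pass auth_basic below.
        if ($request_method = 'OPTIONS') {
            # NOTE(review): '*' lets any origin pass preflight; narrow this
            # to the web app's origin where possible. Non-OPTIONS responses
            # carry whatever CORS headers the daemon itself sends, not these.
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Headers' 'Authorization,X-Requested-With,User-Agent,Range';
            add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT';
            add_header 'Access-Control-Max-Age' 1728000;
            # Fixed: the media type and its parameter are separated by ';'.
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }
        auth_basic "Only authenticated users are allowed here.";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}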

# default http -> https redirection for your.ipfs.host (Certbot-generated):
# the name match redirects, anything else on this vhost gets a 404.
server {
    listen 80 ;
    listen [::]:80 ;
    server_name your.ipfs.host;

    if ($host = your.ipfs.host) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    return 404; # managed by Certbot
}