How to properly configure nginx ssl for working with docker-compose and django-channel ssl socket

I have a django project with django-channels 2.X inside. Locally it works perfectly, but in production I have a problem connecting this socket with the front-end.

8:675 WebSocket connection to 'wss://air.my-server.com/excel-worker/' failed: Error in connection establishment: net::ERR_NOT_IMPLEMENTED

My app has an SSL certificate from LetsEncrypt.

I've already tried all the recommendations from here https://channels.readthedocs.io/en/latest/deploying.html and almost all that I've found on Stackoverflow and Github (example: https://github.com/django/channels/issues/919 ). I've also tried to configure nginx according to this https://www.nginx.com/blog/websocket-nginx/ but without luck.

I'm sure the problem is in my Nginx config.

docker-compose.yml

version: '3.0'

services:

  project_db:
    image: postgres:9.6
    container_name: air-db
    volumes:
      - ./src/data:/var/lib/postgresql/data
      - ./prj_config/docker-entrypoint-initdb.d/:/docker-entrypoint-initdb.d/
    restart: unless-stopped
    env_file:
      - prod.env

  project_redis:
    image: redis:latest
    container_name: aircraft-redis
    restart: unless-stopped
    expose:
      - 6379


  backend: &backend
    container_name: air-auto
    build:
      context: .
      dockerfile: Dockerfile
    command: sh -c "python manage.py makemigrations && python manage.py migrate && gunicorn service.wsgi -b 0.0.0.0:8112 --workers 1"
    restart: unless-stopped
    volumes:
      - ./src:/src
    depends_on:
      - project_db
      - project_redis
    ports:
      - 0.0.0.0:8112:8112
    env_file:
      - prod.env

  channel-worker:
    <<: *backend
    container_name: air-channels
    command: sh -c "daphne -e ssl:443:privateKey=privkey.pem:certKey=fullchain.pem -u /tmp/daphne.sock -p 8005 service.asgi:application -b 0.0.0.0"
    depends_on:
      - project_db
      - project_redis
    volumes:
      - /etc/letsencrypt/:/etc/letsencrypt/
    ports:
      - 0.0.0.0:8005:8005
      - 0.0.0.0:8006:443

nginx (sites-enabled)

server {
    listen 80;
    server_name my-server.com;

    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name my-server.com;

    ssl_certificate /etc/letsencrypt/live/my-server.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-server.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/my-server.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://my-server.com.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name air.my-server.com;

    ssl_certificate /etc/letsencrypt/live/air.my-server.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/air.my-server.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/air.my-server.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    location / {
        proxy_pass http://localhost:8112/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }


    location /excel-worker/ {
        proxy_pass http://0.0.0.0:8005/excel-worker/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    location /static {
        alias /path/to/my/staticfiles/;
    }

    location /media {
        alias /path/to/my/media/;
    }

    location /robots.txt {
       alias /path/to/my/robots.txt;
    }
}

Logger result when containers start

air-redis    | 1:M 15 Feb 2019 15:07:40.292 * DB loaded from disk: 0.000 seconds
air-redis    | 1:M 15 Feb 2019 15:07:40.292 * Ready to accept connections
air-auto-db  | LOG:  database system was shut down at 2019-02-15 15:06:41 UTC
air-auto-db  | LOG:  MultiXact member wraparound protections are now enabled
air-auto-db  | LOG:  database system is ready to accept connections
air-auto-db  | LOG:  autovacuum launcher started
air-channels | 2019-02-15 15:07:41,548 INFO     Starting server at ssl:443:privateKey=/etc/letsencrypt/live/air.my-server.com/privkey.pem:certKey=/etc/letsencrypt/live/air.my-server.com/fullchain.pem, tcp:port=8005:interface=0.0.0.0, unix:/tmp/daphne.sock
air-channels | 2019-02-15 15:07:41,549 INFO     HTTP/2 support enabled
air-channels | 2019-02-15 15:07:41,550 INFO     Configuring endpoint ssl:443:privateKey=/etc/letsencrypt/live/air.my-server.com/privkey.pem:certKey=/etc/letsencrypt/live/air.my-server.com/fullchain.pem
air-channels | 2019-02-15 15:07:41,554 INFO     Listening on TCP address 0.0.0.0:443
air-channels | 2019-02-15 15:07:41,555 INFO     Configuring endpoint tcp:port=8005:interface=0.0.0.0
air-channels | 2019-02-15 15:07:41,555 INFO     Listening on TCP address 0.0.0.0:8005
air-channels | 2019-02-15 15:07:41,556 INFO     Configuring endpoint unix:/tmp/daphne.sock
air-auto     | No changes detected
air-auto     | Running migrations:
air-auto     |   No migrations to apply.
air-auto     | [2019-02-15 15:07:43 +0000] [1] [INFO] Starting gunicorn 19.9.0
air-auto     | [2019-02-15 15:07:43 +0000] [1] [INFO] Listening at: http://0.0.0.0:8112 (1)
air-auto     | [2019-02-15 15:07:43 +0000] [1] [INFO] Using worker: sync
air-auto     | [2019-02-15 15:07:43 +0000] [20] [INFO] Booting worker with pid: 20

I need the django-channels part of my project and my front-end socket to make a handshake. As I said earlier, locally it works fine.

Any suggestions are welcome!

I figured it out.

The problem was in using a VPN. I switched it off and my websockets were able to perform the handshake and return messages.

Don't really know why this happened, but hope this will help someone.
