Issue with LiveView using Dokku – websocket failing

Hello Folks!

I am deploying a small test project using Dokku and DigitalOcean, but I’m not able to get the LiveView working properly even after two days of experiments. I followed the steps as described in Deploy a Phoenix app with Dokku and Digital Ocean | AV with few tweaks on the elixir/erlang versions, and I’m using the default Esbuild.

The problem seems related to how Nginx is configured but even following these instructions Using NGINX as a WebSocket Proxy the websocket connection is still failing.

The issue might be somewhere else, maybe you can point me in the right direction. Below you find the error I get by enabling liveSocket.enableDebug() which you can also check at this URL https://evepeak.com/enduro-time

app-43225e7c9981857a04b1c349ea5eb174.js?vsn=d:1 WebSocket connection to 'wss://evepeak.com/live/websocket?_csrf_token=LG8SLy5zKx0BFlg9dwU8DQc9Gx07Ij0Lm5PaVCAtHP4Z5on8HDKZXJNQ&_track_static%5B0%5D=https%3A%2F%2Fevepeak.com%2Fassets%2Fapp-12403e086a772b88f325d7f94661e032.css%3Fvsn%3Dd&_track_static%5B1%5D=https%3A%2F%2Fevepeak.com%2Fassets%2Fapp-43225e7c9981857a04b1c349ea5eb174.js%3Fvsn%3Dd&_mounts=0&vsn=2.0.0' failed: 
connect @ app-43225e7c9981857a04b1c349ea5eb174.js?vsn=d:1
e @ app-43225e7c9981857a04b1c349ea5eb174.js?vsn=d:17
connect @ app-43225e7c9981857a04b1c349ea5eb174.js?vsn=d:17
(anonymous) @ app-43225e7c9981857a04b1c349ea5eb174.js?vsn=d:17
(anonymous) @ app-43225e7c9981857a04b1c349ea5eb174.js?vsn=d:17
app-43225e7c9981857a04b1c349ea5eb174.js?vsn=d:1 phx-FvDVpr_eT_6qxAah destroyed: the child has been removed from the parent -  undefined
app-43225e7c9981857a04b1c349ea5eb174.js?vsn=d:1 phx-FvDVpr_eT_6qxAah join: encountered 103 consecutive reloads -  undefined
app-43225e7c9981857a04b1c349ea5eb174.js?vsn=d:1 phx-FvDVpr_eT_6qxAah join: exceeded 10 consecutive reloads. Entering failsafe mode -  undefined
app-43225e7c9981857a04b1c349ea5eb174.js?vsn=d:1 phx-FvDVpr_eT_6qxAah error: view crashed -  undefined

This is my first post so thank you for having me here and sorry for jumping straight to a question… I hope I can be useful too in the future…

Thanks a lot in advance!
Tommaso

1 Like

What is the root folder of you app? Are you serving LiveView app directly from https://evepeak.com and enduro-time is route in Phoenix router? Or is NGINX serving it from enduro-time virtual directory? Because if it’s latter LiveSocket it trying to connect to wrong route wss://evepeak.com/live in that case it should be wss://evepeak.com/enduro-time/live. I think Phoenix supports base url/path.

Hi! /enduro-time is a live route of the main application running from evepeak.com

ws connection seems established, so possibly check_origin config issue causing the 403

1 Like

Hi @evadne how can you tell that there is a 403? This is my configuration with the check_origin details:

socket "/live", Phoenix.LiveView.Socket,
    websocket: [connect_info: [session: @session_options]],
    check_origin: ["http://evepeak.com", "https://evepeak.com", "ws://evepeak.com", "wss://evepeak.com"]

Hi. Possibly not it then. I got that myself when trying the endpoint.

Is nginx properly configured? I remember that I needed a file nginx.conf.sigil with something like this inside:

location ~ live/websocket {
    proxy_http_version 1.1;
    proxy_set_header Origin '';
    proxy_set_header X-Forwarded-Host $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_pass  http://{{ $.APP }}-{{ $upstream_port }};
    break;
  }

1 Like

Hi @egze, I did configure Nginx but I omitted the proxy_set_header Origin ... as @evadne suspected it was indeed an issue with check_origin configuration. I assumed it would be correctly set by the proxy but clearly it was not. After days of experiments now it’s solved! Thanks a lot to you all!

1 Like

With dokku 0.27.1 there is no need to modify the nginx configuration. If your websocket fails to connect then you probably aren’t telling your app what domain name you’re using and so the check_origin check is failing.

You can confirm this by looking in the logs of your app for a line like “Could not check origin for Phoenix.Socket transport”.

dokku config:set your-app-name PHX_HOST=your-public-domain-name is probably all you need.

If you instead do proxy_set_header Origin ''; in the nginx file, you’re removing all origin checks, which is equivalent to setting check_origin: false. The docs advise against doing this:

If false, your app is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. Only use in development, when the host is truly unknown or when serving clients that do not send the origin header, such as mobile apps.

The default liveview websockets use CSRF tokens, I think, so they’re probably not vulnerable, but it’s something to be careful about.

If your app uses liveview/websockets on multiple domains you will need to explicitly configure check_origin for your endpoint (this is the case whether or not you use dokku).

1 Like