Websocket connection works on localhost, but get 403 error when deployed via docker

For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error:

WebSocket connection to 'wss://web.my-app.convox/socket/websocket?userToken=726&vsn=1.0.0' failed: Error during WebSocket handshake: Unexpected response code: 403

I have also tried ws:// instead of wss:// and got the same result.

I used to have BasicAuth running in my app, but I have removed it.

My user_socket.ex file is as follows:

defmodule MyAppWeb.UserSocket do
	use Phoenix.Socket

	## Channels
	channel "vw:*", MyAppWeb.VowpalWabbitChannel

	## Transports
	transport :websocket, Phoenix.Transports.WebSocket, check_origin: false

	def connect(_params, socket) do
		{:ok, socket}
	end

	def id(_socket) do
		nil
	end
end

What can i do to connect to my websocket in a non-dev environment?

Thanks.

I decided to check some files in the config directory. prod.exs looks like this:

use Mix.Config

config :my_app, MyAppWeb.Endpoint,
  load_from_system_env: true,
  url: [host: "example.com", port: 80],
  cache_static_manifest: "priv/static/cache_manifest.json"

config :logger, level: :info

import_config "prod.secret.exs"

I’m not sure if there is any significance to url: [host: "example.com", port: 80], – I’m just running the app on some random AWS domain at the moment.

Would adjusting anything in this file help resolve the 403 I’m getting when trying to connect via websocket?

Ultimately I will want this app to be accessible via websockets from multiple domains – at least a dozen or so – do I have to list all these domains somewhere?

You probably want to set the check_origin option. By default I believe its whatever protocol, host, and port you set your host to. You’ll need to add any additional hosts to it there.

Thanks, @karmajunkie – I have set check_origin to false in both my user_socket.ex file as follows:

transport :websocket, Phoenix.Transports.WebSocket, check_origin: false

and also in my prod.exs file as follows:

config :my_app, MyAppWeb.Endpoint,
  load_from_system_env: true,
  # url: [host: "example.com", port: 80],
  check_origin: false,
  cache_static_manifest: "priv/static/cache_manifest.json"

Is there any other place where I would need to set check_origin to false?

You’ll probably want to do that in your socket transport as well, see options on the transport documentation: https://hexdocs.pm/phoenix/Phoenix.Transports.WebSocket.html#content

Isn’t this line doing it on the socket transport as well?

transport :websocket, Phoenix.Transports.WebSocket, check_origin: false

Yep, i missed that in your earlier message. Those are the only places you’d need to set it AFAIK. If its still an issue you’ll probably want to try to create a minimal reproduction repo and post a link here or ask on the slack phoenix channel.

Looking at your error, if you’re getting a 403 it may also be your authentication mechanism. Have you got any plugs like guardian that might be returning the 403 before your socket authenticates? You said earlier that you’d removed the Basic auth, so if that’s your only authentication you probably shouldn’t be getting a 403.

From a security perspective, I would defintely not recommend disabling the origin check. It’s there for a reason, and disabling it to “just make it work” isn’t the right way to go.

IF your issue has to do with the origin, make sure to provide a whitelist of allowed origins, instead of completely disabling the check.

1 Like

@matiso Yes, my intention is to add the security back in one step at a time, but first I just want to be able to connect to my websocket.

Did you ever solve this? I am having the same problem. Websocket works on localhost but get 403 Forbidden when deployed on DigitalOcean in a Docker container.

@jononomo I just ran into this too. The way I fixed it is to use the check_origin option as suggested above, but instead of setting it false set it to a list of domains like

check_origin: ["//localhost", "//mycoolwebsite.com"]

where mycoolwebsite.com is the domain for your DigitalOcean Docker container.

5 Likes

Hi, I was having this problem and your answer worked. I had to change it in user_socket.ex and prod.exs.

1 Like