docker icon indicating copy to clipboard operation
docker copied to clipboard
verified publisher icon wger-project

nginx configuration causes issues in reverse proxy deployments

Open GhostInTheNN opened this issue 2 months ago • 0 comments

Problem Description

I encountered several issues when deploying wger in my home lab environment using the default docker configuration with a reverse proxy (Traefik).

Issues Encountered

  1. WebSocket connections fail - Login and real-time features don't work properly
  2. Django CSRF validation errors - Occurs when behind HTTPS reverse proxy
  3. Gunicorn connection failures - PROXY protocol mismatch between nginx and Gunicorn

Root Causes

1. Missing WebSocket Support

  • nginx config doesn't proxy Upgrade and Connection headers
  • This breaks WebSocket connections required for login and real-time features

2. X-Forwarded-Proto Handling

  • Current config sets X-Forwarded-Proto $scheme unconditionally
  • When behind reverse proxy (Traefik/Caddy), this overwrites the correct HTTPS value with HTTP
  • Django's CSRF protection fails because it thinks the request is HTTP when it's actually HTTPS

3. PROXY Protocol Mismatch

  • prod.env has --proxy-protocol True in GUNICORN_CMD_ARGS
  • nginx sends standard HTTP, not PROXY protocol format
  • This causes Gunicorn to fail parsing requests

Deployment Scenario

My setup (common for home labs):

User → [HTTPS] → Traefik → nginx → wger
  • Traefik terminates SSL and sets X-Forwarded-Proto: https
  • nginx currently overwrites this with http (its own $scheme)
  • Django sees HTTP and rejects CSRF tokens from HTTPS pages

Expected Behavior

The nginx configuration should:

  1. Support WebSocket connections
  2. Preserve X-Forwarded-Proto from upstream reverse proxy
  3. Fall back to nginx's $scheme for direct connections
  4. Use standard HTTP communication with Gunicorn (not PROXY protocol)

Impact

These issues prevent wger from working properly in common reverse proxy deployments, which are standard for:

  • Home labs with SSL termination
  • Enterprise environments with load balancers
  • Cloud deployments with ingress controllers

I've investigated these issues and have a PR ready with fixes and comprehensive tests. Happy to discuss the approach!

GhostInTheNN avatar Oct 20 '25 14:10 GhostInTheNN