docker icon indicating copy to clipboard operation
docker copied to clipboard
verified publisher icon wger-project

Fix nginx WebSocket and X-Forwarded-Proto handling for all deployment scenarios

Open GhostInTheNN opened this issue 2 months ago • 1 comments

Proposed Changes

  • Added map directive to nginx.conf for universal X-Forwarded-Proto handling (works with/without upstream reverse proxy)
  • Added WebSocket support headers (Upgrade, Connection) to nginx.conf
  • Extended timeouts for WebSocket connections in nginx.conf
  • Removed --proxy-protocol True from GUNICORN_CMD_ARGS in prod.env (incompatible with standard HTTP from nginx)
  • Added pytest test suite (7 tests with value validation) to validate nginx configuration
  • Added mock backend server for header validation testing
  • Added Docker Compose test environment
  • Added GitHub Actions CI/CD workflow for automated testing
  • Added test documentation in tests/README.md

Related Issue(s)

Closes wger-project/docker#138

Background

I encountered issues integrating wger into my home lab environment using the default docker configuration. After investigation, I identified two issues that affect deployments across various network configurations:

  1. Missing X-Forwarded-Proto fallback - The nginx configuration didn't handle scenarios without an upstream reverse proxy, causing Django CSRF validation failures
  2. Gunicorn PROXY protocol mismatch - The --proxy-protocol True flag was incompatible with nginx's standard HTTP communication

Testing

All changes have been validated locally and pass the test suite:

cd tests
docker compose -f docker-compose.test.yml up --abort-on-container-exit test
# Result: 7 passed

Tests cover:

  • Reverse proxy scenarios (HTTP/HTTPS preservation)
  • Direct connection fallback
  • WebSocket header proxying
  • Standard proxy headers (X-Real-IP, X-Forwarded-For, Host)

Deployment Scenarios Supported

✅ Behind reverse proxy (Traefik, Caddy, nginx) ✅ Direct connection ✅ Port forwarding with/without reverse proxy ✅ WebSocket connections

These changes are backwards compatible and don't break existing deployments.

GhostInTheNN avatar Oct 20 '25 15:10 GhostInTheNN

@GhostInTheNN I just now opened the pr, I had thought it was just a missing header or something like that, but you included a whole test suite! I'll properly look at it next ween when I'll have time

rolandgeider avatar Oct 29 '25 11:10 rolandgeider