Websocket error 403 when using ssl-termination

eee · November 17, 2022, 2:26pm

Hi,
I have datalore running as a docker container. Traffic needs to go through my haproxy, which performs ssl-termination.
Unfortunately when going through haproxy loading datalore fails. The browser tries to acces datalore using wss:// which results in an error 403.
Accessing the container directly (http://mydocker.host:8080) works since datalore is only accessed via ws://
This however is not an option for my deployment. I use the exact same haproxy configuration with other services which use websockets witthout any issues.

Do you have an ideas?

haproxy-config:

frontend extern
    mode http
    http-request set-header X-Forwarded-Proto https
    bind {external IPv4}:443 interface {interface} ssl crt {pathToCert} alpn h2,http/1.1
    bind {external IPv6}:443 interface {interface} ssl crt {pathToCert} alpn h2,http/1.1
    use_backend %[req.hdr(host),lower,map({pathToMapFile.map})]
    default_backend default

backend datalore
    mode http
    server datalore {myDockerHost}:8080

Socius · November 17, 2022, 11:27pm

Same Problem here using nginx. When I access it through the public ip it works. So it’s gotta be a problem with the reverse proxy. @eee did it work in previous versions?

eee · November 17, 2022, 11:42pm

@Socius this is my first time installing datalore therefore I have not and due to a lack of licenses can not test earlier versions.

Socius · November 18, 2022, 11:12am

Ok, so this is a problem with version 2022.3. It will work perfecty if you use version 2022.2.2 until a solution is found to nginx reverse proxy & sql command issue after upgrading to 2022.3 · Issue #25 · JetBrains/datalore-configs · GitHub. So just change the version number from 2022.3 to 2022.2.2 in your docker-compse.yaml

eee · November 18, 2022, 1:05pm

Can confirm, it works with 2022.2. Since I don’t have a license for this version, this is unfortunately not a solution

eee · November 18, 2022, 2:32pm

correction: also works with 2022.2.3 and my license seems to work with this version

Socius · November 18, 2022, 8:49pm

Yeah it is not an optimal solution because the wss connection for the collaboration socket still throws an error 403. But if you are solo you can use it without any problems

igro · November 21, 2022, 6:05pm

Hello @eee and @Socius,

Sorry for the confusion, it is required to specify DATALORE_PUBLIC_URL in the environment section (see example).

We will update the documentation to reflect that.

Thank you!

eee · November 21, 2022, 6:30pm

this resolves the issue