Websocket Dies when Proxy Host behind Wireguard VPN. #4680
Description
Checklist
- Have you pulled and found the error with
jc21/nginx-proxy-manager:latestdocker image?- Yes
- Are you sure you're not using someone else's docker image?
- Yes
- Have you searched for similar issues (both open and closed)?
- Yes
Describe the bug
NPM running in an LXC on Proxmox. Proxy Host, in this case Home Assistant, is behind NPM over a Wireguard VPN. The wireguard VPN ping across the VPN ranges from 45 to 100ms. The issue is that the Websocket connection dies after a period, circa 30s. The HTTP connection never drops and there is no network disruption between client, NPM, Wireguard and Home Assistant.
Topology is like this: HomeAssistant -> Wireguard VPN -> NPM (Proxmox Debian LXC) -> Browser (Mainly Firefox but tried Edge).
If I connect directly via IP:PORT to Home Assistant the websocket stays connected.
Interesting point - if I try the NPN community script (which I believe does not use docker) the connection remains up and tested for 14 hours. I have compared all the Nginx conf that I can find between a fresh NPM installation with only the one Proxy Host and the community version and there are no differences. I do not wish to use the community version, this is just a test.
It appears the only difference is one runs in docker and one does not (from what i can see). Looks like something about the docker setup does not like the latency.
Latest fresh docker from apt.
I have tried the following
- Running NPM in fresh Ubuntu LXC with only the Home Assistant Host configured.
- Running NPM in fresh Ubuntu VM with only the Home Assistant Host configured.
- Tried all manner of adding proxy_read_timeout, proxy_send_timeout, proxy_connect_timeout, keepalive_timeout, etc
- MTU is 1280 but tried down to 1200 on Proxmox Host, LXC, Docker, Wireguard. At both ends where applicable.
- Running docker as Privileged
- Compared LXC settings between community install and host running docker version - same.
- LXC TCP Keepalives
- Adding Healthcheck
- Adding IP_RANGES_FETCH_ENABLED: 'false'
- Adding X_FRAME_OPTIONS: "sameorigin"
- I have looked at the npm logs for the host and could not see any odd (but honestly not sure where to look)
TCP Keepalives i tried
sysctl -w net.ipv4.tcp_keepalive_time=120
sysctl -w net.ipv4.tcp_keepalive_intvl=30
sysctl -w net.ipv4.tcp_keepalive_probes=5
Docker config:
services:
app:
image: 'jc21/nginx-proxy-manager:latest'
restart: unless-stopped
ports:
# These ports are in format <host-port>:<container-port>
- '80:80' # Public HTTP Port
- '443:443' # Public HTTPS Port
- '81:81' # Admin Web Port
# Add any other Stream port you want to expose
# - '21:21' # FTP
- 3478:3478
- 3478:3478/udp
- 8080:8080
- 8554:8554
- 222:222
environment:
# Uncomment this if you want to change the ___location of
# the SQLite DB file within the container
# DB_SQLITE_FILE: "/data/database.sqlite"
# Uncomment this if IPv6 is not enabled on your host
DISABLE_IPV6: 'true'
volumes:
- ./data:/data
- ./letsencrypt:/etc/letsencrypt
Nginx Proxy Manager Version
v2.12.6
Expected behavior
Screenshots
Operating System
Proxmox Debian LXC, Proxmox Ubuntu LXC, Proxmox Ubuntu VM.
Additional context
I have 42 Proxy Hosts and any of those that use websocket do not suffer this, the only one that does is the host over the VPN.
One of those is a different Home Assistant instance but residing on the local lan being proxied by NPM. The websocket never dies in this case. The only host that suffers is the websocket proxied to an IP over the VPN. And if i use the Proxmox LXC community script version of NPM the websocket never dies.
As an additional note, the NPM install is to proxy hosts on my local network. For internet connections into my network I run native Nginx on an Ubuntu VPS tunneled over Wireguard to my network. A connection from the Internet to the Home Assistant via this route never drops the Websocket. Similar ping times.
I have exhausted everything I can think of! Any idea or request for logging most welcome!