[solved] Debian freezes dead while proxying WebSocket via 443 (https) from iPhone


ESXi v6.5.0
Debian v9.6
Nginx v1.10.3

System parameters:
CPU - 4
RAM - 2 GB


Debian 9.6 with 4 CPU cores is installed on the virtual machine.
Nginx is installed on Debian (I tried it with Apache2; the situation is the same).
Nginx is configured as a WebSocket reverse proxy (config at the end). Everything works fine until someone logs in from an iPhone, after which the system hangs hard.
The virtual machine shows the system CPU loaded at 25%, i.e. 1 core (2.5 GHz), the memory usage frozen at one value, and the network bitrate at 0; the system is completely dead.
There are virtually no logs; the system does not have time to react …
Only restarting the system helps.

What I tried to do:

  1. Wait in case it suddenly comes back to life … no, it does not come back to life.
  2. Track the CPU utilization with the htop utility: nothing is visible, the system dies instantly and htop does not have time to show anything.
  3. I tried using the htop utility to distribute the processes across the cores, that is, I pinned the nginx processes to the 4th core and all other processes to cores 1, 2 and 3 (I tried several different configurations) … no, it does not help.

Interesting fact:

If the certificate is incorrect, access.log does not show the iPhone requesting /ws, and the system does not die.
I.e., if the certificate is wrong, the iPhone asks for permission to connect to an unprotected host, and after permission is given it does not establish a connection to the WebSocket but only loads the web page, and the system keeps working.

If you configure via port 80 (http) then everything works fine.

What we have … Anyone with an iPhone can just kill the proxy server along with the entire system …

Nginx configuration:

upstream websocket {
    # backend server entries are not shown in the original post
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    root /var/www/html;
    client_max_body_size 50M;
    index index.html index.htm index.nginx-debian.html;
    server_name some.host.com;
    ssl_certificate /some_host_com_certificate.cert;
    ssl_certificate_key /some_host_com_key.key;

    # WebSocket reverse proxy: pass the Upgrade handshake through to the backend
    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
        proxy_pass http://websocket;
    }
}

Problem solved by adding the following lines to the nginx configuration:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- 
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
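
As an added example (not from the original post): a small Python check that flags TLS-enabled `server` blocks missing the directives the fix above sets explicitly, and also reports enabled protocol versions that are deprecated (TLS 1.0 and 1.1 by RFC 8996). The upstream address and the cipher name in the sample configs are constructed placeholders, and the simplified parser does not follow `include` files.

```python
import re

# Directives added by the fix in this thread; each is expected on a TLS listener.
REQUIRED = ("ssl_protocols", "ssl_ciphers", "ssl_prefer_server_ciphers",
            "ssl_session_cache", "ssl_session_timeout")
DEPRECATED = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")  # TLS 1.0/1.1: see RFC 8996

def tokenize(text):
    """Split nginx config into '{', '}', ';', quoted strings and bare words."""
    text = re.sub(r"#[^\n]*", "", text)  # simplification: '#' inside quotes unsupported
    return re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)

def audit(text):
    """Return {server_name: [findings]} for each server block with an ssl listener."""
    stack, stmt, report = [("main", {})], [], {}
    for tok in tokenize(text):
        if tok == "{":                      # block opens: stmt[0] is its name
            stack.append((stmt[0] if stmt else "", {}))
            stmt = []
        elif tok == ";":                    # simple directive ends
            if stmt:
                stack[-1][1].setdefault(stmt[0], []).append(stmt[1:])
            stmt = []
        elif tok == "}":                    # block closes: audit it if it is a TLS server
            name, own = stack.pop()
            stmt = []
            if name != "server" or not any("ssl" in a for a in own.get("listen", [])):
                continue
            scopes = [own] + [d for _, d in reversed(stack)]  # server first, then http/main
            eff = {k: next((s[k][-1] for s in scopes if k in s), None) for k in REQUIRED}
            found = [f"{k} not set explicitly" for k in REQUIRED if eff[k] is None]
            found += [f"deprecated protocol enabled: {p}"
                      for p in DEPRECATED if p in (eff["ssl_protocols"] or [])]
            report[own.get("server_name", [["(unnamed)"]])[0][0]] = found
        else:
            stmt.append(tok)
    return report
# Constructed samples: upstream address and cipher name are placeholders, not from the post.
BEFORE = """upstream websocket { server 127.0.0.1:8080; }
server {
    listen 443 ssl default_server;
    server_name some.host.com;
    location /ws { proxy_set_header Connection "Upgrade"; proxy_pass http://websocket; }
}"""
FIX = ("ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384; "
       "ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m;")
AFTER = BEFORE.replace("server_name", FIX + "\n    server_name")
if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER), sep="\n")
```

Settings inherited from an enclosing `http` block count as set, so a finding means the listener is running on nginx's built-in defaults for that directive.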

Thanks for sharing the solution!
