Reverse Proxy to Websocket does not work via HTTPS

1. The problem I’m having:

I have done this tutorial

The file app.js is configured to

const stompClient = new StompJs.Client({
    brokerURL: '/gs-guide-websocket'
});

[...]

It works when I call it directly via http://localhost:8080.

It works when it is reverse proxied via Caddy Server using HTTP without TLS via http://sophienzentrum.org.

It does not work when it is reverse proxied via Caddy Server using HTTPS with TLS via https://sophienzentrum.org.

2. Error messages and/or full log output:

stomp.umd.min.js:1 WebSocket connection to 'wss://sophienzentrum.org/gs-guide-websocket' failed

via F12 developer console.

3. Caddy version:

2.6.2

4. How I installed and ran Caddy:

a. System environment:

fhurlbrink@suada
----------------
OS: Debian GNU/Linux 13 (trixie) x86_64
Host: KVM/QEMU Standard PC (i440FX + PIIX, 1996) (pc-i440fx-6.1)
Kernel: Linux 6.12.48+deb13-amd64
Uptime: 57 mins
Packages: 348 (dpkg)
Shell: bash 5.2.37
Terminal: /dev/pts/0
CPU: AMD EPYC-Milan (2) @ 2.00 GHz
GPU: Red Hat, Inc. QXL paravirtual graphic card
Memory: 457.21 MiB / 1.83 GiB (24%)
Swap: Disabled
Disk (/): 1.23 GiB / 78.54 GiB (2%) - ext4
Local IP (ens6): 87.106.216.175/32
Locale: C.UTF-8

b. Command:

sudo apt install caddy
systemctl reload caddy

d. My complete Caddy config:

sophienzentrum.org:80 {
        reverse_proxy localhost:8080
}

sophienzentrum.org:443 {
        reverse_proxy localhost:8080
}

The problem is your backend server; it only accepts the Origin header as HTTP.

# Works:
curl -v 'wss://sophienzentrum.org/gs-guide-websocket' -H 'Origin: http://sophienzentrum.org'
# Fails:
curl -v 'wss://sophienzentrum.org/gs-guide-websocket' -H 'Origin: https://sophienzentrum.org'

Note that both requests are over WSS, only the latter sends the HTTPS host in the header, while the top one

2 Likes

Your backend server is a Spring server.

You need to allow the origin for the websockets:

    registry.addEndpoint("/gs-guide-websocket").setAllowedOrigins("https://sophienzentrum.org");
3 Likes
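
The `setAllowedOrigins` fix from the answer above, placed in a full endpoint configuration as an added example (not code from this thread or from the tutorial). The property name `app.websocket.allowed-origins`, the package name and the `/topic` and `/app` broker prefixes are assumptions; the origin list is validated at startup so that a wildcard or malformed entry cannot silently weaken the Origin check on the WebSocket handshake.

```java
package com.example.messagingstompwebsocket; // assumed package name

import java.net.URI;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {

    // Hypothetical property (comma-separated list); defaults to the HTTPS origin
    // that the browser sends once the page is served through Caddy with TLS.
    @Value("${app.websocket.allowed-origins:https://sophienzentrum.org}")
    private String[] allowedOrigins;

    @Override
    public void configureMessageBroker(MessageBrokerRegistry config) {
        // Assumed broker prefixes; keep whatever the application already uses.
        config.enableSimpleBroker("/topic");
        config.setApplicationDestinationPrefixes("/app");
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        for (String origin : allowedOrigins) {
            requireExactOrigin(origin);
        }
        registry.addEndpoint("/gs-guide-websocket")
                .setAllowedOrigins(allowedOrigins);
    }

    // An Origin header is scheme://host[:port] only. Reject wildcards, paths and
    // other schemes at startup rather than loosening the handshake check.
    private static void requireExactOrigin(String origin) {
        URI uri = URI.create(origin); // throws on syntactically invalid input
        boolean web = "http".equals(uri.getScheme()) || "https".equals(uri.getScheme());
        boolean bare = "".equals(uri.getRawPath()) && uri.getQuery() == null
                && uri.getFragment() == null && uri.getUserInfo() == null;
        if (origin.contains("*") || !web || uri.getHost() == null || !bare) {
            throw new IllegalStateException("Invalid WebSocket origin: " + origin);
        }
    }
}
```

If the site must stay reachable over plain HTTP as well, list both origins in the property (`https://sophienzentrum.org,http://sophienzentrum.org`) rather than allowing every origin.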

Thank you very much! This helped me a lot!
