nginx configuration causes issues in reverse proxy deployments #138
Description
Problem Description
I encountered several issues when deploying wger in my home lab environment using the default docker configuration with a reverse proxy (Traefik).
Issues Encountered
- WebSocket connections fail - Login and real-time features don't work properly
- Django CSRF validation errors - Occurs when behind HTTPS reverse proxy
- Gunicorn connection failures - PROXY protocol mismatch between nginx and Gunicorn
Root Causes
1. Missing WebSocket Support
- nginx config doesn't proxy
UpgradeandConnectionheaders - This breaks WebSocket connections required for login and real-time features
2. X-Forwarded-Proto Handling
- Current config sets
X-Forwarded-Proto $schemeunconditionally - When behind reverse proxy (Traefik/Caddy), this overwrites the correct HTTPS value with HTTP
- Django's CSRF protection fails because it thinks the request is HTTP when it's actually HTTPS
3. PROXY Protocol Mismatch
prod.envhas--proxy-protocol Truein GUNICORN_CMD_ARGS- nginx sends standard HTTP, not PROXY protocol format
- This causes Gunicorn to fail parsing requests
Deployment Scenario
My setup (common for home labs):
User → [HTTPS] → Traefik → nginx → wger
- Traefik terminates SSL and sets
X-Forwarded-Proto: https - nginx currently overwrites this with
http(its own $scheme) - Django sees HTTP and rejects CSRF tokens from HTTPS pages
Expected Behavior
The nginx configuration should:
- Support WebSocket connections
- Preserve
X-Forwarded-Protofrom upstream reverse proxy - Fall back to nginx's
$schemefor direct connections - Use standard HTTP communication with Gunicorn (not PROXY protocol)
Impact
These issues prevent wger from working properly in common reverse proxy deployments, which are standard for:
- Home labs with SSL termination
- Enterprise environments with load balancers
- Cloud deployments with ingress controllers
I've investigated these issues and have a PR ready with fixes and comprehensive tests. Happy to discuss the approach!