[App Server] Reverse proxying + Microsoft Single Signon

Having a very strange problem when trying to run an Anvil app (on my own Anvil appserver) that uses Microsoft Single Signon behind either an Apache2 or Nginx web server configured for reverse proxying.

I have the reverse proxy set up and working correctly, digital certs installed and tested working for both Anvil and the webserver. And I actually get the Microsoft login popup, everything works fine and authenticates with the Azure AD… until the authorization call back. I just see the anvil spinner animation and it sits there until it times out.

The last two entries in the webserver log are:

"POST /_/microsoft_auth_callback HTTP/1.1" 200 723 "https://login.microsoftonline.com/"

"GET /_/service-worker HTTP/1.1" 200 572091 "https://MYSERVER/_/service-worker"

(I just edited out the FQDN of the server Anvil is running on and replaced it with MYSERVER)

The strange thing is if I run Anvil on 443 without the webserver/reverse proxying, it works ok… Looks like something to do with the final callback and maybe headers getting stripped or mangled? Or maybe a bug in the server_worker? Not sure how to troubleshoot this further. It doesn’t seem to be related to a basic configuration problem with the webserver, since I’ve tried it with both Apache2 and Nginx and their configs are quite different.

Has anyone at Anvil seen something like this before, or have specific recommendations when reverse proxying with Apache2 or Nginx? This is the last hurdle to get my app up and usable, been banging my head against a wall for a day straight :slight_smile:

Thanks!
Ken

1 Like

A bit more info… I used Chrome’s Inspector to look at the Network requests and responses, compared the headers from the working Anvil-only app to the reverse proxy with Apache or Nginx.

The last request from the client where things hang is:

wss://MYSERVER/_/ws/?s=
and there’s a really long jumble of letters and numbers after the =

Ken

Got it working! Absolutely brutal. You have to set up the reverse proxy to add connection upgrade headers to the WSS connection. Here’s my location block for Nginx. The key is to do this for the /_/ws/ path.

location = /_/ws/ {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # WebSocket upgrade needs HTTP/1.1 to the backend plus both headers below
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    # plain ASCII quotes; curly quotes would be sent as part of the header value
    proxy_set_header Connection "Upgrade";
    proxy_pass https://localhost:8080;
    proxy_read_timeout 60;
    proxy_redirect https://localhost:8080/ https://MYSERVER/;
}

… where my anvil server is running with the same SSL key as Nginx and is running with the --port 8080 parameter. MYSERVER should be set to the same thing as your server block’s FQDN.

There’s a separate location block for the rest of the app’s reverse proxy, but it doesn’t need the match or the two upgrade lines.

Hope this helps save someone a day or two staring at raw header dumps and conf files…

Best,
Ken

3 Likes