Nginx Reverse Proxy - websocket config to make Fortigate CLI interface work properly

Question

I am trying to get my fortigate router's web interface behind my reverse proxy, not to be accessible from the internet, but to use my LetsEncrypt cert on my internal network. This is the config I'm using:

upstream websockets {
    server 192.168.1.99:443;
}

server {
    listen 443 ssl;
    allow 192.168.1.0/24;
    deny all;
    server_name f60e.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Authorization "";
        proxy_redirect off;
        
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Origin "";
        proxy_pass_header X-XSRF-TOKEN;
        proxy_pass https://192.168.1.99;
        proxy_send_timeout      300;
        proxy_read_timeout      300;
        send_timeout            300;
        client_max_body_size    1000m;
  
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        } 

     location /websockets/ {
        proxy_pass https://websockets;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header Origin "";
        }
   
}

Everything appears to work except for the "Edit in CLI" button. When I attempt to use it, the interface window comes up blank and after a few seconds it says "Connection lost" and I get this error in my browser console

GET https://f60e.walnuthomelab.com/favicon/site.webmanifest net::ERR_CONNECTION_TIMED_OUT
main.js:1 
WebSocket connection to 'wss://f60e.walnuthomelab.com/ws/cli/open?cols=66&rows=34' failed: 
createWebSocket @ main.js:1

Answer 1

I was able to get this working without specifying a websockets block for the reverse proxy config. I've also got buffering disabled because the console seemed to be a bit laggy while it was enabled, but this could be in my head.

The SSL/TLS configuration on this will severely limit your ability to connect with older clients, limit your connection to {{ ADMIN_IP }} and will lock you out of the hostname if you break your certificate configuration, or want to remove TLS in the future. So make sure you're using modern browsers, and your LetsEncrypt setup is working properly.

I've tested this both with the default FortiGate self-signed certificate, one from a private trusted CA, and with a LetsEncrypt cert through the FortiGate's built-in ACME engine. This is working across three Nginx servers listening on a keepalived vIP.

server {
    listen 443 ssl;
    server_name {{ HOSTNAME }};

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_certificate      /etc/letsencrypt/live/{{ HOSTNAME }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ HOSTNAME }}/privkey.pem;

    resolver         {{ PrimaryDNSServer }} {{ SecondaryDNSServer }} valid=300s;
    resolver_timeout 5s;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_session_tickets  off;

    ssl_prefer_server_ciphers   on;
    ssl_protocols               TLSv1.3;
    ssl_ciphers                 EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve              secp384r1;
    ssl_stapling                on;
    ssl_stapling_verify         on;

    add_header  X-Frame-Options         DENY;
    add_header  X-Content-Type-Options  nosniff;
    add_header  X-XSS-Protection        "1; mode=block";

    access_log  /var/log/nginx/{{ HOSTNAME }}.log;

    location / {
        allow {{ ADMIN_IP }}; 
        deny all;

        proxy_pass          https://{{ FG_IPAddress }};
        proxy_set_header    X-Real-IP         $remote_addr;
        proxy_set_header    Host              $host;
        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;

        proxy_http_version  1.1;
        proxy_redirect      http:// https://;
        proxy_buffering     off;
        proxy_set_header    Upgrade     $http_upgrade;
        proxy_set_header    Connection  "upgrade";
    }
}