Unable to connect over NGINX with cloudflare

[GhostDog98]

Describe the goal

My main domain (foo.com) is used for multiple purposes. Thus, I'd like to add a domain (bar.foo.com) to use for wstunnel.
My setup is:
Foreign <=> Cloudflare <=> NGINX (a.b.c.d) <=> Wstunnel (e.f.g.h)

Describe what does not work

When testing the websocket locally:

curl -i -N   -H "Connection: Upgrade"   -H "Upgrade: websocket"   -H "Sec-WebSocket-Version: 13"   -H "Sec-WebSocket-Key: $(echo -n 'randomkey123' | base64)" --http0.9  http://localhost:3932 --output -

2

When attempting to test remotely I get a 502 error, and get the following in error logs:

2026-02-04T00:22:40.607689Z ERROR cnx{peer="a.b.c.d:41390"}: wstunnel::tunnel::server::server: error while accepting TLS connection received corrupt message of type InvalidContentType

Describe your wstunnel setup

Command line used: /home/app/wstunnel server --restrict-to localhost:51825 wss://0.0.0.0:3932 inside docker container with port passthrough.

My nginx config:

upstream server_backend {
        server e.f.g.h:3932;
}

server {
    listen 443 ssl;

    server_name bar.foo.com;

    ssl_certificate /etc/ssl/foo.pem;
    ssl_certificate_key /etc/ssl/foo.key;

    access_log /var/log/nginx/wstunnel.success.log;
    error_log /var/log/nginx/wstunnel.error.log;



location / {

    proxy_pass http://server_backend;
    proxy_http_version 2;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_cache_bypass $http_upgrade;
    proxy_read_timeout 86400;  # Prevent timeout
}
}

[GhostDog98]

Additionally, I am using STRICT ssl mode in cloudflare, and do not have any firewalling on the docker machine.
If I run the test command in my nginx machine, it is able to output the same 2 value as locally available.

[GhostDog98]

Also this is what the test outputs when external and domain based:

* Host bar.foo.com:443 was resolved.
* IPv6: (none)
* IPv4: x.x.x.x, y.y.y.y
*   Trying x.x.x.x:443...
* Connected to bar.foo.com (x.x.x.x) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=foo.com
*  start date: Dec 14 03:03:22 2025 GMT
*  expire date: Mar 14 04:01:53 2026 GMT
*  subjectAltName: host "bar.foo.com" matched cert's "*.foo.com"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://bar.foo.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: bar.foo.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
* [HTTP/2] [1] [sec-websocket-version: 13]
* [HTTP/2] [1] [sec-websocket-key: cmFuZG9ta2V5MTIz]
> GET / HTTP/2
> Host: bar.foo.com
> User-Agent: curl/8.7.1
> Accept: */*
> Connection: Upgrade
> Upgrade: websocket
> Sec-WebSocket-Version: 13
> Sec-WebSocket-Key: cmFuZG9ta2V5MTIz
>
* Request completely sent off
< HTTP/2 502
HTTP/2 502
< date: Wed, 04 Feb 2026 00:42:00 GMT
date: Wed, 04 Feb 2026 00:42:00 GMT
< content-type: text/plain; charset=UTF-8
content-type: text/plain; charset=UTF-8
< content-length: 15
content-length: 15
< cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< expires: Thu, 01 Jan 1970 00:00:01 GMT
expires: Thu, 01 Jan 1970 00:00:01 GMT
< referrer-policy: same-origin
referrer-policy: same-origin
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< expect-ct: max-age=86400, enforce
expect-ct: max-age=86400, enforce
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< server: cloudflare
server: cloudflare
< cf-ray: <id>
cf-ray: <id>
< alt-svc: h3=":443"; ma=86400
alt-svc: h3=":443"; ma=86400
<

error code: 502* Connection #0 to host bar.foo.com left intact

[GhostDog98]

Interestingly, if i force my nginx config to forward to https://e.f.g.h:3932 (instead of plain http), it gives me a different set of errors.

The error on the client stays the same, but on the server it now simply loops on:

2026-02-06T02:33:28.251948Z  INFO cnx{peer="a.b.c.d:52324"}: wstunnel::tunnel::server::server: Accepting connection
2026-02-06T02:33:28.252030Z  INFO cnx{peer="a.b.c.d:52324"}: wstunnel::tunnel::server::server: Doing TLS handshake
2026-02-06T02:33:28.760579Z  INFO cnx{peer="a.b.c.d:52326"}: wstunnel::tunnel::server::server: Accepting connection
2026-02-06T02:33:28.760638Z  INFO cnx{peer="a.b.c.d:52326"}: wstunnel::tunnel::server::server: Doing TLS handshake

With the same "502" complaint on the client side...

[GhostDog98]

It appears to that changing the HTTP version from 2.0 to 1.1 in my nginx config fixed it, partially. It now completes a handshake successfully, but eventually logs error while reading from tunnel rx Connection refused (os error 111) and forces a reconnect on my client end, which then loops...

[Orbit173]

Nginx is not required for using wstunnel behind CF.
My setup, works perfect.

On server create new service wstunnel.service

[Unit]
Description=wstunnel
After=network.target nss-lookup.target

[Service]
User=wstunnel
Group=wstunnel
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ExecStart=/opt/wstunnel/wstunnel server wss://0.0.0.0:443 --restrict-http-upgrade-path-prefix "MySuperPrefix" --restrict-to "127.0.0.1:4443" --tls-certificate "/opt/ssl/foo.bar.com.pem" --tls-private-key "/opt/ssl/foo.bar.com.key"
Restart=on-failure
RestartPreventExitStatus=23
LimitNPROC=10000
LimitNOFILE=1000000

[Install]
WantedBy=multi-user.target

On client: wstunnel.service

[Unit]
Description=wstunnel
After=network.target nss-lookup.target

[Service]
User=wstunnel
Group=wstunnel
NoNewPrivileges=true
ExecStart=/opt/wstunnel/wstunnel client --log-lvl INFO --http-headers='host: foo.bar.com' -L 'tcp://12345:127.0.0.1:4443' --http-upgrade-path-prefix "MySuperPrefix" --tls-ech-enable --tls-verify-certificate wss://foo.bar.com:443
Restart=on-failure
RestartPreventExitStatus=23
LimitNPROC=10000
LimitNOFILE=1000000

[Install]
WantedBy=multi-user.target