NGINX proxy for SmartApp Webhook Fails to Authorize

So I have a node.js app that is running the Smartthings node SDK and is hosted locally.
Then I have an AWS EC2 NGINX server, nested in a Docker container on port 1234. The NGINX server has an SSL set up using Lets Encrypt.

The local node.js app is connecting to the AWS NGINX server using an ssh tunnel.

The NGINX config looks like this. Where the webhook url for the SmartApp would be https://example.com/tunnel/

server {
    listen 80;

    server_name example.com;    

    location / {
       return 301 https://$host$request_uri;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }    
}

server {
    listen 443 ssl;

    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location /tunnel/ {
        proxy_pass_request_headers on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host/tunnel/;

        proxy_http_version 1.1;

        proxy_pass http://172.17.0.1:1234/;
    }
}

The issue is that when trying to authorize the SmartApp, I get a “Forbidden - failed verifySignature” error.
When changing the local node app to listen to a ngrok tunnel, the SmartApp will authorize successfully. I am not sure if there is some issue on Smartthings side, or if I’m missing something.

Did you ever figure out how to make it work with nginx? I am running into the same issue

Nope. The dev team told me to just comment out the authorization function in the SDK module

Yikes, that doesn’t seem like a great solution. I would much prefer to use the authorization properly and use nginx for the SSL offloading

I thought that I was going mad. I have managed to teach myself how to:

• Get DDNS working
• Map domains
• Set up a RPi
• Set up a Nginx
• Proxy requests to machines on my LAN
• Do firewalls on Linux
• Build Node.js apps

…but this whole SmartApp malarky is a nightmare!

After creating an automation in https://smartthings.developer.samsung.com/workspace/projects and clicking “verify” I can see a call being made to my Node SmartApp (lifted from the docs here)

logging req.header('Authorization'));

Signature keyId="/pl/useast1/18-7f-df-...",signature="...",headers="(request-target) digest date",algorithm="rsa-sha256"

Calling smartapp.handleHttpCallback(req, res):

2020-10-02T21:58:21.823Z error: Forbidden - failed verifySignature
2020-10-02T21:58:21.824Z error: Unauthorized

My Nginx config is:

server {
  listen 443 default_server;
  listen [::]:443 default_server;

  root /var/www/my.domain;

  index index.html;

  server_name my.domain;

  location /mayesguard/ {
    proxy_pass http://192.168.0.2:3000/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_buffering off;
  }

  location / {
    try_files $uri $uri/ =404;
  }

  ssl on;
  ssl_certificate /etc/letsencrypt/live/my.domain/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/my.domain/privkey.pem;
}

Is it just me or does reading the docs for this stuff feel like 3 different projects all incomplete but all smashed together in a really incomprehensible way?

Has anyone had any luck as of yet or can share some wisdom? I am weary.

[edit]

There is this conversation RE HomeAssistant which suggests that there might be something to do with SSL but…who knows?

Has anyone been able to figure this out? With groovy apps going away I’m looking at my options and if I have to self host my apps I would like them behind nginx.

Thanks