Encrypted SSL

[Max]

We checked the server. There are the following issues:
1. You have not opened the port 443 on the server, so connections to nginx reverse proxy cannot be established. Please open the port 443/tcp.
2. There is no /etc/passwd/.htaccess file on the server. Please create the file and add user and password to it (see htpasswd utility documentation) or remove the following lines from nginx config

3. A requests must be forwarded to WCS http port 8080, not 8443:

proxy_pass http://192.168.0.223:8080;

 

[Arif Butt]

Hi there

we have applied the above changes as per your suggestions but still facing an issue of reaching to the site with this error The webpage at wss://systemuser:systempassword@apps.zrg.com/wss might be temporarily down or it may have moved permanently to a new web address.

https port 443 is enabled also;

[root@localhost ~]# sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
Warning: ALREADY_ENABLED: 443:tcp
success

kindly see if you can check the system again for any possible fix, or any other way to check it

Thnx
AB

 

[Max]

Seems like nginx failed on startup:

Please see here for possible fix.

 

[Max]

The webpage at wss://systemuser:systempassword@apps.zrg.com/wss might be temporarily down or it may have moved permanently to a new web address.

You don't need to set user and password to websocket URL if you do not use a basic authentication on nginx.

 

[Arif Butt]

Hi there

The nginx service is running successfully, but I am unable to test the wss routing even I remove the authentication and give the following command on browser
wss://apps.zrg.com:443/wss
response in browser is same:
The webpage at wss://apps.zrg.com/wss might be temporarily down or it may have moved permanently to a new web address.

The command https://apps.zrg.com on browser is working ok and showing that nginx has loaded the SSL successfully

Current Nginx Config File

events {}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

include /etc/nginx/mime.types;
default_type application/octet-stream;


include /etc/nginx/conf.d/*.conf;

server {
listen 443 ssl;
ssl_certificate /etc/pki/tls/apps.zrg.com/apps_zrg_com.pem;
ssl_certificate_key /etc/pki/tls/apps.zrg.com/appszrgcom.key;
server_name apps.zrg.com;
server_tokens off;
client_max_body_size 500m;
proxy_read_timeout 10m;

include /etc/nginx/default.d/*.conf;

location / {
}

location /wss {
if ($http_connection !~* "upgrade") {
return 403;
}
if ($http_upgrade !~* "websocket") {
return 403;
}
proxy_set_header Host $host;
proxy_pass http://192.168.0.223:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
}

error_page 404 /404.html;
location = /40x.html {
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
}

}
}

I appreciate your assistance, if you can kindly check the server again.

Thanks
AB

 

[Max]

Hello

URL wss://apps.zrg.com/wss should not be open in browsers
See our example:

 

[Max]

This URL wss://apps.zrg.com:443 should be reachable using Websocket connection, not from a browser directly
See our example:

Two-way Streaming

 

[Arif Butt]

Unfortunately still unable to connect to 443

Pls see the screen shot

Pls assist

Ab

 

[Arif Butt]

Where as the normal 8443 port is connected successfully

 

[Max]

Seems like the whole server is down, so we cannot check

 

[Arif Butt]

Hi

Sorry about the inconvenience, the IP link was gone down, now its up, kindly check and feedback

Thnx
AB

 

[Max]

Now it seems like port 443 is opened at server side but blocked by router

Please check your NAT configuration.

 

[Arif Butt]

ok, now its opened https://apps.zrg.com:443 working ... and showing the centos page, but still unable connect with websocket wss:/apps.zrg.com:443

pls assist
Thnx
AB

 

[Max]

nginx displays the following error in /var/log/nginx/error.log

connect() to 192.168.0.223:8080 failed (13: Permission denied) while connecting to upstream

This means SELinux disables a local http connections. The following command enables them:

setsebool httpd_can_network_connect on -P

After that, websocket connections are establishing successfully via reverse proxy

But seems like a trial license is expired, so please contact sales@flashphoner.com to expand the trial license or to get a new one if you continue testing.

 

[Arif Butt]

OK great, I will proceed for the trial license extension...

In the meantime this testing was for a POC, but in actual implementation we need to perform the same steps for the site which will have an encrypted SSL..

Will there be any extra steps for this or the above steps should work for the encrypted SSL site also?

Thnx
Av

 

[Max]

Will there be any extra steps for this or the above steps should work for the encrypted SSL site also?

This should work for encrypted SSL private key too. You should pass a passphrase to nginx as recommended in this post.

 

[Max]

We recommend you to test an encrypted SSL private key on staging server before moving it to production.

 

[Arif Butt]

Hi

While configuring the encrypted SSLat customer UAT we are facing the error that port 80 adddress already in use although we have checked and cannot see this usage anywhere

Kindly assist what can be wring and how to narrow the issue

Thnx

 

[Max]

Please check if the port is busy by other application:

sudo netstat -nlp

Please also check nginx configuration: there should not be any server entities in nginx.conf listening for http port 80 unless they really needed.

 

[Max]

Check if some nginx configs contains listen 80 directive

grep -r listen /etc/nginx/*

Please read also this post.