Encrypted SSL

Max

Administrator
Staff member
We checked the server. There are the following issues:
1. You have not opened port 443 on the server, so connections to the nginx reverse proxy cannot be established. Please open port 443/tcp.
2. There is no /etc/passwd/.htaccess file on the server. Please create the file and add a user and password to it (see the htpasswd utility documentation), or remove the following lines from the nginx config:
(screenshot attachment)

3. Requests must be forwarded to the WCS HTTP port 8080, not 8443:
Code:
proxy_pass http://192.168.0.223:8080;
(screenshot attachment)
 

Arif Butt

Member
Hi there

We have applied the above changes as per your suggestions, but we are still facing an issue reaching the site, with this error: The webpage at wss://systemuser:systempassword@apps.zrg.com/wss might be temporarily down or it may have moved permanently to a new web address.

HTTPS port 443 is enabled also:

[root@localhost ~]# sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
Warning: ALREADY_ENABLED: 443:tcp
success

Kindly see if you can check the system again for any possible fix, or any other way to check it.

Thanks
AB
 


Arif Butt

Member
Hi there

The nginx service is running successfully, but I am unable to test the wss routing even if I remove the authentication and enter the following URL in the browser:
wss://apps.zrg.com:443/wss
The response in the browser is the same:
The webpage at wss://apps.zrg.com/wss might be temporarily down or it may have moved permanently to a new web address.

The URL https://apps.zrg.com works OK in the browser, showing that nginx has loaded the SSL certificate successfully.
(screenshot attachment)


Current Nginx Config File

events {}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # any server blocks in these files are loaded as well
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 443 ssl;
        ssl_certificate /etc/pki/tls/apps.zrg.com/apps_zrg_com.pem;
        ssl_certificate_key /etc/pki/tls/apps.zrg.com/appszrgcom.key;
        server_name apps.zrg.com;
        server_tokens off;
        client_max_body_size 500m;
        proxy_read_timeout 10m;

        include /etc/nginx/default.d/*.conf;

        location / {
        }

        # WebSocket endpoint: only upgrade requests are passed through, anything else gets 403
        location /wss {
            if ($http_connection !~* "upgrade") {
                return 403;
            }
            if ($http_upgrade !~* "websocket") {
                return 403;
            }
            proxy_set_header Host $host;
            # WCS plain HTTP/WebSocket port; TLS is terminated by nginx
            proxy_pass http://192.168.0.223:8080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 86400;
        }

        # note: error_page names /404.html while the location below matches /40x.html (stock CentOS template)
        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }

    }
}

I would appreciate your assistance if you can kindly check the server again.

Thanks
AB
 

Max

Administrator
Staff member
Hello

The URL wss://apps.zrg.com/wss should not be opened in a browser.
See our example:

(screenshot attachment)
 

Max

Administrator
Staff member
Now it seems that port 443 is open on the server side but blocked by the router.
(screenshot attachment)

Please check your NAT configuration.
 

Max

Administrator
Staff member
nginx displays the following error in /var/log/nginx/error.log:
Code:
connect() to 192.168.0.223:8080 failed (13: Permission denied) while connecting to upstream
This means SELinux is blocking local HTTP connections. The following command enables them:
Code:
setsebool -P httpd_can_network_connect on
After that, websocket connections are established successfully via the reverse proxy.
(screenshot attachment)

But it seems the trial license has expired, so please contact sales@flashphoner.com to extend the trial license or to get a new one if you continue testing.
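The error line above is the decisive diagnostic, and the same `connect() to ... failed (<errno>: ...) while connecting to upstream` pattern covers the other failure modes met earlier in the thread (port blocked at the router, upstream not listening). As an added example, not code from the thread or from Flashphoner, this Python snippet parses such lines from error.log and maps the errno to the usual cause and the check to run next; errno 13 (EACCES) is the SELinux case fixed here with setsebool. The log lines are constructed samples, not the poster's real log.

```python
"""Triage nginx "connect() ... while connecting to upstream" errors from error.log by errno."""
import re

# nginx error.log format: "YYYY/MM/DD HH:MM:SS [level] pid#tid: *cid connect() to ADDR failed (ERRNO: text) while connecting to upstream, ..."
UPSTREAM_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r".*?connect\(\) to (?P<upstream>\S+) failed "
    r"\((?P<errno>\d+): (?P<strerror>[^)]*)\) while connecting to upstream"
)

# Linux errno values; the cause/check columns are the usual reverse-proxy reading of each.
ERRNO_HINTS = {
    13: ("EACCES", "SELinux denies nginx outbound connections",
         "getsebool httpd_can_network_connect; setsebool -P httpd_can_network_connect on"),
    111: ("ECONNREFUSED", "nothing listens on the upstream port (WCS down or wrong proxy_pass port)",
          "ss -nlpt | grep :8080 on the upstream host; compare with proxy_pass"),
    113: ("EHOSTUNREACH", "no route to the upstream or its host firewall rejects the connection",
          "check routing and firewall-cmd --list-ports on the upstream host"),
    110: ("ETIMEDOUT", "packets dropped silently, usually a firewall between proxy and upstream",
          "nc -vz <upstream-host> <port> from the proxy host"),
}


def triage_line(line):
    """Structured finding for one error.log line, or None if it is not an upstream connect failure."""
    m = UPSTREAM_RE.search(line)
    if not m:
        return None
    errno = int(m.group("errno"))
    name, cause, check = ERRNO_HINTS.get(errno, ("?", "unrecognised errno", "see man 3 errno"))
    return {"time": m.group("ts"), "upstream": m.group("upstream"), "errno": errno,
            "strerror": m.group("strerror"), "name": name, "cause": cause, "check": check}


def triage_log(text):
    return [row for row in (triage_line(line) for line in text.splitlines()) if row]


def report(text):
    """One human-readable line per finding."""
    return [f'{r["time"]} {r["upstream"]} errno {r["errno"]} ({r["name"]}): {r["cause"]} -> {r["check"]}'
            for r in triage_log(text)]


# Constructed sample log (upstream address taken from the thread, client IP from the documentation range).
SAMPLE_LOG = "\n".join([
    '2024/03/18 03:12:45 [error] 1234#1234: *7 connect() to 192.168.0.223:8080 failed (13: Permission denied) '
    'while connecting to upstream, client: 203.0.113.10, server: apps.zrg.com, request: "GET /wss HTTP/1.1"',
    '2024/03/18 03:14:02 [error] 1234#1234: *9 connect() to 192.168.0.223:8080 failed (111: Connection refused) '
    'while connecting to upstream, client: 203.0.113.10, server: apps.zrg.com, request: "GET /wss HTTP/1.1"',
    '2024/03/18 03:15:30 [error] 1234#1234: *11 connect() to 192.168.0.223:8080 failed (113: No route to host) '
    'while connecting to upstream, client: 203.0.113.10, server: apps.zrg.com, request: "GET /wss HTTP/1.1"',
    '2024/03/18 03:16:00 [notice] 1234#1234: signal process started',
])

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On a real box feed it the log directly, e.g. `report(open("/var/log/nginx/error.log").read())`; only the errno matters for the classification, so the locale-specific strerror text is carried along but never matched on.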
 

Arif Butt

Member
OK great, I will proceed with the trial license extension...

In the meantime, this testing was for a POC, but in the actual implementation we need to perform the same steps for the site which will have an encrypted SSL.

Will there be any extra steps for this, or should the above steps work for the encrypted SSL site also?

Thanks
Av
 

Max

Administrator
Staff member
We recommend that you test an encrypted SSL private key on a staging server before moving it to production.
 

Arif Butt

Member
Hi

While configuring the encrypted SSL at the customer UAT, we are facing the error that the port 80 address is already in use, although we have checked and cannot see this usage anywhere.

Kindly assist with what can be wrong and how to narrow down the issue.

Thanks
 


Max

Administrator
Staff member
Please check if the port is in use by another application:
Code:
sudo netstat -nlp
Please also check the nginx configuration: there should not be any server blocks in nginx.conf listening on HTTP port 80 unless they are really needed.
 

Max

Administrator
Staff member
Check if any nginx config contains a listen 80 directive:
Code:
grep -r listen /etc/nginx/*
Please also read this post.
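The checks Max asks for in this thread are all static properties of the config tree: no server block listening on port 80 unless it is really needed (this post and the one above), proxy_pass pointing at the WCS plain HTTP port 8080 rather than 8443, and the auth_basic_user_file actually existing (his first reply). As an added example, not code from the thread or from Flashphoner, this Python script walks nginx.conf and its include globs the way the grep above does, but only reports the directives that matter. It assumes relative paths resolve against the directory holding nginx.conf (standing in for the nginx prefix), strips `#` comments line by line (a `#` inside a quoted log_format would be mis-handled), and the tree it builds is constructed for the demo, not the poster's files.

```python
"""Static checks over an nginx config tree: port-80 listeners, proxy_pass scheme, htpasswd presence."""
import glob
import os
import re
import tempfile
import textwrap

# Only the directives audited here; arguments run up to the terminating ';'.
DIRECTIVE_RE = re.compile(r"\b(listen|include|proxy_pass|auth_basic_user_file)\s+([^;{}]+);")


def strip_comments(text):
    """Drop '#' comments per line (assumption: no '#' inside quoted directive arguments)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def directives(conf, root, seen=None):
    """Yield (file, name, args) for conf and every file its include globs pull in.
    Relative include paths resolve against root (assumed to be the nginx prefix)."""
    seen = set() if seen is None else seen
    conf = os.path.abspath(conf)
    if conf in seen or not os.path.isfile(conf):
        return
    seen.add(conf)
    with open(conf, encoding="utf-8") as fh:
        text = strip_comments(fh.read())
    for m in DIRECTIVE_RE.finditer(text):
        name, args = m.group(1), m.group(2).strip()
        yield conf, name, args
        if name == "include":
            pattern = args if os.path.isabs(args) else os.path.join(root, args)
            for inc in sorted(glob.glob(pattern)):
                yield from directives(inc, root, seen)


def listen_port(args):
    """Port of a listen directive ('80', '0.0.0.0:80', '[::]:80 default_server', '443 ssl');
    None for unix sockets or address-only forms."""
    addr = args.split()[0]
    if addr.startswith("unix:"):
        return None
    port = addr.rsplit(":", 1)[-1] if ":" in addr else addr
    return int(port) if port.isdigit() else None


def audit(conf, root=None):
    """Findings as dicts with kind/file/detail; kinds: listen80, proxy_pass_not_http, missing_htpasswd."""
    root = root or os.path.dirname(os.path.abspath(conf))
    findings = []
    for path, name, args in directives(conf, root):
        where = os.path.relpath(path, root)
        if name == "listen" and listen_port(args) == 80:
            findings.append({"kind": "listen80", "file": where,
                             "detail": f"listen {args}; (server block on HTTP port 80)"})
        elif name == "proxy_pass" and not args.startswith("http://"):
            findings.append({"kind": "proxy_pass_not_http", "file": where,
                             "detail": f"proxy_pass {args}; (WCS behind the proxy expects http://...:8080)"})
        elif name == "auth_basic_user_file":
            target = args if os.path.isabs(args) else os.path.join(root, args)
            if not os.path.isfile(target):
                findings.append({"kind": "missing_htpasswd", "file": where,
                                 "detail": f"{args} does not exist (create it with htpasswd or drop auth_basic)"})
    return findings


def build_sample_tree():
    """Constructed config tree (not the poster's files) that triggers all three finding kinds."""
    root = tempfile.mkdtemp(prefix="nginx-audit-")
    os.makedirs(os.path.join(root, "conf.d"))
    files = {
        "nginx.conf": """
            events {}
            http {
                include conf.d/*.conf;
                server {
                    listen 443 ssl;
                    server_name apps.example.test;
                    location /wss {
                        auth_basic "WCS";
                        auth_basic_user_file .htpasswd;      # never created below
                        proxy_pass https://192.0.2.10:8443;   # should be http://...:8080
                    }
                }
            }
        """,
        "conf.d/default.conf": """
            server {
                listen 80 default_server;
                listen [::]:80 default_server;
                server_name _;
            }
        """,
        "conf.d/status.conf": """
            # listen 80;   commented out, must be ignored
            server { listen 127.0.0.1:8081; }
        """,
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(textwrap.dedent(body))
    return os.path.join(root, "nginx.conf")


if __name__ == "__main__":
    for f in audit(build_sample_tree()):
        print(f'{f["kind"]:20} {f["file"]:22} {f["detail"]}')
```

Against a real host run `audit("/etc/nginx/nginx.conf", root="/etc/nginx")`; an empty result is the state Max is asking for before the "address already in use" error on port 80 is blamed on anything other than nginx itself.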
 