Confused about nginx proxy and sni - nginx

Server info
I have a server with nginx 1.12.1 (SNI enabled) and resin 3.1.6 on jdk 1.6.0.
The nginx here uses port 80 to proxy 8080 and port 443 to proxy 8443 of resin.
First issue
When nginx is running, I can get access on 80. But on access to 443, I get a 502 error, and in the error log I got "dh key too small".
Second issue
Then I compiled nginx with openssl-0.9.8f, and SNI was disabled. This time I got everything done. But when I compile nginx with openssl-0.9.8f and enable SNI, I get a 502 again, and the error log is SSL: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
What I am confused about
So, does the first issue about "dh key too small" belong to Weak Diffie-Hellman? Is the reason that my jdk is too old?
And is the second issue because nginx sends SNI information to resin, but resin doesn't support SNI, so it can't do the SSL handshake?

Related

Certbot get ssl certificate HAproxy

I'm new to networking and I need to add an SSL certificate to my load balancer. For that, I'm using Certbot.
Instructions: https://certbot.eff.org/instructions?ws=haproxy&os=ubuntufocal
Basically it says to login to the server using SSH and then install certbot
Then, to run this command
sudo certbot certonly --standalone
It tells me to temporarily stop my web server to get the certificate, so I ran:
sudo service ssh stop
After running the certbot command I get the following error:
Could not bind TCP port 80 because it is already in use by another process on
this system (such as a web server). Please stop the program in question and then
try again.
So I ran:
sudo netstat -tulpn | grep :80
Output:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 59283/nginx: master
tcp6 0 0 :::80 :::* LISTEN 59283/nginx: master
Now, if I stop the nginx service with "sudo service nginx stop" and run the above command again, I don't get any services listening on port 80. So I retry the Certbot command once more:
sudo certbot certonly --standalone
I get the following error:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: totaldomainoftheworldclub.tech
Type: dns
Detail: no valid A records found for totaldomainoftheworldclub.tech; no valid AAAA records found for totaldomainoftheworldclub.tech
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
And that's it, I don't know what else to do.
If you have trouble with normal validation, you can try using DNS challenge
Please note that for DNS challenges, the following DNS providers are supported: cloudflare, cloudxns, digitalocean, dnsimple, dnsmadeeasy, gehirn, google, linode, luadns, nsone, ovh, rfc2136, route53, sakuracloud.
You can check how to use DNS challenges and what additional configuration they require in the certbot docs. But basically, you will need to create some kind of API key in your domain's DNS server and then provide it to certbot. Then, when validating, it will automatically add a new DNS record using the API for validation purposes.
You can also run DNS challenges on different machines or even in Google Cloud Functions or AWS Lambda. Check certbot-lambda for example.

Kubernetes Dashboard : Dashboard keeps cancelling connection to pod, resulting in bad gateway to user

I am using kubernetes-dashboard to view all pods, check status, log in, pass commands, etc. It works well, but there are a lot of connectivity issues with it. I am currently running it on port 8443, and forwarding the connection from 443 to 8443 via Nginx's proxy_pass. But I keep getting bad gateway, and the connection keeps dropping. It's not an nginx issue, since I have a kubernetes error. I am using a Letsencrypt certificate in nginx. What am I doing wrong?
Error log :
E0831 05:31:45.839693 11324 portforward.go:385] error copying from local connection to remote stream: read tcp4 127.0.0.1:8443->127.0.0.1:33380: read: connection reset by peer
E0831 05:33:22.971448 11324 portforward.go:340] error creating error stream for port 8443 -> 8443: Timeout occured
These are the 2 errors I constantly get. I am running this command as a nohup process:
nohup kubectl port-forward -n kubernetes-dashboard service/kubernetes-dashboard 8443:443 --address 0.0.0.0 &
And finally my nginx config :
default :
location / {
proxy_intercept_errors off;
proxy_pass https://localhost:8443/;
}
Thank you. :-)
Unfortunately this is an on-going issue with Kubernetes' port forwarding. You may find it not particularly reliable when used for long-running connections. If possible, try to set up a direct connection instead. A more extended discussion regarding this can be found here and here.

Artifactory Docker repo not listening on designated port

I'm trying to set up a Docker registry with Artifactory 5.2.1. It's a virtual repo that includes a docker-remote and docker-local (previously defined in Artifactory). I'd like to use the Port method of mapping and I'm running HAProxy 1.5 as a reverse proxy.
HAProxy has a SSL cert with a long list of SANs.
artifactrepo.company.com points to the main artifactory instance and works fine.
docker.company.com points to same server but HAProxy routes this to a Nexus served registry.
www.docker.company.com we intend to route to this Artifactory registry and
Per the HAProxy docs, I've set the reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker/v2\2 to get me to the intended port and path.
I have the "Registry Port" set to the default 6555 yet there is no process listening on that port. Artifactory and HAProxy have been restarted.
netstat -tulpn | grep 6555
gives no results.
Shouldn't Artifactory be listening on the Registry Port?
I figured this out. Turns out it was imagination poisoning from running Nexus repos.
Unlike Nexus, Artifactory doesn't actually listen on any port but the default (8081). The reference to a mapped port for a docker repo is simply to seed the generated reverse-proxy configs they give you. Those configs will have apache listen on 6555 (their default for docker) and then do the path rewrite and port map to 8081. I had intended to do this reverse-proxying using the hostname and had not scrolled all the way through their example to see that they had apache listening on 6555.

RabbitMQ connection through Nginx

I am trying to set up rabbitmq so it can be accessed externally (from non-localhost) through nginx.
nginx-rabbitmq.conf:
server {
listen 5672;
server_name x.x.x.x;
location / {
proxy_pass http://localhost:55672/;
}
}
rabbitmq.conf:
[
{rabbit,
[
{tcp_listeners, [{"127.0.0.1", 55672}]}
]
}
]
By default guest user can only interact from localhost, so we need to create another user with required permissions, like so:
sudo rabbitmqctl add_user my_user my_password
sudo rabbitmqctl set_permissions my_user ".*" ".*" ".*"
However, when I attempt a connection to rabbitmq through pika I get a ConnectionClosed exception:
import pika
ip_address = 'x.x.x.x'  # external address of the nginx host (placeholder)
# user created with rabbitmqctl add_user above
credentials = pika.credentials.PlainCredentials('my_user', 'my_password')
pika.BlockingConnection(
pika.ConnectionParameters(host=ip_address, port=55672, credentials=credentials)
)
--[raises ConnectionClosed exception]--
If I use the same parameters but change host to localhost and port to 5672 then I connect ok:
pika.ConnectionParameters(host='localhost', port=5672, credentials=credentials)
I have opened port 5672 on the GCE web console, and communication through nginx is happening: nginx access.log file shows
[30/Apr/2014:22:59:41 +0000] "AMQP\x00\x00\x09\x01" 400 172 "-" "-" "-"
Which shows a 400 status code response (bad request).
So by the looks of it the request fails when going through nginx, but works when we request rabbitmq directly.
Has anyone else had similar problems/got rabbitmq working for external users through nginx? Is there a rabbitmq log file where I can see each request and help further troubleshooting?
Since nginx 1.9 there is a stream module for TCP or UDP (not compiled in by default).
I configured my nginx (1.13.3) with an SSL stream:
stream {
    upstream rabbitmq_backend {
        server rabbitmq.server:5672;   # every directive ends with a semicolon
    }
    server {
        listen 5671 ssl;               # TLS-terminated AMQP port exposed to clients
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers RC4:HIGH:!aNULL:!MD5;   # RC4 is deprecated (RFC 7465); a current list would drop it
        ssl_handshake_timeout 30s;
        ssl_certificate /path/to.crt;
        ssl_certificate_key /path/to.key;
        proxy_connect_timeout 1s;
        proxy_pass rabbitmq_backend;   # raw TCP to the broker, no HTTP parsing
    }
}
https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-tcp/
You have configured nginx as an HTTP reverse proxy, however rabbitmq is configured to use the AMQP protocol (see description of tcp_listeners at https://www.rabbitmq.com/configure.html)
In order for nginx to do anything meaningful you will need to reconfigure rabbitmq to use HTTP - for example http://www.rabbitmq.com/web-stomp.html.
Of course, this may have a ripple effect because any clients that are accessing rabbitmq via AMQP must be reconfigured/redesigned to use HTTP.
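A small diagnostic for the symptom in this thread (nginx logging the bytes "AMQP\x00\x00\x09\x01" as a 400 request), added here as an example and not code from the question or any of the answers: it sends the AMQP 0-9-1 protocol header and classifies what the peer sends back, so an HTTP reverse proxy can be told apart from a real broker or a version mismatch. The host and port in the usage block are placeholders.

```python
import socket
import struct

# AMQP 0-9-1 protocol header: exactly the bytes nginx logged as a "400" request above.
AMQP_HEADER = b"AMQP\x00\x00\x09\x01"


def classify_reply(reply: bytes) -> str:
    """Describe the first bytes a peer sends back after receiving AMQP_HEADER."""
    if not reply:
        return "no reply: peer closed the connection"
    if reply.startswith(b"HTTP/"):
        # An HTTP server (e.g. nginx with "proxy_pass http://") rejected the bytes.
        status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return "http server answered: " + status_line
    if reply.startswith(b"AMQP") and len(reply) >= 8:
        # A broker that does not speak our version echoes its own header and closes.
        return "amqp version mismatch: peer offers %d-%d-%d" % tuple(reply[5:8])
    if len(reply) >= 11 and reply[0] == 1:
        # Frame type 1 = METHOD; header is type(1) channel(2) size(4), then class/method ids.
        channel, _size = struct.unpack(">HI", reply[1:7])
        class_id, method_id = struct.unpack(">HH", reply[7:11])
        if channel == 0 and (class_id, method_id) == (10, 10):
            return "amqp broker: Connection.Start received"
        return "amqp method frame: class=%d method=%d" % (class_id, method_id)
    return "unknown reply: " + reply[:16].hex()


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the protocol header, and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(AMQP_HEADER)
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_reply(reply)


if __name__ == "__main__":
    # Placeholder address. The nginx front end from the question answers with HTTP 400;
    # a direct RabbitMQ listener answers with Connection.Start.
    print(probe("x.x.x.x", 5672))
```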
You can try proxying TCP by installing a tcp-proxy module for nginx to work with AMQP.
https://github.com/yaoweibin/nginx_tcp_proxy_module
Give it a go.
Nginx was originally only an HTTP server. I also suggest looking into the tcp proxy module referred to above, but if you would like a proven load balancer that is a general TCP reverse proxy (not just HTTP; it can handle any protocol), you might consider using HAProxy.
Since AMQP is on the TCP/UDP level, you need to configure nginx for TCP/UDP connections:
https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer
I might be late to the party, but I am very much sure that my article will surely help a lot of people in the upcoming days.
In the article I have explained how to install Letsencrypt certificate for RabbitMQ Management GUI with NGINX as reverse proxy on Port: 15672 which runs on HTTP protocol.
I have also used the same SSL certificates to power up the RabbitMQ Server that runs on AMQP protocol.
Kindly go through the following article for detailed description:
https://stackcoder.in/posts/install-letsencrypt-ssl-certificate-for-rabbitmq-server-and-rabbitmq-management-tool
NOTE: Don't configure RabbitMQ Server running on port 5672 as a reverse proxy. Even if you do, then kindly use NGINX streams. But I highly recommend sticking with adding certificate paths in the rabbitmq.conf file, as RabbitMQ works on TCP/UDP.

https://localhost:8080 is not working but http://localhost:8080 is working well

I am using an Ubuntu 12.04 LTS 64-bit PC, with JBOSS as my local PC server, and I have a project which uses mysql as its database and the struts framework. I can easily access my project using
http://localhost:8080
but when I want to access my project using
https://localhost:8080
It shows an error.
The connection was interrupted
The connection to 127.0.0.1:8080 was interrupted while the page was loading.
I have also checked
$ sudo netstat -plntu | grep 8080
this command which output is
"tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 5444/java"
If I kill this process, my project is also killed.
And I also mention that my port 80 is free too.
Can you tell me what problem is occurring that I cannot access my project on my local PC using https?
Thanks in advance for helping.
SSL has to be on a different port. Here is the breakdown:
http:// is watched on a port, typically 80
https:// is watched on a different port, typically 443
You need to RUN SSL on a different port.
Listen 8081
SSL VirtualHost
<VirtualHost *:8081>
# SSL Cert info here
....
</VirtualHost>
> service httpd restart
