schap
November 8, 2018, 1:46pm
My domain is:
.inovexcorp.com
Hello, I set up Guacamole with Let's Encrypt. I am able to reach https://hostname.com internally and it takes me to Guacamole, but externally it does not work at all, unless I go to hostname.inovexcorp.com:8080/guacamole
Here is the config under /etc/nginx/conf.d/guacamole.conf:
server {
    if ($host = remote.inovexcorp.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host ~ ^[^.]+\.inovexcorp\.com$) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name remote.inovexcorp.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 default_server ssl http2;
    server_name remote.inovexcorp.com;
    root html;
    index index.html index.htm;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/inovexcorp.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/inovexcorp.com/privkey.pem; # managed by Certbot
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1440m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    access_log /var/log/nginx/guacamole.access.log;

    location / {
        proxy_pass http://localhost:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /guacamole/ /;
    }
}
Thank you for the help!
Hi @schap
Checking your domain via https://check-your-website.server-daten.de/?q=remote.inovexcorp.com:
Your http redirects to https. But https doesn't answer.
Is there a firewall or something else which blocks?
schap
November 8, 2018, 8:49pm
I mean, there is a firewall, but I set a static NAT from the external IP to the internal IP. I may have to do some digging in the firewall. There is nothing else that could be wrong?
What's your exact question? Port 80 is open, port 443 is closed. This may be a problem, but if you don't have a public website, it's not a problem.
Do you want to renew a certificate?
schap
November 9, 2018, 12:55pm
Hello,
We do have a public website… I am just trying to figure out where you're saying 443 is off? Would it cause issues if we have a cert purchased somewhere else and I am using a Let's Encrypt cert for this instance?
Hi,
Your port 443 is on… (and listening to queries)
However, when I tried to connect to your server, the connection got stuck somewhere in your system…
openssl s_client -connect remote.inovexcorp.com:443 --debug
CONNECTED(00000194)
write to 0x2217fc1a380 [0x2217fc31a80] (323 bytes => 323 (0x143))
0000 - 16 03 01 01 3e 01 00 01-3a 03 03 31 f6 50 23 d6 …>…:…1.P#.
0010 - d9 50 eb 4d b9 d7 07 1a-85 8f 59 65 dc f5 b9 82 .P.M…Ye…
0020 - 9e ed 5f 27 4d 85 3f 8c-3f 8a ca 20 3e ed ea 88 …_'M.?.?.. >…
0030 - cb d8 08 b8 54 db 48 b4-b6 89 23 72 42 6a 62 54 …T.H…#rBjbT
0040 - 6b f8 9c 0e 4e 26 05 27-7a b3 a8 18 00 3e 13 02 k…N&.'z…>…
0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa …,.0…
0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27 .+./….(.k.#.'
0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d .g.....9.....3..
0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 b3 ...=.<.5./......
0090 - 00 00 00 1a 00 18 00 00-15 72 65 6d 6f 74 65 2e .........remote.
00a0 - 69 6e 6f 76 65 78 63 6f-72 70 2e 63 6f 6d 00 0b inovexcorp.com..
00b0 - 00 04 03 00 01 02 00 0a-00 0c 00 0a 00 1d 00 17 ................
00c0 - 00 1e 00 19 00 18 00 23-00 00 00 16 00 00 00 17 .......#........
00d0 - 00 00 00 0d 00 30 00 2e-04 03 05 03 06 03 08 07 .....0..........
00e0 - 08 08 08 09 08 0a 08 0b-08 04 08 05 08 06 04 01 ................
00f0 - 05 01 06 01 03 03 02 03-03 01 02 01 03 02 02 02 ................
0100 - 04 02 05 02 06 02 00 2b-00 09 08 03 04 03 03 03 .......+........
0110 - 02 03 01 00 2d 00 02 01-01 00 33 00 26 00 24 00 ....-.....3.&. .
0120 - 1d 00 20 c4 d7 cb f1 54-eb cb f0 1f e1 c7 6d cf … …T…m.
0130 - 4e 17 33 81 e4 0e 65 7c-30 51 11 f2 3d b4 fe 9f N.3…e|0Q…=…
0140 - 0e 10 50 …P
read from 0x2217fc1a380 [0x2217fc28863] (5 bytes => 0 (0x0))
write:errno=0
—
no peer certificate available
—
No client certificate CA names sent
—
SSL handshake has read 0 bytes and written 323 bytes
Verification: OK
—
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
—
read from 0x2217fc1a380 [0x2217fbee550] (8192 bytes => 0 (0x0))
I’m not sure what’s wrong with this though… (Maybe the reverse proxy is not set up correctly?)
Thank you
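As an added example (not code from the thread), a Python script that reads the `openssl s_client -debug` transcript above, decodes the server_name (SNI) the client sent from the hex-dumped ClientHello, and classifies the outcome from the summary lines so that a closed port is told apart from a connection that was accepted and then dropped before any TLS reply. The embedded excerpt is the dump from this post with the ASCII column removed; the row format and summary wording are OpenSSL's.

```python
"""Interpret an `openssl s_client -debug` transcript (added example, not from
the thread): decode the SNI in the ClientHello dump and classify the outcome."""
import re
import struct

# Excerpt of the transcript posted above (hex rows up to the SNI, ASCII column dropped).
TRANSCRIPT = """\
CONNECTED(00000194)
0000 - 16 03 01 01 3e 01 00 01-3a 03 03 31 f6 50 23 d6
0010 - d9 50 eb 4d b9 d7 07 1a-85 8f 59 65 dc f5 b9 82
0020 - 9e ed 5f 27 4d 85 3f 8c-3f 8a ca 20 3e ed ea 88
0030 - cb d8 08 b8 54 db 48 b4-b6 89 23 72 42 6a 62 54
0040 - 6b f8 9c 0e 4e 26 05 27-7a b3 a8 18 00 3e 13 02
0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa
0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27
0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d
0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 b3
0090 - 00 00 00 1a 00 18 00 00-15 72 65 6d 6f 74 65 2e
00a0 - 69 6e 6f 76 65 78 63 6f-72 70 2e 63 6f 6d 00 0b
SSL handshake has read 0 bytes and written 323 bytes
New, (NONE), Cipher is (NONE)
"""
HEX_ROW = re.compile(r"^[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})", re.M)

def hexdump_bytes(text):
    """Concatenate the hex columns of the dump rows into the raw bytes sent."""
    pairs = "".join(m.group(1) for m in HEX_ROW.finditer(text))
    return bytes.fromhex(re.sub(r"[ -]", "", pairs))

def client_hello_sni(hello):
    """Walk the TLS record and ClientHello body to the server_name extension."""
    pos = 5 + 4 + 2 + 32        # record header, handshake header, version, random
    pos += 1 + hello[pos]       # session id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]  # cipher suites
    pos += 1 + hello[pos] + 2   # compression methods, then extensions length
    while pos + 4 <= len(hello):
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        if ext_type == 0:       # server_name: list len(2), name type(1), name len(2), name
            name_len = struct.unpack_from("!H", hello, pos + 7)[0]
            return hello[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

def classify(text):
    """Tell a closed port apart from a connection accepted and then dropped."""
    if "CONNECTED(" not in text:
        return "tcp connect failed: port closed or filtered"
    m = re.search(r"handshake has read (\d+) bytes and written (\d+) bytes", text)
    if m and int(m.group(1)) == 0 and int(m.group(2)) > 0:
        return "tcp accepted, but the peer closed before sending any TLS data"
    return "tls handshake failed" if "Cipher is (NONE)" in text else "tls handshake completed"
```

For the transcript in this post the SNI decodes to the server_name that guacamole.conf expects, and the verdict is that the TCP connection was accepted but closed with zero bytes read, i.e. nothing at the far end ever spoke TLS.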
Check your page with your browser:
https://remote.inovexcorp.com/
ERR_CONNECTION_CLOSED says Chrome. Perhaps your SSL configuration is wrong. So the port answers - but then closes the connection.
schap
November 9, 2018, 3:00pm
Yes, it must be. Any idea where or what the correct config would be? It works internally but not externally. Thank you all for your help.
Is there a proxy or something else?
schap
November 9, 2018, 3:19pm
I have an nginx proxy set up on the guac instance.
Then your proxy setup doesn't work.
schap
November 9, 2018, 3:23pm
This is my /etc/nginx/nginx.conf file:
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        if ($host ~ ^[^.]+\.inovexcorp\.com$) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        server_name _;
        root /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }

        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/inovexcorp.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/inovexcorp.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

# Settings for a TLS enabled server.
#
#    server {
#        listen 443 ssl http2 default_server;
#        listen [::]:443 ssl http2 default_server;
#        server_name _;
#        root /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout 10m;
#        ssl_ciphers HIGH:!aNULL:!MD5;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#        location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#        location = /50x.html {
#        }
#    }

    server {
        if ($host ~ ^[^.]+\.inovexcorp\.com$) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 404; # managed by Certbot
    }
}
system
Closed
December 9, 2018, 3:23pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.