Guac not redirecting to https with letsencrypt


#1

My domain is:
.inovexcorp.com

Hello, I set up Guacamole with Let's Encrypt. I am able to reach https://hostname.com internally and it takes me to Guacamole, but externally it does not work at all, unless I go to hostname.inovexcorp.com:8080/guacamole

Here is config under /etc/nginx/conf.d/guacamole.conf

  server {
    if ($host = remote.inovexcorp.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host ~ ^[^.]+\.inovexcorp\.com$) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name remote.inovexcorp.com;
    return 301 https://$host$request_uri;




}
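server {
    listen 443 default_server ssl http2;
    server_name remote.inovexcorp.com;
    root html;
    index index.html index.htm;

    # The former "ssl on;" line was dropped: it is redundant with
    # "listen ... ssl" above and is deprecated (removed in recent nginx).
    ssl_certificate /etc/letsencrypt/live/inovexcorp.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/inovexcorp.com/privkey.pem; # managed by Certbot
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout    1440m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the
    # offered list; only TLS 1.2 and 1.3 remain.  TLSv1.3 needs nginx built
    # against OpenSSL 1.1.1+ -- if "nginx -t" rejects it, keep TLSv1.2 only.
    # NOTE(review): this is the default_server for *:443; on older
    # nginx/OpenSSL builds the protocol list of the default server is the
    # one applied to every name on that socket -- confirm for this build.
    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    # "always" makes nginx emit HSTS on error responses (4xx/5xx) as well,
    # not only on 2xx/3xx.  Note that includeSubdomains here applies to
    # *.remote.inovexcorp.com, not to the other hosts under inovexcorp.com.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;" always;
    access_log  /var/log/nginx/guacamole.access.log;

    # Reverse proxy to the Guacamole webapp on the local Tomcat; the
    # Upgrade/Connection headers are required for Guacamole's WebSocket
    # tunnel, and proxy_cookie_path rewrites the session cookie path so it
    # matches the "/" prefix served here.
    location / {
        proxy_pass http://localhost:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /guacamole/ /;
    }
}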

Thank you for the help!


#2

Hi,

Is hostname.inovexcorp.com actually remote.inovexcorp.com?

Thank you


#3

Hey Steven yes it is


#4

Hi @schap

checking your domain via https://check-your-website.server-daten.de/?q=remote.inovexcorp.com

Your http redirects to https. But https doesn’t answer.

Is there a firewall or something else which blocks?


#5

I mean there is a firewall. but I set a static nat from the external ip to the internal ip. I may have to do some digging in the firewall. There is nothing else that could be wrong?


#6

What’s your exact question? Port 80 is open, port 443 is closed. This may be a problem, but if you don’t have a public website, it’s not a problem.

Do you want to renew a certificate?


#7

Hello,

We do have a public website… I am just trying to figure out where your saying 443 is off? Would it cause issues if we have a cert purchased somewhere else and I am using a letsencrypt cert for this instance?


#8

Hi,

Your port 443 is on… (and Listening to queries)

However, when I tried to connect to your server, the connection got stuck somewhere in your system…

openssl s_client -connect remote.inovexcorp.com:443 --debug
CONNECTED(00000194)
write to 0x2217fc1a380 [0x2217fc31a80] (323 bytes => 323 (0x143))
0000 - 16 03 01 01 3e 01 00 01-3a 03 03 31 f6 50 23 d6 …>…:…1.P#.
0010 - d9 50 eb 4d b9 d7 07 1a-85 8f 59 65 dc f5 b9 82 .P.M…Ye…
0020 - 9e ed 5f 27 4d 85 3f 8c-3f 8a ca 20 3e ed ea 88 …_'M.?.?.. >…
0030 - cb d8 08 b8 54 db 48 b4-b6 89 23 72 42 6a 62 54 …T.H…#rBjbT
0040 - 6b f8 9c 0e 4e 26 05 27-7a b3 a8 18 00 3e 13 02 k…N&.'z…>…
0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa …,.0…
0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27 .+./….(.k.#.'
0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d .g.....9.....3..
0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 b3 ...=.<.5./......
0090 - 00 00 00 1a 00 18 00 00-15 72 65 6d 6f 74 65 2e .........remote.
00a0 - 69 6e 6f 76 65 78 63 6f-72 70 2e 63 6f 6d 00 0b inovexcorp.com..
00b0 - 00 04 03 00 01 02 00 0a-00 0c 00 0a 00 1d 00 17 ................
00c0 - 00 1e 00 19 00 18 00 23-00 00 00 16 00 00 00 17 .......#........
00d0 - 00 00 00 0d 00 30 00 2e-04 03 05 03 06 03 08 07 .....0..........
00e0 - 08 08 08 09 08 0a 08 0b-08 04 08 05 08 06 04 01 ................
00f0 - 05 01 06 01 03 03 02 03-03 01 02 01 03 02 02 02 ................
0100 - 04 02 05 02 06 02 00 2b-00 09 08 03 04 03 03 03 .......+........
0110 - 02 03 01 00 2d 00 02 01-01 00 33 00 26 00 24 00 ....-.....3.&..
0120 - 1d 00 20 c4 d7 cb f1 54-eb cb f0 1f e1 c7 6d cf … …T…m.
0130 - 4e 17 33 81 e4 0e 65 7c-30 51 11 f2 3d b4 fe 9f N.3…e|0Q…=…
0140 - 0e 10 50 …P
read from 0x2217fc1a380 [0x2217fc28863] (5 bytes => 0 (0x0))
write:errno=0

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 323 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

read from 0x2217fc1a380 [0x2217fbee550] (8192 bytes => 0 (0x0))

I’m not sure what’s wrong with this though. What the output shows is that the TCP connection was accepted, the ClientHello was written (323 bytes), and then the peer closed the connection without sending anything back — no ServerHello and no TLS alert (“read … 5 bytes => 0”, “no peer certificate available”). That is consistent with a broken TLS configuration on the listener, but since the same URL works from inside the network it is just as consistent with something in the path — the firewall’s static NAT rule, an IPS/TLS-inspection feature, or a forward to the wrong port — accepting the connection and dropping it. (Maybe the reverse proxy is not set up correctly?)

Thank you


#9

Check your page with your browser:

https://remote.inovexcorp.com/

ERR_CONNECTION_CLOSED says Chrome. Perhaps your SSL configuration is wrong. So the port answers - but then closes the connection.


#10

Yes it must be, any idea where or what the correct config would be? It works internally but not externally. Thank you all for your help.


#11

Is there a proxy or something else?


#12

I have nginx proxy setup on the guac instance


#13

Then your proxy setup doesn’t work. One more thing to be aware of: if hostname.inovexcorp.com:8080/guacamole is reachable from outside, the Guacamole login is being served over plain HTTP on that port, bypassing the TLS you set up — that port should not stay forwarded once the proxy is working.


#14

this is my /etc/nginx/nginx.conf file

# For more information on configuration, see:

#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

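user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    # guacamole.conf lives here.  It declares the default_server for *:443
    # with server_name remote.inovexcorp.com, so that name is served by it
    # on IPv4 and never reaches the catch-all server below.
    include /etc/nginx/conf.d/*.conf;

    # Catch-all HTTPS server (server_name "_").  It answers any name that
    # no other 443 server claims and -- as far as the posted configuration
    # shows -- is the only server listening on [::]:443, so IPv6 clients
    # land here for every name, including remote.inovexcorp.com.
    server {
        listen 443 ssl; # managed by Certbot
        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        server_name  _;
        root         /usr/share/nginx/html;

        # The certbot "if ($host ~ ^[^.]+\.inovexcorp\.com$) { return 301
        # https://$host$request_uri; }" block that used to open this server
        # was removed.  On an HTTPS server it redirects an https:// request
        # to the very same https:// URL, i.e. an infinite redirect loop for
        # every *.inovexcorp.com name that ends up here.  HTTP-to-HTTPS
        # redirects belong in the port-80 server only.

        ssl_certificate /etc/letsencrypt/live/inovexcorp.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/inovexcorp.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers HIGH:!aNULL:!MD5;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }

    # Catch-all plain-HTTP server.  Requests for *.inovexcorp.com are sent
    # to HTTPS; any other Host gets a 404 (certbot's default for "_").
    server {
        if ($host ~ ^[^.]+\.inovexcorp\.com$) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        return 404; # managed by Certbot
    }
}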