Guac not redirecting to https with letsencrypt

My domain is:
.inovexcorp.com

Hello, I set up Guacamole with Let's Encrypt. I am able to reach https://hostname.com internally and it takes me to Guacamole, but externally it does not work at all, unless I go to hostname.inovexcorp.com:8080/guacamole

Here is config under /etc/nginx/conf.d/guacamole.conf

  server {
    # Plain-HTTP listener for remote.inovexcorp.com: every request is answered
    # with a 301 to the same host and path over HTTPS. The two Certbot-managed
    # `if` blocks below are redundant with the unconditional `return 301` at
    # the end of this block; all three produce the same redirect.
    if ($host = remote.inovexcorp.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host ~ ^[^.]+\.inovexcorp\.com$) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name remote.inovexcorp.com;
    # `$host` echoes the request's Host header. This server is only selected
    # for remote.inovexcorp.com (the `listen 80 default_server` block in
    # nginx.conf catches every other name), so the redirect target stays on
    # this host; a literal `https://remote.inovexcorp.com$request_uri` would
    # make that explicit instead of relying on server selection.
    return 301 https://$host$request_uri;




}
server {
    # HTTPS virtual host for remote.inovexcorp.com. It is the default_server
    # on the IPv4 :443 socket, so TLS connections whose SNI name matches no
    # other server (or carries no SNI at all) land here too. There is no
    # IPv6 ([::]:443) listener in this block.
    listen 443 default_server ssl http2;
    server_name remote.inovexcorp.com;
    # root/index are effectively unused: `location /` below proxies everything.
    root html;
    index index.html index.htm;
    # `ssl on;` is the legacy form and is redundant with the `ssl` parameter
    # already given on the listen line above.
    ssl on;
    ssl_certificate /etc/letsencrypt/live/inovexcorp.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/inovexcorp.com/privkey.pem; # managed by Certbot
    ssl_session_cache    shared:SSL:10m;
    # 1440m = 24 hours: cached sessions stay resumable for a full day.
    ssl_session_timeout    1440m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); restricting this to
    # `TLSv1.2 TLSv1.3` is the usual hardening (TLSv1.3 needs an nginx/OpenSSL
    # build that supports it -- confirm before changing).
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    # HSTS for one year, also covering subdomains of remote.inovexcorp.com.
    # Without the `always` parameter, add_header is only emitted on 2xx/3xx
    # responses (200, 201, 204, 206, 301-304, 307, 308); an error page such as
    # a 502 from the backend goes out without the header.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    access_log  /var/log/nginx/guacamole.access.log;
    location / {
    # Reverse proxy: `/` on this host maps to `/guacamole/` on the backend at
    # localhost:8080. HTTP/1.1 plus the forwarded Upgrade/Connection headers
    # let WebSocket upgrades pass through; the cookie path is rewritten so
    # backend cookies scoped to /guacamole/ are valid at /.
    proxy_pass http://localhost:8080/guacamole/;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    # NOTE(review): no Host or X-Forwarded-Proto header is forwarded, so the
    # backend sees the proxy_pass host (localhost:8080) and plain http;
    # verify whether the application needs either to build correct URLs.
    proxy_cookie_path /guacamole/ /;
    }
    # NOTE(review): the closing `}` of this server block is missing from the
    # listing as posted; only `location /` is closed above.

Thank you for the help!

Hi,

Is hostname.inovexcorp.com actually remote.inovexcorp.com?

Thank you

Hey Steven yes it is

Hi @schap

checking your domain via https://check-your-website.server-daten.de/?q=remote.inovexcorp.com

Your http redirects to https. But https doesn't answer.

Is there a firewall or something else which blocks?

I mean there is a firewall, but I set a static NAT from the external IP to the internal IP. I may have to do some digging in the firewall. Is there nothing else that could be wrong?

What's your exact question? Port 80 is open, port 443 is closed. This may be a problem, but if you don't have a public website, it's not a problem.

Do you want to renew a certificate?

Hello,

We do have a public website… I am just trying to figure out where you're saying 443 is off? Would it cause issues if we have a cert purchased somewhere else and I am using a Let's Encrypt cert for this instance?

Hi,

Your port 443 is on… (and Listening to queries)

However, when I tried to connect to your server, the connection got stuck somewhere in your system…

openssl s_client -connect remote.inovexcorp.com:443 --debug
CONNECTED(00000194)
write to 0x2217fc1a380 [0x2217fc31a80] (323 bytes => 323 (0x143))
0000 - 16 03 01 01 3e 01 00 01-3a 03 03 31 f6 50 23 d6 …>…:…1.P#.
0010 - d9 50 eb 4d b9 d7 07 1a-85 8f 59 65 dc f5 b9 82 .P.M…Ye…
0020 - 9e ed 5f 27 4d 85 3f 8c-3f 8a ca 20 3e ed ea 88 …_'M.?.?.. >…
0030 - cb d8 08 b8 54 db 48 b4-b6 89 23 72 42 6a 62 54 …T.H…#rBjbT
0040 - 6b f8 9c 0e 4e 26 05 27-7a b3 a8 18 00 3e 13 02 k…N&.'z…>…
0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa …,.0…
0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27 .+./….(.k.#.'
0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d .g.....9.....3..
0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 b3 ...=.<.5./......
0090 - 00 00 00 1a 00 18 00 00-15 72 65 6d 6f 74 65 2e .........remote.
00a0 - 69 6e 6f 76 65 78 63 6f-72 70 2e 63 6f 6d 00 0b inovexcorp.com..
00b0 - 00 04 03 00 01 02 00 0a-00 0c 00 0a 00 1d 00 17 ................
00c0 - 00 1e 00 19 00 18 00 23-00 00 00 16 00 00 00 17 .......#........
00d0 - 00 00 00 0d 00 30 00 2e-04 03 05 03 06 03 08 07 .....0..........
00e0 - 08 08 08 09 08 0a 08 0b-08 04 08 05 08 06 04 01 ................
00f0 - 05 01 06 01 03 03 02 03-03 01 02 01 03 02 02 02 ................
0100 - 04 02 05 02 06 02 00 2b-00 09 08 03 04 03 03 03 .......+........
0110 - 02 03 01 00 2d 00 02 01-01 00 33 00 26 00 24 00 ....-.....3.&..
0120 - 1d 00 20 c4 d7 cb f1 54-eb cb f0 1f e1 c7 6d cf … …T…m.
0130 - 4e 17 33 81 e4 0e 65 7c-30 51 11 f2 3d b4 fe 9f N.3…e|0Q…=…
0140 - 0e 10 50 …P
read from 0x2217fc1a380 [0x2217fc28863] (5 bytes => 0 (0x0))
write:errno=0

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 323 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

read from 0x2217fc1a380 [0x2217fbee550] (8192 bytes => 0 (0x0))

I’m not sure what’s wrong with this though — the ClientHello was written (323 bytes) but the server closed the connection without sending anything back (0 bytes read)… (Maybe the reverse proxy is not set up correctly?)

Thank you

Check your page with your browser:

https://remote.inovexcorp.com/

Chrome reports ERR_CONNECTION_CLOSED. Perhaps your SSL configuration is wrong. So the port answers - but then closes the connection.

Yes it must be, any idea where or what the correct config would be? It works internally but not externally. Thank you all for your help.

Is there a proxy or something else?

I have an nginx proxy set up on the guac instance

Then your proxy setup doesn't work.

this is my /etc/nginx/nginx.conf file

# For more information on configuration, see:

#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

# Worker processes run as the unprivileged `nginx` user (the master process
# keeps root only to bind the privileged ports); `auto` starts one worker
# per CPU core.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    # Per-worker ceiling on simultaneous connections; client and upstream
    # (proxy) connections both count against it.
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    # This pulls in conf.d/guacamole.conf, whose two servers (port 80 for
    # remote.inovexcorp.com and the IPv4 :443 default_server) coexist with
    # the catch-all servers defined below.
    include /etc/nginx/conf.d/*.conf;

    # Catch-all HTTPS server. server_name "_" matches no real name, so this
    # block is reached only for connections no other :443 server claims --
    # which includes every connection on [::]:443, because no other block
    # listens on IPv6.
    server {
    # NOTE(review): this Certbot-managed rule sits inside a TLS server, so a
    # request for any *.inovexcorp.com name that lands here is redirected to
    # the same https URL it just asked for -- a redirect loop (reachable by
    # IPv6 clients if the public name has an AAAA record; confirm). Only the
    # plain-HTTP server further down needs this rule.
    if ($host ~ ^[^.]+\.inovexcorp\.com$) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }



    # The IPv6 :443 listener exists only here; the IPv4 :443 socket is shared
    # with the default_server in conf.d/guacamole.conf.
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/inovexcorp.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/inovexcorp.com/privkey.pem; # managed by Certbot
    # Certbot's shared TLS settings (protocols, ciphers) for this server; the
    # conf.d server declares its own ssl_* directives instead.
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers HIGH:!aNULL:!MD5;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }



    # Catch-all plain-HTTP server: *.inovexcorp.com names are redirected to
    # HTTPS by the Certbot rule; any other Host on port 80 gets a 404, which
    # keeps unknown names from being served at all.
    server {
    if ($host ~ ^[^.]+\.inovexcorp\.com$) {
        return 301 https://$host$request_uri;
    } # managed by Certbot




        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
    return 404; # managed by Certbot


# The doubled brace closes both this server block and the enclosing `http {`.
}}
