Guacamole 0.9.14 Nginx & Letsencrypt Assistance

I am having an issue getting my Guacamole / Nginx / Let's Encrypt setup working properly.

VM Environment
OS:Linux 16.04.03 LTS
Nginx:1.10.3
Certbot: Not sure on version
Domain:addmoreroutes.com
Hosting Provider:dyndns.org / A Record exists and is fine
Ubuntu:IPv6 is disabled

Guacamole itself is working: I can reach the server internally within my network, and externally using port 8080, but I am not able to access my site using port 443. The destination NAT/port forwards on my home firewall are correct and traffic is flowing through fine. Traffic makes it to my server, and I get an Nginx 404 error message when I go to "https://hostname/guacamole/#/" from the outside. I followed this site as a guide.
Attached below is the nginx configuration file

guacadmin@Guac1:~$ sudo nginx -t
[sudo] password for guacadmin:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
guacadmin@Guac1:~$ sudo nano /etc/nginx/sites-available/default

# TLS virtual host for addmoreroutes.com: terminates HTTPS with the Certbot-managed
# certificate and reverse-proxies one path to Guacamole on local port 8080.
server {
server_name addmoreroutes.com;

listen 443 ssl; # managed by Certbot
# Redundant with the "ssl" parameter on the listen line above; newer nginx
# releases deprecate the standalone "ssl" directive.
ssl   on;
ssl_certificate /etc/letsencrypt/live/addmoreroutes.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/addmoreroutes.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

# Prefix locations are matched case-sensitively, so only /Guacamole/... is proxied.
# A request for /guacamole/ (lowercase) matches no location in this server block,
# which is consistent with the 404 described in the post.
location /Guacamole/ {
# The upstream is plain HTTP on loopback. The post says port 8080 is also reachable
# from outside; NOTE(review): while that forward stays open, clients can reach the
# Guacamole login without TLS, bypassing this proxy.
proxy_pass http://127.0.0.1:8080/guacamole/;
proxy_set_header Host $host;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Pass the client's Upgrade/Connection headers through to the upstream
# (presumably for Guacamole's WebSocket tunnel; confirm).
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;

  # Turns off request logging for this location. NOTE(review): for an
  # internet-facing remote-access login, access logs are what you would use to
  # spot repeated failed logins or review an incident; consider leaving them on.
  access_log off;

}
}

# Port-80 listener written by Certbot: redirects plain-HTTP requests for
# addmoreroutes.com to HTTPS and answers every other Host with 404.
server {
# $host is only reflected into the Location header after it has been compared
# with the expected name, so an arbitrary Host header cannot steer the redirect.
if ($host = addmoreroutes.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

# IPv4 only, on all interfaces. No server_name is set in this block.
listen 0.0.0.0:80;
return 404; # managed by Certbot

}

nginx will treat that location directive in a case-sensitive way, so a request for /guacamole/ will not match location /Guacamole/.

Have you tried https://hostname/Guacamole/#/ instead?

Your server isn't responding for me right now, so apologies if it's barking up the wrong tree.

Is the right way to interpret your question that the 404 is the problem? Or you can't connect externally via port 443?

I tried the uppercase “Guacamole” like you mentioned and got nothing. I can access my site via HTTP but not HTTPS. I am redoing this Guacamole/Nginx piece, so you won't be able to access it at the moment. Does the link I posted with the guide look relevant? I was blindly following it.

I tore this down and rebuilt it; I am posting the following config since I am running into the same issue.

# Main-context settings: worker processes run under the www-data account.
user www-data;
worker_processes 4;
pid /run/nginx.pid;

events
{
# Upper bound on simultaneous connections per worker process.
worker_connections 768;
}

http
{
# My Certificates
# NOTE(review): $EXTERNALFQDN looks like a shell placeholder from an install script
# that was never filled in. nginx does not read shell variables from its config, so
# these paths need the real certificate directory name; confirm the files exist.
ssl_certificate /etc/nginx/ssl/$EXTERNALFQDN/fullchain.pem;
# The private key should be readable only by root. TODO: verify file permissions.
ssl_certificate_key /etc/nginx/ssl/$EXTERNALFQDN/privkey.pem;

    # SSL Performance Related
    # Shared 10 MB session cache; sessions stay resumable for 10 minutes.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # SSL Protocols and Ciphers
    # Only TLS 1.2 is offered, and the server's cipher order wins over the client's.
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    # AES-GCM suites come first; AES128, anonymous, MD5, export, DES, PSK and RC4 suites are excluded.
    ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:!AES128:!aNULL:!MD5:!eNULL:!EXPORT:!DES:!PSK:!RC4";
    # DHE Key-Exchange
    # NOTE(review): same unexpanded $EXTERNALFQDN placeholder as the certificate paths above.
    ssl_dhparam /etc/nginx/ssl/$EXTERNALFQDN/dhparam.pem;

    # Random Security Stuff
    # Hide the nginx version in error pages and the Server header.
    server_tokens off;
    # NOTE(review): add_header lines set at this level are inherited by a server or
    # location only if that level defines no add_header of its own.
    # Forbid rendering the site inside any frame (clickjacking defence).
    add_header X-Frame-Options DENY;
    # Stop browsers from MIME-sniffing responses.
    add_header X-Content-Type-Options nosniff;
    # Legacy XSS-filter header; current browsers largely ignore it.
    add_header X-XSS-Protection "1; mode=block";
    # HSTS for two years (63072000 s). Browsers that have seen this header refuse plain
    # HTTP for the host until it expires, so certificate renewal has to keep working.
    add_header Strict-Transport-Security max-age=63072000;

    # Common Proxy Settings
    # NOTE(review): the backslash before each $ looks like shell here-document escaping
    # carried over from an install script; in a config file edited by hand these would
    # presumably be plain $host, $remote_addr and $proxy_add_x_forwarded_for. Confirm.
    proxy_set_header Host      \$host;
    proxy_set_header X-Real-IP  \$remote_addr;
    # X-Forwarded-For appends the client address to whatever the client already sent, so
    # the leftmost entries are client-controlled and should not be trusted by the backend.
    proxy_set_header    X-Forwarded-For \$proxy_add_x_forwarded_for;

    ########################
    # Default Config Stuff #
    ########################
    # Request and error logs are kept at the http level.
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096; #Default:2048
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    gzip on;
    gzip_disable "msie6";
    # NOTE(review): these includes also load every file still present in conf.d and
    # sites-enabled. If a default site from an earlier setup is still linked there with
    # its own 443 server block, it may be answering requests instead of the server
    # blocks defined in this file; verify what is actually enabled.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    # REDIRECTS ALL PORT 80/HTTP to 443/HTTPS

    # NOTE(review): the "server" keyword appears to be missing before this opening
    # brace; compare with the 443 block below, which starts with "server".
    {
            listen 80;
            # The post says IPv6 is disabled on this host. NOTE(review): an IPv6 listen
            # may fail to bind in that case; confirm.
            listen [::]:80;
            # NOTE(review): unexpanded placeholder; should presumably be the public hostname.
            server_name $EXTERNALFQDN;

            # Unanchored regex match: "." matches any character and the pattern can match
            # anywhere in the URI. NOTE(review): a prefix match on
            # /.well-known/acme-challenge/ would be tighter.
            location ~ /.well-known/acme-challenge
            {
                root /var/www/html/;
            }

            # A server-level return is evaluated before location matching, so every request,
            # including ACME challenges, appears to get this redirect. Verify.
            # NOTE(review): \$ looks like leftover shell escaping here as well.
            return 301 https://\$host\$request_uri;
    }

    # GUACAMOLE SERVER SETTINGS
    server
    {
            listen 443 ssl;
            listen [::]:443 ssl;

    # NOTE(review): everything from here down to the second "GUACAMOLE SERVER SETTINGS"
    # header repeats the http-level settings and the port-80 block shown earlier in this
    # paste. It looks like overlapping editor screens rather than real duplication;
    # confirm against the file on disk, because if it really is in the file the braces do
    # not balance and the http-level includes would be nested inside a server block.
    # SSL Protocols and Ciphers
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:!AES128:!aNULL:!MD5:!eNULL:!EXPORT:!DES:!PSK:!RC4";
    # DHE Key-Exchange
    ssl_dhparam /etc/nginx/ssl/$EXTERNALFQDN/dhparam.pem;

    # Random Security Stuff
    server_tokens off;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security max-age=63072000;

    # Common Proxy Settings
    proxy_set_header Host      \$host;
    proxy_set_header X-Real-IP  \$remote_addr;
    proxy_set_header    X-Forwarded-For \$proxy_add_x_forwarded_for;

    ########################
    # Default Config Stuff #
    ########################
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096; #Default:2048
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    gzip on;
    gzip_disable "msie6";
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    # REDIRECTS ALL PORT 80/HTTP to 443/HTTPS

    {
            listen 80;
            listen [::]:80;
            server_name $EXTERNALFQDN;

            location ~ /.well-known/acme-challenge
            {
                root /var/www/html/;
            }

            return 301 https://\$host\$request_uri;
    }

    # GUACAMOLE SERVER SETTINGS
    # The 443 server block shown here has no server_name line.
    server
    {
            listen 443 ssl;
            listen [::]:443 ssl;

GNU nano 2.5.3 File: /etc/nginx/nginx.conf

            # Proxy settings for the HTTPS server block: responses are passed to the client unbuffered.
            proxy_buffering off;
            proxy_redirect  off;
            # Guacamole is served at "/" here, so cookies scoped to /guacamole/ are rewritten to "/".
            proxy_cookie_path /guacamole/ /;
            proxy_http_version 1.1;
            # NOTE(review): \$ looks like leftover shell escaping; presumably $http_upgrade. Confirm.
            proxy_set_header Upgrade \$http_upgrade;
            proxy_set_header Connection "upgrade";

            # Unanchored regex match, serving ACME challenge files from /var/www/html/.
            location ~ /.well-known/acme-challenge
            {
                root /var/www/html/;
            }

            location /
            {
                    # Address redacted by the poster. The hop to the backend is plain HTTP.
                    # NOTE(review): if x.x.x.x is not loopback, session traffic between nginx
                    # and Guacamole crosses the network unencrypted, and port 8080 should
                    # accept connections only from this proxy. Confirm.
                    proxy_pass http://x.x.x.x:8080/guacamole/;
            }
    }

}
