I have a static internet ip and our router goes NAT to my server (192.168.1.5) with 80 port. We just added 443 port also, but it shows "This site can't provide a secure connection" still.
You will need to port map both (80 and 443).
We created NAT on 80 and 443 also, but the problem still persists.
It still does not look like requests to port 443 get to that nginx server. Can you show result of these two commands from that server?
ifconfig | grep -Ei 'add|inet'
sudo netstat -pant | grep -i listen
root@test:/etc/nginx/sites-available# ifconfig | grep -Ei 'add|inet'
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
inet6 fe80::42:b5ff:fe10:13c9 prefixlen 64 scopeid 0x20<link>
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet 192.168.1.15 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::e61f:13ff:fe2c:8fa4 prefixlen 64 scopeid 0x20<link>
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
inet6 fe80::300e:5fff:fe92:73ad prefixlen 64 scopeid 0x20<link>
inet6 fe80::3c3f:83ff:fe9e:f8dc prefixlen 64 scopeid 0x20<link>
root@test:/etc/nginx/sites-available# sudo netstat -pant | grep -i listen
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 1160/systemd-resolv
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1623/sshd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 2809/docker-proxy
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 18613/nginx: master
tcp 0 0 192.168.1.15:5090 0.0.0.0:* LISTEN 1711/freeswitch
tcp 0 0 192.168.1.15:5060 0.0.0.0:* LISTEN 1711/freeswitch
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN 2823/docker-proxy
tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN 1298/node
tcp 0 0 192.168.1.15:5066 0.0.0.0:* LISTEN 1711/freeswitch
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 1409/redis-server 1
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 18613/nginx: master
tcp 0 0 192.168.1.15:7443 0.0.0.0:* LISTEN 1711/freeswitch
tcp6 0 0 :::8021 :::* LISTEN 1711/freeswitch
tcp6 0 0 :::22 :::* LISTEN 1623/sshd
tcp6 0 0 127.0.0.1:8090 :::* LISTEN 1704/java
tcp6 0 0 ::1:5090 :::* LISTEN 1711/freeswitch
tcp6 0 0 127.0.0.1:8900 :::* LISTEN 1794/java
tcp6 0 0 ::1:5060 :::* LISTEN 1711/freeswitch
tcp6 0 0 127.0.0.1:8901 :::* LISTEN 1802/java
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 1997/java
tcp6 0 0 ::1:5066 :::* LISTEN 1711/freeswitch
tcp6 0 0 ::1:6379 :::* LISTEN 1409/redis-server 1
tcp6 0 0 :::8080 :::* LISTEN 1997/java
tcp6 0 0 ::1:7443 :::* LISTEN 1711/freeswitch
root@test:/etc/nginx/sites-available#
Was that a typo? Because you just showed 192.168.1.15
It is not a problem, I just changed it for security. It was 192.168.1.5
Is there something we should be aware of?
Can you show us:
sudo systemctl status nginx
Thanks
root@test:/etc/nginx/sites-available# sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2022-06-08 00:55:06 UTC; 2h 17min ago
Docs: man:nginx(8)
Process: 18600 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
Process: 18612 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 18601 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 18613 (nginx)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/nginx.service
├─18613 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─18615 nginx: worker process
├─18617 nginx: worker process
├─18619 nginx: worker process
├─18621 nginx: worker process
├─18622 nginx: worker process
├─18623 nginx: worker process
├─18624 nginx: worker process
└─18625 nginx: worker process
Jun 08 00:55:06 test systemd[1]: Starting A high performance web server and a reverse proxy server...
Jun 08 00:55:06 test systemd[1]: Started A high performance web server and a reverse proxy server.
To which IP does the NAT send the port 80 and 443 requests?
I don't think the https requests are reaching that server correctly. I think it is most likely in your NAT forwarding.
But, if you don't see anything with that then this logging may help.
Add the logging below to your two now.[redacted] server blocks.
This will prove where the requests are processed and may show errors.
Update /etc/nginx/sites-enabled/default
Add these lines:
error_log /var/log/nginx/error443.log warn;
access_log /var/log/nginx/access443.log;
after these lines in the listen 443 server:
server {
server_name now.[redacted];
client_max_body_size 2048M;
And, add these lines:
error_log /var/log/nginx/error80.log warn;
access_log /var/log/nginx/access80.log;
after these lines in the listen 80 server:
server {
if ($host = now.[redacted]) {
return 301 https://$host$request_uri;
} # managed by Certbot
Then restart nginx and do these tests
curl -I https://now.[redacted]/trying443.html
curl -I http://now.[redacted]/try80.html
curl -I http://now.[redacted]:443/tryhttpwith443.html
And show the contents of the 4 log files
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
3 of 4 logs were empty.
root@test:/var/log/nginx# cat access80.log
192.168.1.202 - - [08/Jun/2022:03:52:57 +0000] "HEAD /try80.html HTTP/1.1" 301 0 "-" "curl/7.58.0"
192.168.1.202 - - [08/Jun/2022:03:53:02 +0000] "HEAD /tryhttpwith443.html HTTP/1.1" 301 0 "-" "curl/7.58.0"
.202 is my PC's IP.
Temporarily change:
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://192.168.1.10:4000;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
to:
location / {
return 200 'this much works securely';
}
then try:
curl -I https://now.[redacted]/trying443-200.html
and show the output and log entry.
I suspect even that simple test will fail:
openssl s_client -connect now.[redacted]:443
CONNECTED(0000019C)
6096:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl\record\ssl3_record.c:250:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1654662847
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
I think the version of nginx has been stripped of all higher TLS, try SSLv3.
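The "wrong version number" diagnosis above can be reproduced without OpenSSL: a TLS client opens with a ClientHello record, and if what answers is a plaintext HTTP listener (for example a port-80 service that the NAT rule delivers port 443 to), the first reply bytes read "HTTP/..." instead of a TLS record, which is exactly what curl and s_client complain about. The probe below is an added example and not code from this thread; `build_client_hello`, `classify_response`, `probe`, the local stand-in listener and the host name `now.example` are all constructed for the example.

```python
"""Probe a TCP port and report whether it speaks TLS or plaintext HTTP.

Added example for the thread above, not code from any of its posts. It sends a
minimal TLS 1.2 ClientHello (the same thing curl/openssl start with) and looks at
the first bytes that come back: a TLS record means a real TLS listener, an
"HTTP/" status line means port 443 is being delivered to a plain HTTP service.
"""
import socket
import struct
import threading

# Assumption: a handful of common TLS 1.2 suites (ECDHE and plain RSA) is enough
# to make any real TLS listener answer with a ServerHello or at least an alert.
CIPHER_SUITES = (0xC02F, 0xC030, 0x009C, 0x002F)


def build_client_hello(server_name: str) -> bytes:
    """Return one TLS record carrying a TLS 1.2 ClientHello with an SNI extension."""
    host = server_name.encode("idna")
    # Constructed, deterministic 32-byte "random" field (real clients use os.urandom).
    client_random = bytes((i * 7 + 1) % 256 for i in range(32))
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + client_random
        + b"\x00"                                    # empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                # compression methods: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    # Handshake header: type 1 (ClientHello) + 3-byte body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), legacy version 3.1, length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(first_bytes: bytes) -> str:
    """Classify the first bytes a listener sent back after our ClientHello."""
    if not first_bytes:
        return "no-response"
    if first_bytes[0] == 0x16 and first_bytes[1:2] == b"\x03":
        return "tls"             # ServerHello record: a genuine TLS listener
    if first_bytes[0] == 0x15 and first_bytes[1:2] == b"\x03":
        return "tls-alert"       # TLS listener that rejected our hello (still TLS)
    if first_bytes.startswith(b"HTTP/"):
        # A plain HTTP server answered a TLS ClientHello: this is the situation
        # behind "ssl3_get_record:wrong version number" (443 forwarded to an 80 service).
        return "plaintext-http"
    return "unknown"


def probe(host: str, port: int, server_name: str = None, timeout: float = 5.0) -> str:
    """Connect, send a ClientHello and classify whatever comes back first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(server_name or host))
            data = sock.recv(16)
    except ConnectionRefusedError:
        return "refused"         # nothing listening, or the NAT rule is missing
    except socket.timeout:
        return "no-response"     # silently dropped (firewall) or listener waiting for more
    return classify_response(data)


def start_plaintext_listener() -> int:
    """Start a constructed stand-in for a misrouted port-80 service on 127.0.0.1.

    It answers any bytes it receives with a plain HTTP 400, the way a web server
    reacts to a ClientHello it cannot parse as a request line. Returns the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python probe.py now.example   (probes port 443 of that host)
        print(sys.argv[1], 443, probe(sys.argv[1], 443))
    else:
        local_port = start_plaintext_listener()
        print("local plaintext stand-in:", probe("127.0.0.1", local_port, "now.example"))
```

Run it against the public name once the NAT rule is in place: "tls" means the 443 forward reaches nginx's TLS listener, "plaintext-http" means the request is landing on a port-80 service (which is what the access80.log entries in this thread show), and "refused" or "no-response" points at the port map or a firewall rather than at nginx.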
It shows again.
root@test:/etc/nginx/sites-available# curl -I https://now.[redacted]/trying443-200.html
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
How can it be changed?
root@test:/etc/nginx/sites-available# dpkg -l | grep -i openssl
ii libcurl4:amd64 7.58.0-2ubuntu3.18 amd64 easy-to-use client-side URL transfer library (OpenSSL flavour)
ii libcurl4-openssl-dev:amd64 7.58.0-2ubuntu3.18 amd64 development files and documentation for libcurl (OpenSSL flavour)
ii libxmlsec1-openssl:amd64 1.2.25-1build1 amd64 Openssl engine for the XML security library
ii openssl 1.1.1-1ubuntu2.1~18.04.17 amd64 Secure Sockets Layer toolkit - cryptographic utility
ii python3-ndg-httpsclient 0.4.4-1 all enhanced HTTPS support for httplib and urllib2 using PyOpenSSL for Python3
ii python3-openssl 17.5.0-1ubuntu1 all Python 3 wrapper around the OpenSSL library
ii python3-service-identity 16.0.0-2 all Service identity verification for pyOpenSSL (Python 3 module)
This request should NOT be in access80.log, as it was directed towards port 443.
Please double, triple, quatro-check your portmaps.
Although.. Weird thing is: you're doing this from within your own network it seems, looking at the .202 IP address? Is there a local firewall messing with the ports on your host? Iptables redirecting 443 to 80 or something like that?
Show:
nginx -V
root@test:/etc/nginx/sites-available# nginx -V
nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KgqPmI/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module
Show output from your .202 PC:
ping now.[redacted]