I'm trying to get a websocket/push-server to run with SSL and can't get it to work.
Here are some informations about what I'm using and what I've done so far:
Ubuntu 16.04.6 LTS server with Plesk 17.8.11
Apache version 2.4.18
Ratchet and zmq extension installed
autobahn.js for websocket connection
PHP-FPM (7.2.19) served by Apache
Firewall disabled for testing
Apache mods enabled: proxy, proxy_balacer, proxy_fcgi, proxy_http, proxy_wstunnel
When I use an non-SSL connection via autobahn.js to ws://my.domain.net:8888/ everything works perfectly fine.
As soon as I try to use wss://my.domain.net/wss/ I get 504 connection timeouts in my browser.
Part of my push-server.php:
$context = new React\ZMQ\Context($loop);
$pull = $context->getSocket(ZMQ::SOCKET_PULL);
$pull->bind('tcp://0.0.0.0:5555'); // set to 0.0.0.0 for testing, was 127.0.0.1 before but didn't work either
$pull->on('message', array($pusher, 'onMessage'));
$webSock = new React\Socket\Server('0.0.0.0:8888', $loop);
$webServer = new Ratchet\Server\IoServer(
new Ratchet\Http\HttpServer(
new Ratchet\WebSocket\WsServer(
new Ratchet\Wamp\WampServer(
$pusher
)
)
),
$webSock
);
$loop->run();
The server is listening on both ports:
php 3957 root 17u IPv4 823972456 0t0 TCP *:8888 (LISTEN)
ZMQbg/0 3957 3958 root 17u IPv4 823972456 0t0 TCP *:8888 (LISTEN)
ZMQbg/1 3957 3959 root 17u IPv4 823972456 0t0 TCP *:8888 (LISTEN)
php 3957 root 16u IPv4 823972455 0t0 TCP *:5555 (LISTEN)
ZMQbg/0 3957 3958 root 16u IPv4 823972455 0t0 TCP *:5555 (LISTEN)
ZMQbg/1 3957 3959 root 16u IPv4 823972455 0t0 TCP *:5555 (LISTEN)
My apache config:
SSLProxyEngine on
ProxyRequests Off
SetEnv proxy-initial-not-pooled 1
ProxyPass /wss/ https://my.domain.net:8888/
ProxyPassReverse /wss/ https://my.domain.net:8888/
I also tried to use
ProxyPass /wss/ wss://my.domain.net:8888/
but then I get the following error message
[proxy:warn] AH01144: No protocol handler was valid for the URL /wss/. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
Now when I try to open a connection with autobahn.js to wss://my.domain.net/wss/ the request loads for a while and ends in a 504 Gateway Time-out and I get the following error message:
[proxy_http:error] (103)Software caused connection abort: [client x.x.x.x:33362] AH01102: error reading status line from remote server my.domain.net:8888
[proxy:error] [client x.x.x.x:33362] AH00898: Error reading from remote server returned by /wss/
Part of the Request Headers:
Cache-Control: no-cache
Connection: Upgrade
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Key: WG/ajAsTaVhBgEeEz5wiUg==
Sec-WebSocket-Protocol: wamp
Sec-WebSocket-Version: 13
Upgrade: websocket
Part of the Response Headers:
Connection: keep-alive
Content-Length: 578
Content-Type: text/html
Server: nginx
Opening the https://my.domain.net/wss/ in a browser ends in an Gateway Time-out as well, served by nginx.
I've spent like 2 days already googling and trying different solutions but nothing seems to work.
If you need more information, please let me know.
Thanks in advance!
Related
I am trying to set up an Apache server on CentOS. Following this article up to the step "Create Virtual Host". Here I replace "80" with "443":
<VirtualHost *:443>
Note that I do not configure firewalld as per that article, though.
In the /etc/httpd/conf/httpd.conf file, I also change the Listen 80 line to Listen 443.
The I start the server with :
sudo systemctl start httpd
I check the deployment with
wget https://my_dns
I get this error:
Resolving my_dns (my_dns)... xx.xxx.xx.xxx
Connecting to my_dns (my_dns)|xx.xxx.xx.xxx|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
If I try (test port 80)
wget my_dns
I get Connection refused, which makes sense.
So, it appears the server is on port 443. But what is this SSL issue and how do I resolve it?
Listening on port 443 does not imply that you are using SSL. You can listen for HTTP requests on any port you specify. Does this work?
wget http://my_dns:443
Apache (httpd) service is running on RedHat EC2 instance at port 80 and command "curl localhost:80" shows the content of index.html file located at /var/www/html of the apache server.
Below is the output of command "service httpd status", which shows that apache is running and listening on port 80 as well.
Active: active (running) since Thu 2020-01-23 16:25:44 UTC; 24s ago
Docs: man:httpd.service(8)
Main PID: 1651 (httpd)
Status: "Running, listening on: port 80"
I have opened port 80 for http on my EC2 instance.But when i try to access
the apache using http://<Public IP of EC2 Instance>:80
then browser gives message
"This site can’t be reached".
Please let me know why i am unable to access apache using
http://<Public IP of EC2 Instance>:80
and what would be fix to enable me to access it.
curl localhost:80
returns output as below
hello world
curl Public_IP_OF_EC2:80
returns output as below
curl: (7) Failed to connect to *.*.***.172 port 80: No route to host
The security group rule for my Ec2 instance is to accept all traffic which means port 80 for http is open on my EC2 instance.
I directly call a web service with url
curl http://venesh.ir/webservice/oauth/token
and I got error 403,
but when I call it by reverse proxy from some server I got 404,is it possible that haproxy change my address?
haproxy config:
frontend localhost
bind *:8081
option tcplog
mode tcp
acl isVenesh dst_port 8081
use_backend venesh if isVenesh
default_backend venesh
backend venesh
mode tcp
balance roundrobin
server web01 venesh.ir:80 check
when I call mySerevrIp:8081/webservice/oauth/token I expect getting the result that I directly call
curl http://venesh.ir/webservice/oauth/token that is 403,
but when I call curl mySerevrIp:8081/webservice/oauth/token I get error 404,
Is a problem with my haproxy or my config or is it possible that this problem is because of venesh.ir website?
It appears that http://venesh.ir/webservice/oauth/token expects the host header to be venesh.ir. You can test this from the command line. If the host header is not venesh.ir, it will return 404:
$ curl -I -H 'Host: 1.1.1.1' http://venesh.ir/webservice/oauth/token
HTTP/1.1 404 Not Found
Date: Mon, 24 Jun 2019 17:48:56 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1
You can add the host header to your configuration if you change your mode to http:
frontend localhost
bind *:8081
option httplog
mode http
default_backend venesh
backend venesh
mode http
balance roundrobin
http-request set-header Host venesh.ir
server web01 venesh.ir:80 check
The answer of #mweiss was true, and an alternative way that I found is Setting HOST value to venesh.ir in my request header then the tcp reverse proxy works fine.
When I try to connect to my server remotely I get the following error.
$ curl -k --verbose https://myserver.com:9010/test
* Adding handle: conn: 0x7f8bfb801a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f8bfb801a00) send_pipe: 1, recv_pipe: 0
* About to connect() to myserver.com port 9010 (#0)
* Trying <myserver ip>...
* Connected to myserver.com (myserver ip) port 9010 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
However, if I run this very command from within the server where the service is running then the connection completes successfully.
I am using a self-signed certificate. I used the guide at codeproject.com to create my certificate. And my Dropwizard server config is:-
server:
requestLog:
timeZone: UTC
appenders:
- type: file
currentLogFilename: logs/requests.log
archivedLogFilenamePattern: logs/requests-%d.log
archivedFileCount: 3
threshold: ALL
applicationConnectors:
- type: https
port: 9010
keyStorePath: myserver.keystore
keyStorePassword: password
certAlias: myserverAlias
validateCerts: false
trustStorePath: /etc/pki/java/cacerts
adminConnectors:
- type: https
port: 9011
keyStorePath: myserver.keystore
keyStorePassword: password
certAlias: myserverAlias
validateCerts: false
trustStorePath: /etc/pki/java/cacerts
Also I see no error in the logs.
Additional details
The successful connection from within the server looks like this.
$ curl -k --verbose https://myserver.com:9010/test
* Trying <myserver ip>...
* Connected to myserver.com (myserver ip) port 9010 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_DSS_WITH_AES_128_CBC_SHA
* Server certificate:
* subject: CN=myserver.com,OU=TECH,O=AppleGrew,L=HYD,ST=TS,C=IN
* start date: Apr 05 06:16:32 2015 GMT
* expire date: Apr 04 06:16:32 2018 GMT
* common name: myserver.com
* issuer: CN=myserver.com,OU=TECH,O=AppleGrew,L=HYD,ST=TS,C=IN
> GET /test HTTP/1.1
> User-Agent: curl/7.40.0
> Host: myserver.com:9010
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 06 Apr 2015 06:01:23 GMT
< Content-Type: application/json
< Vary: Accept-Encoding
< Content-Length: 99
<
* Connection #0 to host myserver.com left intact
{"status":"OK","message_type":"INFO","message_recipient":"SYSTEM","testMsg":"The service is live!"}
However, the version of curl running server-side and remote client-side are different.
Server-side it is:
curl 7.40.0 (x86_64-redhat-linux-gnu) libcurl/7.40.0 NSS/3.16.2 Basic ECC zlib/1.2.8 libidn/1.18 libssh2/1.4.2
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets
Client-side it is:
curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz
Update
I was able to connect to the server from a remote Linux system. The curl version on that system is:-
curl 7.19.7 (i686-pc-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
Just a guess because your question lacks the necessary details:
you have a different version of curl on your client and on the server
your server setup triggers any of the differences between your curl versions, like:
support for RC4 disabled in newer versions
support for SSL 3.0 disabled in newer versions
no ciphers overlap
...
To get more help you should provide the versions and SSL stacks of curl you are using (curl -V), server side settings and maybe debug output (curl -v) for successful and unsuccessful connections.
Server aborted the SSL handshake
Because of this you should also have a look at the logs on the server side. It might even be that a firewall is blocking the connections, so you might check if the server gets he connection at all.
I am running an Ubuntu 12.04 server with Apache 2.2 and OpenSSL 1.01(recent). I am attempting to serve a self signed certificate across for HTTPS browsing. The server is also running webmin, and a tomcat application server.
Currently HTTPS requests do not work for the primary server, returning an er_connection_refused.
I am currently using virtual hosts to specify locations for https connections. HTTPS only works for my webmin portal and not for any other location on the webserver. I had assumed this was a port conflict between miniserv and apache, however there doesn't appear to be any conflict that I can determine. I have checked for other possible webservers that may be using SSL (such as jetty or nginx) but there doesn't appear to be any.
Is there any way to determine which services are associate with which ports. Failing that is there any way to determine which services are currently using SSL.
Thanks in advance.
To find out which services are listening on SSL run:
netstat -tulpn | grep :443
It will generate output like:
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1607/https
It sounds like it could also be a conflict in the way you have set up SSL for the virtual hosts. Often vhost config can be a bit funny if you're sharing the same certificate for multiple vhosts.
Edit:
Also another good one for finding what is using a given port is:
lsof -i :443 | grep LISTEN
Which generates output as:
httpd 1132 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)
httpd 3084 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)
httpd 3312 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)
httpd 3555 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)
httpd 3593 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)