Configuring https on lighttpd - ssl

I'm configuring https on standard Alpine Linux/3.9.0, running PHP/7.2.14 and lighttpd/1.4.52 (ssl). I have my domain name up (I'll call it "mydomain.com") and I've gotten the ssl files mydomain.crt, mydomain.p7b, mydomain.ca-bundle, mydomain.key, and mydomain.pem.
- When I search with http at mydomain.com:443, I access my website.
- When I search with https at mydomain.com, the connection times out.
I have configured /etc/lighttpd/lighttpd.conf incorrectly, and I think it has something to do with my ".crt" file. I have searched around StackOverflow and by googling it, but the two most helpful sources were:
https://tecadmin.net/configure-ssl-in-lighttpd-server/
https://www.digicert.com/ssl-certificate-installation-lighttpd.htm
This was added/modified in the default configuration file /etc/lighttpd/lighttpd.conf:
server.port = 443
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/mydomain.pem"
    ssl.ca-file = "/etc/lighttpd/mydomain.crt"
    server.name = "mydomain"
    server.document-root = "/var/www/localhost/htdocs"
}
I have also tried replacing
ssl.ca-file = "/etc/lighttpd/mydomain.crt"
with
ssl.ca-file = "/etc/lighttpd/mydomain.ca-bundle"
I was expecting /etc/lighttpd/mydomain.crt to work, but I can only access port 443 through http (successful connection), not through https (connection time out). I have one .crt file (mydomain.crt). Am I supposed to modify the file mydomain.ca-bundle as a .crt file?

Okay, so the perpetrator was this line right here:
server.port = 443
Me being a novice at this, I didn't realize you should have port 80 AND port 443 open to enable https. lighttpd uses 80 by default, so I just had to comment out the line:
# server.port = 443
Note for future readers: thus it follows that for https, ports 80 and 443 must also be port-forwarded on your router.
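The symptom in the question above (a plain http:// request to port 443 is answered, while https:// to the same port times out) means the socket on 443 is speaking cleartext HTTP rather than completing a TLS handshake. The probe below is an added example, not code from the question or from lighttpd: it connects to a host and port (both assumptions), offers a TLS ClientHello, then falls back to a cleartext request, and reports which of the two the listener actually speaks. The in-process listener it can start is a constructed stand-in for a server bound to 443 without TLS enabled, so the script runs offline.

```python
"""Classify what a TCP listener speaks: TLS, cleartext HTTP, nothing, or closed.

Added diagnostic for the symptom in the question above. Host names and ports
used here are assumptions, not values taken from the page.
"""
import socket
import ssl
import threading


def classify_port(host, port, timeout=3.0, sni=None):
    """Return 'closed', 'tls', 'plaintext-http', 'silent' or 'unknown'."""
    # Step 1: does anything accept the TCP connection at all?
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"

    # Step 2: offer a TLS ClientHello. This probe classifies, it does not
    # authenticate, so certificate verification is disabled here only.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(raw, server_hostname=sni or host)
        tls.close()
        return "tls"
    except OSError:
        # ssl.SSLError ("wrong version number" when the peer answers the
        # ClientHello with HTTP text) and socket timeouts are both OSError
        # subclasses; a failed SSLSocket closes the connection itself.
        pass

    # Step 3: fresh connection, speak cleartext HTTP and look at the reply.
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            reply = s.recv(1024)
    except OSError:
        return "silent"
    if reply.startswith(b"HTTP/"):
        return "plaintext-http"
    return "silent" if not reply else "unknown"


def start_plaintext_listener():
    """Constructed stand-in for a server bound to 443 without TLS enabled: it
    accepts TCP and answers whatever arrives (a ClientHello included) with an
    HTTP 400, which is what a cleartext web server does with TLS bytes.
    Returns the ephemeral port it listens on; serves from a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.settimeout(2.0)
                    conn.recv(4096)
                    conn.sendall(b"HTTP/1.0 400 Bad Request\r\n"
                                 b"Connection: close\r\n\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """Pick an ephemeral port nothing listens on (the 'closed' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration against the constructed listener; against a real
    # host you would call classify_port("mydomain.com", 443).
    port = start_plaintext_listener()
    print("constructed listener:", classify_port("127.0.0.1", port))
    print("nothing listening   :", classify_port("127.0.0.1", free_port()))
```

A result of "plaintext-http" on port 443 is exactly the question's situation; "closed" points at a firewall or port-forwarding problem rather than the server configuration, and "silent" (TCP accepted, no HTTP reply) usually means something other than a web server owns the port.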

Related

Unable to redirect from http to https behind AWS load balancer

I'm running traefik on an AWS instance with a rancher back-end. I am terminating SSL at the AWS load balancer, and am communicating on port 80 with the instance, which forwards the :80 traffic to the traefik container.
So the Load balancer currently has:
https:443 ==> http:80
http:80 ==> http:80
That means, if you type https://example.com, you get SSL, and if you type http://example.com, you just get an ordinary http connection.
The desire is to have an auto redirect via http 302 -- it would redirect http://example.com to https://example.com.
So far what I've unsuccessfully tried is the following:
AWS Load balancer
-----------------
https:443 => http:80
http:80 => http:81
traefik.toml
------------
[entryPoints]
  [entryPoints.http]
  address = ":81"
    [entryPoints.http.redirect]
    regex = "^http://example.com/(.*)"
    replacement = "https://example.com/$1"
  address = ":80"
docker-compose.yml
------------------
API-Proxy:
  container_name: api-proxy
  image: traefik
  volumes:
    - "/var/run/docker.sock:/var/run/docker.sock"
    - "$PWD/traefik.toml:/etc/traefik/traefik.toml"
  command: "--web --rancher --docker.domain=rancher.localhost --logLevel=DEBUG"
  cpu_shares: 128
  restart: always
  ports:
    - 80:80/tcp
    - 81:81/tcp
    - 8100:8080/tcp
When I try accessing via port 80, there's a timeout. Traefik logs don't seem to be helpful.
Is this a silly approach? Or is it better to terminate SSL at the traefik container using Let's Encrypt?
Try something like this in your Traefik config. Then forward both ports 443 and 80 on the LB to port 80 on Traefik.
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    regex = "^http://(.*)"
    replacement = "https://$1"
I do this in Kubernetes on AWS currently. It's a little fiddly to get just right, but it is totally possible.
First you need to make sure that your ELB is listening for HTTP (not HTTPS) on port 80 and for HTTPS on port 443. If you have the ELB listening for HTTPS on port 80, you'll get very strange behavior by clients. Check that first. Note: this is the default behavior if you have deployed Traefik using Helm.
Use aws elb describe-load-balancers to print out all of your ELBs. You'll have to find the ELB in there (I don't know how to tell you which one it is) and look in the LoadBalancerDescriptions[].ListenerDescriptions[].Listener.Protocol and InstanceProtocol to make sure that they are HTTPS and HTTP, respectively.
Second, this is all you need in your config.toml:
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    regex = "^http://(.*)"
    replacement = "https://$1"
  [entryPoints.httpn]
  address = ":8880"
  compress = true
Explanation:
- Listen on port 80
- Set up a permanent redirect for any traffic on port 80 to port 8880
- Listen on port 8880 with HTTP and enable gzip compression
The ELB should have port 80 mapped to port 80 and port 443 mapped to port 8880. Now all HTTP traffic will be automatically redirected (use curl -v -L http://example.com to test) to HTTPS and terminated at the ELB and forwarded as HTTP to Traefik.
I am still looking for a good way to specify the protocols for the ELB listeners on deploy but I haven't come up with a good solution other than manually changing them via the AWS console after I deploy Traefik.

How to make nginx passthrough on 443 and redirect 80 to 443?

I have a winstone server (Jenkins) listening on 8443.
Jenkins has a valid cert, and Jenkins is doing the cert termination successfully:
JENKINS_ARGS="--httpPort=-1 --httpsKeyStore=/secure/jenkins.keystore --httpsKeyStorePassword=MY_PASSWORD --httpsPort=8443"
The only problem is that users now have to go:
https://example.com:8443
I don't want that port number in the URL.
I want:
https://example.com:8443 -> https://example.com
https://example.com -> https://example.com
http://example.com -> https://example.com
So I figure I'll run nginx on the same instance that is running Jenkins.
So my questions are:
1) Do I have to reconfigure jenkins to NOT do cert termination so that nginx does it only?
2) Can nginx redirect 80 and 443 to localhost:8443 without a cert (since Jenkins is doing cert termination)?
3) Do BOTH nginx AND Jenkins need to do cert termination?
Sorry for those similar questions.
I'm pretty sure an AWS ELB cannot replace what nginx is doing here, but I thought I'd throw it out there, in case an ELB can solve this for me too.
1) No, you can have Nginx stream the connection directly to Jenkins using the Stream Module.
Do note this was added in 1.9.0 but is not part of the default build so you might have to build it yourself.
It works a lot like an http server block but you have to set it up outside of the http block.
stream {
    upstream jenkins_server {
        server jenkins:443;
    }
    server {
        listen 443;
        proxy_pass jenkins_server;
    }
}
2) You do not need a cert on nginx, but you should have an http server block for port 80 that does a 301 to the 443 stream talked about in answer part 1.
server {
    listen 80;
    server_name your_server_name_here;
    return 301 https://$host$request_uri;
}
3) No, you don't, as you can use the nginx stream to pass the SSL through from the client to the Jenkins server.
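The http-to-https redirect that both the Traefik answers above (regex `^http://(.*)` to `https://$1`) and this nginx port-80 block (`return 301 https://$host$request_uri`) configure is easy to get subtly wrong: a Location that is relative, drops the query string, points at a different host, or sends the client back to http:// and loops. The checker below is an added example, not code from either thread or from nginx or Traefik: it sends one cleartext request to a host and port (assumptions) and judges the redirect it gets back. The in-process listener it starts is a constructed model of the nginx rule, so the script runs offline; the host names and paths in the demonstration are made up.

```python
"""Verify that a cleartext listener redirects to HTTPS and keeps host, path and
query string. Added example; hosts, ports and paths are assumptions."""
import socket
import threading
from urllib.parse import urlsplit

REDIRECT_STATUSES = (301, 302, 307, 308)


def nginx_style_location(host_header, request_uri):
    """Model of `return 301 https://$host$request_uri`; $host is the Host
    header without any :port suffix. Traefik's ^http://(.*) -> https://$1
    produces the same string."""
    return "https://" + host_header.split(":")[0] + request_uri


def _read_head(conn):
    """Read until the end of the HTTP header block; return its lines."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")


def start_redirect_listener(location_for=nginx_style_location):
    """Constructed stand-in for the port-80 server block: answers every
    request with a 301 whose Location is location_for(host, request_uri).
    Returns the ephemeral port it listens on; serves from a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.settimeout(2.0)
                    request_line, *headers = _read_head(conn)
                    target = request_line.split(" ")[1]
                    host = ""
                    for line in headers:
                        name, _, value = line.partition(":")
                        if name.strip().lower() == "host":
                            host = value.strip()
                    conn.sendall((
                        "HTTP/1.1 301 Moved Permanently\r\n"
                        f"Location: {location_for(host, target)}\r\n"
                        "Content-Length: 0\r\nConnection: close\r\n\r\n"
                    ).encode())
                except (OSError, IndexError, ValueError):
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def check_https_redirect(host, port, request_uri="/", host_header=None,
                         timeout=3.0):
    """Send one cleartext GET and judge the reply. Returns (ok, detail); ok is
    True only for a redirect status whose Location is an absolute https://
    URL on the same host with path and query string preserved."""
    host_header = host_header or host
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"GET {request_uri} HTTP/1.0\r\n"
                  f"Host: {host_header}\r\n\r\n".encode())
        lines = _read_head(s)
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return False, "not an HTTP response"
    status = int(parts[1])
    if status not in REDIRECT_STATUSES:
        return False, f"status {status}, no redirect issued"
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    if not location:
        return False, "redirect without Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return False, f"redirects to {target.scheme or 'relative URL'}, not https"
    if target.hostname != host_header.split(":")[0].lower():
        return False, f"redirects to a different host: {target.hostname}"
    wanted = urlsplit("http://placeholder" + request_uri)
    if (target.path, target.query) != (wanted.path, wanted.query):
        return False, "path or query string not preserved"
    return True, location


if __name__ == "__main__":
    good = start_redirect_listener()
    print(check_https_redirect("127.0.0.1", good, "/jenkins/job/x?y=1",
                               host_header="example.com"))
    # Misconfiguration: sending the client back to http:// loops forever.
    looping = start_redirect_listener(lambda h, u: "http://" + h + u)
    print(check_https_redirect("127.0.0.1", looping, "/", host_header="example.com"))
```

Against a real deployment, call `check_https_redirect("example.com", 80, "/some/path?q=1")` from outside the load balancer; the HTTP/1.0 request is deliberate so the server closes the connection after one response and the reader does not have to handle keep-alive.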

Nginx self-signed certificate isn't working on a Vagrant VM

We're running Vagrant VMs here. On a VM, I installed nginx. I then created a self-signed certificate. When I look at the certificate's innards, I see:
subject= /C=US/ST=IN/L=myCity/O=My Company/OU=MyProduct/CN=silly.com/emailAddress=info#silly.com
This is obviously sanitized. I believe this certificate is supposed to work for silly.com. Do I interpret this correctly?
On my laptop, I added a hostfile entry to map silly.com to the appropriate IP address.
On the VM, I added the following configuration to /etc/nginx/conf.d/default.conf
# HTTPS server server {
listen 443;
server_name silly.com;
ssl on;
ssl_certificate /etc/nginx/ssl/silly.crt;
ssl_certificate_key /etc/nginx/ssl/silly.key; }
When I browse the site, the port 80 http screen is displayed properly. When I browse with https://silly.com, however, the https portion is rejected and the non-SSL screen is displayed. (I think I clicked 'proceed' while experimenting...)
I commented out from the nginx.conf file all lines relating to port 80. Then I restarted nginx. I get the same success on port 80 and failure on port 443 as I did before.
I tested the config file with nginx -t. It reported no errors.
Would someone offer a debugging tip, please?
It might have something to do with the fact that your opening server { block is effectively commented out because of the # HTTPS server comment. You should actually be getting an error on this config because the closing } is there. Perhaps this is preventing you from restarting Nginx.

Laravel Homestead - SSL set up

I'm trying to start to use vagrant for development - I'm completely new to using vagrant for my development - relying on an apache/php/mysql set up on a laptop.
I'm developing using laravel and have set up homestead and am up and running.
I've tried to enable SSL on the homestead (box?) and followed these instructions to set up: https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04
I made the changes to the homestead sites_enabled file for the site i'm working on.
I added port 443 just beneath port 80 within the server, added the entries for SSL On etc.
I've restarted the nginx server and am able to see my pages using https (although chrome doesn't like the certificate)
If I then try to access pages using http I get a 400 error: "The plain HTTP request was sent to HTTPS port".
so a few questions:
1. how can I alter the set up to use a combination of HTTP and HTTPS requests?
2. is it bad practice to serve a site with a combination of HTTP and HTTPS requests - should I simply serve the whole site as https?
Very confused by a completely new subject.
Thank you
Add port forwarding to homestead 1.x
You need to forward the SSL port by adding a new line to homestead.rb
sudo nano /vagrant/scripts/homestead.rb
# add SSL port forwarding ...
config.vm.network "forwarded_port", guest: 443, host: 44300
Create SSL certificate
Steps one to four
Do the steps one to step four only from this tutorial https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04
Step five - Set up the certificate
Edit your homestead site you are working on (replace example with your existing site)
sudo nano /etc/nginx/sites-available/example
Duplicate the whole server{…} section (not only the listen line as you did).
In the duplicated section edit listen 80 to listen 443.
Before the end of the section add the following lines:
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
Exit and do a vagrant reload.
Be careful with --provision. The changes to sites-available/example you just made are reset to default.
If you need to make the changes permanent even in case of provisioning, then have a look at the serve.sh located in your host's homestead folder homestead/scripts/serve.sh and edit it equally to step 5.
Use https://your.domain:44300 in your browser to access via SSL. Accept the self-signed certificate in your browser if necessary.
In addition to Peh: I did not get it working with the above code.
I did need to remove
ssl on;
and add the ssl to the listener:
listen 443 ssl;

https (apache + ssl) is only available from localhost, how to configure to visit it by domain name?

apache + ssl is configured using xampp on windows server 2003. http content has no problem by domain name, but https content can only be visited from localhost. "netstat -a" shows
Proto Local Address Remote Address State
...
TCP hostname:https hostname:0 Listening
...
How to configure to enable https via domain name?
Found the reason. Another program took the 443 port so apache https failed. Using "netstat -a -o -n" gets the details.
I'm assuming you can already access apache using this domain name.
Take a look in your ports.conf, usually found at
/etc/apache2/ports.conf
It should contain a line like:
NameVirtualHost *:443
and also
Listen 8443 https