I'm trying to upgrade a websocket connection ws:// to wss:// using a nginx reverse proxy https://github.com/nicokaiser/nginx-websocket-proxy/blob/master/simple-wss.conf
but I seem to be having trouble with the certificate part. My server is located on the same network as the client. So Ideally I would want my users to log in to "https://example.com" and then the client makes a connection to "wss://192.168.1.xxx:xxxx".
As of now the browsers are blocking it because of NET::ERR_CERT_COMMON_NAME_INVALID. I don't really know to produce a self signed certificate that the browsers will trust on the local network. Googling only gives me answers on how to do it if my server would be accessed using a domain name but I will always connect to a local network IP. Help is appreciated!
To anyone coming across this I managed to solve it using this post outlining the architecture https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/
What ended up happening was that we set up a url pointing to a server running nginx which parsed the subdomain and redirected the connection to that url. For example: wss://192-168-1-142.mydomain.com redirects to ws://192.168.1.142 which makes the browser trust the connection
Does this work?
Your post is a year old now and browsers have become stricter since then. Usually, a browser will produce 'mixed content' errors if you access HTTP content from a HTTPS page, and the only way to get round this is to change the site settings to allow insecure content, which is scary for users in the face of a big warning message.
If accessing an HTTPS web address redirects to an HTTP local IP address, won't the browser still complain about mixed content?
I have a similar situation to you. I am writing a Progressive Web Application (PWA) to control network music players on a home network. The players only support HTTP but a PWA requires HTTPS for services workers to work and to allow the app to be 'installed'.
My solution is to run a local server on the home network which can talk to the players over HTTP. Then I can access this server over HTTPS from my browser so that the browser itself is not making any HTTP calls.
This works fine if the server is on localhost because localhost is a special case where security rules are relaxed. But if the server is on another machine, how can I create an SSL certificate since (1) it seems that local IP addresses are not allowed in the Subject Alternative Name (SAN) section of the certificate, and (2) I won't know in advance what the IP address of the server will be.
If your workaround works, then the local server can use HTTP instead so I won't need a certificate. The local server can register itself with a web server, and then the browser can connect over HTTPS to the web server, which would redirect to the IP address of the local server over HTTP.
But does this trick work?
Related
We have been battling with an issue where I've been getting a 5006 error using "SagePay Server" for 24 hours after moving a nopcommerce site to a new server with a different IP address.
We use a free cloudflare service with SSL enabled on Cloudflare in Full SSL mode and then a self signed certificate on our server so the connection is always secured end to end. This was also the same on the old server.
When moving servers we simply updated the IP address in couldflare to point at the new IP address but we started getting 5006 errors during the checkout process...
SagePay support told us they could not connect to our notification URL which was using SSL. Our server showed no attempt from their server to connect to ours yet SapePays log files show an "internal_error" with no more useful information.
However it is possible to the call the notification URL passed to SagePay from a browser and it works without issue.
After talking with SagePay on several occasions it would seem the SagePay system does not support websites / traffic using SSL with SNI which means they can not connect to the notification URL over SSL.
In a time when IPv4 addresses are fast running out I would imagine more and more people will start to use SNI for SSL so they can run multiple sites using SSL from one IPv4 address - a massive oversight on SagePay's part me thinks.
Contrary to JaxUK, I can confirm SagePay does support SSL/TLS with SNI. Hope this helps someone
I am very confused with proxy server, and proxy and this word proxy. I saw everywhere people are using proxy program, proxy server. Some of them using the proxy websites to unblock the websites. There are lot of things like reverse-proxy like that..
When I read one article about nginx I ran into one pic it says proxy cache. So what's proxy cache?
And how can I write a proxy program? What does that mean ? Why we need to use a proxy program?
Anybody can answer my question as simple as possible, I am not much in to this area.
A proxy server is used to facilitate security, administrative control or caching service, among other possibilities. In a personal computing context, proxy servers are used to enable user privacy and anonymous surfing. Proxy servers are used for both legal and illegal purposes.
On corporate networks, a proxy server is associated with -- or is part of -- a gateway server that separates the network from external networks (typically the Internet) and a firewall that protects the network from outside intrusion. A proxy server may exist in the same machine with a firewall server or it may be on a separate server and forward requests through the firewall. Proxy servers are used for both legal and illegal purposes.
When a proxy server receives a request for an Internet service (such as a Web page request), it looks in its local cache of previously downloaded Web pages. If it finds the page, it returns it to the user without needing to forward the request to the Internet. If the page is not in the cache, the proxy server, acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server out on the Internet. When the page is returned, the proxy server relates it to the original request and forwards it on to the user.
To the user, the proxy server is invisible; all Internet requests and returned responses appear to be directly with the addressed Internet server. (The proxy is not quite invisible; its IP address has to be specified as a configuration option to the browser or other protocol program.)
An advantage of a proxy server is that its cache can serve all users. If one or more Internet sites are frequently requested, these are likely to be in the proxy's cache, which will improve user response time. A proxy can also log its interactions, which can be helpful for troubleshooting.
When there genuinely is no web server installed on a machine, and the user types in the machine's IP address or FQDN into the web browser, the user will get a genuine "can't connect to the server" message from the web browser.
However, after installing the Apache web server, the direct IP address and the FQDN (i.e. archimedes.example.com) will now show the default "It works!" page. How can I make my server act as if there is no server in these places (for the IP and the FQDN)?
Note that a 404 error does not qualify, because that makes it clear that a web server is available.
Is this even possible to do in the first place?
The goal of this is that I just want my regular websites, say genuinewebsite.com, that is genuinely supposed to be on this server to be recognized. All the other "default" addresses (the IP address and FQDN) that really have no connection to any websites should just act as if there is no web server there in the first place.
No, it is not possible, because to get the hostname the browser used for the request, the browser first has to connect successfully and send it in the request. By that time, you can't really refuse the connection; the best you can do is close it on them which will appear as a connection reset error.
So I've gone ahead and set up my ShoutCast server DNAS and set my DSP in Winamp on my host computer. The server listens on port 8000, so per some instructions I installed an output plugin for winamp (Shoutcast DSP) and used 8000 and the password to connect. Server accepts the connection.
Now, what the heck do I do now? My host computer is SSL secured and the DNAS server is installed within the secure web directory (if that matters). My desired end result is that I want to listen to my ShoutCast setup at home (host computer) from any computer.
I try browsing to my ip address and port 8000 (without using HTTPS) and it comes back with nothing. If I browse with HTTPS://my.server.com:8000, I get Error code: ssl_error_rx_record_too_long)
Have I completely missed something, or am I just a total moron?
Thanks.
SHOUTcast doesn't support SSL. The service on port 8000 is an unencrypted server for HTTP and ICY (the rather pointless SHOUTcast native streaming protocol, which is almost but not quite HTTP). The ssl_error_rx_record_too_long error is characteristic of trying to access a non-HTTPS service as HTTPS.
You should be able to connect to 8000 with your web browser and get the DNAS status page. If, on the other hand, you connect to that port with a media player, it'll return the direct MP3 stream. (Unfortunately, in an incredibly boneheaded piece of design, the way SHOUTcast decides which to respond with is by sniffing your User-Agent header for something beginning with Mozilla, so if you're using an alternative browser or blocking your UA you'll not be able to get the status, and if the stream's down you might just get nothing.)
To listen to a SHOUTcast server through SSL you would need to set up a proxy on another port that forwarded HTTPS requests to local HTTP requests; it'd also have to be a streaming-capable proxy, and you might need some hacks to stop ICY breaking it.
Probably easier, you could set up an SSH forwarded port from your client to the server. That would also be the only way to allow the DJ to connect to SHOUTcast with encryption, since the DJ protocol isn't HTTP compatible at all. Obviously SSH tunnels are no good for random public listeners though.
You could also try Icecast, an alternative to SHOUTcast that I believe has some SSL support (and also uses plain HTTP streaming instead of ICY).
I am working on Windows Server 2003 (IIS6), which has two asp.net sites running in seperate app pools. One of the sites has an ssl certificate installed and was running fine on https. The other site has no certificate and does not require https
The problem I have is that when I publish my app from vs2005 to the site with ssl the https urls stop working and I can only use http. The error I get is as follows
From Google Chrome: Error 104 (net::ERR_CONNECTION_FAILED): The attempt to connect to the server failed.
From IE7: Internet explorer cannot display the web page, could be unavailable, dns is not reachable etc
The strange thing is the first time this happened, https eventually became available but I don't know what triggered the availability but when I published an updated assembly to the bin folder of the site which does not require https, the OTHER site became unavailable on https again
Help much appreciated!
UPDATED: Thanks for the suggestions but it turns out that the firewall was not open on the ssl port
Check if the firewall port for SSL (443) wasn't accidentally closed 443. ;-)
If both webs use the same IP address, make sure, that only the web with the certificate uses the SSL port 443 (first property page). The input field should be empty for the insecure site.
If that is not the problem, you could try to debug stopping the web without certificate and restart the web server.