nginx - https connection doesn't work - ssl

I have a server where I use nginx (+ certbot to generate ssl certificates). When I try to access my site using http it works fine, but when I try to access it using https it doesn't work; I get the message "This site can’t be reached" in the browser.
nginx config:
...
listen 443 ssl http2;
ssl on;
ssl_certificate /path/to/my/cert;
ssl_certificate_key /path/to/my/cert_key;
...
also I checked if the 443 port is open, it seems to be ok:
sudo netstat -peanut | grep ":443 "
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 67057870 10224/nginx: master
Also I checked iptables rules, it seems to be ok too:
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
Any idea what can be the problem??
Thank you

Related

How do I fix a timeout problem when I deploy a website on an Apache server

I deployed a website on an Apache server, and curl to the IP address gives a 200 status.
But when I try to open the website in a browser, the website takes too long to respond.
My Setting:
Server : Centos 7
already run command
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT && sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
network:
Proto localaddress State Program name
tcp 0.0.0.0:80 LISTEN httpd
tcp 0.0.0.0:443 LISTEN httpd
How do I troubleshoot where the problem is and fix it?

UFW port forwarding does not work with my coturn set up

I am trying to receive data on port 443 and forward that to my coturn server listening to port 5349.
I want this set up so that my webRTC app can connect over 443 but without my coturn server having root access (for the privileged port 443).
In my /etc/ufw/before.rules I have below entries
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5349
COMMIT
When I test my turn setup at https://test.webrtc.org/ using 443 port I get:
Udp disabled
Relay connectivity timed out
Reflexive connectivity timed out
But using port 5349 it seems to work.
I have all needed ports open in ufw. I tried with ufw disabled too.
Do I need to add any other changes for port forwarding, like adding an OUTPUT entry (which I don't know how to add, though)?
Do I need to add the rule entry for IPv6 too (/etc/ufw/before6.rules)?
I added these to the before.rules file
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5349
-A PREROUTING -p udp --dport 443 -j REDIRECT --to-port 5349
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port 5349
-A OUTPUT -o lo -p udp --dport 443 -j REDIRECT --to-port 5349
COMMIT
I am not sure if it is ok, but at the moment this seems to work. I am still open to suggestions. Please give me suggestions to improve what I have done so far.

How to disable the ssl certificate and only forward traffic on port 443 in Nginx?

Host A has an https service serviceA and provides two IPs for high availability.
e.g. both [ip1:443] and [ip2:443] are routed to serviceA.
Host B (which does not have ssl_certificate and ssl_certificate_key) uses the Nginx proxy module to proxy the requests towards the actual serviceA.
How to simply forward 443 port traffic to serviceA without ssl verification?
Here is my config:
http {
upstream backend {
server [ip1]:443;
server [ip2]:443;
}
server {
listen 443;
listen [::]:443;
location / {
proxy_pass https://backend;
}
}
}
There are two theoretically possible ways to solve your issue:
Nginx with ngx_stream_ssl_preread module
HAproxy (for balancing) -> proxy_protocol -> Nginx (with ssl certs)
Try:
ip6tables -t nat -A PREROUTING -d 2002:xxxx:9a21::1/128 -i sit6to4vip -p tcp --dport 443 -m statistic --mode random --probability .5 -j DNAT --to-destination 2002:xxxx:f6ea::1
ip6tables -t nat -A PREROUTING -d 2002:xxxx:9a21::1/128 -i sit6to4vip -p tcp --dport 443 -m statistic --mode random --probability .5 -j DNAT --to-destination 2002:xxxx:f6e9::1
ip6tables -t nat -A POSTROUTING -d 2002:xxxx:f6ea::1/128 -o sit6to4vip -p tcp --dport 443 -j SNAT --to-source 2002:xxxx:9a21::1
ip6tables -t nat -A POSTROUTING -d 2002:xxxx:f6e9::1/128 -o sit6to4vip -p tcp --dport 443 -j SNAT --to-source 2002:xxxx:9a21::1
It doesn't work

Apache respond all ports

How can I set my Apache configuration to listen (and respond) on all ports? I want to build something like a port tester.
I know that I can edit apache2.conf and add the following lines, but adding 65535 of them is painful.
Listen 1
Listen 2
Listen 3
Is there any way to listen and respond to all ports?
Please advise
No, you can't within Apache itself, but you could make it listen on one port and set up an iptables rule (if running *nix) to redirect a range of ports to Apache's port.
That would be something like this:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1:65535 -j DNAT --to-destination apache_local_ip:80

Port 80 open on server but cannot connect to it

I have an issue that I have been trying to resolve but cannot figure out what is going on. I have various web servers and they all have apache installed on them. They are all on the same network but one is giving me an issue.
I have servers (.44, .45 and .46)
I can ssh into .44 and ping .45 and .46 with no issues. However, when I try to test whether port 80 is open, .45 gives me this message.
someadminuser#somelocation:/var/www$ telnet 10.0.0.45 80
Trying 10.0.0.45...
telnet: Unable to connect to remote host: Connection refused
Here is the same test on .46
someadminuser#somelocation:/var/www$ telnet 10.0.0.46 80
Trying 10.0.0.46...
Connected to 10.0.0.46.
Escape character is '^]'.
So I ssh into .45 to see the port.
someadminuser#somelocation:~$ netstat -tulpn | grep :80
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
someadminuser#somelocation:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:httpflags:
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Any help will be greatly appreciated.
UPDATE:
I saved my ipv4 table and this is what I got:
# Generated by iptables-save v1.4.12 on Thu May 29 14:05:31 2014
*nat
:PREROUTING ACCEPT [3416:231940]
:INPUT ACCEPT [1175:75880]
:OUTPUT ACCEPT [337:25196]
:POSTROUTING ACCEPT [337:25196]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3000
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3000
Of course, there is more to it, but this part looks suspicious.
So the server is redirecting connections to local port 80 to local port 3000. Presumably there is nothing listening on port 3000 and that is why you are seeing the "connection refused".
If the working servers don't have this configuration, then you need to remove (or fix) the iptables. If the other servers do have that, then you need to figure out what they have running on port 3000 and why the failing server does not have the same.
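The nat-table REDIRECT diagnosed in this last answer is the same kind of rule the UFW/coturn question adds on purpose and the "listen on all ports" answer proposes for a whole port range. As an added example (not code from any of the posts above), the script below parses an iptables-save dump and lists the REDIRECT/DNAT rules that would rewrite traffic for a given port before the listening daemon ever sees it; the sample dump is constructed from the UPDATE quoted above, and the format assumptions are the plain iptables-save syntax.

```python
"""Scan an iptables-save dump for NAT rules that rewrite connections to a port.
Added example (not from any answer above); assumes iptables-save's format."""
import re

_TARGET = re.compile(r"-j\s+(REDIRECT|DNAT)\b")
_PROTO = re.compile(r"(?:^|\s)-p\s+(\S+)")
_DPORT = re.compile(r"(?:^|\s)--dport\s+(\S+)")
_TO = re.compile(r"--to-(?:ports?|destination)\s+(\S+)")


def parse_nat_rules(dump):
    """Return each REDIRECT/DNAT rule inside the *nat table as a dict."""
    table, rules = None, []
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("*"):        # table header such as "*nat"
            table = line[1:]
        elif line == "COMMIT":          # end of the current table
            table = None
        elif table == "nat" and line.startswith("-A ") and _TARGET.search(line):
            proto, dport, to = (p.search(line) for p in (_PROTO, _DPORT, _TO))
            rules.append({"chain": line.split()[1],
                          "proto": proto.group(1) if proto else "all",
                          "dport": dport.group(1) if dport else "any",
                          "target": _TARGET.search(line).group(1),
                          "to": to.group(1) if to else ""})
    return rules


def port_in_range(port, spec):
    """True if `port` matches a --dport value such as '80' or '1:65535'."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def rules_hijacking_port(dump, port):
    """NAT rules that rewrite traffic for `port` before the listening daemon
    ever sees it, the cause of the 'connection refused' in the last question."""
    return [r for r in parse_nat_rules(dump) if port_in_range(port, r["dport"])]


# Constructed sample: the nat table quoted in the last question's UPDATE.
SAMPLE_DUMP = """\
*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3000
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3000
COMMIT
"""

if __name__ == "__main__":
    for r in rules_hijacking_port(SAMPLE_DUMP, 80):
        print(f"{r['chain']}: {r['proto']} dport {r['dport']} -> {r['target']} {r['to']}")
```

Run it against `sudo iptables-save` output on the failing host and compare the hits with the working hosts; a port-range DNAT such as `--dport 1:65535` will also show up as a hit for port 22, which is worth knowing before applying it on a remote machine.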