I am running an Ubuntu 12.04 server with Apache 2.2 and OpenSSL 1.01(recent). I am attempting to serve a self signed certificate across for HTTPS browsing. The server is also running webmin, and a tomcat application server.
Currently HTTPS requests do not work for the primary server, returning an er_connection_refused.
I am currently using virtual hosts to specify locations for https connections. HTTPS only works for my webmin portal and not for any other location on the webserver. I had assumed this was a port conflict between miniserv and apache, however there doesn't appear to be any conflict that I can determine. I have checked for other possible webservers that may be using SSL (such as jetty or nginx) but there doesn't appear to be any.
Is there any way to determine which services are associate with which ports. Failing that is there any way to determine which services are currently using SSL.
Thanks in advance.
To find out which services are listening on SSL run:
netstat -tulpn | grep :443
It will generate output like:
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1607/https
It sounds like it could also be a conflict in the way you have set up SSL for the virtual hosts. Often vhost config can be a bit funny if you're sharing the same certificate for multiple vhosts.
Edit:
Also another good one for finding what is using a given port is:
lsof -i :443 | grep LISTEN
Which generates output as:
httpd 1132 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)
httpd 3084 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)
httpd 3312 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)
httpd 3555 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)
httpd 3593 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)
Related
I am trying to set up an Apache server on CentOS. Following this article up to the step "Create Virtual Host". Here I replace "80" with "443":
<VirtualHost *:443>
Note that I do not configure firewalld as per that article, though.
In the /etc/httpd/conf/httpd.conf file, I also change the Listen 80 line to Listen 443.
The I start the server with :
sudo systemctl start httpd
I check the deployment with
wget https://my_dns
I get this error:
Resolving my_dns (my_dns)... xx.xxx.xx.xxx
Connecting to my_dns (my_dns)|xx.xxx.xx.xxx|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
If I try (test port 80)
wget my_dns
I get Connection refused, which makes sense.
So, it appears the server is on port 443. But what is this SSL issue and how do I resolve it?
Listening on port 443 does not imply that you are using SSL. You can listen for HTTP requests on any port you specify. Does this work?
wget http://my_dns:443
I'm trying to get a websocket/push-server to run with SSL and can't get it to work.
Here are some informations about what I'm using and what I've done so far:
Ubuntu 16.04.6 LTS server with Plesk 17.8.11
Apache version 2.4.18
Ratchet and zmq extension installed
autobahn.js for websocket connection
PHP-FPM (7.2.19) served by Apache
Firewall disabled for testing
Apache mods enabled: proxy, proxy_balacer, proxy_fcgi, proxy_http, proxy_wstunnel
When I use an non-SSL connection via autobahn.js to ws://my.domain.net:8888/ everything works perfectly fine.
As soon as I try to use wss://my.domain.net/wss/ I get 504 connection timeouts in my browser.
Part of my push-server.php:
$context = new React\ZMQ\Context($loop);
$pull = $context->getSocket(ZMQ::SOCKET_PULL);
$pull->bind('tcp://0.0.0.0:5555'); // set to 0.0.0.0 for testing, was 127.0.0.1 before but didn't work either
$pull->on('message', array($pusher, 'onMessage'));
$webSock = new React\Socket\Server('0.0.0.0:8888', $loop);
$webServer = new Ratchet\Server\IoServer(
new Ratchet\Http\HttpServer(
new Ratchet\WebSocket\WsServer(
new Ratchet\Wamp\WampServer(
$pusher
)
)
),
$webSock
);
$loop->run();
The server is listening on both ports:
php 3957 root 17u IPv4 823972456 0t0 TCP *:8888 (LISTEN)
ZMQbg/0 3957 3958 root 17u IPv4 823972456 0t0 TCP *:8888 (LISTEN)
ZMQbg/1 3957 3959 root 17u IPv4 823972456 0t0 TCP *:8888 (LISTEN)
php 3957 root 16u IPv4 823972455 0t0 TCP *:5555 (LISTEN)
ZMQbg/0 3957 3958 root 16u IPv4 823972455 0t0 TCP *:5555 (LISTEN)
ZMQbg/1 3957 3959 root 16u IPv4 823972455 0t0 TCP *:5555 (LISTEN)
My apache config:
SSLProxyEngine on
ProxyRequests Off
SetEnv proxy-initial-not-pooled 1
ProxyPass /wss/ https://my.domain.net:8888/
ProxyPassReverse /wss/ https://my.domain.net:8888/
I also tried to use
ProxyPass /wss/ wss://my.domain.net:8888/
but then I get the following error message
[proxy:warn] AH01144: No protocol handler was valid for the URL /wss/. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
Now when I try to open a connection with autobahn.js to wss://my.domain.net/wss/ the request loads for a while and ends in a 504 Gateway Time-out and I get the following error message:
[proxy_http:error] (103)Software caused connection abort: [client x.x.x.x:33362] AH01102: error reading status line from remote server my.domain.net:8888
[proxy:error] [client x.x.x.x:33362] AH00898: Error reading from remote server returned by /wss/
Part of the Request Headers:
Cache-Control: no-cache
Connection: Upgrade
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Key: WG/ajAsTaVhBgEeEz5wiUg==
Sec-WebSocket-Protocol: wamp
Sec-WebSocket-Version: 13
Upgrade: websocket
Part of the Response Headers:
Connection: keep-alive
Content-Length: 578
Content-Type: text/html
Server: nginx
Opening the https://my.domain.net/wss/ in a browser ends in an Gateway Time-out as well, served by nginx.
I've spent like 2 days already googling and trying different solutions but nothing seems to work.
If you need more information, please let me know.
Thanks in advance!
I'm doing a GET request to my EC2 instance, but I'm getting the following error:
80: Connection refused
These are the security rules of my instance:
Ports Protocol Source launch-wizard-1
80 tcp 0.0.0.0/0 ✔
22 tcp 177.32.53.207/32 ✔
What's wrong with these rules? Why can't I access port 80?
EDIT
I attached my apache conf file (/etc/apache2/apache2.conf) in this url, since it's too big to post all the code here.
EDIT2
when I run netstat -ntlp | grep LISTEN
I get this:
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN
What is the source of your connection request? Are you attempting to access your instance from outside of Amazon or from a difference EC2 instance in the same availability zone? Are you supplying an IP address or a DNS name as the argument to your connecting code?
Keep in mind that AWS EC2 uses SDN (software defined networking) which doesn't work quite like classical TCP/IP routing that you may be expecting from using Linux, or other OSes, on bare metal systems (or even on VMs using more traditional networking).
Ultimately you will probably want to allocate "elastic IP" (EIP) from AWS and bind it to your web server instance. Then route your requests to that IP address. (Often you'd also create a DNS entry, perhaps through Amazon's "Route53" service to use the a name rather than the address).
It's possible to get to your instance from within and from outside their network. But you have to use the Amazon generated DNS name to do so then, because they use split-horizon, your clients will get the correct (internal or external) IP address.
Also you have to consider the security settings on your VPC (virtual private cloud) network(s) as well as those you've applied to your instance.
I am trying to configure haproxy 1.5 on Ubuntu 3.2.0-91-generic as a TLS proxy for plain TCP traffic to a non-TLS server running on the same machine. The local non-TLS server is running on port 9501, and I want haproxy to listen on port 9500, decrypting incoming TLS connections on that port and forwarding the unencrypted TCP traffic to the server on port 9501. I'm doing all this on 172.28.11.94, which is a local intranet address that's bound to my eth0 interface. My haproxy config looks like this:
listen rtt 172.28.11.94:9500
mode tcp
bind 172.28.11.94:9500 ssl crt /etc/haproxy/cert.pem
option tcplog
server rks 172.28.11.94:9501
haproxy reports that this is valid:
dlobron#bos-lpjbb:/etc/haproxy$ sudo haproxy -f haproxy.cfg -V -c
Configuration file is valid
But when I run haproxy, I get an error:
dlobron#bos-lpjbb:/etc/haproxy$ sudo haproxy -f haproxy.cfg -V
Available polling systems :
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 2 (1 usable), will use poll.
Using poll() as the polling mechanism.
[ALERT] 011/114700 (6149) : Starting proxy rtt: cannot bind socket [172.28.11.94:9500]
I verified that my local non-TLS server on port 9501 is fine:
dlobron#bos-lpjbb:/etc/haproxy$ telnet 172.28.11.94 9501
Trying 172.28.11.94...
Connected to bos-lpjbb (172.28.11.94).
Escape character is '^]'.
203 WELCOME
The warning about select() not working is a little strange, but it seems like it's falling back to poll(), which should be fine. But I can't figure out why it can't bind to port 9500 when I run it as root, as I'm doing here. Any help would be much appreciated!
The very helpful guys on the HAProxy mailing list pointed out my problem: the first line of my server stanza is:
listen rtt 172.28.11.94:9500
This is telling HAProxy to bind to 172.28.11.94:9500, and then the "bind" line in my config file is telling it to bind a second time to that same point - hence the error. I changed the first line of the stanza to just:
listen rtt
and it's now fine.
I'm using the new Azure cloud app and I have created a new VM with ubuntu 14.04.
I installed apache2 and some common modules (like php5).
Well, after that, I configured my app, but when I tried to access, The browser shows "Timeout" (using Chrome). The "ping" maps the hostname to the ip address but it doesn't gets any response (i suppose that ping is disabled by default)
At first I thought it was my app, so I only set the default apache settings in the "sites-enabled" folder (the one with the static html page that comes with apache).
But the same happens, so I check the usual things like firewall, iptables rules, etc. But I get always the same result :/
This is not my first server, but I'm not able to think in another option, so I just want to check what you guys think about what could be the problem.
iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw status
Status: inactive
default settings on the site-enabled folder (I erased the comments lines)
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1654/sshd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 34899/postgres
tcp 0 0 x2.x2.x2.x2:16001 (other ip diff from server's ip) 0.0.0.0:* LISTEN 937/python
tcp6 0 0 :::80 :::* LISTEN 48801/apache2
tcp6 0 0 :::22 :::* LISTEN 1654/sshd
telnet ip 80 (from my pc)
Connecting To x.x.x.x 80...Could not open connection to the host, on port 80
: Connect failed
telnet localhost 80
Connected to localhost.
Escape character is '^]'.
exit
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Not Implemented</title>
</head><body>
<h1>Not Implemented</h1>
<p>exit to / not supported.<br />
</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at x3.x3.x3.x3 Port 80</address>
</body></html>
Connection closed by foreign host.
The ip x2.x2.x2.x2 and x3.x3.x3.x3 have the same value but they aren't equal to the server IP. (At least isn't the same ip value I use to connect to the VM by ssh)
Sounds like it might be an endpoint. By default when you create a virtual machine in the Azure portal, endpoints for Remote Desktop, Windows PowerShell Remoting, and Secure Shell (SSH) are automatically created.
You will have to go into the Azure portal to configure additional endpoints.
Each endpoint has a public and private. Public is used for outside requests/traffic coming into the VM through the load balance. Private is use by the VM for incoming traffic to route to the proper port/app.
Here is a link on Azure help that talks about setting up endpoints
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/