all,
I have a website which can be accessed fine via HTTP on port 86. Now it is required to add SSL to secure the connection. This website is served by the thttpd web server which, yes, has no SSL support. I searched a lot through Google. The suggestions are to add SSL to thttpd through Stunnel.
UPDATED:
Here is my stunnel.conf:
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2013
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options *
; **************************************************************************
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = /usr/local/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup
fips = no
; PID is created inside the chroot jail
pid = /stunnel.pid
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /usr/local/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /usr/local/etc/stunnel/crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
; Example SSL server mode services
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
; Example SSL client mode services
;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
; Example SSL front-end to a web server
[https]
accept = 443
connect = 86
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
; vim:ft=dosini
Here is the result I got:
linux-1ryy:/usr/local/etc/stunnel # /usr/local/bin/stunnel
Clients allowed=500
stunnel 4.56 on i686-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
FIPS mode is disabled
Compression not enabled
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
PRNG seeded successfully
Initializing service [https]
Certificate: /usr/local/etc/stunnel/stunnel.pem
Certificate loaded
Key file: /usr/local/etc/stunnel/stunnel.pem
Private key loaded
Using DH parameters from /usr/local/etc/stunnel/stunnel.pem
DH initialized with 1024-bit key
ECDH initialized with curve prime256v1
SSL options set: 0x01000004
Configuration successful
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Closing service [https]
Service [https] closed (FD=7)
Sessions cached before flush: 0
Sessions cached after flush: 0
Service [https] closed
str_stats: 10 block(s), 883 data byte(s), 420 control byte(s)
Here is the port listening information before running /usr/local/bin/stunnel:
linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5484/mysqld
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 336/xinetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1558/sshd
tcp 0 0 :::86 :::* LISTEN 5536/thttpd
tcp 0 0 :::22 :::* LISTEN 1558/sshd
And here is the port listening information after running it:
linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5484/mysqld
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 336/xinetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1558/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 23145/stunnel
tcp 0 0 :::86 :::* LISTEN 5536/thttpd
tcp 0 0 :::22 :::* LISTEN 1558/sshd
I have no idea now what is going wrong. Any suggestions will be appreciated.
ADDED:
If I turn off the firewall, I can access https://<my-ip-address> successfully. However, I still keep getting this error message:
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Wondering why...
As can be seen from the netstat output there is already a stunnel process on port 443 (pid=10833) (and another on port 8443, pid=11191), and that's why starting another stunnel process on port 443 fails with
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Related
If a webserver is handling traffic on port 80, each client must establish a connection between itself and the server on that port. Assuming a client maintains the connection, how is the server able to service other clients in parallel?
Does the server immediately kill the connection with a client after a request? Or do webservers dynamically generate new ports for clients to use such that port 80 is free for new connections?
A port is one end of a communication channel.
The server initially sets up a LISTENing port (80 in the case of an HTTPS server). A client creates a port (the operating system will assign a random, available port number to this) and CONNECTs to the listening port. At that point the communications channel is uniquely described by the IP address of the server, port 80 at the server, and the IP address of the client along with the port number of the client. If you look at the output of netstat you'll see lots of sockets/ports in various stages of connection:
symcbean@skynet ~ $ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.202:47206 stackoverflow.com:https ESTABLISHED
tcp 0 1 192.168.1.202:50894 aba1c1ff9d2ec5376.:smtp SYN_SENT
tcp 0 0 192.168.1.202:47210 stackoverflow.com:https ESTABLISHED
tcp 0 0 192.168.1.202:60806 ec2-34-213-90-136:https ESTABLISHED
tcp 0 0 192.168.1.202:51124 151.101.1.69:https ESTABLISHED
tcp 0 0 192.168.1.202:34784 i0.wp.com:https ESTABLISHED
tcp 0 0 192.168.1.202:54082 lhr25s14-in-f10.1:https ESTABLISHED
tcp 0 0 192.168.1.202:38412 172-155-250-212.s:https ESTABLISHED
Exactly how the server handles communicating concurrently on multiple channels varies. I've never come across a server which only handles a single connection at a time.
On the (prefork) Apache webserver, the process which opened the listening socket hands off the connection to a pre-existing child process to deal with. Some servers run as a single process but with multiple threads of execution. Some (such as nginx and lighttpd) run as a single thread and give their attention to the channel sending data first.
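The mechanism this answer describes, as an added example that is not part of the original post: one listening socket (on a kernel-chosen port standing in for 80) serves several clients that are connected at the same time, and every accepted socket still has the listening port on the server side; what makes each channel unique is the client's address and port on the other end. The function names `demo` and `serve_once` are choices made here.

```python
import socket
import threading

def serve_once(listener, results):
    """Accept one client on the shared listening socket and record the channel's ports.

    The accepted socket's local port is still the listening port; the client's
    (address, port) on the far end is what distinguishes this channel from the others.
    """
    conn, peer = listener.accept()
    with conn:
        local_port = conn.getsockname()[1]
        results.append((local_port, peer[1]))
        conn.sendall(b"served on port %d\n" % local_port)

def demo(nclients=3):
    """Open one listening socket, connect nclients clients at once, serve each in a thread.

    Returns (listening_port, [(server_port, client_port), ...]).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the kernel picks a free port (stands in for 80)
    listener.listen(nclients)
    port = listener.getsockname()[1]

    results = []
    workers = [threading.Thread(target=serve_once, args=(listener, results))
               for _ in range(nclients)]
    for w in workers:
        w.start()

    # All clients connect and stay open together: the listening port is never "used up".
    clients = [socket.create_connection(("127.0.0.1", port)) for _ in range(nclients)]
    for c in clients:
        c.recv(64)                    # wait until a worker has accepted and answered us
        c.close()
    for w in workers:
        w.join()
    listener.close()
    return port, results

if __name__ == "__main__":
    listening, channels = demo()
    print("listening port:", listening)
    for server_port, client_port in channels:
        print("channel 127.0.0.1:%d <-> 127.0.0.1:%d" % (server_port, client_port))
```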
I used WAMP in the past without problem.
I needed to use skype for once, so I did and now the Apache service of WAMP won't start. When I test port 80 using the WAMP tools, I get this message:
***** Test which uses port 80 *****
===== Tested by command netstat filtered on port 80 =====
Test for TCP
Port 80 is not found associated with TCP protocol
Test for TCPv6
Port 80 is not found associated with TCP protocol
===== Tested by attempting to open a socket on port 80 =====
Your port 80 seems not actually used.
Unable to initiate a socket connection
Error number: 10061 -
I tried changing the port Skype uses, but this is not possible in the Windows 10 version. I installed Skype Classic and changed the port there, no result. Then changed Apache to port 8080, without result, so I changed it back to 80.
I fully uninstalled both Skype and Skype Classic, then I uninstalled WAMP and installed it fresh again. Even after the removal of Skype and reinstallation of WAMP I still get the same error message.
I also tried to kill the tasks using port 80, but the only task I can actually kill is my firefox browser, result of netstat below.
C:\Windows\system32>netstat -aon | findstr :80
TCP 192.168.178.27:49893 93.184.220.29:80 ESTABLISHED 13120
TCP 192.168.178.27:49917 216.58.211.99:80 TIME_WAIT 0
TCP 192.168.178.27:49918 23.208.79.207:80 TIME_WAIT 0
TCP 192.168.178.27:49919 88.221.254.211:80 TIME_WAIT 0
TCP 192.168.178.27:49926 52.85.249.5:80 TIME_WAIT 0
TCP 192.168.178.27:49931 23.208.77.171:80 TIME_WAIT 0
TCP 192.168.178.27:49939 23.208.77.171:80 TIME_WAIT 0
TCP 192.168.178.27:49953 216.58.211.99:80 TIME_WAIT 0
TCP 192.168.178.27:49960 216.58.211.99:80 TIME_WAIT 0
Any help is appreciated.
I am getting this error:
[!] bind: Permission denied (13)
[!] Error binding service [https] to :::443
These are my stunnel.conf settings:
[https]
accept = 120.113.121.99:443
accept = :::443
key = /etc/stunnel/localhost.key
cert = /etc/stunnel/localhost.crt
exec = /usr/bin/fossil
execargs = /usr/bin/fossil http /home/kane/repository/2017wcm_g4.fossil -- https --nojail
Why is this error occurring? How would I best remedy it?
Two things come to mind:
Are you certain there's no other program listening to port 443? (netstat --listen)
Also, I know Linux requires root permissions in order to listen to ports below 1024. Does stunnel have those permissions?
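A diagnostic for both bind failures seen on this page (errno 98 "Address already in use" in the stunnel/thttpd question above, and errno 13 "Permission denied" in this one), as an added example that is not from either poster or from the stunnel project: classify_bind attempts the same bind stunnel does and names the failure, and listeners_on picks the PID/program holding a port out of netstat -tulpn output. The netstat sample is constructed, modelled on the listing above; the function names are assumptions.

```python
import errno
import socket

# Constructed sample of `netstat -tulpn` output, modelled on the listing in the
# stunnel/thttpd question above (not copied from the page).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5484/mysqld
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      23145/stunnel
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1201/dhclient
tcp6       0      0 :::86                   :::*                    LISTEN      5536/thttpd
"""

def listeners_on(port, netstat_output):
    """Return the PID/program entries netstat shows LISTENing on `port` (IPv4 or IPv6)."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # UDP rows have no State column, so only rows whose 6th field is LISTEN qualify.
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        local_port = fields[3].rsplit(":", 1)[1]   # works for 0.0.0.0:443 and for :::443
        if local_port == str(port):
            found.append(fields[6])
    return found

def classify_bind(port, host="0.0.0.0"):
    """Try the bind stunnel would do and report 'ok', 'in-use', 'privileged' or 'other:<errno>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return "ok"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:   # 98 on Linux: another socket already holds host:port
            return "in-use"
        if e.errno == errno.EACCES:       # 13 on Linux: port below ip_unprivileged_port_start
            return "privileged"           # (1024 by default) without root/CAP_NET_BIND_SERVICE
        return "other:%d" % e.errno
    finally:
        s.close()

def demo_in_use():
    """Hold an ephemeral port open, then show that a second bind to it reports 'in-use'."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))         # kernel picks a free port for the demo
    holder.listen(1)
    port = holder.getsockname()[1]
    try:
        return classify_bind(port, "127.0.0.1")
    finally:
        holder.close()
```

Run against the real host, "in-use" means an earlier stunnel (or another daemon) still owns 443 and must be stopped before restarting, while "privileged" means the binding process lacks root or CAP_NET_BIND_SERVICE for a port below 1024.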
I'm doing a GET request to my EC2 instance, but I'm getting the following error:
80: Connection refused
These are the security rules of my instance:
Ports Protocol Source launch-wizard-1
80 tcp 0.0.0.0/0 ✔
22 tcp 177.32.53.207/32 ✔
What's wrong with these rules? Why can't I access port 80?
EDIT
I attached my apache conf file (/etc/apache2/apache2.conf) in this url, since it's too big to post all the code here.
EDIT2
When I run netstat -ntlp | grep LISTEN
I get this:
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN
What is the source of your connection request? Are you attempting to access your instance from outside of Amazon or from a different EC2 instance in the same availability zone? Are you supplying an IP address or a DNS name as the argument to your connecting code?
Keep in mind that AWS EC2 uses SDN (software defined networking) which doesn't work quite like classical TCP/IP routing that you may be expecting from using Linux, or other OSes, on bare metal systems (or even on VMs using more traditional networking).
Ultimately you will probably want to allocate an "elastic IP" (EIP) from AWS and bind it to your web server instance. Then route your requests to that IP address. (Often you'd also create a DNS entry, perhaps through Amazon's "Route53" service, to use a name rather than the address).
It's possible to get to your instance from within and from outside their network. But you have to use the Amazon-generated DNS name to do so; then, because they use split-horizon DNS, your clients will get the correct (internal or external) IP address.
Also you have to consider the security settings on your VPC (virtual private cloud) network(s) as well as those you've applied to your instance.
I'm using the new Azure cloud app and I have created a new VM with ubuntu 14.04.
I installed apache2 and some common modules (like php5).
Well, after that, I configured my app, but when I tried to access it, the browser shows "Timeout" (using Chrome). "ping" maps the hostname to the IP address but doesn't get any response (I suppose that ping is disabled by default).
At first I thought it was my app, so I only set the default apache settings in the "sites-enabled" folder (the one with the static html page that comes with apache).
But the same happens, so I checked the usual things like firewall, iptables rules, etc. But I always get the same result :/
This is not my first server, but I'm not able to think of another option, so I just want to check what you guys think could be the problem.
iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw status
Status: inactive
default settings in the sites-enabled folder (I erased the comment lines)
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1654/sshd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 34899/postgres
tcp 0 0 x2.x2.x2.x2:16001 (other ip diff from server's ip) 0.0.0.0:* LISTEN 937/python
tcp6 0 0 :::80 :::* LISTEN 48801/apache2
tcp6 0 0 :::22 :::* LISTEN 1654/sshd
telnet ip 80 (from my pc)
Connecting To x.x.x.x 80...Could not open connection to the host, on port 80
: Connect failed
telnet localhost 80
Connected to localhost.
Escape character is '^]'.
exit
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Not Implemented</title>
</head><body>
<h1>Not Implemented</h1>
<p>exit to / not supported.<br />
</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at x3.x3.x3.x3 Port 80</address>
</body></html>
Connection closed by foreign host.
The IPs x2.x2.x2.x2 and x3.x3.x3.x3 have the same value but they aren't equal to the server IP. (At least it isn't the same IP I use to connect to the VM by SSH.)
Sounds like it might be an endpoint. By default when you create a virtual machine in the Azure portal, endpoints for Remote Desktop, Windows PowerShell Remoting, and Secure Shell (SSH) are automatically created.
You will have to go into the Azure portal to configure additional endpoints.
Each endpoint has a public and a private port. Public is used for outside requests/traffic coming into the VM through the load balancer. Private is used by the VM for incoming traffic to route to the proper port/app.
Here is a link on Azure help that talks about setting up endpoints:
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/