Port Forwarding and SSL

Daniel_BlahBla · May 15, 2018, 10:08pm

Hey,

currently I have little problems to get my seafile behind nginx working. I have a custom domain and a subdomain which has a CNAME entry to my fritzbox dyndns. In the fritzbox i have opened the port 3001 to the outside. The internal server port in the fritzbox is set to 443 but was also for testing purposes on 80. When I now try to connect I got this error(firefox) : SSL_ERROR_RX_RECORD_TOO_LONG

My certifacte is from letsencrypt.

My nginx config looks like this:

server {
    listen       80;
    server_name  XXX;
    rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
    server_tokens off;
}
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/XXX/fullchain.pem;        # path to your cacert.pem
    ssl_certificate_key /etc/letsencrypt/live/XXX/privkey.pem;    # path to your privkey.pem
    server_name XXX;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/dhparam.pem;

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256$
    ssl_prefer_server_ciphers on;

    proxy_set_header X-Forwarded-For $remote_addr;

location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 1200s;

     # used for view/edit office file via Office Online Server
     client_max_body_size 0;

     access_log      /var/log/nginx/seahub.access.log;
     error_log       /var/log/nginx/seahub.error.log;
}

location /seafhttp {
    rewrite ^/seafhttp(.*)$ $1 break;
    proxy_pass http://127.0.0.1:8082;
    client_max_body_size 0;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_connect_timeout  36000s;
    proxy_read_timeout  36000s;
    proxy_send_timeout  36000s;

    send_timeout  36000s;
}

location /media {
    root /home/sfadmin/seafile-server-latest/seahub;
}

location /.well-known/acme-challenge/ {
    alias /var/www/XXX/.well-known/acme-challenge/;
}

}

wthess · May 16, 2018, 1:45am

That error is usually generated when the client accesses a port on the server, and the certificate on the port is not configured correctly for https.

In your case, it may be because you are using a port forward from one port number to another one. The best way to configure your server is to setup NGinx to listen on port 3001, and then, in your router, have port 3001 forwarded to 3001 on the NGinx server. Ie… External port = 3001… to internal port 3001.

If you do use an alternate port number, such as 3001, you’ll need to change your NGinx config. Here’s what you need to do:

Change this line:
proxy_set_header Host $host;

to this:
proxy_set_header Host $host:$server_port;

Daniel_BlahBla · May 16, 2018, 12:54pm

So I should remove the first part on my config where im rewriting from http to https and just keep the second server block with the https configuration? And adjust the port number there?

Kind Regards,
Daniel

bionade24 · May 16, 2018, 1:12pm

No you also have to open another port for one of these. So write

listen 3001 for http and listen 3002 for https. Then forward 3002.

Daniel_BlahBla · May 16, 2018, 1:21pm

Have now this:

server {
listen 3001;
server_name XXX;
rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
server_tokens off;
}

And for https this:

server {
listen 3002;
ssl on;
ssl_certificate /etc/letsencrypt/live/XXX/fullchain.pem; # path to your cacert.pem
ssl_certificate_key /etc/letsencrypt/live/XXX/privkey.pem; # path to your privkey.pem
server_name XXX;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/dhparam.pem;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    proxy_set_header X-Forwarded-For $remote_addr;

…

And this in my router:

When I now try to visit: XXX:3002/ I got a network timeout

bionade24 · May 16, 2018, 1:43pm

Did you execute nginx -s relaod ?

Daniel_BlahBla · May 16, 2018, 1:57pm

Yes I have executed nginx -s reload. But still no change

bionade24 · May 16, 2018, 2:00pm

So you use a subdomain of your fritz! Box? Where are the DNS records?

Or are you using MyFritz?

Daniel_BlahBla · May 16, 2018, 2:08pm

I have a .de domain from 1&1 and I’m using MyFritz. In the 1&1 domain control panel I have registered a subdomain cloud.XXX.de with a CNAME entry to my MyFritz address

wthess · May 16, 2018, 3:35pm

Did you also change this in your NGinx config? You’ll need it.

Daniel_BlahBla · May 16, 2018, 3:41pm

Thanks for your help. I think this is working but i also need to change this line(http server block):
rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https

to: rewrite ^ https://$host$request_uri? permanent; # force redirect http to https

right? Is that fine? And one more question regarding the well known acme challenge location. Should i move that in the http server block as well or is this not important?

edit: This is not working. I can get it to work when I write the port directly in the rewrite in the http block without changing the header.

wthess · May 16, 2018, 3:54pm

Yes, you can use the rewrite to force the redirect if you wish.

As for the well known acme challenge, it’s just another location entry. However, it may not work with an alternate port. I had problems with Letsencrypt due to using an alternate port and it wouldn’t update. Letsencrypt is very strict about how it updates, which is why I went ahead and paid for a valid certificate from my domain host. It costed me less than 9 US dollars per year. Headaches gone.

I’m not certain I understand what you mean. Can you elaborate or provide an example of what you are doing that makes it work?

Daniel_BlahBla · May 16, 2018, 3:59pm

I’m getting it to work in the local LAN if I use this rewrite rule in the http server block:
rewrite ^ https://$http_host:3002$request_uri? permanent;

Also I changed my configuration for the port forwarding in the fritz box to open up port 3001(http) and 3002(https).

But the rewrite line above is somehow only working for the internal LAN. If I try to connect over my domain it’s not working. Got SSL Error on port 3001 and when I directly try to connect over port 3002 I got network timeout.

bionade24 · May 16, 2018, 4:01pm

Can you try to connect over your ipv4-adress?

wthess · May 16, 2018, 4:03pm

Also, did you make the change I suggested to the proxy_set_header host entry?

And, yes, you’ll need that port number included in the rewrite as well.

wthess · May 16, 2018, 4:06pm

Additionally, what SSL error are you getting when you try to access it externally?

Daniel_BlahBla · May 16, 2018, 4:07pm

Not working got a 301 http status code

Daniel_BlahBla · May 16, 2018, 4:08pm

Yes I did

rewrite ^ https://$http_host:3002$request_uri? permanent;

proxy_set_header   Host $host:$server_port;

Daniel_BlahBla · May 16, 2018, 4:09pm

Still: SSL_ERROR_RX_RECORD_TOO_LONG

bionade24 · May 16, 2018, 4:10pm

So nginx can’t find the site for the redirect.