CONGRATS . . . and you figured it out while rrq was ZZZZzzzzz!!
I'm sure that he'll be relieved to awaken and not have it still out there.
I'm grateful that he encouraged me not to wipe everything and start clean ...
I'll ask a couple of people to White Hat it and suggest security adjustments.
Next, maybe, I may as well go ahead and get mail working.
It's working, it's working, it's working!
Something had wiped the contents of index.html
BOTH http and https are responding and displaying.
Can someone check the security of the site - any obvious gaps that need to be addressed, please?
If so I'll start a new thread for that but this one seems to ... finally ... be SOLVED! :-)
OK, it's now appearing to permit access to both https://realupnow.com and http://realupnow.com but it displays nothing.
It still doesn't appear to be listening ...
root@devuan1:/etc/nginx# netstat -anp : grep -w LISTEN
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
raw6 0 0 :::58 :::* 7 1472/NetworkManager
root@devuan1:/etc/nginx# chown www-data:www-data /etc/nginx/sites-available/realupnow.com.conf
Well ... maybe it is?
root@devuan1:/etc/nginx# wget -H -O/dev/null http://realupnow.com/
--2023-01-04 14:22:52-- http://realupnow.com/
Resolving realupnow.com (realupnow.com)... 127.0.0.1
Connecting to realupnow.com (realupnow.com)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://realupnow.com/ [following]
--2023-01-04 14:22:52-- https://realupnow.com/
Connecting to realupnow.com (realupnow.com)|127.0.0.1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1 [text/html]
Saving to: ‘/dev/null’
/dev/null 100%[=================================================================>] 1 --.-KB/s in 0s
2023-01-04 14:22:52 (3.11 MB/s) - ‘/dev/null’ saved [1/1]
root@devuan1:/etc/nginx#
So, now I see that the purpose of "location" is to call a "module". (Source: https://www.educba.com/nginx-modules/)
Code:
git clone https://github.com/module_name.git
Output:
git clone https://github.com/perusio/nginx-hello-world-module.git
Code:
./configure --with-compat --add-dynamic-module=../module_name
make modules
Code:
load_module modules/module_name.so;
Code:
server {
listen 80;
location / {
module_name;
}
}
Output:
server {
listen 80;
location / {
hello_world
}
}
root@devuan1:/var/www/realupnow.com# nginx -V 2>&1 | tr -- - '\n' | grep _module
http_ssl_module
http_stub_status_module
http_realip_module
http_auth_request_module
http_v2_module
http_dav_module
http_slice_module
http_addition_module
http_flv_module
http_geoip_module=dynamic
http_gunzip_module
http_gzip_static_module
http_image_filter_module=dynamic
http_mp4_module
http_perl_module=dynamic
http_random_index_module
http_secure_link_module
http_sub_module
http_xslt_module=dynamic
mail_ssl_module
stream_geoip_module=dynamic
stream_ssl_module
stream_ssl_preread_module
root@devuan1:/var/www/realupnow.com#
Shouldn't the privileges here -rw-r--r-- 1 root root 953 Jan 4 08:40 realupnow.com.conf
... be the same here? lrwxrwxrwx 1 root root 45 Jan 1 21:47 realupnow.com.conf -> /etc/nginx/sites-available/realupnow.com.conf
Question:
/etc/nginx/modules-available is empty but in /etc/nginx/modules-enabled are 21 symlinked modules.
Is that expected?
root@devuan1:/var/www/realupnow.com# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@devuan1:/var/www/realupnow.com# wget -H -O/dev/null http://realupnow.com/
--2023-01-04 08:13:23-- http://realupnow.com/
Resolving realupnow.com (realupnow.com)... 127.0.0.1
Connecting to realupnow.com (realupnow.com)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://realupnow.com/ [following]
--2023-01-04 08:13:23-- https://realupnow.com/
Connecting to realupnow.com (realupnow.com)|127.0.0.1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1 [text/html]
Saving to: ‘/dev/null’
/dev/null 100%[=================================================================>] 1 --.-KB/s in 0s
2023-01-04 08:13:23 (2.99 MB/s) - ‘/dev/null’ saved [1/1]
root@devuan1:/var/www/realupnow.com# netstat -anp : grep -w LISTEN
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
raw6 0 0 :::58 :::* 7 1527/NetworkManager
root@devuan1:/var/www/realupnow.com# sudo service nginx stop
Stopping nginx: nginx.
root@devuan1:/var/www/realupnow.com# sudo service nginx start
Starting nginx: nginx.
root@devuan1:/var/www/realupnow.com# netstat -anp : grep -w LISTEN
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
raw6 0 0 :::58 :::* 7 1527/NetworkManager
root@devuan1:/var/www/realupnow.com#
I guess I need to quit for the night.
I'll reboot and look at things in the morning - unless you recommend against that.
Or, I'll try whatever you recommend, instead.
This sure has proved a wild ride so far ...
Sigh.
root@devuan1:/var/www/realupnow.com# wget -H -O/dev/null http://realupnow.com/
--2023-01-04 00:14:56-- http://realupnow.com/
Resolving realupnow.com (realupnow.com)... 127.0.0.1
Connecting to realupnow.com (realupnow.com)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://realupnow.com/ [following]
--2023-01-04 00:14:56-- https://realupnow.com/
Connecting to realupnow.com (realupnow.com)|127.0.0.1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1 [text/html]
Saving to: ‘/dev/null’
/dev/null 100%[=================================================================>] 1 --.-KB/s in 0s
2023-01-04 00:14:56 (3.10 MB/s) - ‘/dev/null’ saved [1/1]
root@devuan1:/var/www/realupnow.com#
I stopped and started nginx but the output of netstat remained the same.
Might it be good for me to restart the server to clear out buffers, etc?
root@devuan1:/var/www/realupnow.com# netstat -anp : grep -w LISTEN
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
raw6 0 0 :::58 :::* 7 1527/NetworkManager
root@devuan1:/var/www/realupnow.com#
This looks promising ...
root@devuan1:/var/www/realupnow.com# nft list ruleset | grep dport
tcp dport 22 accept
ct state new udp dport { 53, 67, 123, 547 } accept
ct state new tcp dport { 53, 80, 443, 587 } accept
root@devuan1:/var/www/realupnow.com#
This is /etc/nftables ...
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}
table inet firewall {
chain INBOUND {
type filter hook input priority filter; policy drop;
ct state established,related accept
ct state invalid drop
iif "lo" counter packets 0 bytes 0 accept
ip protocol icmp limit rate 4/second accept
ip6 nexthdr ipv6-icmp limit rate 4/second accept
ip protocol igmp limit rate 4/second accept
tcp dport 22 accept
log
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
}
chain OUTBOUND {
type filter hook output priority filter; policy drop;
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# Allow loopback
oif "lo" accept
# Accepted ports out (DNS / DHCP / TIME / WEB for package updates / SMTP)
ct state new udp dport { 53, 67, 123, 547 } accept
ct state new tcp dport { 53, 80, 443, 587 } accept
log prefix "DROP_output: " limit rate 3/second
}
}
How can the response to start be "none" but then the reply to ruleset display as follows?
root@devuan1:/var/www/realupnow.com# /etc/init.d/nftables start
Starting nftables: none.
root@devuan1:/var/www/realupnow.com# nft list ruleset
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
}
chain forward {
type filter hook forward priority filter; policy accept;
}
chain output {
type filter hook output priority filter; policy accept;
}
}
table inet firewall {
chain INBOUND {
type filter hook input priority filter; policy drop;
ct state established,related accept
ct state invalid drop
iif "lo" counter packets 0 bytes 0 accept
ip protocol icmp limit rate 4/second accept
ip6 nexthdr ipv6-icmp limit rate 4/second accept
ip protocol igmp limit rate 4/second accept
tcp dport 22 accept
log
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
}
chain OUTBOUND {
type filter hook output priority filter; policy drop;
ct state vmap { invalid : drop, established : accept, related : accept }
oif "lo" accept
ct state new udp dport { 53, 67, 123, 547 } accept
ct state new tcp dport { 53, 80, 443, 587 } accept
log prefix "DROP_output: " limit rate 3/second
}
}
root@devuan1:/var/www/realupnow.com#
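The active ruleset above accepts only tcp dport 22 in the chain hooked on input, while 80 and 443 appear only in the OUTBOUND chain; the script below (added here, not code from the thread or from nftables) reports the TCP ports a service listens on that no input-hook rule accepts. It assumes the piped `netstat -anp | grep -w LISTEN` form used later in the thread (with a colon in place of the pipe, grep never runs), and its sample inputs are constructed from output shown in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: list non-loopback TCP listening ports
# that the nftables chain hooked on input never accepts (samples constructed).
LISTEN_SAMPLE='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1430/sshd: /usr/sbi
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 29991/cupsd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 721/nginx: master p
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 721/nginx: master p'

NFT_SAMPLE='table inet firewall {
chain INBOUND {
type filter hook input priority filter; policy drop;
iif "lo" counter packets 0 bytes 0 accept
tcp dport 22 accept
}
chain OUTBOUND {
type filter hook output priority filter; policy drop;
ct state new tcp dport { 53, 80, 443, 587 } accept
}
}'

# listening_ports: ports of tcp/tcp6 LISTEN sockets not bound to loopback,
# read from "netstat -anp | grep -w LISTEN" style lines, sorted lexically.
listening_ports() {
  printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr != "127.0.0.1" && addr != "::1") print port }' | sort -u
}

# inbound_accepted: tcp dports accepted by rules inside a chain hooked on
# input, expanding "{ a, b }" sets; forward/output chains are ignored.
inbound_accepted() {
  printf '%s\n' "$1" | awk '
    /hook input/ { inhook = 1; next }
    /hook forward|hook output/ { inhook = 0 }
    inhook && /tcp dport/ && /accept/ {
      sub(/.*tcp dport */, ""); sub(/ *accept.*/, "")
      gsub(/[{},]/, " "); n = split($0, p, " ")
      for (i = 1; i <= n; i++) print p[i] }' | sort -u
}

# unreachable_ports: listening ports with no inbound accept rule, one per line.
unreachable_ports() {
  accepted=" $(inbound_accepted "$2" | tr '\n' ' ')"
  for port in $(listening_ports "$1"); do
    case "$accepted" in *" $port "*) ;; *) echo "$port" ;; esac
  done
}

unreachable_ports "$LISTEN_SAMPLE" "$NFT_SAMPLE"
```

On the live box, feed it `"$(netstat -anp | grep -w LISTEN)"` and `"$(nft list ruleset)"` instead of the samples; an empty result means every exposed listener has a matching inbound accept rule.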
OK, lemme at least get rid of ufw and gufw ... again.
Hopefully it sticks this time ...
I'm thinking I should do this ...
# apt install nftables orphan-sysvinit-scripts {g,}ufw-
# cp /usr/share/orphan-sysvinit-scripts/nftables /etc/init.d
# update-rc.d nftables defaults
# editor /etc/nftables.conf # copy in example file from my link
# /etc/init.d/nftables start
Then check with
# nft list ruleset
Then use Synaptic to uninstall ufw and gufw - taking care to assure that I click the setting to completely remove them.
That should give us a cleaner working space.
WDYT?
We got rid of ufw and iptables in favor of nftables.
That's ancient stuff ... we need a way to view just the most recent from iptables-save.
I'm not even sure why there's an iptables response at all since we switched to nftables.
EDIT: I don't know how but I just ran whereis ufw and it's still there. I know we uninstalled it - or tried to.
iptables is still there as well.
Meanwhile, nftables is gone.
I have no idea how or why this has happened. Arghh!
The change was made here: https://dev1galaxy.org/viewtopic.php?id=5428
Is there any way that Raid 1 is acting flaky and restoring stuff from the second SSD?
Is there a way to issue iptables-save for only the last 20 lines or something?
Ooops ... I thought my cut & paste created a problem but I think it had paused ...
root@devuan1:/var/www/realupnow.com#
Display all 1559 possibilities? (y or n)^C
root@devuan1:/var/www/realupnow.com#
root@devuan1:/var/www/realupnow.com# iptables-save
# Generated by iptables-save v1.8.7 on Tue Jan 3 22:19:22 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [18:894]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-reject-input -j REJECT --reject-with icmp-port-unreachable
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j REJECT --reject-with icmp-port-unreachable
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 3306 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Tue Jan 3 22:19:22 2023
CLARIFICATION ...
I had added index index.html index.htm index.nginx-debian.html index.php; to see if it would make any difference and forgot to remove it.
Would that have had any impact on this last test?
If so I'll remove it and Stop, Restart, and netstat again.
root@devuan1:/var/www/realupnow.com# sudo service nginx restart
Restarting nginx: nginx.
root@devuan1:/var/www/realupnow.com# netstat -anp | grep -w LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1430/sshd: /usr/sbi
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 29991/cupsd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 721/nginx: master p
tcp 0 0 0.0.0.0:8001 0.0.0.0:* LISTEN 721/nginx: master p
tcp 0 0 0.0.0.0:8002 0.0.0.0:* LISTEN 721/nginx: master p
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 721/nginx: master p
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 721/nginx: master p
tcp6 0 0 :::22 :::* LISTEN 1430/sshd: /usr/sbi
tcp6 0 0 ::1:631 :::* LISTEN 29991/cupsd
tcp6 0 0 :::6566 :::* LISTEN 1500/saned
root@devuan1:/var/www/realupnow.com#
Maybe I need to wipe everything (nginx) and start over?
We seem to be chasing our tails trying to find a needle in a haystack.
I'm not sure what that would mean to certbot and the Letsencrypt certificate, etc.
WDYT?
root@devuan1:/var/www/realupnow.com# ls -l /etc/nginx/sites-enabled
total 0
lrwxrwxrwx 1 root root 45 Jan 1 21:47 realupnow.com.conf -> /etc/nginx/sites-available/realupnow.com.conf
root@devuan1:/var/www/realupnow.com# ls -l /etc/nginx/sites-available
total 8
-rw-r--r-- 1 root root 948 Jan 3 15:03 realupnow.com.conf
drwxr-xr-x 2 root root 4096 Dec 30 17:24 sitesavailableunusedfiles
root@devuan1:/var/www/realupnow.com#