Just for clarity. You are doing lots of tests in /etc/nginx/sites-available.
Have you enabled the sites? i.e. created links (http and https) in /etc/nginx/sites-enabled to the active website in sites-available.
NB. Ralph will know this all better than me as he has nginx and I have apache2, but I assume this part works much the same. The simplest way to set these things up is to just follow a good step-by-step guide.
I have tried the guides but there's always that one exception ... sigh.
I'm wondering if the ports 8001 and 8002 port activity is left over from a nginx tutorial and they maybe should be closed?
Have you enabled the sites? i.e. created links (http and https) in /etc/nginx/sites-enabled to the active website in sites-available.
I'm not exactly sure that I'm understanding what you're asking here.
There is a symlink from /etc/nginx/sites-available to /etc/nginx/sites-enabled for realupnow.com.conf
Did you mean something in addition to that, please?
I sure appreciate the assist. Ralph, being in AUS, only becomes available in the evening here in Georgia, USA. I kinda run out of gas about 11 or 11:30PM. (Were I not 67, and didn't need to be up by 8AM or so in the morning, I might get more done - by interacting with him longer without the long interruption. But, sleep we must.)
Last edited by dcolburn (2023-01-03 16:15:01)
Hi, yes that what I hoped to see: seems OK. Just wanted to check.
Needless to say I'm in the UK, age 71, wake at 7am GMT, so we're all time-shifted.
I went through a similar website setup process myself a few years ago (except I was also setting up a mail server), and using apache, but closely following the guide that I used meant it was relatively painless.
Still can't 'see' your website.
Weird thing is that I was, for a little while, able to see the http website, but never the https. Something happened when we started to address the ssl part that took out the http as well.
Yes, me too.
I know that is from my apache/postfix guide but I think the steps for this stage (enabling https) will be very similar for nginx and it may prompt you to check the stages:
https://workaround.org/bullseye/tls-enc … rtificate/
This doesn't work: echo "Just a test" > /var/www/webmail.example.org/test. When changed to echo "Just a test" > /var/www/realupnow.com/test it also doesn't work, and neither does it work when I do it as echo > /var/www/realupnow.com/index.html.
BTW: I changed index.html to www-data:www-data from root:root - should I have done that? (It made no difference.)
This is from error.log.1
Do I need to address these errors, somehow?
2023/01/02 12:35:29 [emerg] 25927#25927: no "ssl_certificate_key" is defined for certificate "/etc/letsencrypt/live/realupnow.com/fullchain.pem"
2023/01/02 20:24:10 [emerg] 27474#27474: open() "/etc/nginx/snippets/ssl-params.conf" failed (2: No such file or directory) in /etc/nginx/sites-enabled/realupnow.com.conf:20
2023/01/02 21:04:16 [info] 27598#27598: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:65
Second question: Should there be an error.log and an error.log.1 or did something hiccup and I should delete error.log.1 so everything goes to err.log?
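Both [emerg] lines quoted above are configuration errors: nginx refuses to load a server block that names an ssl_certificate without an ssl_certificate_key, and it refuses to load any file whose include target is missing. While either is present, nginx -t fails and a restart leaves nothing listening, on 80 as well as 443. (error.log.1 is simply the previous log that logrotate moved aside; nginx keeps writing to error.log, so nothing needs deleting.) The script below is an added example, not a file from this thread or from the nginx package: it rebuilds both mistakes on a scratch copy of a vhost and reports them before nginx itself is asked to load the config. example.com, the empty .pem placeholders, ssl-params.conf and the mktemp paths are constructed stand-ins for the real /etc/letsencrypt/live/<domain>/ and /etc/nginx/snippets/ files.

```shell
#!/bin/sh
# Added example, not a file from the thread: catch the two [emerg] conditions
# from error.log.1 before running "nginx -t".
#   1. "no ssl_certificate_key is defined for certificate ..." - an
#      ssl_certificate directive without a matching ssl_certificate_key
#   2. open() ".../snippets/ssl-params.conf" failed - an include (or a
#      certificate path) that does not exist on disk
# Everything lives under a mktemp directory; example.com, the empty .pem files
# and ssl-params.conf are constructed stand-ins for the real files.

count_directive() {   # count_directive FILE NAME -> how many times NAME appears
    sed 's/#.*//' "$1" | awk -v d="$2" '$1 == d { n++ } END { print n + 0 }'
}

nginx_lint() {        # nginx_lint FILE -> 0 if clean, 1 plus a report otherwise
    conf=$1
    problems=0
    certs=$(count_directive "$conf" ssl_certificate)
    keys=$(count_directive "$conf" ssl_certificate_key)
    if [ "$certs" -ne "$keys" ]; then
        echo "$conf: $certs ssl_certificate but $keys ssl_certificate_key directive(s)"
        problems=$((problems + 1))
    fi
    # Every include, certificate and key path must exist. Globs are skipped,
    # because nginx accepts an include pattern that matches nothing.
    for f in $(sed 's/#.*//' "$conf" |
               awk '$1 == "include" || $1 == "ssl_certificate" ||
                    $1 == "ssl_certificate_key" { sub(/;$/, "", $2); print $2 }'); do
        case $f in *\**) continue ;; esac
        if [ ! -e "$f" ]; then
            echo "$conf: $f does not exist"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

make_fixtures() {     # builds good.conf and bad.conf under a temp dir, prints its path
    work=$(mktemp -d)
    mkdir -p "$work/letsencrypt/live/example.com" "$work/snippets"
    : > "$work/letsencrypt/live/example.com/fullchain.pem"   # placeholder, not a real cert
    : > "$work/letsencrypt/live/example.com/privkey.pem"     # placeholder, not a real key
    : > "$work/snippets/ssl-params.conf"
    # The shape that works: port 80 only redirects, 443 carries cert AND key.
    cat > "$work/good.conf" <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    root /var/www/example.com;
    index index.html;
    ssl_certificate     $work/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key $work/letsencrypt/live/example.com/privkey.pem;
    include $work/snippets/ssl-params.conf;
}
EOF
    # The same vhost with the two mistakes the error log reported.
    cat > "$work/bad.conf" <<EOF
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate $work/letsencrypt/live/example.com/fullchain.pem;
    include $work/snippets/missing.conf;
}
EOF
    echo "$work"
}

work=$(make_fixtures)
nginx_lint "$work/good.conf" && echo "good.conf: clean"
nginx_lint "$work/bad.conf"  || echo "bad.conf: fix these, then run: nginx -t && service nginx reload"
```

On the server the same check is nginx_lint /etc/nginx/sites-enabled/realupnow.com.conf followed by nginx -t; certbot puts the key next to the chain as /etc/letsencrypt/live/<domain>/privkey.pem, and the include line either needs the snippet created or removed. A grep -rn listen /etc/nginx/ over the same tree also shows which file carries the listen directives for the extra ports (8001, 8002, 8080) that turn up in netstat.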
Should I include this after root /var/www/realupnow.com?
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html index.php;
I'm grabbing at straws as I'm not sure it's even getting that far ... sigh.
In some of the nginx instructions the index line is included, in others it's not.
It's unclear, to me, why.
Last edited by dcolburn (2023-01-03 23:44:50)
root@devuan1:/var/www/realupnow.com# ls -l /etc/nginx/sites-enabled
total 0
lrwxrwxrwx 1 root root 45 Jan 1 21:47 realupnow.com.conf -> /etc/nginx/sites-available/realupnow.com.conf
root@devuan1:/var/www/realupnow.com# ls -l /etc/nginx/sites-available
total 8
-rw-r--r-- 1 root root 948 Jan 3 15:03 realupnow.com.conf
drwxr-xr-x 2 root root 4096 Dec 30 17:24 sitesavailableunusedfiles
root@devuan1:/var/www/realupnow.com#
Maybe I need to wipe everything (nginx) and start over?
We seem to be chasing our tails trying to find a needle in a haystack.
I'm not sure what that would mean to certbot and the Letsencrypt certificate, etc.
WDYT?
Your last wget test some posts ago looked all fine. I would not suggest that you start from the top.
However nmap still says https is closed.
Please stop nginx and start it again.
Use the following on the Dell-Devuan server:
# netstat -anp | grep -w LISTEN
to verify that it listens to port 443.
root@devuan1:/var/www/realupnow.com# sudo service nginx restart
Restarting nginx: nginx.
root@devuan1:/var/www/realupnow.com# netstat -anp | grep -w LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1430/sshd: /usr/sbi
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 29991/cupsd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 721/nginx: master p
tcp 0 0 0.0.0.0:8001 0.0.0.0:* LISTEN 721/nginx: master p
tcp 0 0 0.0.0.0:8002 0.0.0.0:* LISTEN 721/nginx: master p
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 721/nginx: master p
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 721/nginx: master p
tcp6 0 0 :::22 :::* LISTEN 1430/sshd: /usr/sbi
tcp6 0 0 ::1:631 :::* LISTEN 29991/cupsd
tcp6 0 0 :::6566 :::* LISTEN 1500/saned
root@devuan1:/var/www/realupnow.com#
CLARIFICATION ...
I had added index index.html index.htm index.nginx-debian.html index.php; to see if it would make any difference and forgot to remove it.
Would that have had any impact on this last test?
If so I'll remove it and Stop, Restart, and netstat again.
That's good; nginx does listen on port 443.
What do you get from
# iptables-save
EDIT: I reduced to the generic prompt "#"
root@devuan1:/var/www/realupnow.com# iptables-save
# Generated by iptables-save v1.8.7 on Tue Jan 3 22:19:22 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [18:894]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-reject-input -j REJECT --reject-with icmp-port-unreachable
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j REJECT --reject-with icmp-port-unreachable
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 3306 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Tue Jan 3 22:19:22 2023
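The only lines in that dump that decide what reaches nginx are the ufw-user-input ones: 80 and 22 are accepted, 3306 is dropped, and 443 has no rule at all, so with INPUT at policy DROP the https port is never reached. The script below is an added example, not part of the thread: it reads an iptables-save dump and reports what the ufw user chain does with a given inbound TCP port, first matching rule winning as in the kernel. The sample dump is constructed from the ufw-user-input lines posted above (only the lines that matter for the question are kept); on the server, pipe the real output of iptables-save into the same functions.

```shell
#!/bin/sh
# Added example, not from the thread: read an iptables-save dump and report
# what ufw's user chain does with an inbound TCP port.
# SAMPLE is constructed from the ufw-user-input lines posted above; on the
# server use:   iptables-save | tcp_verdict 443

SAMPLE='*filter
:INPUT DROP [0:0]
-A ufw-user-input -p tcp -m tcp --dport 3306 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

tcp_verdict() {   # tcp_verdict PORT  (iptables-save text on stdin) -> ACCEPT/DROP/.../none
    awk -v p="$1" '
        # Only TCP rules in ufw-user-input; the first one naming the port wins.
        # Handles --dport N and multiport --dports A,B,C (what "ufw allow 80,443/tcp"
        # writes); port ranges such as 8000:8010 are not expanded here.
        /^-A ufw-user-input / && / -p tcp / && !done {
            target = ""
            for (i = 1; i <= NF; i++) if ($i == "-j") target = $(i + 1)
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), ports, ",")
                    for (k = 1; k <= n; k++)
                        if (ports[k] == p) { result = target; done = 1 }
                }
        }
        END { print (result == "" ? "none" : result) }'
}

missing_web_ports() {   # iptables-save text on stdin -> the web ports with no ACCEPT
    dump=$(cat)
    missing=""
    for port in 80 443; do
        if [ "$(printf '%s\n' "$dump" | tcp_verdict "$port")" != "ACCEPT" ]; then
            missing="$missing $port"
        fi
    done
    echo "${missing# }"
}

printf '%s\n' "$SAMPLE" | tcp_verdict 443
echo "web ports without an ACCEPT: $(printf '%s\n' "$SAMPLE" | missing_web_ports)"
# Fix on the server (ufw rewrites ufw-user-input itself), then re-check:
#   ufw allow 443/tcp && iptables-save | missing_web_ports
```

A port with no rule ("none") falls back to the rest of the INPUT chain, which in this dump ends in ufw-reject-input and its REJECT. One caveat when reading the nmap result from outside: nmap reports closed when it receives a TCP RST and filtered when the probe is dropped or answered with an ICMP unreachable, so a "closed" 443 is worth re-testing from the LAN with the firewall rule in place before blaming the firewall alone.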
Ooops ... I thought my cut & paste created a problem but I think it had paused ...
root@devuan1:/var/www/realupnow.com#
Display all 1559 possibilities? (y or n)^C
root@devuan1:/var/www/realupnow.com#
Last edited by dcolburn (2023-01-04 03:32:45)
Is there a way to issue iptables-save for only the last 20 lines or something?
Obviously you have a firewall setup with ufw. That's fine. Just make holes for 80 and 443.
We got rid of ufw and iptables in favor of nftables.
That's ancient stuff ... we need a way to view just the most recent from iptables-save.
I'm not even sure why there's an iptables response at all since we switched to nftables.
EDIT: I don't know how but I just ran whereis ufw and it's still there. I know we uninstalled it - or tried to.
iptables is still there as well.
Meanwhile, nftables is gone.
I have no idea how or why this has happened. Arghh!
The change was made here: https://dev1galaxy.org/viewtopic.php?id=5428
Is there any way that RAID 1 is acting flaky and restoring stuff from the second SSD?
Last edited by dcolburn (2023-01-04 03:53:36)
I'm thinking I should do this ...
# apt install nftables orphan-sysvinit-scripts {g,}ufw-
# cp /usr/share/orphan-sysvinit-scripts/nftables /etc/init.d
# update-rc.d nftables defaults
# editor /etc/nftables.conf # copy in example file from my link
# /etc/init.d/nftables start
Then check with
# nft list ruleset
Then use Synaptic to uninstall ufw and gufw - taking care to assure that I click the setting to completely remove them.
That should give us a cleaner working space.
WDYT?
Well, I prefer the iptables rule syntax myself, but if you prefer nftables then that's of course fine with me. AFAIK it's just a matter of syntax; either way it uses the kernel's network filtering rules, so I wouldn't be surprised if you can view the rules with iptables syntax or nftables syntax regardless of how you make the rules.
Whichever way, you need the input/output holes for 443 traffic similar to the current 80 or 22 traffic.
OK, lemme at least get rid of ufw and gufw ... again.
Hopefully it sticks this time ...
How can the response to start be "none" but then the reply to ruleset display as follows?
root@devuan1:/var/www/realupnow.com# /etc/init.d/nftables start
Starting nftables: none.
root@devuan1:/var/www/realupnow.com# nft list ruleset
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
}
chain forward {
type filter hook forward priority filter; policy accept;
}
chain output {
type filter hook output priority filter; policy accept;
}
}
table inet firewall {
chain INBOUND {
type filter hook input priority filter; policy drop;
ct state established,related accept
ct state invalid drop
iif "lo" counter packets 0 bytes 0 accept
ip protocol icmp limit rate 4/second accept
ip6 nexthdr ipv6-icmp limit rate 4/second accept
ip protocol igmp limit rate 4/second accept
tcp dport 22 accept
log
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
}
chain OUTBOUND {
type filter hook output priority filter; policy drop;
ct state vmap { invalid : drop, established : accept, related : accept }
oif "lo" accept
ct state new udp dport { 53, 67, 123, 547 } accept
ct state new tcp dport { 53, 80, 443, 587 } accept
log prefix "DROP_output: " limit rate 3/second
}
}
root@devuan1:/var/www/realupnow.com#
This is /etc/nftables ...
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}
table inet firewall {
chain INBOUND {
type filter hook input priority filter; policy drop;
ct state established,related accept
ct state invalid drop
iif "lo" counter packets 0 bytes 0 accept
ip protocol icmp limit rate 4/second accept
ip6 nexthdr ipv6-icmp limit rate 4/second accept
ip protocol igmp limit rate 4/second accept
tcp dport 22 accept
log
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
}
chain OUTBOUND {
type filter hook output priority filter; policy drop;
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# Allow loopback
oif "lo" accept
# Accepted ports out (DNS / DHCP / TIME / WEB for package updates / SMTP)
ct state new udp dport { 53, 67, 123, 547 } accept
ct state new tcp dport { 53, 80, 443, 587 } accept
log prefix "DROP_output: " limit rate 3/second
}
}
Last edited by dcolburn (2023-01-04 04:52:06)
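The ruleset above has the same gap as the earlier ufw one: the INBOUND chain has policy drop and its only TCP rule is tcp dport 22 accept, so neither 80 nor 443 can reach nginx. Port 80 is needed as well as 443, both for the redirect and because certbot's HTTP-01 renewal is answered on port 80. The empty table inet filter in the file carries no rules and no policy (so its hooks default to accept); it blocks nothing but it is clutter in nft list ruleset and can go. The script below is an added example, not the thread's file: write_conf rewrites the posted /etc/nftables.conf with that one inbound line changed, inbound_tcp_ports reads back which TCP ports the INBOUND chain accepts, and nft_check syntax-checks a file with nft -c without loading it when nft is installed. The mktemp paths are constructed for the demo; the real file is /etc/nftables.conf.

```shell
#!/bin/sh
# Added example, not the thread's own file: the posted nftables.conf with
# 80 and 443 accepted inbound next to 22, the unused "filter" table removed,
# plus a reader that shows which TCP ports the INBOUND chain accepts.

write_conf() {   # write_conf PATH "22, 80, 443" -> writes the ruleset file
    cat > "$1" <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet firewall {
    chain INBOUND {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        ip protocol igmp limit rate 4/second accept
        # SSH plus the two ports nginx serves on (80 also carries certbot's HTTP-01 renewals)
        tcp dport { $2 } accept
        log
    }
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
    chain OUTBOUND {
        type filter hook output priority filter; policy drop;
        ct state vmap { established : accept, related : accept, invalid : drop }
        oif "lo" accept
        # DNS / DHCP / NTP, and web + submission out (apt, certbot's ACME calls, SMTP)
        ct state new udp dport { 53, 67, 123, 547 } accept
        ct state new tcp dport { 53, 80, 443, 587 } accept
        log prefix "DROP_output: " limit rate 3/second
    }
}
EOF
}

inbound_tcp_ports() {   # inbound_tcp_ports FILE -> e.g. "22 80 443"
    awk '
        /^[[:space:]]*chain INBOUND/ { in_chain = 1; next }
        in_chain && /^[[:space:]]*}/ { in_chain = 0 }
        in_chain && /tcp dport/ && /accept/ {
            line = $0
            sub(/.*tcp dport[[:space:]]*/, "", line)   # keep "{ 22, 80, 443 }" or "22"
            sub(/[[:space:]]*accept.*/, "", line)
            gsub(/[{},]/, " ", line)
            n = split(line, p, " ")
            for (i = 1; i <= n; i++) print p[i]
        }' "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

nft_check() {   # nft_check FILE -> parse without loading (needs nft; run as root on the server)
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed here, syntax check skipped for $1" >&2
    fi
}

work=$(mktemp -d)
write_conf "$work/before.conf" "22"
write_conf "$work/after.conf"  "22, 80, 443"
echo "before: $(inbound_tcp_ports "$work/before.conf")"
echo "after:  $(inbound_tcp_ports "$work/after.conf")"
nft_check "$work/after.conf" || echo "nft rejected after.conf, fix it before installing"
# On the server:  cp after.conf /etc/nftables.conf && /etc/init.d/nftables restart
#                 nft list ruleset | grep -A12 'chain INBOUND'
```

After the restart, nft list ruleset should show the new tcp dport set inside chain INBOUND, and netstat (which already shows nginx on 0.0.0.0:443) plus a test from another machine close the loop; if nft list ruleset still shows the old set, the init script loaded a different file than the one edited.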