This looks promising ...
root@devuan1:/var/www/realupnow.com# nft list ruleset | grep dport
tcp dport 22 accept
ct state new udp dport { 53, 67, 123, 547 } accept
ct state new tcp dport { 53, 80, 443, 587 } accept
root@devuan1:/var/www/realupnow.com#
Offline
root@devuan1:/var/www/realupnow.com# netstat -anp : grep -w LISTEN
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
raw6 0 0 :::58 :::* 7 1527/NetworkManager
root@devuan1:/var/www/realupnow.com#
Last edited by dcolburn (2023-01-04 04:59:32)
Offline
I stopped and started nginx but the output of netstat remained the same.
Might it be good for me to restart the server to clear out buffers, etc?
Last edited by dcolburn (2023-01-04 05:07:00)
Offline
root@devuan1:/var/www/realupnow.com# wget -H -O/dev/null http://realupnow.com/
--2023-01-04 00:14:56-- http://realupnow.com/
Resolving realupnow.com (realupnow.com)... 127.0.0.1
Connecting to realupnow.com (realupnow.com)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://realupnow.com/ [following]
--2023-01-04 00:14:56-- https://realupnow.com/
Connecting to realupnow.com (realupnow.com)|127.0.0.1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1 [text/html]
Saving to: ‘/dev/null’
/dev/null 100%[=================================================================>] 1 --.-KB/s in 0s
2023-01-04 00:14:56 (3.10 MB/s) - ‘/dev/null’ saved [1/1]
root@devuan1:/var/www/realupnow.com#
Offline
I guess I need to quit for the night.
I'll reboot and look at things in the morning - unless you recommend against that.
Or, I'll try whatever you recommend, instead.
This sure has proved a wild ride so far ...
Sigh.
Offline
That doesn't look ok. Not that I really know nft syntax but by the looks of it ports 80 and 443 are now blocked, and it no longer responds to ping either. Do you need all that...
I think you'll need
tcp dport {22, 80, 443} accept
in the input filtering..
And do you really need to filter output at all? Though it looks like it would work...
Offline
Or you may need something like
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
ip protocol igmp accept
in the output filtering as well for ping responses.
Offline
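Added example, not part of any post in this thread: `grep dport` drops the chain each rule belongs to, so the listing above cannot show whether the 80/443 rule sits in the input or the output chain. The sketch below groups accepted TCP ports by chain; the sample ruleset is constructed (not the poster's), and the function names `sample_ruleset`, `accepted_tcp_ports` and `chain_accepts` are hypothetical.

```shell
# Constructed sample in the layout `nft list ruleset` prints; not the poster's ruleset.
sample_ruleset() {
cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
    }
    chain output {
        type filter hook output priority filter; policy drop;
        ct state established,related accept
        ct state new udp dport { 53, 67, 123, 547 } accept
        ct state new tcp dport { 53, 80, 443, 587 } accept
    }
}
EOF
}

# Read a ruleset on stdin; print "chain: port port ..." per chain that accepts TCP dports.
accepted_tcp_ports() {
    awk '
    $1 == "chain" { chain = $2; next }     # remember which chain we are inside
    /tcp dport/ && /accept/ {
        line = $0
        sub(/.*tcp dport /, "", line)      # keep what follows the match keyword
        sub(/ accept.*/, "", line)         # drop the verdict
        gsub(/[{},]/, " ", line)           # flatten an anonymous set to plain numbers
        n = split(line, p, " ")
        for (i = 1; i <= n; i++) ports[chain] = ports[chain] " " p[i]
        if (!(chain in seen)) { seen[chain] = 1; order[++k] = chain }
    }
    END { for (i = 1; i <= k; i++) print order[i] ":" ports[order[i]] }
    '
}

# Read a ruleset on stdin; succeed only if chain $1 accepts every port listed after it.
chain_accepts() {
    chain=$1; shift
    have=$(accepted_tcp_ports | sed -n "s/^$chain://p")
    for port in "$@"; do
        case " $have " in *" $port "*) ;; *) return 1 ;; esac
    done
    return 0
}
```

On a live host the same check would be `nft list ruleset | chain_accepts input 22 80 443`; it only reads literal `tcp dport` rules and does not follow named sets or jumps to other chains.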
root@devuan1:/var/www/realupnow.com# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@devuan1:/var/www/realupnow.com# wget -H -O/dev/null http://realupnow.com/
--2023-01-04 08:13:23-- http://realupnow.com/
Resolving realupnow.com (realupnow.com)... 127.0.0.1
Connecting to realupnow.com (realupnow.com)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://realupnow.com/ [following]
--2023-01-04 08:13:23-- https://realupnow.com/
Connecting to realupnow.com (realupnow.com)|127.0.0.1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1 [text/html]
Saving to: ‘/dev/null’
/dev/null 100%[=================================================================>] 1 --.-KB/s in 0s
2023-01-04 08:13:23 (2.99 MB/s) - ‘/dev/null’ saved [1/1]
root@devuan1:/var/www/realupnow.com# netstat -anp : grep -w LISTEN
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
raw6 0 0 :::58 :::* 7 1527/NetworkManager
root@devuan1:/var/www/realupnow.com# sudo service nginx stop
Stopping nginx: nginx.
root@devuan1:/var/www/realupnow.com# sudo service nginx start
Starting nginx: nginx.
root@devuan1:/var/www/realupnow.com# netstat -anp : grep -w LISTEN
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
raw6 0 0 :::58 :::* 7 1527/NetworkManager
root@devuan1:/var/www/realupnow.com#
Offline
Question:
/etc/nginx/modules-available is empty but in /etc/nginx/modules-enabled are 21 symlinked modules.
Is that expected?
Offline
Shouldn't the privileges here -rw-r--r-- 1 root root 953 Jan 4 08:40 realupnow.com.conf
... be the same here? lrwxrwxrwx 1 root root 45 Jan 1 21:47 realupnow.com.conf -> /etc/nginx/sites-available/realupnow.com.conf
Offline
root@devuan1:/var/www/realupnow.com# nginx -V 2>&1 | tr -- - '\n' | grep _module
http_ssl_module
http_stub_status_module
http_realip_module
http_auth_request_module
http_v2_module
http_dav_module
http_slice_module
http_addition_module
http_flv_module
http_geoip_module=dynamic
http_gunzip_module
http_gzip_static_module
http_image_filter_module=dynamic
http_mp4_module
http_perl_module=dynamic
http_random_index_module
http_secure_link_module
http_sub_module
http_xslt_module=dynamic
mail_ssl_module
stream_geoip_module=dynamic
stream_ssl_module
stream_ssl_preread_module
root@devuan1:/var/www/realupnow.com#
Offline
So, now I see that the purpose of "location" is to call a "module". (Source: https://www.educba.com/nginx-modules/)
Code:
git clone https://github.com/module_name.git
Output:
git clone https://github.com/perusio/nginx-hello-world-module.git
Code:
./configure --with-compat --add-dynamic-module=../module_name
make modules
Code:
load_module modules/module_name.so;
Code:
server {
    listen 80;
    location / {
        module_name;
    }
}
Output:
server {
    listen 80;
    location / {
        hello_world;
    }
}
Offline
OK, it's now appearing to permit access to both https://realupnow.com and http://realupnow.com but it displays nothing.
It still doesn't appear to be listening ...
root@devuan1:/etc/nginx# netstat -anp : grep -w LISTEN
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
raw6 0 0 :::58 :::* 7 1472/NetworkManager
root@devuan1:/etc/nginx# chown www-data:www-data /etc/nginx/sites-available/realupnow.com.conf
Well ... maybe it is?
root@devuan1:/etc/nginx# wget -H -O/dev/null http://realupnow.com/
--2023-01-04 14:22:52-- http://realupnow.com/
Resolving realupnow.com (realupnow.com)... 127.0.0.1
Connecting to realupnow.com (realupnow.com)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://realupnow.com/ [following]
--2023-01-04 14:22:52-- https://realupnow.com/
Connecting to realupnow.com (realupnow.com)|127.0.0.1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1 [text/html]
Saving to: ‘/dev/null’
/dev/null 100%[=================================================================>] 1 --.-KB/s in 0s
2023-01-04 14:22:52 (3.11 MB/s) - ‘/dev/null’ saved [1/1]
root@devuan1:/etc/nginx#
Offline
It's working, it's working, it's working!
Something had wiped the contents of index.html
BOTH http and https are responding and displaying.
Can someone check the security of the site - any obvious gaps that need to be addressed, please?
If so I'll start a new thread for that but this one seems to ... finally ... be SOLVED! :-)
Offline
CONGRATS . . . and you figured it out while rrq was ZZZZzzzzz!!
Offline
CONGRATS . . . and you figured it out while rrq was ZZZZzzzzz!!
I'm sure that he'll be relieved to awaken and not have it still out there.
I'm grateful that he encouraged me not to wipe everything and start clean ...
I'll ask a couple of people to White Hat it and suggest security adjustments.
Next, maybe, I may as well go ahead and get mail working.
Offline