
Nginx not binding to Manager Server port over SSL


#1

As per a previous posting, I am not able to bind Nginx to the manager installation to run the server edition over SSL on Ubuntu Server 14.04.

This is what I did:

  1. Install nginx:

     sudo apt-get update
     sudo apt-get install nginx
    
  2. Make sure webserver starts automatically on reboot:

     sudo update-rc.d nginx defaults
    

    This should be enabled by default so you might get a message like:

     System start/stop links for /etc/init.d/nginx already exist.
    
  3. Create a folder to hold your ssl certificate and create your self-signed ssl certificate:

     sudo mkdir /etc/nginx/ssl
     sudo openssl genrsa -out server.key 2048
     sudo openssl req -new -key server.key -out server.csr
     sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    
  4. Configure your redirect and bind manager’s port to use ssl by creating a redirect:

     sudo nano /etc/nginx/conf.d/ssl.conf
    

    Then paste the following content into the file before quitting and saving:

     #redirect to 443
     server {
            listen 12000 default_server;     #replace this by your manager port number
            server_name _;
            rewrite ^ https://$host$request_uri? permanent;
      }
      
      # HTTPS server
      server {
                 access_log  /etc/nginx/logs/ssl_access.log;
                 error_log   /etc/nginx/logs/ssl_error.log;
                 listen 443 ssl;
                 server_name _;
                 root html;
                 index index.html index.htm;
                 ssl on;
                 ssl_certificate /etc/nginx/ssl/server.crt;
                 ssl_certificate_key /etc/nginx/ssl/server.key;
                 ssl_session_timeout 5m;
                 ssl_protocols SSLv3 TLSv1;
                 ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
                 ssl_prefer_server_ciphers on;
                 location / {
                    try_files $uri $uri/ /index.html;
                   }
        }
    
  5. Create the folder to hold your ssl log files:

     sudo mkdir /etc/nginx/logs
    
  6. Restart nginx:

     sudo service nginx restart
    

    Now this is where things go wrong: for some reason the service won’t restart. Looking at the error logs in nginx:

     cat /var/log/nginx/error.log
    

    I get the following:

     bind() to 0.0.0.0:12000 failed (98: Address already in use)
    

Meaning that the port 12000 is already in use by manager. Yes of course but how do you bind this port to redirect to ssl then? This is the last step to finish off the process.

I would appreciate any guru’s insight into this.
Many thanks!


#2

As per your config, you are trying to make nginx listen on ports 443 and 12000. It can’t listen on port 12000 if you already have Manager Server listening on that port.

You only want your nginx to listen on port 443 so remove the first server {} section.

Now, within the second server {} section which makes nginx listen on port 443, you need to set location / {} section so it’s redirecting requests to Manager Server on port 12000.

As per http://nginx.com/resources/admin-guide/reverse-proxy/

Instead of:

     location / {
         try_files $uri $uri/ /index.html;
     }

You should have something like this:

     location / {
         proxy_pass http://127.0.0.1:12000;
     }
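
The bind failure from post #1 can be spotted before nginx is restarted. The following is an added example, not code from the thread or from nginx: it lists `listen` ports that collide with a local backend and probes a port the way nginx's bind() does. The function names and the sample configs, cut down from the two configs in this thread, are constructed for illustration.

```python
import errno
import re
import socket

LISTEN_RE = re.compile(r"\blisten\s+(?:[\w.\[\]:*]*:)?(\d+)\b")
PROXY_RE = re.compile(r"\bproxy_pass\s+https?://(?:127\.0\.0\.1|localhost|\[::1\]):(\d+)")

def port_conflicts(nginx_conf, backend_ports=()):
    """Return listen ports that a local backend already owns."""
    text = re.sub(r"#.*", "", nginx_conf)  # strip comments
    listen = {int(p) for p in LISTEN_RE.findall(text)}
    proxied = {int(p) for p in PROXY_RE.findall(text)}
    return sorted(listen & (proxied | set(backend_ports)))

def port_in_use(port, host="0.0.0.0"):
    """True when bind() fails with EADDRINUSE (errno 98 on Linux)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            raise  # e.g. EACCES for ports below 1024 without root
    return False

# Constructed samples: listen/location lines cut down from the thread's configs.
FIRST_ATTEMPT = """
server {
    listen 12000 default_server;   # same port Manager Server is bound to
    rewrite ^ https://$host$request_uri? permanent;
}
server {
    listen 443 ssl;
    location / { try_files $uri $uri/ /index.html; }
}
"""
REVERSE_PROXY = """
server {
    listen 443 ssl;
    location / { proxy_pass http://127.0.0.1:12000; }
}
"""

if __name__ == "__main__":
    print(port_conflicts(FIRST_ATTEMPT, backend_ports=[12000]))  # [12000]
    print(port_conflicts(REVERSE_PROXY))                         # []
    print(port_in_use(12000))  # probe the port Manager Server uses
```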

#3

Thanks Lubos. Your suggestion makes sense, and when I change the location the nginx error disappears; however, when I go to the browser it does not redirect http to https.
Any ideas on this? I am a bit lost here :smile:


#4

In case someone is interested in installing manager to run over SSL only, here is how it is done on an Ubuntu server:

  1. Install nginx:

     sudo apt-get update
     sudo apt-get install nginx

  2. Make sure nginx starts automatically on reboot:

     sudo update-rc.d nginx defaults

    This should be enabled by default so you might get a message like:

     System start/stop links for /etc/init.d/nginx already exist.

  3. Create a folder to hold your ssl certificate and create your self-signed ssl certificate:

     sudo mkdir /etc/nginx/ssl
     # work inside that folder so the key and certificate end up where the config below expects them
     cd /etc/nginx/ssl
     sudo openssl genrsa -out server.key 2048
     sudo openssl req -new -key server.key -out server.csr
     sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

  4. Configure your redirect and bind manager’s port to use ssl by creating a proxy_pass redirect:

     sudo nano /etc/nginx/sites-available/manager

    Then paste the following content into the file before quitting and saving:

     # access manager app on LAN and WAN over ssl on port 555
     server {
        listen 555 ssl;
        server_name yourserver.com;
        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        ssl_session_timeout 5m;

        # TLS only; SSLv3 is left out because it is vulnerable to POODLE
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
        ssl_prefer_server_ciphers on;

        # replace 12000 with your manager installation port here
        location / {
          proxy_pass http://127.0.0.1:12000;
        }
        # This takes care of redirecting the bad request made over http back to https on port 555
        error_page 400 497 https://$host:555$request_uri;
     }

  5. Restart nginx:

     sudo service nginx restart

    If things go wrong for some reason and the service won't restart, look at the error logs for nginx:

     cat /var/log/nginx/error.log

  6. Visit your manager installation via your browser and enjoy the secure connection!

     https://yourserver.com:555

    and check that

     http://yourserver.com:555

    redirects you to:

     https://yourserver.com:555
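
The `ssl_protocols` and `ssl_ciphers` lines decide how strong the HTTPS side of this proxy is, whatever port it listens on. The following is an added example, not code from the thread: it audits those two directives, using the lines from the first post's config as sample input. The weak-class table and the expansion of `ALL` are a simplified keyword model (an assumption), not OpenSSL's full rule evaluation.

```python
import re

BAD_PROTOCOLS = {"SSLv2": "broken", "SSLv3": "broken (POODLE)",
                 "TLSv1": "deprecated (RFC 8996)", "TLSv1.1": "deprecated (RFC 8996)"}
WEAK = {"LOW", "EXP", "EXPORT", "RC4", "MD5", "DES", "3DES", "aNULL", "eNULL", "NULL"}
WEAK_IN_ALL = {"LOW", "EXP", "RC4", "MD5", "3DES"}  # assumption: what "ALL" pulls in

def weak_cipher_classes(cipher_string):
    """Weak keyword classes left enabled by an OpenSSL-style cipher string."""
    enabled, banned = set(), set()
    for tok in re.split(r"[:,\s]+", cipher_string.strip("\"' ")):
        if not tok:
            continue
        if tok[0] in "!-":
            enabled.discard(tok[1:])
            if tok[0] == "!":
                banned.add(tok[1:])   # "!" removes the class permanently
        elif tok[0] == "+":
            continue                  # "+X" only reorders, it adds nothing
        else:
            names = WEAK_IN_ALL if tok == "ALL" else set(tok.split("+")) & WEAK
            enabled |= names - banned
    return sorted(enabled)

def audit_tls(nginx_conf):
    """Report weak protocol versions and cipher classes found in a config."""
    text = re.sub(r"#.*", "", nginx_conf)  # strip comments
    protos = re.findall(r"\bssl_protocols\s+([^;]+);", text)
    ciphers = re.findall(r"\bssl_ciphers\s+([^;]+);", text)
    return {
        "protocols": {p: BAD_PROTOCOLS[p] for line in protos
                      for p in line.split() if p in BAD_PROTOCOLS},
        "ciphers": sorted({c for line in ciphers for c in weak_cipher_classes(line)}),
    }

# The two directives as they appear in the first post's config.
FIRST_POST_TLS = """
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
"""
# Constructed sample of a tightened pair of directives.
TIGHTENED_TLS = """
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
"""

if __name__ == "__main__":
    print(audit_tls(FIRST_POST_TLS))
    print(audit_tls(TIGHTENED_TLS))
```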

#5

I’m glad you got it working. Great job and thanks for sharing.


#6

No worries thanks for your help on this. Still testing the server version and so far it is working!
Please note that you must use your localhost IP address in the nginx configuration file and not just “localhost” otherwise you will get all sorts of errors in your error log file even though manager will work!
I have rectified it in the above post!
Hope it will help other people to get it working.


#7

How to make it work on Windows server?


#8

Thank you for sharing, this is tremendous… I generated the /etc/nginx/sites-available/manager file as you described but found that I needed to edit the ssl.conf file when checking the error log, cat /var/log/nginx/error.log.
I made a small tweak on our server’s nginx ssl.conf file which is similar to what you have already presented.

sudo nano /etc/nginx/conf.d/ssl.conf

Now instead of using port 555 as you have given in the example I popped in the SSL port number of 443. This change allows the user to simply enter https://myserver.domain.com and you are presented with the manager login as a secure login page in whatever web browser you have chosen to use. Great!

My question is has that change compromised anything on the system because it was really simple to setup using the information you provided?

My next step will be to purchase a Certificate to make the IE and Chrome Browsers happy and complain about a Certificate Error. However with Firefox once the Certificate message is okayed and accepted all is seamless and functional.

Your thoughts - Thank you once again.