Example site? Password protected?

General Discussion

Re: Example site? Password protected?

Postby kevin » Mon Apr 13, 2015 1:06 pm

Checked with firefox and chrome - I don't have IE to test with, but I'd imagine it's down to cipher suite support/ssl protocol support for IE if that's the case.

You should be able to add support for IE by adding "SSLv3" and "MEDIUM" to ssl_protocols and ssl_ciphers, though we would recommend just ditching IE all together.
Not an employee of the company. Just here to help and keep things clean.
kevin
Platinum Nut
Platinum Nut
 
Posts: 994
Joined: Fri Aug 16, 2013 10:10 am

Re: Example site? Password protected?

Postby kevin » Mon Apr 13, 2015 2:40 pm

Here is a config that will work with IE as well (tested with IE 11 in Windows 7)

Code: Select all
server {
   listen 80;
   return 301 https://$host$request_uri;
}

server {
    error_page 502 /502.html;

    listen 443 ssl;
    server_name alarmdecoder-demo;

    ssl_certificate /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;

    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#    ssl_ciphers HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 4k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    location / {
        try_files $uri @alarmdecoder;
    }

    location @alarmdecoder {
        proxy_pass http://127.0.0.1:5000;
        include uwsgi_params;
        uwsgi_param UWSGI_SCHEME $scheme;
        uwsgi_param SERVER_SOFTWARE nginx/$nginx_version;

        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X_FORWARDED_PROTO https;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
   proxy_redirect http://localhost:5000 https://alarmdecoder-demo;
    }

    location /502.html {
        root /opt/alarmdecoder-webapp/ad2web/static;
    }

    location ~ \.(jpg|jpeg|png|css|js)$ {
    root /opt/alarmdecoder-webapp/ad2web;
    }
}

Not an employee of the company. Just here to help and keep things clean.
kevin
Platinum Nut
Platinum Nut
 
Posts: 994
Joined: Fri Aug 16, 2013 10:10 am

Re: Example site? Password protected?

Postby Gordon » Mon Apr 13, 2015 2:44 pm

OK I think I found my error.. I had made a back-up copy of the config file in the same directory, sites-enabled, instead of putting it in sites-available (or anywhere else!).. so nginx was no doubt reading both config files. Deleting (or moving instead, no doubt) the back-up file helped and it also stopped the “nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored” error message.

On my lan, alarmdecorder / nginx is on 192.168.1.98

https://192.168.1.98/keypad/ works fine on Chrome

however

https://192.168.1.98 resolves to http://alarmdecoder-demo/keypad/ and fails (Error code: ERR_NAME_NOT_RESOLVED)

I can live with that however I feel like it is a serviceable configuration but still has issues well beyond my knowledge level of nginx.

On IE, https://192.168.1.98/keypad/ resolves to http://alarmdecoder-demo/login?next=%2Fkeypad%2F and fails (still using the first config file you suggested) Can test the new config file if you like but I am good with the suggestion to ditch IE.. which I never use unless testing.
Gordon
newt
newt
 
Posts: 17
Joined: Fri Nov 28, 2014 3:02 pm

Re: Example site? Password protected?

Postby kevin » Mon Apr 13, 2015 2:54 pm

The alarmdecoder-demo errors are due to the fact that in my example I had provided a name of alarmdecoder-demo as well as a redirect to alarmdecoder-demo - you would want to replace those values with what it should really be - if you haven't changed your hostname etc, it would just be 'alarmdecoder' and not 'alarmdecoder-demo' - also, with regard to the IE stuff, please see my config from above - verified to work in IE11 for Windows 7.

So change "server_name alarmdecoder-demo;" to "server_name alarmdecoder;" and in the "proxy_redirect" make sure that is also not 'demo' - and you should be good to go.
Not an employee of the company. Just here to help and keep things clean.
kevin
Platinum Nut
Platinum Nut
 
Posts: 994
Joined: Fri Aug 16, 2013 10:10 am

Re: Example site? Password protected?

Postby Maxburn » Mon Apr 13, 2015 3:51 pm

Seems we aren't agreeing where to store the keys or what to name them, I followed the instructions earlier in the thread and wound up with keys with different names in a different folder than what that last config file is using.

Thanks for clarifying that necessary name change, I was working through the same problem as you were posting it.
Maxburn
Senior Nut
Senior Nut
 
Posts: 55
Joined: Sat Feb 28, 2015 4:57 pm

Re: Example site? Password protected?

Postby Gordon » Mon Apr 13, 2015 4:07 pm

@ Kevin.. Oh now I am seeing how some of this works. I still had a problem with DNS lookup (there is none, I go by IP). The RasPi has its host name set to alarmdecoder but my windows laptop does not know that, so changing the variables you suggested as alarmdecoder to the IP seems to work fine. If it does not, I will fix the host name lookup. THANKS

@ maxburn .. Yes the SSL key /cert file names and paths are not consistent in this thread. I saw that when i pasted the code and got an error on nginx reload... but of course you can use whatever names and paths you wish.
Gordon
newt
newt
 
Posts: 17
Joined: Fri Nov 28, 2014 3:02 pm

Re: Example site? Password protected?

Postby kevin » Mon Apr 13, 2015 4:38 pm

Ya, sorry about inconsistency with the paths in my example(s) - that's what happens when you're testing on the fly changes :) You can literally use whatever you want there though as long as it's a path to a valid key and certificate


With regard to DNS lookup on windows if you download Bonjour for Windows, it will pick up the name properly as the Avahi daemon will broadcast! This only applies to windows, linux and osx seem to work with this out of the box. :)
Not an employee of the company. Just here to help and keep things clean.
kevin
Platinum Nut
Platinum Nut
 
Posts: 994
Joined: Fri Aug 16, 2013 10:10 am

Re: Example site? Password protected?

Postby Maxburn » Mon Apr 13, 2015 4:57 pm

In my case I am using a public DNS name and it appears to work fine this way. I have my router set to forward 80 and 443 to the ad2pi internally so it will upgrade http to https on the fly which was a nice touch. The SSL certificate warns that the names don't match but I'll work on that later.

Inside my home network I'm no longer able to get to the device via local IP but that's not a big deal as the public address works.

I think I'm still using the default device name, not sure what benefit it would be to change that. Unless it's linked to my problem with the SSL certificate names not matching.
Maxburn
Senior Nut
Senior Nut
 
Posts: 55
Joined: Sat Feb 28, 2015 4:57 pm

Re: Example site? Password protected?

Postby kevin » Mon Apr 13, 2015 5:03 pm

Your SSL certificate would need to match the FQDN you are using, if you are using https://myalarm.example.com then you would want your cert's common name to be myalarm.example.com when setting up the cert/CSR if using a purchased SSL certificate. In which case you would also want the CA cert to be added to the config. You would also want to update the "server_name" and "proxy_redirect" items in the config to match the FQDN.

In a default case, for a FQDN you would use https://alarmdecoder and common name of alarmdecoder to avoid this mismatch while leaving the config entries defaulted as 'alarmdecoder' in the server_name and proxy_redirect fields.
Not an employee of the company. Just here to help and keep things clean.
kevin
Platinum Nut
Platinum Nut
 
Posts: 994
Joined: Fri Aug 16, 2013 10:10 am

Re: Example site? Password protected?

Postby Gordon » Tue Apr 14, 2015 1:41 pm

Well I still can’t get this to work from outside my LAN.. but seeing how it seems to be a problem with MY network configuration I am going to bail on it for and revert to the original config except use a “hidden” port for minimal security. Bonjour for Windows is something I would like to avoid if possible but when / if I have time I will try again. Thanks for the help.. I’m on the right track even if I don’t make it to the finish line.

BTW, A Quick and dirty way to end the css file errors in nginx error log:
Code: Select all
touch /opt/alarmdecoder-webapp/ad2web/static/css/user_custom.css

In addition, I added the “notice” log level option to the error logging in /var/log/nginx/error.log to increase verbosity:
Code: Select all
 error_log /var/log/nginx/error.log notice;
Even at this log level, I see no errors other than the “missing” css file error.
Gordon
newt
newt
 
Posts: 17
Joined: Fri Nov 28, 2014 3:02 pm

PreviousNext

Return to General

Who is online

Users browsing this forum: No registered users and 32 guests

cron